Gootloader malware has re-emerged with renewed and aggressive operations starting October 27, 2025, targeting organizations worldwide through sophisticated SEO poisoning and compromised WordPress sites. The latest Gootloader campaigns demonstrate rapid operational efficiency, achieving domain controller compromise within just 17 hours of initial infection. This resurgence features advanced evasion techniques including custom WOFF2 font obfuscation for filenames, XOR-encrypted payloads delivered through WordPress comment submission endpoints, and persistence mechanisms using Windows 8.3 short filenames in Startup-folder shortcuts. The threat operation reflects collaboration between Storm-0494 (Gootloader operators) and Vanilla Tempest/Rhysida ransomware actors, creating a fast-paced, organized, and technically sophisticated threat chain. Organizations using Windows platforms face critical risks from this Gootloader resurgence, which leverages the Supper SOCKS5 backdoor for covert access and leads to potential Rhysida ransomware deployment.
Gootloader has resurfaced after reduced activity, returning in late October 2025 with renewed aggressive operations targeting Windows platforms worldwide. Multiple Gootloader infections beginning October 27, 2025 escalated into hands-on-keyboard intrusions that achieved domain controller compromise within just 17 hours of initial infection. This demonstrates the attackers’ operational efficiency and ability to progress rapidly from initial access through reconnaissance, privilege escalation, and lateral movement phases of the Gootloader attack chain.
The Gootloader campaigns follow a consistent attack pattern that includes Active Directory enumeration through Kerberoasting, SPN scanning, and WinRM-based lateral movement, ultimately leading to privileged account creation and preparatory actions for ransomware deployment. A key technical evolution in these Gootloader campaigns is the use of custom WOFF2 web fonts with glyph substitution to obfuscate filenames within malicious JavaScript payloads. Because the font maps the characters present in the page source to different glyphs, the filename the victim sees on screen never exists as a string in the source: it appears only when the browser renders the text with that font, which defeats the static string matching and signature-based detection used by security tools.
The Gootloader loader continues to abuse WordPress comment submission endpoints (/wp-comments-post.php) to deliver XOR-encrypted ZIP archives, each uniquely keyed by its obfuscated filename. The Gootloader infection chain reflects the group’s continued reliance on Search Engine Optimization (SEO) poisoning, which lures victims searching for business-related documents to compromised WordPress sites. For persistence, Gootloader has shifted from scheduled tasks to Startup-folder shortcuts using Windows 8.3 short filenames to obscure true file paths and hinder forensic analysis.
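To make the "XOR-encrypted ZIP, keyed by its filename" delivery concrete, here is an added Python example (not code from the original page or from Huntress). It assumes the archive is XORed with the bytes of its obfuscated filename as a repeating key; the page states that each archive is keyed by its filename but not the exact scheme, so the keying here is an assumption. Because every ZIP starts with the `PK\x03\x04` local-file-header signature, the first four key bytes can be recovered from ciphertext alone, which is a quick way to confirm the scheme on a captured sample. The sample archive and the filename `xwqz.zip` are constructed for the demonstration.

```python
"""Decrypt an XOR-encrypted ZIP payload and recover key bytes from the ZIP header.

Added example, not code from the original page or from Huntress. Assumption:
the archive is XORed with the bytes of its (obfuscated) filename as a
repeating key; the page states the key is per-filename but not the exact scheme.
"""
import io
import zipfile
from itertools import cycle
from typing import List, Optional

ZIP_MAGIC = b"PK\x03\x04"  # local-file-header signature every ZIP starts with


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; one function both encrypts and decrypts."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def build_sample_zip() -> bytes:
    """Constructed stand-in for the delivered archive (one .js member)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Business_Contract_Template.js", "WScript.Echo('stage 1');")
    return buf.getvalue()


def decrypt_payload(blob: bytes, filename: str) -> Optional[bytes]:
    """Try the filename as key; accept the result only if a ZIP header appears."""
    plain = xor_bytes(blob, filename.encode())
    return plain if plain.startswith(ZIP_MAGIC) else None


def recover_key_prefix(blob: bytes) -> bytes:
    """Known-plaintext recovery: ciphertext XOR 'PK\\x03\\x04' gives the first
    four key bytes, enough to confirm the keying scheme when the filename shown
    in the browser differs from the one present in the page source."""
    return xor_bytes(blob[:4], ZIP_MAGIC)


def list_members(zip_bytes: bytes) -> List[str]:
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return zf.namelist()


if __name__ == "__main__":
    key_name = "xwqz.zip"  # constructed obfuscated filename used as the key
    encrypted = xor_bytes(build_sample_zip(), key_name.encode())
    print("recovered key prefix:", recover_key_prefix(encrypted))
    print("members:", list_members(decrypt_payload(encrypted, key_name)))
```

If `recover_key_prefix` returns bytes that are not a prefix of the filename you expected, the key is derived differently (for instance from the filename rendered through the font rather than the source text), and the recovered bytes tell you what to try next.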
Following initial Gootloader compromise, the attackers deploy the “Supper” SOCKS5 backdoor, which employs heavy obfuscation techniques including API hashing, runtime shellcode injection, API hammering, and custom LZMA compression. Despite its simple functionality providing SOCKS proxying and remote shell access, the Supper backdoor’s encryption and rotating C2 infrastructure ensure reliable, covert access. This Gootloader operation highlights collaboration between Storm-0494 (Gootloader operators) and Vanilla Tempest/Rhysida ransomware actors, where Storm-0494 handles Gootloader infection and initial access, and Vanilla Tempest conducts rapid reconnaissance and domain controller compromise within hours.
Implement behavioral monitoring in EDR and SIEM platforms to detect suspicious PowerShell, WScript, or CScript activity associated with Gootloader, especially processes launched from unusual locations such as %AppData%. Hunt for Startup-folder .lnk shortcuts referencing JavaScript files or using Windows 8.3 short filenames that may indicate Gootloader persistence mechanisms on compromised systems.
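The following Python is an added example of the Startup-folder hunt, not code from the original page or from Huntress. It takes records of (shortcut path, resolved target, arguments) as an EDR query or a .lnk parser would export them, so it runs on any platform, and flags Windows 8.3 short names (such as `ISISDR~1` or `CONTRA~1.JS`), script targets, and script hosts launching a script from their arguments; an AppData location is recorded as context but is not enough on its own, since legitimate per-user software (OneDrive, for example) also autostarts from there. The sample records are constructed.

```python
"""Triage Startup-folder shortcuts for Gootloader-style persistence.

Added example, not code from the original page or from Huntress. The records
(shortcut path, resolved target, arguments) are constructed to stand in for
what an EDR query or a .lnk parser would export; resolving the shortcut is
left to that tooling so this runs on any platform.
"""
import re
from pathlib import PureWindowsPath
from typing import Dict, List, Tuple

# Windows 8.3 short names look like PROGRA~1 or CONTRA~1.JS: up to six leading
# characters, a tilde, a number, and an optional three-character extension.
SHORT_NAME = re.compile(r"^[^\\/.\s]{1,6}~\d+(\.[^\\/.\s]{1,3})?$", re.IGNORECASE)
SCRIPT_EXTS = {".js", ".jse", ".wsf", ".vbs", ".vbe", ".hta"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}


def has_short_name_component(path: str) -> bool:
    return any(SHORT_NAME.match(part) for part in PureWindowsPath(path).parts)


def split_arguments(arguments: str) -> List[str]:
    """Split a command line into tokens, honouring double quotes."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', arguments)]


def triage_startup_shortcut(lnk_path: str, target: str, arguments: str = "") -> Dict:
    tokens = split_arguments(arguments)
    target_path = PureWindowsPath(target)
    strong, context = [], []
    if any(has_short_name_component(p) for p in [target, *tokens]):
        strong.append("8.3 short name hides the real file path")
    if target_path.suffix.lower() in SCRIPT_EXTS:
        strong.append(f"target is a {target_path.suffix.lower()} script")
    if target_path.name.lower() in SCRIPT_HOSTS and any(
            PureWindowsPath(t).suffix.lower() in SCRIPT_EXTS for t in tokens):
        strong.append(f"{target_path.name.lower()} launches a script passed as argument")
    if any("\\appdata\\" in p.lower() for p in [target, *tokens]):
        context.append("runs from a user-profile AppData directory")
    return {"lnk": lnk_path, "suspicious": bool(strong), "reasons": strong + context}


def triage_all(records: List[Tuple[str, str, str]]) -> List[Dict]:
    return [triage_startup_shortcut(*r) for r in records]


STARTUP = r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
# Constructed records: the first mimics the pattern described above (wscript.exe
# running a .js from an AppData folder through 8.3 names); the others are benign.
SAMPLE_SHORTCUTS = [
    (STARTUP + r"\ISIS Drivers.lnk", r"C:\Windows\System32\wscript.exe",
     r'"C:\Users\alice\AppData\Roaming\ISISDR~1\CONTRA~1.JS"'),
    (STARTUP + r"\OneDrive.lnk",
     r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe", "/background"),
    (STARTUP + r"\Send to OneNote.lnk",
     r"C:\Program Files\Microsoft Office\root\Office16\ONENOTEM.EXE", "/tsr"),
]

if __name__ == "__main__":
    for result in triage_all(SAMPLE_SHORTCUTS):
        if result["suspicious"]:
            print(result["lnk"], "->", "; ".join(result["reasons"]))
```

On a live host, expand any flagged short name with the platform's long-path API before pivoting to the file; the short form is exactly what the shortcut shows, and the long form is what appears in process-creation telemetry.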
Block or sinkhole the identified C2 IP addresses and domains linked to recent Gootloader activity to prevent command and control communication. Closely monitor outbound network connections over TCP/443 that do not conform to standard TLS handshakes, as the Supper backdoor used in Gootloader campaigns uses encrypted but non-TLS communication over that port.
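A first-packet check is the cheapest way to act on the "encrypted but not TLS on 443" observation. The Python below is an added example, not code from the original page or from Huntress: it applies the structural checks a NIDS performs on the TLS record header and the ClientHello handshake header, and flags 443 flows whose first client bytes fail them. The flow records, the ClientHello prefix and the opaque blob standing in for a non-TLS protocol are all constructed; in practice the first client payload bytes would come from a PCAP or from a proxy or sensor that exposes them.

```python
"""Flag TCP/443 flows whose first bytes are not a TLS ClientHello.

Added example, not code from the original page or from Huntress. The flow
records are constructed; in practice they would come from a PCAP or a
NIDS/proxy that exposes the first client payload bytes of each connection.
"""
import struct
from typing import Dict, List

TLS_HANDSHAKE_RECORD = 0x16
CLIENT_HELLO = 0x01
TLS_VERSIONS = {0x0301, 0x0302, 0x0303, 0x0304}  # TLS 1.0-1.3 (record layer carries legacy values)
MAX_RECORD_LEN = 16384  # 2^14, RFC 8446 section 5.1


def looks_like_tls_client_hello(first_bytes: bytes) -> bool:
    """Structural checks on the TLS record header (5 bytes) and the handshake
    header plus client version (6 bytes) that every TLS client sends first."""
    if len(first_bytes) < 11:
        return False
    rec_type, rec_ver, rec_len = struct.unpack("!BHH", first_bytes[:5])
    if rec_type != TLS_HANDSHAKE_RECORD or rec_ver not in TLS_VERSIONS:
        return False
    if not 4 <= rec_len <= MAX_RECORD_LEN:
        return False
    hs_type = first_bytes[5]
    hs_len = int.from_bytes(first_bytes[6:9], "big")
    if hs_type != CLIENT_HELLO:
        return False
    # A record cannot carry more than the message it belongs to; a large
    # ClientHello may span several records, so hs_len + 4 > rec_len is allowed.
    if hs_len + 4 < rec_len:
        return False
    client_ver = struct.unpack("!H", first_bytes[9:11])[0]
    return client_ver in TLS_VERSIONS


def flag_non_tls_on_443(flows: List[Dict]) -> List[Dict]:
    """Return the 443 flows that do not open with a TLS handshake."""
    return [f for f in flows
            if f["dport"] == 443 and not looks_like_tls_client_hello(f["first_bytes"])]


# Constructed flow records. The first is a genuine-looking ClientHello prefix
# (record 16 03 01, length 200; handshake 01, length 196; client version 03 03);
# the others are plain HTTP and an opaque custom protocol on the same port.
SAMPLE_FLOWS = [
    {"src": "10.0.0.21", "dst": "203.0.113.40", "dport": 443,
     "first_bytes": bytes.fromhex("16030100c8010000c40303") + bytes(32)},
    {"src": "10.0.0.21", "dst": "203.0.113.41", "dport": 443,
     "first_bytes": b"GET / HTTP/1.1\r\nHost: 203.0.113.41\r\n\r\n"},
    {"src": "10.0.0.35", "dst": "198.51.100.9", "dport": 443,
     "first_bytes": bytes.fromhex("9f4211036ad1c0ff5c08e2b9e17a44c0")},
]

if __name__ == "__main__":
    for f in flag_non_tls_on_443(SAMPLE_FLOWS):
        print(f"non-TLS on 443: {f['src']} -> {f['dst']}")
```

Expect some benign hits (QUIC is UDP and will not appear, but SSH or VPN clients pinned to 443 do); the value is in the long tail of workstation-originated flows to unclassified addresses, which is where the IPs listed later on this page belong.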
Review proxy and web logs for POST requests to */wp-comments-post.php, especially those followed by small ZIP downloads, which may indicate Gootloader payload delivery from compromised WordPress sites. Collect forensic artifacts from systems suspected of Gootloader compromise, including Startup folder contents, %AppData% directories, registry Run keys, and memory dumps for evidence of Gootloader persistence or lateral movement.
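The web-log review can be scripted. The Python below is an added example, not code from the original page or from Huntress, run over constructed access-log lines in the Apache/nginx combined format. It rests on two assumptions that are labelled in the code: a legitimate comment submission to wp-comments-post.php answers with a 302 redirect and an empty body, so a 200 with a body of tens of kilobytes is anomalous; and the 10 KB size threshold and 60-second follow-up window are illustrative tuning values, not figures from the page.

```python
"""Hunt web-server access logs for payload delivery via wp-comments-post.php.

Added example, not code from the original page or from Huntress. The log
lines are constructed in combined format. Assumptions: a legitimate comment
submission answers 302 with an empty body, so a 200 with a sizeable body is
anomalous; the 10 KB threshold and 60-second window are illustrative values.
"""
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line: str) -> Optional[Dict]:
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
    e["status"] = int(e["status"])
    e["size"] = 0 if e["size"] == "-" else int(e["size"])
    e["path"] = e["path"].split("?", 1)[0]  # drop the query string
    return e


def find_comment_endpoint_delivery(lines: List[str], min_bytes: int = 10_000,
                                   window: timedelta = timedelta(seconds=60)) -> List[Dict]:
    """Flag POSTs to */wp-comments-post.php that either return a sizeable 200
    body or are followed by a small ZIP download from the same client."""
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e["ts"])
    hits = []
    for i, post in enumerate(events):
        if post["method"] != "POST" or not post["path"].endswith("/wp-comments-post.php"):
            continue
        reasons = []
        if post["status"] == 200 and post["size"] >= min_bytes:
            reasons.append(f"200 with {post['size']}-byte body instead of a 302 redirect")
        for nxt in events[i + 1:]:
            if nxt["ts"] - post["ts"] > window:
                break
            if (nxt["ip"] == post["ip"] and nxt["method"] == "GET"
                    and nxt["path"].lower().endswith(".zip") and nxt["status"] == 200):
                reasons.append(f"followed by ZIP download {nxt['path']} ({nxt['size']} bytes)")
        if reasons:
            hits.append({"ip": post["ip"], "time": post["ts"].isoformat(), "reasons": reasons})
    return hits


# Constructed sample log (combined format). 203.0.113.5 and 203.0.113.9 model
# the delivery pattern; 198.51.100.7 is an ordinary comment submission.
SAMPLE_LOG = [
    '203.0.113.5 - - [28/Oct/2025:14:02:11 +0000] "GET /?s=business+contract+template HTTP/1.1" 200 18231 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [28/Oct/2025:14:02:19 +0000] "POST /wp-comments-post.php HTTP/1.1" 200 74112 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [28/Oct/2025:14:05:02 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [28/Oct/2025:14:07:40 +0000] "POST /blog/wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [28/Oct/2025:14:07:52 +0000] "GET /blog/files/Agreement_Template.zip HTTP/1.1" 200 70100 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in find_comment_endpoint_delivery(SAMPLE_LOG):
        print(hit["ip"], hit["time"], "; ".join(hit["reasons"]))
```

On a proxy rather than the web server, the same logic applies with the destination host added to each event, so a single client hitting wp-comments-post.php on several unrelated sites in one session stands out even when individual responses look small.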
Assume potential credential theft on Gootloader-affected hosts given the rapid escalation to domain controller compromise. Enforce password resets for privileged and service accounts, enable MFA where possible, and monitor for new account creations or privilege escalations following a Gootloader infection event to prevent ransomware deployment.
Educate users about SEO-poisoning lures that promise business-related documents or templates from unfamiliar websites, which are primary Gootloader infection vectors. Restrict execution of JavaScript files via Windows Script Host where not required, for example by reassociating the .js and .jse extensions with a text editor or disabling WSH through policy, and apply least privilege principles to limit lateral movement opportunities if Gootloader successfully compromises initial systems.
2f056ce0657542da3e7e43fb815a8973c354624043f19ef134dff271db1741b3, b9a61652dffd2ab3ec3b7e95829759fc43665c27e9642d4b2d4d2f7287254034, cf44aa11a17b3dad61cae715f4ea27c0cbf80732a1a7a1c530a5c9d3d183482a, 39d980851be1e111c035e4db2589fa3d5f59a5bef7b7b3e36bff5435c78f7049, c2326db8acae0cf9c5fc734e01d6f6c1cd78473b27044955c5761ec7fd479964, ad88076fd75d80e963d07f03d7ae35d4e55bd49634baf92743eece19ec901e94, 7557d5fed880ee1e292aba464ffdc12021f9acbe0ee3a2313519ecd7f94ec5c4, 5ec9e926d4fb4237cf297d0d920cf0e9a5409f0226ee555bd8c89b97a659f4b0, 87cbe9a5e9da0dba04dbd8046b90dbd8ee531e99fd6b351eae1ae5df5aa67439
C:\Users\username\AppData\Roaming\ISIS Drivers, C:\Users\username\AppData\Roaming\Nuance, C:\Users\username\AppData\Roaming\PFU, C:\Users\username\AppData\Local\Oardwior, C:\Users\username\AppData\Roaming\myHUD, C:\Users\username\AppData\Roaming\Canon U.S.A.
178.32.224.219, 37.59.205.2, 193.104.58.64, 103.253.42.91, 91.236.230.134, 213.232.236.138, 146.19.49.177
hxxps://spirits-station.fr/, hxxps://www.us.registration.fcaministers.com/, hxxps://motoz.com.au/, hxxps://routinelynomadic.com/, hxxps://www.wagenbaugrabs.ch/, hxxps://studentspoint.org/, hxxps://dailykhabrain.com.pk/, hxxps://myanimals.com/, hxxps://www2.pelisyseries.net/, hxxps://www.claritycontentservices.com/wp/, hxxps://patriotillumination.com/, hxxps://michaelcheney.com/, hxxps://allreleases.ru/, hxxps://cloudy.pk/, hxxps://eliskavaea.cz/, hxxps://leadoo.com/, hxxps://ostmarketing.com/, hxxps://egyptelite.com/, hxxps://restaurantchezhenri.ca/, hxxps://www1.zonewebmaster.eu/news/, hxxps://campfosterymca.com/, hxxps://idmpakistan.pk/, hxxps://themasterscraft.com/, hxxps://unica.md/, hxxps://cargoboard.de/, hxxps://www.supremesovietoflove.com/wp/, hxxps://buildacampervan.com/, hxxps://www.minklinkaps.com/, hxxps://aradax.ir/, hxxps://medicit-y.ch/, hxxps://redronic.com/, hxxps://www.ferienhausdehaanmieten.de/, hxxps://gravityforms.ir/, hxxps://apprater.net/, hxxps://fotbalovavidea.cz/, hxxps://usma.ru/, hxxps://thetripschool.com/, hxxps://cortinaspraga.com/, hxxp://cookcountyjudges.org/, hxxps://x.fybw.org/, hxxps://jungutah.com/, hxxps://influenceimmo.com/, hxxps://tokyocheapo.com/, hxxps://espressonisten.de/, hxxps://tiresdoc.com/, hxxps://yourboxspring.nl/, hxxps://filmcrewnepal.com/, hxxps://yoga-penzberg.de/, hxxps://sugarbeecrafts.com/, hxxps://www.worldwealthbuilders.com/, hxxps://lepolice.com/, hxxps://www.lovestu.com/, hxxps://bluehamham.com/, hxxps://vps3nter.ir/, hxxps://whiskymuseum.at/, hxxps://latimp.eu/, hxxps://solidegypt.net/, hxxps://wessper.com/, hxxps://www.pathfindertravels.se/tickets/, hxxps://www.smithcoinc.biz/, hxxps://kollabmi.se/, hxxps://onsk.dk/, hxxps://villasaze.ir/, hxxps://blossomthemesdemo.com/, hxxps://headedforspace.com/
Compromised adult entertainment websites were also observed as distribution points; their URLs are filtered from this list.
T1189 – Drive-by Compromise: Gootloader uses SEO poisoning to lure victims to compromised WordPress sites. T1190 – Exploit Public-Facing Application: Gootloader abuses WordPress comment submission endpoints. T1608.006 – SEO Poisoning: Gootloader leverages search engine optimization to redirect victims. T1204 – User Execution: Gootloader requires user interaction to execute malicious JavaScript. T1059.007 – JavaScript: Gootloader payloads are delivered as obfuscated JavaScript files. T1059.001 – PowerShell: Gootloader uses PowerShell for various attack stages. T1059 – Command and Scripting Interpreter: Gootloader leverages multiple scripting interpreters.
T1547.001 – Registry Run Keys / Startup Folder: Gootloader creates Startup-folder shortcuts for persistence. T1547 – Boot or Logon Autostart Execution: Gootloader ensures execution on system restart. T1053.005 – Scheduled Task: Gootloader previously used scheduled tasks for persistence. T1053 – Scheduled Task/Job: Gootloader maintains persistence through task scheduling. T1068 – Exploitation for Privilege Escalation: Gootloader campaigns escalate privileges rapidly.
T1027 – Obfuscated Files or Information: Gootloader heavily obfuscates JavaScript payloads. T1027.013 – Encrypted/Encoded File: Gootloader uses XOR-encrypted ZIP archives and custom WOFF2 fonts. T1140 – Deobfuscate/Decode Files or Information: Gootloader payloads decrypt at runtime. T1036 – Masquerading: Gootloader uses Windows 8.3 short filenames to obscure file paths.
T1558.003 – Kerberoasting: Gootloader campaigns perform Active Directory enumeration through Kerberoasting. T1558 – Steal or Forge Kerberos Tickets: Gootloader operators target Kerberos authentication. T1552 – Unsecured Credentials: Gootloader seeks credentials throughout compromised environments. T1555 – Credentials from Password Stores: Gootloader targets stored credentials.
T1021.006 – Windows Remote Management: Gootloader uses WinRM-based lateral movement. T1021 – Remote Services: Gootloader leverages multiple remote service protocols. T1071.001 – Web Protocols: Gootloader communicates using web-based protocols. T1071 – Application Layer Protocol: Gootloader C2 uses application layer communication. T1095 – Non-Application Layer Protocol: Supper backdoor uses non-TLS encrypted communication over TCP/443. T1090 – Proxy: Supper SOCKS5 backdoor provides proxy functionality. T1105 – Ingress Tool Transfer: Gootloader downloads additional payloads and tools.
T1113 – Screen Capture: Gootloader operations may capture screenshots during reconnaissance. T1055 – Process Injection: Supper backdoor uses runtime shellcode injection. T1490 – Inhibit System Recovery: Gootloader prepares environments for ransomware deployment. T1584 – Compromise Infrastructure: Gootloader compromises WordPress sites for infrastructure. T1584.001 – Domains: Gootloader uses compromised domains for distribution. T1608 – Stage Capabilities: Gootloader stages tools and payloads on compromised infrastructure.
https://www.huntress.com/blog/gootloader-threat-detection-woff2-obfuscation