Gootloader Malware Resurfaces, Using Fake Document Websites and New Evasion Techniques to Bypass Detection


450/68 Friday, November 7, 2025

After seven months of inactivity, the Gootloader malware operation has returned, continuing to use SEO poisoning to manipulate search engine results and promote fake websites that lure users into downloading documents. These sites typically impersonate platforms offering free legal templates or contract forms. When victims search for such documents and click to download, they receive a ZIP file that contains a hidden malicious JavaScript (.js) file. If the user opens that file, Gootloader executes and downloads additional malware such as Cobalt Strike or other backdoors, enabling attackers to take control of the device, often leading to ransomware attacks.

In this new wave, Gootloader introduces more advanced detection-evasion techniques. One method uses a custom web font to hide keywords on the webpage: the page source contains unreadable characters, and the font maps those glyphs to readable words only when the page is rendered in a browser. This prevents security scanners that inspect the source from detecting suspicious keywords such as “invoice” or “contract.” Another technique uses a deliberately malformed ZIP file. When victims open it with Windows Explorer, the malicious .js file is extracted, but when the archive is analyzed with tools such as 7-Zip or VirusTotal, it appears to contain a harmless .txt file instead, tricking automated scanning systems into treating the file as safe.
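Archives that different unzippers read differently can be caught at a mail gateway or in a sandbox without depending on any single unzipper. The script below is an added example (not from the article or the researchers who analyzed the campaign): it parses a ZIP's central directory and local file headers by hand and reports where the two records disagree. The article does not say which malformation Gootloader uses, so the sample archive here is constructed with one assumed class of inconsistency, a filename that differs between the central directory and the local header.

```python
import io
import struct
import zipfile

# Constructed samples: a clean archive, and a copy whose central-directory
# filename is patched so it no longer matches the local file header.
# (The exact malformation used by Gootloader is not described; this is an
# assumed example of a parser differential.)
def build_samples():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("doc1.js", "WScript.Echo('sample');")
    clean = buf.getvalue()
    cd_off = clean.rfind(b"PK\x01\x02")          # start of central directory
    tampered = clean[:cd_off] + clean[cd_off:].replace(b"doc1.js", b"doc.txt", 1)
    return clean, tampered

def audit_zip(data):
    """Return a list of findings describing structural inconsistencies."""
    findings = []
    eocd = data.rfind(b"PK\x05\x06")
    if eocd < 0:
        return ["no end-of-central-directory record"]
    n_entries, _cd_size, cd_off = struct.unpack_from("<HII", data, eocd + 10)
    comment_len = struct.unpack_from("<H", data, eocd + 20)[0]
    if eocd + 22 + comment_len != len(data):
        findings.append("trailing bytes after end-of-central-directory record")
    pos = cd_off
    for _ in range(n_entries):
        if data[pos:pos + 4] != b"PK\x01\x02":
            findings.append(f"bad central directory signature at offset {pos}")
            break
        crc, csize, usize, nlen, xlen, clen = struct.unpack_from("<IIIHHH", data, pos + 16)
        lh_off = struct.unpack_from("<I", data, pos + 42)[0]
        cd_name = data[pos + 46:pos + 46 + nlen].decode("utf-8", "replace")
        pos += 46 + nlen + xlen + clen
        if data[lh_off:lh_off + 4] != b"PK\x03\x04":
            findings.append(f"{cd_name!r}: offset {lh_off} is not a local file header")
            continue
        # Local header: version, flags, method, time, date, crc, csize, usize, nlen, xlen
        _, l_flags, _, _, _, l_crc, l_csize, l_usize, l_nlen, _ = struct.unpack_from(
            "<HHHHHIIIHH", data, lh_off + 4)
        lh_name = data[lh_off + 30:lh_off + 30 + l_nlen].decode("utf-8", "replace")
        if lh_name != cd_name:
            findings.append(f"name mismatch: central directory {cd_name!r} vs local header {lh_name!r}")
        # Bit 3 means sizes/CRC live in a data descriptor, so the local header may hold zeros.
        if not (l_flags & 8) and (l_crc, l_csize, l_usize) != (crc, csize, usize):
            findings.append(f"{cd_name!r}: CRC/size differs between central directory and local header")
    return findings
```

A clean archive yields no findings; any mismatch is worth treating as a reason to quarantine the attachment rather than trust whichever view a particular scanner happened to take.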

The ultimate goal of this Gootloader campaign is to install a backdoor called “Supper SOCKS5,” used by the hacker group Vanilla Tempest to gain remote access to victim networks. The group has been associated with multiple ransomware attacks. Researchers observed that the attack execution is extremely fast—attackers begin scanning the internal network within 20 minutes after the first machine is infected, and they can take control of the domain controller within 17 hours. Users and organizations are advised to exercise extreme caution when searching for and downloading document templates from the internet. If a site is not recognized or trusted, it should be assumed to be malicious and avoided.

Source: https://www.bleepingcomputer.com/news/security/gootloader-malware-is-back-with-new-tricks-after-7-month-break/