#Gootloader #Malware Resurfaces in #Google Ads for Legal Docs. Attackers target a familiar industry, law professionals, by hiding the infostealer in ads delivered via Google-based malvertising.
https://www.darkreading.com/cyberattacks-data-breaches/gootloader-malware-google-ads-legal-docs

I've been waiting for this writeup for a long time. Great dive on #Gootloader: https://news.sophos.com/en-us/2025/01/16/gootloader-inside-out/

Of particular note is the 24-hour timeout for any IP that receives a Gootloader download prompt, frustrating research attempts. But the whole research process here is excellent.

Hi everyone, it's @threatresearch driving the X-Ops social media today to let you know about a story we just published, written by my colleague Gabor Szappanos.

Szapi has done significant research in the past into a #malware family called #Gootloader that (for years, now) uses malicious #SEO techniques to promote compromised websites into Google search results.

This research finally cracks wide open the mystery of how they manage to do that so effectively. It's a long read, but well worth the deep dive.

https://news.sophos.com/en-us/2025/01/16/gootloader-inside-out/ ‎

1/

"Gootloader’s Pivot from SEO Poisoning: PDF Converters Become the New Infection Vector"

"Visiting this WordPress site (surprise!), I found a form for uploading a PDF to convert it to a .DOCX file inside a .zip. But after passing certain checks—being from an English-speaking country and not having visited in the past 24 hours on the same class C subnet—users instead receive a .JS file inside the .zip rather than a genuine .DOCX."

https://gootloader.wordpress.com/2024/11/07/gootloaders-pivot-from-seo-poisoning-pdf-converters-become-the-new-infection-vector/

#GootLoader is still active and efficient
https://securityaffairs.com/165368/malware/gootloader-malware-is-still-active.html
#securityaffairs #hacking

Finally finished reversing a new #GootLoader sample. Most #ThreatIntel I see suggests initial registry writes in support of the C2 payload, but it looks like they've done away with that and gone right to creating the Scheduled Tasks.

The DFIR Report posts from the future (26 February 2024). They provide a case study on a Gootloader infection stemming from an SEO-poisoned search result. 9 hours after infection, the malware deployed a Cobalt Strike beacon payload into the host's registry and executed it in memory. The threat actor deployed SystemBC to tunnel RDP access into the network, eventually compromising domain controllers, backup servers, and other key servers. IOC, Yara, Sigma rules, MITRE ATT&CK TTPs provided.
https://thedfirreport.com/2024/02/26/seo-poisoning-to-domain-control-the-gootloader-saga-continues/

Current #GootLoader site, serving up malicious zip/js is hxxps://zoom.sleekdev.xyz/archive.php

Current #GootLoader site, serving up malicious zip/js is hxxps://www.ototo.com.cn/api.php

Current #GootLoader site, serving up malicious zip/js is hxxps://www.nilsjapan.com/api.php

@GossiTheDog @malware_traffic that Emma Hill is a busy, busy bee.

Soon to be the third anniversary of this blog. Virtually identical web template in the post. https://news.sophos.com/en-us/2021/03/01/gootloader-expands-its-payload-delivery-options/
#Gootloader #malware

Current #GootLoader site, serving up malicious zip/js is hxxps://w3bminds.com/blog.php

Super handy detection for #GootLoader and others: for some reason, they think it's cute to make scheduled tasks using a changed working directory and the DOS shortname of the executable. But since no human would stack books like this regular scheduled task does this, an explicit DOS shortname with a ~1 in the task execution is a fairly solid detection signal.

#ThreatIntel #GootLoader