Gootloader Returns: Malware Hidden in Google Ads for Legal Documents

April 4, 2025, 8:32 a.m.

Description

The Gootloader malware campaign has evolved its tactics, now using Google Ads to target victims seeking legal templates. The threat actor advertises legal documents, primarily agreements, through compromised ad accounts. Users searching for templates are directed to a malicious website where they are prompted to enter their email address. They then receive an email with a link to download a seemingly legitimate document, which is actually a zipped .JS file containing malware. When executed, the malware creates a scheduled task and uses PowerShell to communicate with compromised WordPress blogs. The campaign demonstrates a shift in Gootloader's strategy, moving from poisoned search results to controlled infrastructure for malware delivery.
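One way to hunt for the execution chain described above, as an added example that is not part of the original report: it flags hosts where a Windows script host runs a .js file and, within an assumed 10-minute window, a scheduled task is created and PowerShell starts. The event schema, field names, window, and sample events are constructed for illustration.

```python
import ntpath
import re
from datetime import datetime, timedelta

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}   # Windows script hosts that run .js files
WINDOW = timedelta(minutes=10)                  # assumed correlation window

# Constructed, normalised events (not from the report). The schema is an assumption:
# kind "process" ~ process creation, kind "task_created" ~ scheduled-task creation.
EVENTS = [
    {"host": "WS-01", "time": "2025-04-03T14:00:05", "kind": "process",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\a\Downloads\agreement_template.js"'},
    {"host": "WS-01", "time": "2025-04-03T14:00:20", "kind": "task_created", "task": "ExampleTask"},
    {"host": "WS-01", "time": "2025-04-03T14:00:40", "kind": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmdline": "powershell.exe"},
    # .js run, but PowerShell only hours later and no task: not flagged
    {"host": "WS-02", "time": "2025-04-03T09:00:00", "kind": "process",
     "image": r"C:\Windows\System32\wscript.exe", "cmdline": r"wscript.exe C:\build\lint.js"},
    {"host": "WS-02", "time": "2025-04-03T13:00:00", "kind": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmdline": "powershell.exe"},
    # Task creation and PowerShell with no preceding .js run: not flagged
    {"host": "WS-03", "time": "2025-04-03T10:00:00", "kind": "task_created", "task": "Backup"},
    {"host": "WS-03", "time": "2025-04-03T10:00:05", "kind": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmdline": "powershell.exe"},
]

def _image(ev):
    """Lower-cased executable name from a Windows image path."""
    return ntpath.basename(ev.get("image", "")).lower()

def is_js_launch(ev):
    """True when wscript/cscript is started with a .js file on its command line."""
    return (ev["kind"] == "process" and _image(ev) in SCRIPT_HOSTS
            and re.search(r"\.js\b", ev.get("cmdline", ""), re.I) is not None)

def find_chains(events, window=WINDOW):
    """Hosts where a .js launch is followed within `window` by task creation and PowerShell."""
    hits = set()
    ordered = sorted(events, key=lambda e: datetime.fromisoformat(e["time"]))
    for i, first in enumerate(ordered):
        if not is_js_launch(first):
            continue
        t0 = datetime.fromisoformat(first["time"])
        later = [e for e in ordered[i + 1:] if e["host"] == first["host"]
                 and datetime.fromisoformat(e["time"]) - t0 <= window]
        if (any(e["kind"] == "task_created" for e in later)
                and any(e["kind"] == "process" and _image(e) == "powershell.exe" for e in later)):
            hits.add(first["host"])
    return sorted(hits)
```

The order of task creation and PowerShell start is not enforced, since the description does not state it; only the .js launch must come first.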

Date

  • Created: April 3, 2025, 10:07 p.m.
  • Published: April 3, 2025, 10:07 p.m.
  • Modified: April 4, 2025, 8:32 a.m.

Attack Patterns