Gootloader Returns: What Goodies Did They Bring?

Nov. 6, 2025, 2:35 p.m.

Description

Gootloader, a sophisticated JavaScript-based malware loader, has resurfaced with renewed activity. Used by threat actor Storm-0494, it grants access to Vanilla Tempest, which delivers various ransomware families. Recent infections have led to rapid domain controller compromises. The loader now uses custom WOFF2 fonts with glyph substitution to obfuscate filenames and exploits WordPress comment endpoints for payload delivery. It has shifted to Startup folder persistence and employs extensive obfuscation techniques. Reconnaissance begins quickly after infection, followed by predictable attack patterns including AD enumeration, lateral movement, and potential ransomware preparation. The loader's delivery method and obfuscation techniques have evolved, making it more challenging to detect and analyze.

External References

https://www.huntress.com/blog/gootloader-threat-detection-woff2-obfuscation
https://otx.alienvault.com/pulse/690cadc6a4a3c3370cc2e697
Tags
obfuscation
ransomware
seo poisoning
blackcat
alphv
javascript
gootloader
lateral movement
noberus
rhysida
2025-11-06
vanilla tempest
quantum locker
wordpress exploitation
zeppelin
supper socks5 backdoor

Date

  • Created: Nov. 6, 2025, 2:16 p.m.
  • Published: Nov. 6, 2025, 2:16 p.m.
  • Modified: Nov. 6, 2025, 2:35 p.m.

Indicators

  • cf44aa11a17b3dad61cae715f4ea27c0cbf80732a1a7a1c530a5c9d3d183482a
  • c2326db8acae0cf9c5fc734e01d6f6c1cd78473b27044955c5761ec7fd479964
  • c2b9782c55f75bb1797cb4fbae0290b44d0fcad51bf4f2c11c52ebbe3526d2ac
  • b9a61652dffd2ab3ec3b7e95829759fc43665c27e9642d4b2d4d2f7287254034
  • 87cbe9a5e9da0dba04dbd8046b90dbd8ee531e99fd6b351eae1ae5df5aa67439
  • ad88076fd75d80e963d07f03d7ae35d4e55bd49634baf92743eece19ec901e94
  • 7557d5fed880ee1e292aba464ffdc12021f9acbe0ee3a2313519ecd7f94ec5c4
  • 5ec9e926d4fb4237cf297d0d920cf0e9a5409f0226ee555bd8c89b97a659f4b0
  • 2f056ce0657542da3e7e43fb815a8973c354624043f19ef134dff271db1741b3
  • 91.236.230.134
  • 193.104.58.64
  • 37.59.205.2
  • 213.232.236.138
  • 178.32.224.219
  • 103.253.42.91
  • 146.19.49.177
  • www2.pelisyseries.net
  • www.worldwealthbuilders.com
  • www.wagenbaugrabs.ch
  • www1.zonewebmaster.eu
  • www.us.registration.fcaministers.com
  • www.smithcoinc.biz
  • www.supremesovietoflove.com
  • www.pathfindertravels.se
  • www.minklinkaps.com
  • www.lovestu.com
  • www.ferienhausdehaanmieten.de
  • www.claritycontentservices.com
  • https://yourboxspring.nl/
  • https://yoga-penzberg.de/
  • https://x.fybw.org/
  • https://www2.pelisyseries.net/
  • https://www1.zonewebmaster.eu/news/
  • https://www.worldwealthbuilders.com/
  • https://www.wagenbaugrabs.ch/
  • https://www.us.registration.fcaministers.com/
  • https://www.minklinkaps.com/
  • https://www.ferienhausdehaanmieten.de/
  • https://www.claritycontentservices.com/wp/
  • https://whiskymuseum.at/
  • https://vps3nter.ir/
  • https://wessper.com/
  • https://villasaze.ir/
  • https://usma.ru/
  • https://unica.md/
  • https://tiresdoc.com/
  • https://thetripschool.com/
  • https://themasterscraft.com/
  • https://sugarbeecrafts.com/
  • https://spirits-station.fr/
  • https://studentspoint.org/
  • https://solidegypt.net/
  • https://redronic.com/
  • https://patriotillumination.com/
  • https://restaurantchezhenri.ca/
  • https://ostmarketing.com/
  • https://onsk.dk/
  • https://myanimals.com/
  • https://motoz.com.au/
  • https://michaelcheney.com/
  • https://medicit-y.ch/
  • https://lepolice.com/
  • https://latimp.eu/
  • https://leadoo.com/
  • https://kollabmi.se/
  • https://jungutah.com/
  • https://influenceimmo.com/
  • https://idmpakistan.pk/
  • https://hotporntv.net/
  • https://headedforspace.com/
  • https://gravityforms.ir/
  • https://fotbalovavidea.cz/
  • https://filmcrewnepal.com/
  • https://eliskavaea.cz/
  • https://egyptelite.com/
  • https://dailykhabrain.com.pk/
  • https://cortinaspraga.com/
  • https://cloudy.pk/
  • https://cargoboard.de/
  • https://campfosterymca.com/
  • https://buildacampervan.com/
  • https://bluehamham.com/
  • https://blossomthemesdemo.com/
  • https://aradax.ir/
  • https://apprater.net/
  • http://cookcountyjudges.org/
  • https://allreleases.ru/
  • https://xxxmorritas.com/
  • https://www.supremesovietoflove.com/wp/
  • https://www.smithcoinc.biz/
  • https://www.pathfindertravels.se/tickets/
  • https://r34porn.net/
  • https://www.lovestu.com/
  • https://espressonisten.de/
  • x.fybw.org
  • yourboxspring.nl
  • yoga-penzberg.de
  • xxxmorritas.com
  • whiskymuseum.at
  • vps3nter.ir
  • villasaze.ir
  • unica.md
  • thetripschool.com
  • tiresdoc.com
  • themasterscraft.com
  • spirits-station.fr
  • studentspoint.org
  • solidegypt.net
  • redronic.com
  • restaurantchezhenri.ca
  • patriotillumination.com
  • ostmarketing.com
  • onsk.dk
  • motoz.com.au
  • michaelcheney.com
  • medicit-y.ch
  • kollabmi.se
  • jungutah.com
  • hotporntv.net
  • headedforspace.com
  • gravityforms.ir
  • fotbalovavidea.cz
  • filmcrewnepal.com
  • espressonisten.de
  • eliskavaea.cz
  • egyptelite.com
  • cortinaspraga.com
  • cookcountyjudges.org
  • cargoboard.de
  • buildacampervan.com
  • campfosterymca.com
  • bluehamham.com
  • blossomthemesdemo.com
  • aradax.ir
  • apprater.net
  • allreleases.ru
Download all indicators here!

Attack Patterns

  • Supper SOCKS5 Backdoor
  • Quantum Locker
  • Zeppelin
  • Gootloader - S1138
  • BlackCat - S1068
  • Noberus
  • Rhysida
  • ALPHV
  • Storm-0494