Gootloader malware returns with new stealth tactics after 7-month hiatus
Farah Amod
Nov 23, 2025 10:10:59 AM
The malware loader is back with advanced evasion techniques targeting users searching for legal document templates.
What happened
The Gootloader malware operation has resumed activity after a 7-month break, once again using SEO poisoning to promote fake websites that lure users into downloading malicious JavaScript files. The campaign primarily targets individuals searching for legal templates, such as NDAs or contracts, using deceptive tactics to distribute malware via attacker-controlled or compromised websites.
These websites appear in search engine results and display fake document-sharing platforms. When users attempt to download a document, they are served a ZIP archive containing a .js file that initiates Gootloader, which then downloads additional malware like backdoors, bots, or Cobalt Strike, often used to stage ransomware attacks.
Going deeper
Security researchers tracking Gootloader say the operation stopped abruptly on March 31, 2025, following takedown efforts. It has now returned with an expanded campaign involving over 100 domains and thousands of SEO keywords.
The latest variant uses several advanced techniques to avoid detection:
- A custom web font replaces visible letters with visually similar but encoded glyphs. This prevents automated tools from detecting words like “invoice” in the site’s source code.
- Malformed ZIP files behave differently depending on the extraction method. When opened in Windows Explorer, the malicious JavaScript file is extracted; when opened in tools like VirusTotal or 7-Zip, a harmless text file appears instead.
- The malware now drops the Supper SOCKS5 backdoor, which provides remote access and has ties to a known ransomware affiliate group, Vanilla Tempest. In observed attacks, threat actors moved quickly, reaching the Domain Controller in under 17 hours.
What was said
According to the Gootloader researcher and Huntress Labs’ Anna Pham, the campaign’s goal remains unchanged: gain initial access through misleading downloads and escalate to full network compromise. Their latest blog post singles out the font-based obfuscation as the key innovation in this wave. Researchers from The DFIR Report contributed the analysis of the ZIP file manipulation technique, a further sign of the malware’s growing sophistication.
The big picture
According to The Register, “What makes Gootloader particularly dangerous is the speed of the attack chain,” said Steven Pham. “The research shows that organizations have a narrow window to detect and respond before threat actors achieve domain controller compromise and begin ransomware preparation activities.”
FAQs
What is SEO poisoning, and why is it effective for malware delivery?
SEO poisoning manipulates search engine rankings to push malicious websites to the top of search results, increasing the chance that unsuspecting users will click and download malware.
How does the font-based obfuscation method work in Gootloader's campaign?
It swaps the visible appearance of letters using a custom font, so what looks like random characters in the HTML source appears as real words when rendered, making it harder for detection tools to flag malicious content.
What is the Supper SOCKS5 backdoor, and why is it significant?
Supper is a remote access tool used to maintain control over infected devices. It's linked to Vanilla Tempest, a ransomware affiliate known to work with multiple ransomware operators.
Why do the ZIP files behave differently across extraction tools?
The ZIP archives are malformed to exploit differences in how extraction tools handle the archive’s file metadata: the malicious content is extracted on some systems while the archive appears harmless on others, helping it evade sandbox detection.
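A defender-side triage check for the tool-dependent ZIP behaviour described above and in the "Going deeper" list: a ZIP archive stores each entry's metadata twice, once in a local file header and once in the central directory, and tools that trust different copies can extract different things. This added Python example is not code from the page or from any of the cited researchers; it parses both views independently and reports where they disagree. The sample archive, and the edited filename that makes the two views differ, are constructed for the test and do not reproduce any specific Gootloader archive.

```python
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"
CENTRAL_SIG = b"PK\x01\x02"
EOCD_SIG = b"PK\x05\x06"

def central_entries(data: bytes):
    """(name, local header offset) for each entry in the central directory, the view most extractors trust."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    count, _cd_size, cd_offset = struct.unpack_from("<HII", data, eocd + 10)
    entries, pos = [], cd_offset
    for _ in range(count):
        if data[pos:pos + 4] != CENTRAL_SIG:
            raise ValueError("central directory entry signature missing")
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        local_off = struct.unpack_from("<I", data, pos + 42)[0]
        name = data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        entries.append((name, local_off))
        pos += 46 + name_len + extra_len + comment_len
    return entries

def local_name(data: bytes, offset: int) -> str:
    """Filename from the local file header at `offset`, the view a streaming extractor sees."""
    if data[offset:offset + 4] != LOCAL_SIG:
        raise ValueError(f"no local file header at offset {offset}")
    name_len = struct.unpack_from("<H", data, offset + 26)[0]
    return data[offset + 30:offset + 30 + name_len].decode("utf-8", "replace")

def find_inconsistencies(data: bytes):
    """Findings where the two metadata views disagree; an empty list means they are consistent."""
    findings = []
    for cd_name, off in central_entries(data):
        lh_name = local_name(data, off)
        if lh_name != cd_name:
            findings.append(f"central directory says {cd_name!r}, local header says {lh_name!r}")
    return findings

def build_samples():
    """Constructed input: a clean archive, plus a copy whose local header filename was edited."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("template.txt", "constructed placeholder text")
    clean = buf.getvalue()
    tampered = clean.replace(b"template.txt", b"templates.js", 1)  # first hit is the local header
    return clean, tampered
```

Any finding means the archive's apparent contents depend on which tool opens it, which is reason to treat the download as suspect rather than extract it.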
How can individuals protect themselves from similar attacks?
Do not download templates or legal forms from unknown websites, use endpoint protection with behavioral detection, and verify URLs before interacting with downloads promoted through search engines.