The malware known as GootLoader has resurfaced yet again after a brief spike in activity earlier this March, according to new findings from Huntress.
The cybersecurity company said it observed three GootLoader infections since October 27, 2025, out of which two resulted in hands-on keyboard intrusions with domain controller compromise taking place within 17 hours of initial infection.
“GootLoader is back and now leveraging custom WOFF2 fonts with glyph substitution to obfuscate filenames,” security researcher Anna Pham said, adding the malware “exploits WordPress comment endpoints to deliver XOR-encrypted ZIP payloads with unique keys per file.”
GootLoader, affiliated with a threat actor tracked as Hive0127 (aka UNC2565), is a JavaScript-based malware loader that’s often distributed via search engine optimization (SEO) poisoning tactics to deliver additional payloads, including ransomware.
In a report published last September, Microsoft revealed the threat actor referred to as Vanilla Tempest receives hand-offs from GootLoader infections by the threat actor Storm-0494, leveraging the access to drop a backdoor called Supper (aka SocksShell or ZAPCAT), as well as AnyDesk for remote access. These attack chains have led to the deployment of INC ransomware.
It’s worth noting that Supper has also been grouped together with Interlock RAT (aka NodeSnake), another malware primarily associated with Interlock ransomware. “While there is no direct evidence of Interlock using Supper, both Interlock and Vice Society have been associated with Rhysida at different times, suggesting possible overlaps in the broader cybercriminal ecosystem,” Foresecout noted last month.
Then, earlier this year, the threat actor behind GootLoader was found to have leveraged Google Ads to target victims looking for legal templates, such as agreements, on search engines to redirect them to compromised WordPress sites hosting malware-laced ZIP archives.
The latest attack sequence documented by Huntress shows that searches for terms like “missouri cover utility easement roadway” on Bing are being used to direct unsuspecting users to deliver the ZIP archive. What’s notable this time around is the use of a custom web font to obfuscate the filenames displayed on the browser so as to defeat static analysis methods.
“So, when the user attempts to copy the filename or inspect the source code – they will see weird characters like ‛›μI€vSO₽*’Oaμ==€‚‚33O%33‚€×:O[TM€v3cwv,,” Pham explained.
“However, when rendered in the victim’s browser, these same characters magically transform into perfectly readable text like Florida_HOA_Committee_Meeting_Guide.pdf. This is achieved through a custom WOFF2 font file that Gootloader embeds directly into the JavaScript code of the page using Z85 encoding, a Base85 variant that compresses the 32KB font into a 40K.”
Also observed is a new trick that modifies the ZIP file…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
