
According to new research from Huntress, the malware known as GootLoader has reemerged after a brief spike in activity in early March of this year.
The cybersecurity firm said it has observed three GootLoader infections since October 27, 2025, two of which resulted in hands-on-keyboard intrusion, including a domain controller compromise that occurred within 17 hours of the initial infection.
“GootLoader is back, leveraging custom WOFF2 fonts with glyph substitution to obfuscate filenames,” security researcher Anna Pham said, adding that the malware “exploits WordPress comment endpoints to deliver XOR-encrypted ZIP payloads with unique keys for each file.”
GootLoader, which belongs to the threat actor tracked as Hive0127 (also known as UNC2565), is a JavaScript-based malware loader that is often distributed via search engine optimization (SEO) poisoning tactics that deliver additional payloads such as ransomware.

In a report published last September, Microsoft revealed that a threat actor called Vanilla Tempest received a handoff from a GootLoader infection run by Storm-0494 and used that access to drop a backdoor called Supper (also known as SocksShell or ZAPCAT) as well as AnyDesk for remote access. These attack chains led to the deployment of INC ransomware.
It is worth noting that Supper is also grouped with Interlock RAT (also known as NodeSnake), another malware primarily associated with the Interlock ransomware operation. “Although there is no direct evidence that Interlock used Supper, Interlock and Vice Society have each had ties to Rhysida at different times, suggesting potential overlap in the broader cybercriminal ecosystem,” Forescout noted last month.
And earlier this year, it was discovered that the attackers behind GootLoader used Google Ads to target victims searching for legal templates such as contracts on the search engine, redirecting them to compromised WordPress sites hosting malware-laced ZIP archives.

The latest attack sequence documented by Huntress shows that Bing searches for terms such as “missouri coverutilityeasement roadway” are used to trick unsuspecting users into downloading ZIP archives. Of note here is the use of custom web fonts to obfuscate the file names displayed in the browser, a step intended to defeat static analysis.
“So when a user tries to copy a filename or inspect the source code, they end up seeing strange characters like ‛›μI€vSO₽*’Oaμ==€ã‚33O%33ã€×:O[TM€v3cwv,” Pham explained.
“However, when rendered in a victim’s browser, these same characters are magically transformed into perfectly readable text like Florida_HOA_Committee_Meeting_Guide.pdf. This is achieved through a custom WOFF2 font file that Gootloader embeds directly into the page’s JavaScript code using Z85 encoding. Z85 encoding compresses 32KB of fonts into 40K of Base85. It is a variant of
We’ve also seen new techniques that modify ZIP files so that they unzip as harmless-looking .TXT files when opened with tools like VirusTotal, Python’s ZIP utility, and 7-Zip. In Windows File Explorer, the archive extracts the desired payload, a valid JavaScript file.
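Because the page says the substitution font arrives as a Z85 blob inside the page’s JavaScript, one defender-side check is to look for Z85 runs in script that decode to a WOFF2 header. The following is an added example, not Huntress’s or Pham’s code: it implements the Z85 codec from the ZeroMQ 32/Z85 spec and scans a constructed JavaScript snippet; the fake font bytes, the `SAMPLE_JS` wrapper and the 40-character minimum run length are all constructed assumptions.

```python
import re
# Z85 alphabet (ZeroMQ 32/Z85 spec): it omits quotes, backslash, comma and semicolon,
# which is why a blob embeds cleanly inside a JavaScript string literal.
Z85_ALPHABET = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ.-:+=^!/*?&<>()[]{}@%$#"
Z85_INDEX = {c: i for i, c in enumerate(Z85_ALPHABET)}
WOFF2_MAGIC = b"wOF2"  # first four bytes of every WOFF2 font file

def z85_encode(data: bytes) -> str:
    """Every 4 input bytes become 5 alphabet characters (big-endian base 85)."""
    if len(data) % 4:
        raise ValueError("Z85 input length must be a multiple of 4")
    out = []
    for i in range(0, len(data), 4):
        value = int.from_bytes(data[i:i + 4], "big")
        chunk = ""
        for _ in range(5):
            chunk = Z85_ALPHABET[value % 85] + chunk
            value //= 85
        out.append(chunk)
    return "".join(out)

def z85_decode(text: str) -> bytes:
    """Inverse of z85_encode; rejects groups that do not fit in 32 bits."""
    if len(text) % 5:
        raise ValueError("Z85 text length must be a multiple of 5")
    out = bytearray()
    for i in range(0, len(text), 5):
        value = 0
        for c in text[i:i + 5]:
            value = value * 85 + Z85_INDEX[c]
        if value > 0xFFFFFFFF:
            raise ValueError("Z85 group out of range")
        out += value.to_bytes(4, "big")
    return bytes(out)

# 40+ consecutive alphabet characters (assumed threshold) is treated as a candidate blob;
# commas, semicolons and quotes are outside the alphabet, so they terminate a run.
Z85_RUN = re.compile(r"[0-9A-Za-z.\-:+=^!/*?&<>()\[\]{}@%$#]{40,}")
def find_z85_fonts(js_source: str) -> list:
    """Return (offset, first 16 decoded bytes) for each run that decodes to a WOFF2 header."""
    hits = []
    for m in Z85_RUN.finditer(js_source):
        try:
            head = z85_decode(m.group(0)[:20])  # 20 chars -> 16 bytes, enough for the magic
        except (ValueError, KeyError):
            continue
        if head.startswith(WOFF2_MAGIC):
            hits.append((m.start(), head))
    return hits

# Constructed sample: a fake 16-byte WOFF2 header, tripled and embedded in page script
FAKE_WOFF2 = WOFF2_MAGIC + b"\x00\x01\x00\x00\x00\x00\x80\x00\x00\x05\x00\x00"
SAMPLE_JS = 'var g="' + z85_encode(FAKE_WOFF2 * 3) + '";var f=new FontFace("h",g);'
```

A hit only says a font is being delivered inside script rather than through CSS; legitimate pages occasionally do that too, so treat it as a triage signal and inspect whether the decoded font remaps glyphs for displayed file names.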

“This simple evasion technique buys the attacker time by hiding the true nature of the payload from automated analysis,” a security researcher who has been tracking the malware for years under the pseudonym “GootLoader” said of the evolution.
The JavaScript payload present within the archive is designed to deploy Supper, a backdoor capable of remote control and SOCKS5 proxying. In at least one instance, the attacker allegedly used Windows Remote Management (WinRM) to move laterally to a domain controller and create a new user with administrator-level access.
“The Supper SOCKS5 backdoor uses tedious obfuscation to protect simple functionality. API hammering, runtime shellcode construction, and custom encryption add headaches to analysis, but the core functionality, SOCKS proxying and remote shell access, remains intentionally basic,” Huntress said.
“This ‘good enough’ approach proves that attackers do not need state-of-the-art exploits when properly obfuscated basic tools accomplish their goals.”
