GootLoader Is Back, Using a New Font Trick to Hide Malware on WordPress Sites
The malware known as GootLoader has resurfaced yet again after a brief spike in activity earlier this March, according to new findings from Huntress. The cybersecurity company said it observed three GootLoader infections since October 27, 2025, out of which two resulted in hands-on keyboard intrusions with domain controller compromise taking place within 17 hours of initial infection.
AI Analysis
Technical Summary
GootLoader is a JavaScript-based malware loader that has re-emerged with new evasion and obfuscation techniques, delivered from compromised WordPress sites. The new trick is a custom WOFF2 web font with substituted glyphs: the HTML source contains a run of characters that reads as nonsense to a scanner or to anyone viewing the source, but the font draws those characters as the letters of a plausible document filename, so the visitor sees a readable name in the browser. Text-based static analysis and manual source inspection therefore never see the filename the victim sees.

Payloads are delivered through the compromised site's WordPress comment endpoint as XOR-encrypted ZIP archives, each encrypted with a unique key, containing JavaScript that installs the Supper backdoor. Supper provides remote shell access and a SOCKS5 proxy, giving the operator interactive control of the host and a pivot point into the network. The archives add a second, parser-level trick: common analysis tools unpack them to a harmless .TXT file, while Windows Explorer extracts a valid JavaScript payload, so the sample an analyst examines is not the file the victim runs.

The observed intrusions escalated quickly to hands-on keyboard activity, including lateral movement to domain controllers over Windows Remote Management (WinRM) and the creation of new administrative accounts, resulting in full network compromise. Distribution relies on SEO poisoning and malicious Google Ads campaigns that redirect people searching for legal or utility-related documents to the compromised WordPress sites. The operator is tracked as Hive0127 (UNC2565) and works with other groups that deploy ransomware such as INC and Interlock. None of the tooling involves an exploit; well-obfuscated commodity techniques combined with good operational security were enough.
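The XOR-encrypted archives are one place an analyst can work without being handed the key: a ZIP's fixed signatures give known plaintext at known offsets. The script below is an added illustration, not code from Huntress or from the article. It recovers a repeating-key XOR key from the local-file-header signature at offset 0 and the end-of-central-directory record at the end of the file, then validates each candidate by actually parsing the archive. Keys of up to 8 bytes are always fully determined by those known bytes; longer keys are recovered only when the known offsets happen to cover every key position. The sample archive, its filename and the key are constructed for the demo, and nothing about the real campaign's key length or format is assumed beyond "XOR-encrypted ZIP with no archive comment".

```python
"""Recover a short repeating-key XOR key from an XOR-encrypted ZIP archive.

Added example (not the article's or Huntress's code). The only assumption about the
sample is that it is a plain ZIP XORed with a repeating key and has no archive comment,
so the 22-byte end-of-central-directory (EOCD) record sits at the very end.
"""
import io
import zipfile
import zlib

LOCAL_SIG = b"PK\x03\x04"   # first 4 bytes of every ZIP local file header
EOCD_SIG = b"PK\x05\x06"    # first 4 bytes of the EOCD record


def xor_bytes(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def known_plaintext(length: int) -> dict:
    """Offsets whose plaintext value every comment-less single-disk ZIP must have."""
    known = {i: b for i, b in enumerate(LOCAL_SIG)}
    eocd = length - 22
    # EOCD: signature, disk number (0), disk where CD starts (0) -> 8 consecutive known bytes
    for i, b in enumerate(EOCD_SIG + b"\x00\x00\x00\x00"):
        known[eocd + i] = b
    known[length - 2] = 0   # archive comment length: two zero bytes
    known[length - 1] = 0
    return known


def recover_key(blob: bytes, max_keylen: int = 16):
    """Return (key, decrypted_zip) or (None, None).

    Tries key lengths from 1 upward. A length is accepted only if every known-plaintext
    offset agrees on the key byte for its position, every key byte is determined, and the
    decrypted bytes parse as a ZIP whose member CRCs check out.
    """
    known = known_plaintext(len(blob))
    for keylen in range(1, max_keylen + 1):
        key = [None] * keylen
        consistent = True
        for off, plain in known.items():
            k, slot = blob[off] ^ plain, off % keylen
            if key[slot] is None:
                key[slot] = k
            elif key[slot] != k:
                consistent = False
                break
        if not consistent or None in key:
            continue          # conflicting or under-determined for this length
        candidate = bytes(key)
        decrypted = xor_bytes(blob, candidate)
        try:
            with zipfile.ZipFile(io.BytesIO(decrypted)) as zf:
                if zf.testzip() is None:   # None means every member's CRC matched
                    return candidate, decrypted
        except (zipfile.BadZipFile, zlib.error, ValueError):
            continue
    return None, None


def make_sample_zip(name: str = "contract_template.js",
                    body: bytes = b"WScript.Echo('constructed sample');\n") -> bytes:
    """Constructed stand-in for a captured archive; not a real GootLoader sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, body)
    return buf.getvalue()


def demo(key: bytes = b"\x13\x37\xc0\xde\x42"):
    """Encrypt the sample with a 5-byte key, forget the key, recover it from the ciphertext."""
    encrypted = xor_bytes(make_sample_zip(), key)
    recovered, decrypted = recover_key(encrypted)
    names = zipfile.ZipFile(io.BytesIO(decrypted)).namelist() if decrypted else []
    return recovered, names


if __name__ == "__main__":
    print(demo())   # prints the recovered key and ['contract_template.js']
```

Because each GootLoader archive is encrypted with its own key, a recovered key is useful only for the sample it came from; the point of the script is that the ZIP structure itself, not the key, is the constant an analyst can lean on.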
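The ".TXT in one tool, .JS in Explorer" behaviour is an instance of a broader class: a ZIP stores each member's name twice, once in the local file header and once in the central directory, and different extractors trust different copies. The article does not document which fields the GootLoader archives manipulate, so the checker below (an added example, not Huntress's or the article's code) does the generic thing an analyst should do with any archive that behaves differently across tools: walk both structures independently and report where they disagree. The tampered archive is constructed inside the script.

```python
"""Flag ZIP archives whose local file headers and central directory disagree.

Added example, not code from the article or from Huntress. It relies only on the
documented ZIP layout; the tampered archive is constructed inside the script.
"""
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"
CENTRAL_SIG = b"PK\x01\x02"
EOCD_SIG = b"PK\x05\x06"


def central_directory(data: bytes):
    """Yield (name, local_header_offset) from the central directory.

    Most extractors, and Python's zipfile.namelist(), list members from this structure.
    """
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    # EOCD: sig(4) disk(2) cd_disk(2) entries_disk(2) entries(2) cd_size(4) cd_offset(4) comment_len(2)
    entries = struct.unpack_from("<H", data, eocd + 10)[0]
    pos = struct.unpack_from("<I", data, eocd + 16)[0]
    for _ in range(entries):
        if data[pos:pos + 4] != CENTRAL_SIG:
            raise ValueError(f"bad central directory signature at offset {pos}")
        # fixed part is 46 bytes; name/extra/comment lengths at +28, local header offset at +42
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        local_off = struct.unpack_from("<I", data, pos + 42)[0]
        name = data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        yield name, local_off
        pos += 46 + name_len + extra_len + comment_len


def local_header_name(data: bytes, off: int) -> str:
    """Name stored in the local file header (what stream-oriented extractors see)."""
    if data[off:off + 4] != LOCAL_SIG:
        raise ValueError(f"bad local file header signature at offset {off}")
    # fixed part is 30 bytes; name length at +26
    name_len = struct.unpack_from("<H", data, off + 26)[0]
    return data[off + 30:off + 30 + name_len].decode("utf-8", "replace")


def find_discrepancies(data: bytes):
    """Return [(central_name, local_name)] for every member whose two names differ."""
    mismatches = []
    for name, off in central_directory(data):
        local = local_header_name(data, off)
        if local != name:
            mismatches.append((name, local))
    return mismatches


def make_sample_zip(name: str) -> bytes:
    """Constructed archive standing in for a captured sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, b"WScript.Echo('constructed sample');\n")
    return buf.getvalue()


def tamper_local_name(data: bytes, old: str, new: str) -> bytes:
    """Rewrite only the first local header's name (same length, so no offsets move)."""
    if len(old) != len(new):
        raise ValueError("replacement must keep the name length")
    off = data.find(LOCAL_SIG)
    name_len = struct.unpack_from("<H", data, off + 26)[0]
    if data[off + 30:off + 30 + name_len] != old.encode():
        raise ValueError("unexpected local header name")
    return data[:off + 30] + new.encode() + data[off + 30 + name_len:]


def demo():
    """Clean archive reports nothing; the tampered one shows the two names side by side."""
    clean = make_sample_zip("contract.js")
    tampered = tamper_local_name(clean, "contract.js", "contrac.txt")
    return find_discrepancies(clean), find_discrepancies(tampered)


if __name__ == "__main__":
    print(demo())
```

In the tampered archive Python's zipfile still lists contract.js, because namelist() reads the central directory, and CPython refuses to open() the member once it notices the local header disagrees; other extractors silently pick one copy or the other. Any archive that fails this check deserves a look at both views before trusting what a single tool extracted.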
Potential Impact
Two populations in Europe are exposed. Users in organizations whose staff search for legal or utility-related document templates can be redirected by poisoned search results or malicious ads to a compromised site and tricked into opening the archive; organizations running WordPress are at risk of having their sites compromised and turned into hosting and delivery infrastructure for the campaign. The escalation from initial infection to domain controller compromise within 17 hours shows how quickly a single opened archive can become a network-wide breach, with loss of confidentiality, integrity, and availability of critical systems. The Supper backdoor gives the operator persistent remote access and a SOCKS5 proxy, which supports data exfiltration, lateral movement, and ransomware deployment. Because the archives defeat common analysis tools and the font trick deceives users, dwell times are likely to be longer and incident response slower than usual. The targeting of legal and utility-related search terms points at sectors such as legal services, utilities, and public administration. The involvement of ransomware groups raises the risk of financial loss, operational disruption, and reputational damage. Overall, the threat poses a medium to high risk to European enterprises, especially those with exposed WordPress infrastructure and insufficient endpoint and network monitoring.
Mitigation Recommendations
1. For WordPress site operators: harden installations by disabling or strictly controlling comment endpoints, and deploy a Web Application Firewall (WAF) with rules that detect and block malicious payloads and unusual POST requests to those endpoints.
2. Employ threat detection capable of analyzing obfuscated JavaScript and custom font usage, including behavioral analysis and sandboxing that can cope with evasion techniques such as glyph substitution and ZIP archives that unpack differently in different tools.
3. Monitor DNS and web traffic for SEO poisoning indicators and suspicious redirects, especially for searches related to legal and utility terms.
4. Enforce strict access controls and multi-factor authentication on domain controllers and critical systems to prevent lateral movement and privilege escalation.
5. Implement network segmentation to limit the spread of intrusions and restrict WinRM and other remote management protocols to authorized systems only.
6. Conduct regular threat hunting and incident response exercises focused on detecting hands-on keyboard activity (new accounts, new privileged group members, WinRM sessions to domain controllers) and backdoor communications such as SOCKS5 proxy traffic.
7. Educate users and administrators about the risks of downloading files from untrusted sources and of filenames that may be obfuscated. Because the payload is a JavaScript file the user opens from a downloaded archive, a general hardening measure worth applying is to stop Windows Script Host from running scripts out of user-writable locations, or to associate .js files with a text editor instead of the script host.
8. Keep WordPress core, plugins, and themes up to date and remove unused components to reduce attack surface.
9. Use endpoint detection and response (EDR) tooling able to detect runtime shellcode construction and API hammering behaviors characteristic of Supper backdoor activity.
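The two intrusions Huntress describes went from initial infection to domain controller compromise in under 17 hours, with new admin accounts created along the way. An account that is created and then promoted to a privileged group within a short window is cheap to hunt for in Windows Security log data. The correlation below is an added example, not code from the article or from Huntress. It runs over constructed, already-normalized event records whose fields follow the EventData of 4720 (user account created), 4728 (member added to a security-enabled global group) and 4732 (member added to a security-enabled local group); the hosts, user names and timestamps are invented for the demo.

```python
"""Hunt for accounts created and promoted to a privileged group within a short window.

Added example (not from the article or Huntress). Events are constructed, normalized
records; in production they would come from a SIEM query over Windows Security logs.
"""
from datetime import datetime

# Groups whose membership grants domain- or host-wide control. "Remote Management Users"
# is included because WinRM access is exactly what the observed intrusions used.
PRIVILEGED_GROUPS = {
    "Domain Admins", "Enterprise Admins", "Administrators", "Remote Management Users",
}
ACCOUNT_CREATED = 4720
GROUP_ADD = {4728, 4732}   # global group / local group membership added


def find_rapid_privilege_grants(events, window_minutes: float = 60):
    """Return one finding per (account, group) promoted within window_minutes of creation.

    events: iterable of dicts with keys time (ISO 8601), event_id, host, actor, and
    either new_account (4720) or member + group (4728/4732).
    """
    created = {}   # account (lower-case) -> (created_at, actor, host)
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        if ev["event_id"] == ACCOUNT_CREATED:
            created[ev["new_account"].lower()] = (t, ev["actor"], ev["host"])
        elif ev["event_id"] in GROUP_ADD and ev["group"] in PRIVILEGED_GROUPS:
            hit = created.get(ev["member"].lower())
            if hit is None:
                continue
            minutes = (t - hit[0]).total_seconds() / 60
            if minutes <= window_minutes:
                findings.append({
                    "account": ev["member"],
                    "group": ev["group"],
                    "created_by": hit[1],
                    "promoted_by": ev["actor"],
                    "host": ev["host"],
                    "minutes_between": round(minutes, 1),
                })
    return findings


# Constructed sample: a routine helpdesk onboarding, then an attacker on DC01 creating a
# service-looking account and dropping it into Domain Admins a few minutes later.
SAMPLE_EVENTS = [
    {"time": "2025-11-03T09:12:00", "event_id": 4720, "host": "DC01",
     "actor": "helpdesk01", "new_account": "j.mueller"},
    {"time": "2025-11-03T09:13:30", "event_id": 4728, "host": "DC01",
     "actor": "helpdesk01", "member": "j.mueller", "group": "Domain Users"},
    {"time": "2025-11-04T02:41:10", "event_id": 4720, "host": "DC01",
     "actor": "lmiller", "new_account": "svc_backup2"},
    {"time": "2025-11-04T02:44:52", "event_id": 4728, "host": "DC01",
     "actor": "lmiller", "member": "svc_backup2", "group": "Domain Admins"},
    {"time": "2025-11-04T02:45:10", "event_id": 4732, "host": "DC01",
     "actor": "lmiller", "member": "svc_backup2", "group": "Remote Management Users"},
    # Same helpdesk account promoted three days later: outside the window, not flagged.
    {"time": "2025-11-06T10:00:00", "event_id": 4732, "host": "DC01",
     "actor": "helpdesk01", "member": "j.mueller", "group": "Administrators"},
]

if __name__ == "__main__":
    for finding in find_rapid_privilege_grants(SAMPLE_EVENTS):
        print(finding)
```

The window is the tunable: one hour catches the "create, promote, move on" pattern of a hands-on operator while leaving routine onboarding (where promotion, if any, usually comes later and from a different actor) below the threshold. Pair the finding with the originating WinRM session on the domain controller to get from the alert to the compromised workstation.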
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland
Technical Details
Article Source: https://thehackernews.com/2025/11/gootloader-is-back-using-new-font-trick.html (fetched 2025-11-11T15:45:39Z, 1244 words)
Threat ID: 69135a23b36faa5b6c0e4fc2
Added to database: 11/11/2025, 3:45:39 PM
Last enriched: 11/11/2025, 3:45:53 PM
Last updated: 11/13/2025, 8:03:30 AM