Gootloader Returns: What Goodies Did They Bring?
Gootloader, a sophisticated JavaScript-based malware loader, has resurfaced with renewed activity. Used by threat actor Storm-0494, it grants access to Vanilla Tempest, which delivers various ransomware families. Recent infections have led to rapid domain controller compromises. The loader now uses custom WOFF2 fonts with glyph substitution to obfuscate filenames and exploits WordPress comment endpoints for payload delivery. It has shifted to Startup folder persistence and employs extensive obfuscation techniques. Reconnaissance begins quickly after infection, followed by predictable attack patterns including AD enumeration, lateral movement, and potential ransomware preparation. The loader's delivery method and obfuscation techniques have evolved, making it more challenging to detect and analyze.
AI Analysis
Technical Summary
Gootloader is a JavaScript-based malware loader that has re-emerged with new capabilities and techniques, operated by the threat actor group Storm-0494. It functions as a loader for Vanilla Tempest, a malware family that delivers multiple ransomware variants. The recent campaign features advanced obfuscation using custom WOFF2 fonts with glyph substitution, which complicates static and dynamic analysis by hiding filenames and payload indicators. The loader exploits WordPress comment endpoints to deliver its payload, leveraging SEO poisoning techniques to increase infection rates.

Upon successful infection, Gootloader establishes persistence via the Windows Startup folder rather than traditional registry or scheduled task methods, evading some common detection mechanisms. Early post-infection behavior includes rapid reconnaissance activities such as Active Directory enumeration, credential harvesting, and lateral movement within the network. These actions facilitate the compromise of domain controllers, enabling the deployment of ransomware families like Noberus, Quantum Locker, BlackCat, and Alphv. The malware uses extensive obfuscation and anti-analysis techniques, including code encryption and polymorphism, to avoid detection by security tools.

The attack chain is characterized by predictable stages, starting with initial infection, proceeding through reconnaissance and lateral movement, and culminating in ransomware deployment. The use of WordPress comment endpoints as a delivery vector highlights the exploitation of web infrastructure common in many organizations. This evolution in tactics, techniques, and procedures (TTPs) increases the difficulty of detection and response, requiring defenders to adapt their monitoring and mitigation strategies accordingly.
Potential Impact
For European organizations, the resurgence of Gootloader presents significant risks, particularly to entities relying on WordPress-based web infrastructure and Active Directory for internal network management. Successful infections can lead to rapid domain controller compromises, resulting in full network control loss, data exfiltration, and ransomware deployment. The ransomware families associated with this loader are known for encrypting critical data and demanding substantial ransoms, potentially causing severe operational disruptions and financial losses. The obfuscation techniques and use of legitimate web components for delivery increase the likelihood of bypassing traditional security controls, raising the risk of undetected intrusions. Organizations in sectors such as finance, healthcare, government, and critical infrastructure, which often have complex AD environments and public-facing WordPress sites, are particularly vulnerable. The threat also increases the risk of supply chain attacks if compromised WordPress sites serve as vectors to downstream partners. Overall, the impact includes confidentiality breaches, integrity violations through ransomware encryption, and availability loss due to operational downtime.
Mitigation Recommendations
To mitigate the threat posed by Gootloader, European organizations should implement the following specific measures:
1) Harden WordPress installations by disabling or tightly controlling comment functionality, applying the latest security patches, and using web application firewalls (WAFs) configured to detect and block malicious payloads delivered via comment endpoints.
2) Deploy advanced detection capabilities that can identify WOFF2 font glyph substitution obfuscation, including behavioral analysis tools that monitor for unusual font file usage or decoding attempts.
3) Monitor Active Directory for early signs of enumeration and lateral movement, such as unusual LDAP queries, unexpected account privilege escalations, and anomalous logon patterns.
4) Enforce strict application whitelisting and restrict execution from user Startup folders to prevent persistence of unauthorized binaries.
5) Implement network segmentation to limit lateral movement opportunities and isolate critical assets like domain controllers.
6) Conduct regular threat hunting exercises focusing on indicators of compromise related to Gootloader and associated ransomware families.
7) Educate IT and security teams about the evolving TTPs of this threat, emphasizing the importance of early detection and rapid incident response.
8) Maintain offline, tested backups to enable recovery in the event of ransomware encryption.
These targeted actions go beyond generic advice by addressing the specific delivery and persistence mechanisms used by Gootloader.
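The monitoring side of recommendation 4, as an added example that is not code from the page, Huntress or AlienVault: a small check over file-create telemetry that flags script or shortcut files landing in a Windows Startup folder, rated higher when the writer is a script host. The records are constructed to resemble Sysmon Event ID 11 exported as JSON lines; the field names and paths are assumptions, not real indicators.

```python
"""Flag script-like files created in a Windows Startup folder (added example)."""
import json
import re

# Per-user and all-users Startup folder paths, matched case-insensitively.
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
# Extensions a JavaScript-based loader would plausibly drop or point a shortcut at.
SUSPICIOUS_EXT = {".js", ".jse", ".wsf", ".vbs", ".lnk", ".hta", ".cmd", ".bat"}
# Script hosts: a Startup write from one of these is higher confidence than,
# say, a user dragging a shortcut in with explorer.exe.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}


def extension(path):
    """Lower-cased extension of a Windows path, '' if none."""
    m = re.search(r"(\.[^.\\/]+)$", path)
    return m.group(1).lower() if m else ""


def classify(event):
    """Return 'high', 'medium' or None for one FileCreate event dict."""
    if event.get("EventID") != 11:          # only Sysmon FileCreate records
        return None
    target = event.get("TargetFilename", "")
    if not STARTUP_RE.search(target) or extension(target) not in SUSPICIOUS_EXT:
        return None
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    return "high" if image in SCRIPT_HOSTS else "medium"


def scan(lines):
    """Run classify over JSON-lines telemetry; return (severity, image, target) hits."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        severity = classify(event)
        if severity:
            hits.append((severity, event["Image"], event["TargetFilename"]))
    return hits


# Constructed sample telemetry (assumed field names, not real IoCs).
# Backslashes are doubled because the records are JSON.
SAMPLE_LOG = r"""
{"EventID": 11, "Image": "C:\\Windows\\System32\\wscript.exe", "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Invoice_Agreement.js"}
{"EventID": 11, "Image": "C:\\Windows\\explorer.exe", "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Notes.lnk"}
{"EventID": 11, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "TargetFilename": "C:\\Users\\alice\\Downloads\\contract.js"}
{"EventID": 11, "Image": "C:\\Windows\\System32\\msiexec.exe", "TargetFilename": "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\Updater.exe"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\wscript.exe", "CommandLine": "wscript.exe Invoice_Agreement.js"}
"""

if __name__ == "__main__":
    for severity, image, target in scan(SAMPLE_LOG.splitlines()):
        print(f"[{severity.upper():6}] {image} -> {target}")
```

Only the wscript.exe write and the explorer.exe shortcut are reported; the Downloads write, the .exe drop and the process-creation record are skipped, so pair this with an allow-list review of .exe and .lnk files in Startup if those matter in your environment.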
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland, Belgium
Indicators of Compromise
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.huntress.com/blog/gootloader-threat-detection-woff2-obfuscation
- Adversary: Storm-0494
- Pulse Id: 690cadc6a4a3c3370cc2e697
- Threat Score: null
Threat ID: 690cb1e3ad97a06a3c494305
Added to database: 11/6/2025, 2:34:11 PM
Last enriched: 11/6/2025, 2:36:28 PM
Last updated: 12/21/2025, 8:31:25 PM