New analysis reveals that Gootloader has evolved from a simple loader into a complex gateway for ransomware, specifically bridging the gap between Initial Access Brokers (IABs) and aggressive ransomware operators like Vanilla Tempest.
The Evolution of Evasion
The most striking feature of this new campaign is the implementation of a multi-layered evasion strategy designed to blind both static analysis tools and automated web crawlers.
1. Web Evasion via WOFF2 (The Invisible Lure)
Gootloader developers have introduced a method of hiding the malicious filename behind a custom WOFF2 (Web Open Font Format 2) web font. The characters that actually sit in the HTML for the download link are not the filename's real letters; the font served with the page draws each of those characters as a different letter, so the browser renders a plausible document name while the text a scraper or scanner extracts from the markup is a meaningless string that matches no known-bad filename. The technique exploits the gap between the machine-readable markup and what the browser renders: the filename exists only in the font's rendering logic, not in the HTML data layer.
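The gap between the two views can be demonstrated with a small scanner. The following is an added example written for this article, not code from the campaign or from any vendor report; the page markup, the font name "lure", the CSS class "dl" and the glyph table are all constructed for illustration (a real table comes from rendering the font's glyphs, which this example stands in for). The check itself is the useful part: find anchors styled with a font the page defines itself, and treat their DOM text as untrusted until it has been rendered through the font.

```python
import re
from html.parser import HTMLParser

# Constructed sample page (not taken from a real lure): the download link's DOM text is
# scrambled, and a page-defined web font is applied to it so the browser draws real letters.
SAMPLE_HTML = """<html><head><style>
@font-face { font-family: "lure"; src: url("/wp-content/uploads/lure.woff2") format("woff2"); }
.dl { font-family: "lure"; }
</style></head><body>
<p>Download: <a class="dl" href="/download.php?id=42">ilixbqdm_tmizvqvo_iozmmumvb.hqx</a></p>
<p><a href="/about">About us</a></p>
</body></html>"""

# Hypothetical glyph table standing in for what the font's outlines actually draw: the
# DOM character on the left renders as the letter on the right. An investigation recovers
# this by rendering the font's glyphs (or reading its cmap/glyf tables), not by guessing.
GLYPH_MAP = {chr(97 + (i + 8) % 26): chr(97 + i) for i in range(26)}

FONT_FACE_RE = re.compile(r'@font-face\s*\{[^}]*font-family:\s*"([^"]+)"')
CLASS_FONT_RE = re.compile(r'\.([\w-]+)\s*\{[^}]*font-family:\s*"([^"]+)"')


class LinkCollector(HTMLParser):
    """Collect page-defined font families, the CSS classes that use them, and all anchors."""

    def __init__(self):
        super().__init__()
        self.font_families = set()   # families declared with @font-face in this page
        self.class_fonts = set()     # (css class, font family) pairs
        self.links = []              # {"href", "class", "text"} per anchor
        self._in_style = False
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "style":
            self._in_style = True
        elif tag == "a":
            self._current = {"href": a.get("href", ""), "class": a.get("class", ""), "text": ""}

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False
        elif tag == "a" and self._current is not None:
            self.links.append(self._current)
            self._current = None

    def handle_data(self, data):
        if self._in_style:
            self.font_families.update(FONT_FACE_RE.findall(data))
            self.class_fonts.update(CLASS_FONT_RE.findall(data))
        elif self._current is not None:
            self._current["text"] += data


def lure_links(html):
    """Anchors styled with a font the page itself defines: the links whose DOM text
    cannot be trusted without rendering."""
    p = LinkCollector()
    p.feed(html)
    custom_classes = {cls for cls, fam in p.class_fonts if fam in p.font_families}
    return [l for l in p.links if set(l["class"].split()) & custom_classes]


def render(dom_text, glyph_map):
    """What the victim sees once the font maps each DOM character to its drawn letter."""
    return "".join(glyph_map.get(ch, ch) for ch in dom_text)


if __name__ == "__main__":
    for link in lure_links(SAMPLE_HTML):
        print("scraper sees :", link["text"])
        print("victim sees  :", render(link["text"], GLYPH_MAP))
```

A string match on the DOM text ("adaptive", ".zip") finds nothing; only the rendered form does. The practical consequence for crawler-based scanning is that a page-defined @font-face applied to a download link is itself worth flagging, because that is the precondition for the trick.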
2. Endpoint Evasion: The "8.3" Filename Trick
Once the malware reaches the endpoint, it uses a legacy Windows feature to sidestep detection rules. Instead of invoking the malicious JavaScript file by its full, human-readable name, the malware references its Windows 8.3 short filename (e.g., ADAPTI~1.JS). NTFS generates these DOS-compatible aliases automatically for long filenames, so a command-line detection that looks for the long, specific filename string never sees it. Two practical notes for defenders: the alias only exists where 8.3 name creation is enabled for the volume (the default on the system drive; fsutil 8dot3name query reports the setting), and on a live host the short name can be mapped back to the long name with dir /x in the containing folder.
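Detection logic that does not depend on the long filename is straightforward. The following is an added example for this article, not code from any vendor or from the campaign: it models how Windows derives the 8.3 alias (simplified; the hash-based aliases NTFS switches to after repeated collisions are not modelled) and then classifies process-creation command lines by what actually matters, the script host, the presence of a tilde alias, and whether the script lives in a user-writable location. The command lines are constructed sample data.

```python
import re
from pathlib import PureWindowsPath

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh"}
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\downloads\\", "\\programdata\\")
# Shape of an 8.3 alias: up to 6 legal chars, "~" plus a number, optional 1-3 char extension.
SHORT_NAME_RE = re.compile(r"^[A-Z0-9_$#&@!%'(){}^-]{1,6}~\d+(?:\.[A-Z0-9_$#&@!%'(){}^-]{1,3})?$", re.I)
ILLEGAL = re.compile(r"[^A-Z0-9_$#&@!%'(){}^-]")   # chars Windows drops when building the alias


def short_name(long_name, collision=1):
    """Simplified model of the alias Windows generates for a long name: uppercase, drop
    spaces and other illegal characters, keep 6 chars plus "~N", 3-char extension.
    Names that are already valid 8.3 names get no alias."""
    stem, dot, ext = long_name.rpartition(".")
    if not dot:
        stem, ext = long_name, ""
    s, e = ILLEGAL.sub("", stem.upper()), ILLEGAL.sub("", ext.upper())[:3]
    already_short = s == stem.upper() and e == ext.upper() and 0 < len(s) <= 8 and len(e) <= 3
    if already_short:
        return s + ("." + e if e else "")
    return s[:6] + "~" + str(collision) + ("." + e if e else "")


def tokenize(cmdline):
    """Split a Windows command line, keeping quoted paths with spaces intact."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def analyze(cmdline):
    """Classify one process-creation command line. Returns None for non script hosts,
    otherwise the script path and the reasons it looks suspicious (possibly none)."""
    toks = tokenize(cmdline)
    if not toks or PureWindowsPath(toks[0]).name.lower() not in SCRIPT_HOSTS:
        return None
    for tok in toks[1:]:
        if tok.startswith("/"):            # host switches such as //B or //e:jscript
            continue
        p = PureWindowsPath(tok)
        if p.suffix.lower() not in SCRIPT_EXTS:
            continue
        reasons = []
        if SHORT_NAME_RE.match(p.name):
            reasons.append("script referenced by 8.3 alias")
        if any(d in str(p).lower() for d in USER_WRITABLE):
            reasons.append("script in user-writable location")
        return {"host": toks[0], "script": str(p), "reasons": reasons}
    return {"host": toks[0], "script": None, "reasons": []}


def triage(cmdlines):
    """Return the analyses that carry at least one reason, in input order."""
    return [r for r in map(analyze, cmdlines) if r and r["reasons"]]


# Constructed sample command lines (not from real telemetry): one alias-based launch from
# a user profile, two legitimate script-host uses, one unrelated process.
SAMPLE_CMDLINES = [
    r'wscript.exe "C:\Users\victim\AppData\Roaming\ADAPTI~1.JS"',
    r'C:\Windows\System32\cscript.exe C:\Windows\System32\slmgr.vbs /dlv',
    r'wscript.exe //B "C:\PROGRA~1\Vendor\maintenance.vbs"',
    r'"C:\Program Files\Vendor\updater.exe" /silent',
]

if __name__ == "__main__":
    print(short_name("Adaptive Learning Agreement.js"))
    for hit in triage(SAMPLE_CMDLINES):
        print(hit)
```

Note the third sample: a short name in a directory component (PROGRA~1) is common in legitimate installers and scheduled tasks, which is why the alias check is applied to the script's own basename rather than to the whole path. Pair the alias rule with the location rule so that a long-named script dropped in %AppData% is still caught.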
3. Persistence Shift: From Tasks to Shortcuts
The new campaigns achieve persistence by creating LNK (shortcut) files in the Windows Startup folder. These shortcuts do not launch the malware directly; instead, they point to further shortcuts hidden in seemingly benign directories, producing a convoluted chain of redirects that ends in the JavaScript payload. A review of the Startup folder that only reads the first shortcut's target therefore sees nothing alarming; the chain has to be followed to its end.
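Following such a chain only needs the shell link (.lnk) header, LinkInfo and StringData structures from the MS-SHLLINK format. The following is an added example for this article, not tooling from any vendor or from the campaign: a minimal parser that extracts a shortcut's target and arguments, a resolver that walks shortcut-to-shortcut until it reaches a non-shortcut, and a triage rule. The directory names and the in-memory "filesystem" are constructed; the LNK bytes are produced by a deliberately minimal builder (no ID list, no VolumeID) so the example runs offline. On a live host, replace the dictionary lookup with reading the file from disk.

```python
import struct

# CLSID 00021401-0000-0000-C000-000000000046 as it appears on disk (little-endian fields)
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_DATA = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
               (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
               (HAS_ICON_LOCATION, "icon_location"))
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf")


def build_lnk(target, arguments=""):
    """Minimal shell link (constructed test data): header, a LinkInfo carrying LocalBasePath,
    and an optional COMMAND_LINE_ARGUMENTS string. Not a complete writer."""
    flags = HAS_LINK_INFO | IS_UNICODE | (HAS_ARGUMENTS if arguments else 0)
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, 1, 0, 0, 0, 0)          # 76 bytes
    path = target.encode("cp1252") + b"\x00"
    hdr_size = 0x1C                      # no optional Unicode offsets
    lbp_off = hdr_size                   # LocalBasePath directly after the LinkInfo header
    suffix_off = lbp_off + len(path)     # CommonPathSuffix: empty string
    size = suffix_off + 1
    link_info = struct.pack("<IIIIIII", size, hdr_size, 0x1, 0, lbp_off, 0, suffix_off)
    body = header + link_info + path + b"\x00"
    if arguments:
        body += struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
    return body


def parse_lnk(data):
    """Extract the fields needed for triage: LocalBasePath from LinkInfo plus the
    StringData strings. Skips the ID list; ignores trailing extra data blocks."""
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a shell link file")
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:
        (id_list_size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + id_list_size
    target = None
    if flags & HAS_LINK_INFO:
        link_info_size, _, li_flags, _, lbp_off = struct.unpack_from("<IIIII", data, pos)
        if li_flags & 0x1:                                   # VolumeIDAndLocalBasePath
            start = pos + lbp_off
            target = data[start:data.index(b"\x00", start)].decode("cp1252", "replace")
        pos += link_info_size
    info = {"target": target}
    for flag, name in STRING_DATA:
        if flags & flag:
            (count,) = struct.unpack_from("<H", data, pos)
            pos += 2
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos:pos + width * count]
            info[name] = raw.decode("utf-16-le" if width == 2 else "cp1252", "replace")
            pos += width * count
    return info


def resolve_chain(fs, start, max_hops=8):
    """Follow shortcut-to-shortcut redirection until the target is not a .lnk.
    fs maps lower-cased paths to file bytes (stand-in for the disk)."""
    chain, current = [start], start
    while current.lower().endswith(".lnk") and len(chain) <= max_hops:
        data = fs.get(current.lower())
        if data is None:
            break                                            # dangling shortcut
        target = parse_lnk(data).get("target")
        if not target:
            break
        chain.append(target)
        current = target
    return chain


def is_suspicious_chain(chain):
    """A Startup shortcut that redirects through another shortcut, or ends in a script."""
    via_lnk = any(p.lower().endswith(".lnk") for p in chain[1:-1])
    return via_lnk or chain[-1].lower().endswith(SCRIPT_EXTS)


# Constructed chain (hypothetical paths): Startup -> shortcut in a quiet profile folder -> script
STARTUP = r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Invoice.lnk"
HOP = r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\sync.lnk"
FINAL = r"C:\Users\victim\AppData\Roaming\Adaptive Learning Agreement\ADAPTI~1.JS"
SAMPLE_FS = {STARTUP.lower(): build_lnk(HOP), HOP.lower(): build_lnk(FINAL)}

if __name__ == "__main__":
    chain = resolve_chain(SAMPLE_FS, STARTUP)
    print(" -> ".join(chain), "| suspicious:", is_suspicious_chain(chain))
```

The max_hops guard matters: a chain that loops back on itself would otherwise spin forever, and an attacker who knows defenders walk chains has no reason not to build one.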
The Criminal Handshake: IABs and Ransomware Operators
The recently observed Gootloader ecosystem is a textbook example of the "Crime-as-a-Service" economy, featuring a distinct handoff between two groups: UNC2565 (The Broker) and Vanilla Tempest (The Operator).
The Broker (UNC2565 / Storm-0494)
The initial infection is managed by UNC2565. Their priorities are stealth and stability, which they pursue by deploying "GootBot", a custom, lightweight PowerShell implant. GootBot blends in with legitimate traffic by communicating via the /xmlrpc.php endpoint of compromised WordPress sites, the same XML-RPC interface that WordPress mobile apps and plugins use for ordinary blog management. This replaces widely fingerprinted tools like Cobalt Strike and makes the C2 traffic hard to separate from normal blog management activity at the network level.
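Because the XML-RPC requests ride over TLS to legitimate-looking sites, the signal for defenders is in the metadata: which workstations POST to /xmlrpc.php, to how many unrelated sites, and with what cadence. The following is an added example for this article, not a vendor detection: it scores web-proxy log lines per client on those three features. The log format and the entries are constructed; a marketing workstation (10.1.2.57) that occasionally posts to the company's own blog is included to show what should not fire.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlparse

MIN_POSTS = 5            # fewer than this is not enough to judge cadence
MAX_CV = 0.25            # interval stddev/mean below this looks like a timer, not a person
MIN_DISTINCT_HOSTS = 3   # one client posting XML-RPC to several unrelated blogs

# Constructed proxy log (not real traffic): timestamp, client IP, method, URL
SAMPLE_LOG = """\
2024-05-06T09:00:00 10.1.2.34 POST https://blog-a.example/xmlrpc.php
2024-05-06T09:00:01 10.1.2.57 GET https://www.example.org/wp-admin/
2024-05-06T09:05:02 10.1.2.34 POST https://blog-b.example/xmlrpc.php
2024-05-06T09:10:01 10.1.2.34 POST https://blog-c.example/xmlrpc.php
2024-05-06T09:15:03 10.1.2.34 POST https://blog-a.example/xmlrpc.php
2024-05-06T09:20:00 10.1.2.34 POST https://blog-d.example/xmlrpc.php
2024-05-06T09:25:02 10.1.2.34 POST https://blog-b.example/xmlrpc.php
2024-05-06T09:30:00 10.1.2.57 POST https://www.example.org/xmlrpc.php
2024-05-06T11:42:00 10.1.2.57 POST https://www.example.org/xmlrpc.php
"""


def parse_line(line):
    ts, client, method, url = line.split()
    return datetime.fromisoformat(ts), client, method, urlparse(url)


def xmlrpc_beacon_candidates(log_text):
    """Per client: number of POSTs to /xmlrpc.php, distinct target hosts, and the
    coefficient of variation of the gaps between them. Flag when the volume is there
    and either the host spread or the regularity looks automated."""
    posts = defaultdict(list)                     # client -> [(timestamp, host)]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, method, u = parse_line(line)
        if method == "POST" and u.path.lower().endswith("/xmlrpc.php"):
            posts[client].append((ts, u.hostname))
    report = {}
    for client, events in posts.items():
        events.sort()
        hosts = {h for _, h in events}
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        cv = pstdev(gaps) / mean(gaps) if len(gaps) >= 2 and mean(gaps) > 0 else None
        flagged = len(events) >= MIN_POSTS and (
            len(hosts) >= MIN_DISTINCT_HOSTS or (cv is not None and cv < MAX_CV))
        report[client] = {"posts": len(events), "distinct_hosts": len(hosts),
                          "interval_cv": cv, "flagged": flagged}
    return report


if __name__ == "__main__":
    for client, r in xmlrpc_beacon_candidates(SAMPLE_LOG).items():
        print(client, r)
```

The thresholds are starting points, not tuned values; the point of keeping the two conditions separate is that either one alone is defensible: a workstation has no business posting to the XML-RPC endpoints of several unrelated blogs, and a human editor does not post every five minutes to the second.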
The initial delivery is an XOR-encrypted ZIP archive. The decryption key is hardcoded into the compromised webpage's source code and tied to the filename of the payload, so the page that serves the lure also carries what is needed to unpack it; an analyst who has the page source and the download has everything required to recover the archive.
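Unpacking such a download is short work, and a ZIP's fixed leading bytes make it possible to confirm both the scheme and a candidate key before decrypting. The following is an added example for this article, not the campaign's own code or any vendor's decryptor: repeating-key XOR over a ZIP, a known-plaintext check that recovers the first four key bytes from the local file header signature, and a loop that tries key strings harvested from the page. The sample archive, its contents and the key string are constructed; nothing here reproduces the real payload.

```python
import io
import zipfile
from itertools import cycle

ZIP_MAGIC = b"PK\x03\x04"      # local file header signature that starts every ordinary ZIP


def xor_bytes(data, key):
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key_prefix(blob):
    """Known plaintext: the first four plaintext bytes of a ZIP are fixed, so XORing them
    with the first four ciphertext bytes yields the first four key bytes."""
    return xor_bytes(blob[:4], ZIP_MAGIC)


def decrypt_zip(blob, key):
    """Decrypt and open; refuse early if the result does not start like a ZIP."""
    plain = xor_bytes(blob, key)
    if not plain.startswith(ZIP_MAGIC):
        raise ValueError("decrypted data is not a ZIP; wrong key?")
    return zipfile.ZipFile(io.BytesIO(plain))


def find_key(blob, candidates):
    """Try key strings harvested from the page source; accept one only if every
    member's CRC checks out, not merely the magic bytes."""
    for cand in candidates:
        try:
            z = decrypt_zip(blob, cand.encode())
        except (ValueError, zipfile.BadZipFile):
            continue
        if z.testzip() is None:
            return cand
    return None


def build_sample(key):
    """Constructed stand-in for a downloaded lure: a ZIP holding one harmless .js, XOR'd."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("Adaptive Learning Agreement.js",
                   "// constructed placeholder, not malware\nWScript.Echo('hello');\n")
    return xor_bytes(buf.getvalue(), key)


SAMPLE_KEY = "Adaptive_Learning_Agreement"          # hypothetical key, as if lifted from the page
SAMPLE_BLOB = build_sample(SAMPLE_KEY.encode())
CANDIDATES = ["Invoice_2024", "contract", SAMPLE_KEY]   # strings scraped from the page source

if __name__ == "__main__":
    print("key prefix from known plaintext:", recover_key_prefix(SAMPLE_BLOB))
    key = find_key(SAMPLE_BLOB, CANDIDATES)
    print("key:", key, "members:", decrypt_zip(SAMPLE_BLOB, key.encode()).namelist())
```

The prefix check is worth running first on any unidentified blob: if the four recovered bytes are printable and look like a fragment of a string on the page, the download is almost certainly an XOR'd ZIP and the rest of the key is in the page source.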
The Operator (Vanilla Tempest / DEV-0832)
Once access is secured, UNC2565 sells or hands off that access to Vanilla Tempest, a group that specialises in "hands-on-keyboard" activity. Vanilla Tempest uses the Supper SOCKS5 backdoor to perform rapid post-exploitation reconnaissance and lateral movement, ultimately deploying various ransomware families to monetise the breach.
Defensive Recommendations
- Block Script Interpreters: Use AppLocker or Windows Defender Application Control (WDAC) to prevent wscript.exe and cscript.exe from running script files located in user-writable directories (%AppData%, %Temp% and the user's Downloads folder). Prefer rules keyed on location and publisher over rules keyed on filename strings; the 8.3 alias trick above shows how cheaply a name-based rule is sidestepped.
- Harden WordPress: Web administrators should disable the /xmlrpc.php endpoint via .htaccess or security plugins if not explicitly needed, as this is the primary channel for GootBot C2 traffic.
- Enhance Logging: Enable PowerShell Script Block Logging (Event ID 4104) and Module Logging (Event ID 4103). Since GootBot runs in memory, script block logs are often the only place its de-obfuscated code is recorded.
- Attack Surface Reduction (ASR): Enable Microsoft Defender ASR rules, specifically:
  - Block JavaScript or VBScript from launching downloaded executable content (rule ID D3E037E1-3EB8-44C8-A917-57927947596D).
  - Block execution of potentially obfuscated scripts (rule ID 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC).
  Roll both out in audit mode first and review the resulting events before switching to block, so that legitimate script-based tooling is allowlisted rather than broken.