Pulse: Gootloader Returns: What Goodies Did They Bring?
TLP: WHITE | Author: PetrP.73 | Created: 2025-11-06 | Modified: 2025-12-06
146 IOCs (high volume)
Gootloader, a JavaScript-based malware loader, has resurfaced with renewed activity after a brief hiatus. The malware is used primarily by the threat actor tracked as Storm-0494 to gain initial access, typically luring users to compromised sites through SEO poisoning. Gootloader relies on heavily obfuscated JavaScript to deliver additional payloads and is known for infections that lead to the deployment of ransomware families such as Rhysida, BlackCat, Zeppelin and Quantum Locker, operated through a second actor, Vanilla Tempest. A novel technique in recent Gootloader operations is the use of custom WOFF2 fonts whose glyph substitution tables obscure the displayed filenames. The loader abuses WordPress comment-submission endpoints to deliver XOR-encrypted ZIP files containing the payload, with a unique decryption key hardcoded in the compromised site's source code.
MITRE ATT&CK techniques: none listed
Malware families: Gootloader, OysterLoader
Indicators of Compromise (146)
Columns: Type, Indicator, Created (the Description column is empty for every entry)
URL https://espressonisten.de/ 2025-11-06
URL https://r34porn.net/ 2025-11-06
URL https://routinelynomadic.com/ 2025-11-06
URL https://www.lovestu.com/ 2025-11-06
URL https://www.pathfindertravels.se/tickets/ 2025-11-06
URL https://www.smithcoinc.biz/ 2025-11-06
URL https://www.supremesovietoflove.com/wp/ 2025-11-06
URL https://xxxmorritas.com/ 2025-11-06
FileHash-SHA256 2f056ce0657542da3e7e43fb815a8973c354624043f19ef134dff271db1741b3 2025-11-06
FileHash-SHA256 39d980851be1e111c035e4db2589fa3d5f59a5bef7b7b3e36bff5435c78f7049 2025-11-06
FileHash-SHA256 5ec9e926d4fb4237cf297d0d920cf0e9a5409f0226ee555bd8c89b97a659f4b0 2025-11-06
FileHash-SHA256 7557d5fed880ee1e292aba464ffdc12021f9acbe0ee3a2313519ecd7f94ec5c4 2025-11-06
FileHash-SHA256 87cbe9a5e9da0dba04dbd8046b90dbd8ee531e99fd6b351eae1ae5df5aa67439 2025-11-06
FileHash-SHA256 ad88076fd75d80e963d07f03d7ae35d4e55bd49634baf92743eece19ec901e94 2025-11-06
FileHash-SHA256 b9a61652dffd2ab3ec3b7e95829759fc43665c27e9642d4b2d4d2f7287254034 2025-11-06
FileHash-SHA256 c2326db8acae0cf9c5fc734e01d6f6c1cd78473b27044955c5761ec7fd479964 2025-11-06
FileHash-SHA256 c2b9782c55f75bb1797cb4fbae0290b44d0fcad51bf4f2c11c52ebbe3526d2ac 2025-11-06
FileHash-SHA256 cf44aa11a17b3dad61cae715f4ea27c0cbf80732a1a7a1c530a5c9d3d183482a 2025-11-06
URL http://cookcountyjudges.org/ 2025-11-06
URL https://allreleases.ru/ 2025-11-06
URL https://apprater.net/ 2025-11-06
URL https://aradax.ir/ 2025-11-06
URL https://blossomthemesdemo.com/ 2025-11-06
URL https://bluehamham.com/ 2025-11-06
URL https://buildacampervan.com/ 2025-11-06
URL https://campfosterymca.com/ 2025-11-06
URL https://cargoboard.de/ 2025-11-06
URL https://cloudy.pk/ 2025-11-06
URL https://cortinaspraga.com/ 2025-11-06
URL https://dailykhabrain.com.pk/ 2025-11-06
URL https://egyptelite.com/ 2025-11-06
URL https://eliskavaea.cz/ 2025-11-06
URL https://filmcrewnepal.com/ 2025-11-06
URL https://fotbalovavidea.cz/ 2025-11-06
URL https://gravityforms.ir/ 2025-11-06
URL https://headedforspace.com/ 2025-11-06
URL https://hotporntv.net/ 2025-11-06
URL https://idmpakistan.pk/ 2025-11-06
URL https://influenceimmo.com/ 2025-11-06
URL https://jungutah.com/ 2025-11-06
URL https://kollabmi.se/ 2025-11-06
URL https://latimp.eu/ 2025-11-06
URL https://leadoo.com/ 2025-11-06
URL https://lepolice.com/ 2025-11-06
URL https://medicit-y.ch/ 2025-11-06
URL https://michaelcheney.com/ 2025-11-06
URL https://motoz.com.au/ 2025-11-06
URL https://myanimals.com/ 2025-11-06
URL https://onsk.dk/ 2025-11-06
URL https://ostmarketing.com/ 2025-11-06
URL https://patriotillumination.com/ 2025-11-06
URL https://redronic.com/ 2025-11-06
URL https://restaurantchezhenri.ca/ 2025-11-06
URL https://solidegypt.net/ 2025-11-06
URL https://spirits-station.fr/ 2025-11-06
URL https://studentspoint.org/ 2025-11-06
URL https://sugarbeecrafts.com/ 2025-11-06
URL https://themasterscraft.com/ 2025-11-06
URL https://thetripschool.com/ 2025-11-06
URL https://tiresdoc.com/ 2025-11-06
URL https://tokyocheapo.com/ 2025-11-06
URL https://unica.md/ 2025-11-06
URL https://usma.ru/ 2025-11-06
URL https://villasaze.ir/ 2025-11-06
URL https://vps3nter.ir/ 2025-11-06
URL https://wessper.com/ 2025-11-06
URL https://whiskymuseum.at/ 2025-11-06
URL https://www.claritycontentservices.com/wp/ 2025-11-06
URL https://www.ferienhausdehaanmieten.de/ 2025-11-06
URL https://www.minklinkaps.com/ 2025-11-06
URL https://www.us.registration.fcaministers.com/ 2025-11-06
URL https://www.wagenbaugrabs.ch/ 2025-11-06
URL https://www.worldwealthbuilders.com/ 2025-11-06
URL https://www1.zonewebmaster.eu/news/ 2025-11-06
URL https://www2.pelisyseries.net/ 2025-11-06
URL https://x.fybw.org/ 2025-11-06
URL https://yoga-penzberg.de/ 2025-11-06
URL https://yourboxspring.nl/ 2025-11-06
domain allreleases.ru 2025-11-06
domain apprater.net 2025-11-06
domain aradax.ir 2025-11-06
domain blossomthemesdemo.com 2025-11-06
domain bluehamham.com 2025-11-06
domain buildacampervan.com 2025-11-06
domain campfosterymca.com 2025-11-06
domain cargoboard.de 2025-11-06
domain cloudy.pk 2025-11-06
domain cookcountyjudges.org 2025-11-06
domain cortinaspraga.com 2025-11-06
domain dailykhabrain.com.pk 2025-11-06
domain egyptelite.com 2025-11-06
domain eliskavaea.cz 2025-11-06
domain espressonisten.de 2025-11-06
domain filmcrewnepal.com 2025-11-06
domain fotbalovavidea.cz 2025-11-06
domain gravityforms.ir 2025-11-06
domain headedforspace.com 2025-11-06
domain hotporntv.net 2025-11-06
domain idmpakistan.pk 2025-11-06
domain influenceimmo.com 2025-11-06
domain jungutah.com 2025-11-06
domain kollabmi.se 2025-11-06
domain latimp.eu 2025-11-06
domain leadoo.com 2025-11-06
domain lepolice.com 2025-11-06
domain medicit-y.ch 2025-11-06
domain michaelcheney.com 2025-11-06
domain motoz.com.au 2025-11-06
domain myanimals.com 2025-11-06
domain onsk.dk 2025-11-06
domain ostmarketing.com 2025-11-06
domain patriotillumination.com 2025-11-06
domain r34porn.net 2025-11-06
domain redronic.com 2025-11-06
domain restaurantchezhenri.ca 2025-11-06
domain routinelynomadic.com 2025-11-06
domain solidegypt.net 2025-11-06
domain spirits-station.fr 2025-11-06
domain studentspoint.org 2025-11-06
domain sugarbeecrafts.com 2025-11-06
domain themasterscraft.com 2025-11-06
domain thetripschool.com 2025-11-06
domain tiresdoc.com 2025-11-06
domain tokyocheapo.com 2025-11-06
domain unica.md 2025-11-06
domain usma.ru 2025-11-06
domain villasaze.ir 2025-11-06
domain vps3nter.ir 2025-11-06
domain wessper.com 2025-11-06
domain whiskymuseum.at 2025-11-06
domain xxxmorritas.com 2025-11-06
domain yoga-penzberg.de 2025-11-06
domain yourboxspring.nl 2025-11-06
hostname www.claritycontentservices.com 2025-11-06
hostname www.ferienhausdehaanmieten.de 2025-11-06
hostname www.lovestu.com 2025-11-06
hostname www.minklinkaps.com 2025-11-06
hostname www.pathfindertravels.se 2025-11-06
hostname www.smithcoinc.biz 2025-11-06
hostname www.supremesovietoflove.com 2025-11-06
hostname www.us.registration.fcaministers.com 2025-11-06
hostname www.wagenbaugrabs.ch 2025-11-06
hostname www.worldwealthbuilders.com 2025-11-06
hostname www1.zonewebmaster.eu 2025-11-06
hostname www2.pelisyseries.net 2025-11-06
hostname x.fybw.org 2025-11-06