← Back to Pulse Feed
PULSE DETAIL
PULSE NAME
Gootloader Returns: What Goodies Did They Bring?
WHITE PetrP.73 2025-11-06 Modified: 2025-12-06
146
IOCs
HIGH VOLUME
Gootloader, a JavaScript-based malware loader, has resurfaced with renewed activity after a brief hiatus. This malware is primarily used by the threat actor known as Storm-0494 to gain initial access, often leveraging SEO poisoning to attract users to compromised sites. Gootloader employs heavily obfuscated JavaScript to deliver additional payloads and is known for facilitating infections that lead to the deployment of various ransomware families, such as Rhysida, BlackCat, Zeppelin, and Quantum Locker through another actor, Vanilla Tempest. One of the novel techniques used in recent Gootloader operations includes the incorporation of custom WOFF2 fonts, which employ glyph substitution to obscure filenames. The loader exploits WordPress comment submission endpoints to deliver XOR-encrypted ZIP files containing payloads, with a unique decryption key hardcoded in the site’s source code.
gootloaderjavascript filesupper backdoorc2 servervanilla tempestpowershellcasesha256javascriptwindowspathblackcatzeppelindownloadbacksupper socks5oysterloadersection).thesupperhuntress
MITRE ATT&CK & Malware Families
ATT&CK TECHNIQUES
MALWARE FAMILIES
Gootloader OysterLoader
Indicators of Compromise (68 / 146 total)
All URL FileHash-SHA256 domain hostname
TYPEINDICATORDESCRIPTIONCREATED
URL https://espressonisten.de/ 2025-11-06
URL https://r34porn.net/ 2025-11-06
URL https://routinelynomadic.com/ 2025-11-06
URL https://www.lovestu.com/ 2025-11-06
URL https://www.pathfindertravels.se/tickets/ 2025-11-06
URL https://www.smithcoinc.biz/ 2025-11-06
URL https://www.supremesovietoflove.com/wp/ 2025-11-06
URL https://xxxmorritas.com/ 2025-11-06
URL http://cookcountyjudges.org/ 2025-11-06
URL https://allreleases.ru/ 2025-11-06
URL https://apprater.net/ 2025-11-06
URL https://aradax.ir/ 2025-11-06
URL https://blossomthemesdemo.com/ 2025-11-06
URL https://bluehamham.com/ 2025-11-06
URL https://buildacampervan.com/ 2025-11-06
URL https://campfosterymca.com/ 2025-11-06
URL https://cargoboard.de/ 2025-11-06
URL https://cloudy.pk/ 2025-11-06
URL https://cortinaspraga.com/ 2025-11-06
URL https://dailykhabrain.com.pk/ 2025-11-06
URL https://egyptelite.com/ 2025-11-06
URL https://eliskavaea.cz/ 2025-11-06
URL https://filmcrewnepal.com/ 2025-11-06
URL https://fotbalovavidea.cz/ 2025-11-06
URL https://gravityforms.ir/ 2025-11-06
URL https://headedforspace.com/ 2025-11-06
URL https://hotporntv.net/ 2025-11-06
URL https://idmpakistan.pk/ 2025-11-06
URL https://influenceimmo.com/ 2025-11-06
URL https://jungutah.com/ 2025-11-06
URL https://kollabmi.se/ 2025-11-06
URL https://latimp.eu/ 2025-11-06
URL https://leadoo.com/ 2025-11-06
URL https://lepolice.com/ 2025-11-06
URL https://medicit-y.ch/ 2025-11-06
URL https://michaelcheney.com/ 2025-11-06
URL https://motoz.com.au/ 2025-11-06
URL https://myanimals.com/ 2025-11-06
URL https://onsk.dk/ 2025-11-06
URL https://ostmarketing.com/ 2025-11-06
URL https://patriotillumination.com/ 2025-11-06
URL https://redronic.com/ 2025-11-06
URL https://restaurantchezhenri.ca/ 2025-11-06
URL https://solidegypt.net/ 2025-11-06
URL https://spirits-station.fr/ 2025-11-06
URL https://studentspoint.org/ 2025-11-06
URL https://sugarbeecrafts.com/ 2025-11-06
URL https://themasterscraft.com/ 2025-11-06
URL https://thetripschool.com/ 2025-11-06
URL https://tiresdoc.com/ 2025-11-06
URL https://tokyocheapo.com/ 2025-11-06
URL https://unica.md/ 2025-11-06
URL https://usma.ru/ 2025-11-06
URL https://villasaze.ir/ 2025-11-06
URL https://vps3nter.ir/ 2025-11-06
URL https://wessper.com/ 2025-11-06
URL https://whiskymuseum.at/ 2025-11-06
URL https://www.claritycontentservices.com/wp/ 2025-11-06
URL https://www.ferienhausdehaanmieten.de/ 2025-11-06
URL https://www.minklinkaps.com/ 2025-11-06
URL https://www.us.registration.fcaministers.com/ 2025-11-06
URL https://www.wagenbaugrabs.ch/ 2025-11-06
URL https://www.worldwealthbuilders.com/ 2025-11-06
URL https://www1.zonewebmaster.eu/news/ 2025-11-06
URL https://www2.pelisyseries.net/ 2025-11-06
URL https://x.fybw.org/ 2025-11-06
URL https://yoga-penzberg.de/ 2025-11-06
URL https://yourboxspring.nl/ 2025-11-06
References (1)
↗ https://www.huntress.com/blog/gootloader-threat-detection-woff2-obfuscation