Pulse: GootLoader New Evasion Methods Target Search Driven Workflows
TLP: WHITE | Author: PetrP.73 | Created: 2025-11-08 | Modified: 2025-12-08 | Indicators: 146 (high volume)
GootLoader, operated by the threat group UNC2565 (also known as Storm-0494), has resurfaced with advanced techniques to exploit search-driven workflows. This malware loader is central to a sophisticated Access-as-a-Service platform that facilitates initial access for ransomware affiliates, including Vanilla Tempest, and leverages SEO poisoning to attract users searching for business document templates. A notable attack technique involves the use of a dual-personality ZIP archive. This archive is engineered to deceive security sandboxes by appearing harmless while extracting a malicious .js file for human users. Upon execution, usually triggered by the user double-clicking the JScript file, the payload launches through Windows Script Host, specifically WScript.exe or CScript.exe, which in turn invokes PowerShell to retrieve subsequent malicious payloads.
MITRE ATT&CK & Malware Families
Malware families: Cobalt Strike, GootLoader, JScript
Indicators of Compromise (146): indicator types URL, FileHash-SHA256, domain and hostname, all created 2025-11-08.