Pulse: GootLoader New Evasion Methods Target Search Driven Workflows
TLP: WHITE | Author: PetrP.73 | Created: 2025-11-08 | Modified: 2025-12-08
146 IOCs (high volume)
GootLoader, operated by the threat group UNC2565 (also known as Storm-0494), has resurfaced with new techniques that abuse search-driven workflows. The loader is the core of an Access-as-a-Service platform that provides initial access to ransomware affiliates, including Vanilla Tempest, and relies on SEO poisoning to draw in users searching for business document templates. A notable technique is a dual-personality ZIP archive: it is built so that security sandboxes see a harmless archive, while a human user extracting it obtains a malicious .js file. Execution typically begins when the user double-clicks the JScript file, which runs under Windows Script Host (WScript.exe or CScript.exe); the script then invokes PowerShell to retrieve follow-on payloads.
MITRE ATT&CK & Malware Families
ATT&CK techniques: (none listed in this pulse)
Malware families: Cobalt Strike, GootLoader, JScript
Indicators of Compromise (68 / 146 total)
Indicator types in pulse: URL, FileHash-SHA256, domain, hostname (only URL indicators are shown below)
TYPE  INDICATOR  DESCRIPTION  CREATED
URL https://espressonisten.de 2025-11-08
URL https://blossomthemesdemo.com 2025-11-08
URL https://headedforspace.com 2025-11-08
URL https://www.pathfindertravels.se/tickets/ 2025-11-08
URL https://www.supremesovietoflove.com/wp/ 2025-11-08
URL http://cookcountyjudges.org/ 2025-11-08
URL https://allreleases.ru 2025-11-08
URL https://apprater.net 2025-11-08
URL https://aradax.ir 2025-11-08
URL https://bluehamham.com 2025-11-08
URL https://buildacampervan.com 2025-11-08
URL https://campfosterymca.com 2025-11-08
URL https://cargoboard.de 2025-11-08
URL https://cloudy.pk 2025-11-08
URL https://cortinaspraga.com 2025-11-08
URL https://dailykhabrain.com.pk 2025-11-08
URL https://egyptelite.com 2025-11-08
URL https://eliskavaea.cz 2025-11-08
URL https://filmcrewnepal.com 2025-11-08
URL https://fotbalovavidea.cz 2025-11-08
URL https://gbhackers.com/gootloader-malware-via-google 2025-11-08
URL https://gravityforms.ir 2025-11-08
URL https://hotporntv.net 2025-11-08
URL https://idmpakistan.pk 2025-11-08
URL https://influenceimmo.com 2025-11-08
URL https://jungutah.com 2025-11-08
URL https://kollabmi.se 2025-11-08
URL https://latimp.eu 2025-11-08
URL https://leadoo.com 2025-11-08
URL https://lepolice.com 2025-11-08
URL https://medicit-y.ch 2025-11-08
URL https://michaelcheney.com 2025-11-08
URL https://motoz.com.au 2025-11-08
URL https://myanimals.com 2025-11-08
URL https://onsk.dk 2025-11-08
URL https://ostmarketing.com 2025-11-08
URL https://patriotillumination.com 2025-11-08
URL https://r34porn.net 2025-11-08
URL https://redcanary.com/blog/threat-intelligence/gootloader 2025-11-08
URL https://redronic.com 2025-11-08
URL https://restaurantchezhenri.ca 2025-11-08
URL https://solidegypt.net 2025-11-08
URL https://spirits-station.fr 2025-11-08
URL https://studentspoint.org 2025-11-08
URL https://sugarbeecrafts.com 2025-11-08
URL https://themasterscraft.com 2025-11-08
URL https://thetripschool.com 2025-11-08
URL https://tiresdoc.com 2025-11-08
URL https://unica.md 2025-11-08
URL https://usma.ru 2025-11-08
URL https://villasaze.ir 2025-11-08
URL https://vps3nter.ir 2025-11-08
URL https://wessper.com 2025-11-08
URL https://whiskymuseum.at 2025-11-08
URL https://www.claritycontentservices.com/wp/ 2025-11-08
URL https://www.ferienhausdehaanmieten.de 2025-11-08
URL https://www.lovestu.com 2025-11-08
URL https://www.minklinkaps.com 2025-11-08
URL https://www.smithcoinc.biz 2025-11-08
URL https://www.us.registration.fcaministers.com 2025-11-08
URL https://www.wagenbaugrabs.ch 2025-11-08
URL https://www.worldwealthbuilders.com 2025-11-08
URL https://www1.zonewebmaster.eu/news/ 2025-11-08
URL https://www2.pelisyseries.net 2025-11-08
URL https://x.fybw.org 2025-11-08
URL https://xxxmorritas.com 2025-11-08
URL https://yoga-penzberg.de 2025-11-08
URL https://yourboxspring.nl 2025-11-08