{
  "type": "URL",
  "indicator": "https://wessper.com",
  "general": {
    "sections": [
      "general",
      "url_list",
      "http_scans",
      "screenshot"
    ],
    "indicator": "https://wessper.com",
    "type": "url",
    "type_title": "URL",
    "validation": [],
    "base_indicator": {
      "id": 4147062827,
      "indicator": "https://wessper.com",
      "type": "URL",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 1,
      "pulses": [
        {
          "id": "690f3c5dc4e3987d08cb8055",
          "name": "GootLoader New Evasion Methods Target Search Driven Workflows",
          "description": "GootLoader, operated by the threat group UNC2565 (also known as Storm-0494), has resurfaced with advanced techniques to exploit search-driven workflows. This malware loader is central to a sophisticated Access-as-a-Service platform that facilitates initial access for ransomware affiliates, including Vanilla Tempest, and leverages SEO poisoning to attract users searching for business document templates. A notable attack technique involves the use of a dual-personality ZIP archive. This archive is engineered so that automated security sandboxes see a harmless file, while a human user's archive utility extracts the malicious .js file. Upon execution, usually triggered by the user double-clicking the JScript file, the payload launches through Windows Script Host (WScript.exe or CScript.exe), which in turn invokes PowerShell to retrieve subsequent malicious payloads.",
          "modified": "2025-12-08T12:03:02.393000",
          "created": "2025-11-08T12:49:33.537000",
          "tags": [
            "phishing",
            "malware",
            "zip",
            "initial access loader",
            "gootloader",
            "ip archive evasion",
            "powershell",
            "unc2565",
            "wordpress",
            "windows script",
            "gootbot",
            "cobalt strike",
            "startup",
            "storm0494",
            "gootkit",
            "loader",
            "rhysida",
            "blackcat",
            "zeppelin",
            "score",
            "python",
            "global",
            "execution",
            "evolution",
            "gootloader jscript",
            "hostnames",
            "ipv4",
            "hashes",
            "sha256"
          ],
          "references": [
            "https://cybersecsentinel.com/gootloader-new-evasion-methods-target-search-driven-workflows/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Cobalt Strike",
              "display_name": "Cobalt Strike",
              "target": null
            },
            {
              "id": "GootLoader JScript",
              "display_name": "GootLoader JScript",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            }
          ],
          "industries": [
            "Legal",
            "Financial"
          ],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 21,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 68,
            "FileHash-SHA256": 10,
            "domain": 55,
            "hostname": 13
          },
          "indicator_count": 146,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 544,
          "modified_text": "176 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://cybersecsentinel.com/gootloader-new-evasion-methods-target-search-driven-workflows/"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": [],
          "unique_indicators": 0
        },
        "other": {
          "adversary": [],
          "malware_families": [
            "Cobalt strike",
            "Gootloader jscript"
          ],
          "industries": [
            "Financial",
            "Legal"
          ],
          "unique_indicators": 153
        }
      }
    },
    "false_positive": [],
    "alexa": "http://www.alexa.com/siteinfo/wessper.com",
    "whois": "http://whois.domaintools.com/wessper.com",
    "domain": "wessper.com",
    "hostname": "Unavailable"
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 1,
  "pulses": [
    {
      "id": "690f3c5dc4e3987d08cb8055",
      "name": "GootLoader New Evasion Methods Target Search Driven Workflows",
      "description": "GootLoader, operated by the threat group UNC2565 (also known as Storm-0494), has resurfaced with advanced techniques to exploit search-driven workflows. This malware loader is central to a sophisticated Access-as-a-Service platform that facilitates initial access for ransomware affiliates, including Vanilla Tempest, and leverages SEO poisoning to attract users searching for business document templates. A notable attack technique involves the use of a dual-personality ZIP archive. This archive is engineered so that automated security sandboxes see a harmless file, while a human user's archive utility extracts the malicious .js file. Upon execution, usually triggered by the user double-clicking the JScript file, the payload launches through Windows Script Host (WScript.exe or CScript.exe), which in turn invokes PowerShell to retrieve subsequent malicious payloads.",
      "modified": "2025-12-08T12:03:02.393000",
      "created": "2025-11-08T12:49:33.537000",
      "tags": [
        "phishing",
        "malware",
        "zip",
        "initial access loader",
        "gootloader",
        "ip archive evasion",
        "powershell",
        "unc2565",
        "wordpress",
        "windows script",
        "gootbot",
        "cobalt strike",
        "startup",
        "storm0494",
        "gootkit",
        "loader",
        "rhysida",
        "blackcat",
        "zeppelin",
        "score",
        "python",
        "global",
        "execution",
        "evolution",
        "gootloader jscript",
        "hostnames",
        "ipv4",
        "hashes",
        "sha256"
      ],
      "references": [
        "https://cybersecsentinel.com/gootloader-new-evasion-methods-target-search-driven-workflows/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Cobalt Strike",
          "display_name": "Cobalt Strike",
          "target": null
        },
        {
          "id": "GootLoader JScript",
          "display_name": "GootLoader JScript",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        }
      ],
      "industries": [
        "Legal",
        "Financial"
      ],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 21,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "PetrP.73",
        "id": "154605",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 68,
        "FileHash-SHA256": 10,
        "domain": 55,
        "hostname": 13
      },
      "indicator_count": 146,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 544,
      "modified_text": "176 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "https://wessper.com",
    "type": "URL"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "https://wessper.com",
    "type": "URL",
    "found": false,
    "verdict": "clean",
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780430944.3761668
}