🛡️ Business security requires dealing with different types of threats, from mobile #malware to Python-based stealers. Let us show you exactly how you can do it 👨💻
Check out analysis of several hard-to-catch threats, including #GootLoader ⬇️
https://any.run/cybersecurity-blog/how-to-analyze-malware-threats/?utm_source=mastodon&utm_medium=post&utm_campaign=how_to_analyze_threats&utm_content=linktoblog&utm_term=270525
#Gootloader #Malware Resurfaces in #Google Ads for Legal Docs. Attackers target a familiar industry, law professionals, by hiding the infostealer in ads delivered via Google-based malvertising.
https://www.darkreading.com/cyberattacks-data-breaches/gootloader-malware-google-ads-legal-docs
Gootloader Returns: Malware Hidden in Google Ads for Legal Documents
#GootLoader
https://gootloader.wordpress.com/2025/03/31/gootloader-returns-malware-hidden-in-google-ads-for-legal-documents/
Sharing a community blog for visibility: https://gootloader.wordpress.com/2025/03/31/gootloader-returns-malware-hidden-in-google-ads-for-legal-documents/
Proofpoint also recently observed this activity delivering #GootLoader. Google Ads for a fake document creation app (lawliner[.]com) led to a malicious document creation website, on which users are directed to enter their email address.
When an email address is provided, the user will receive an email from the fake document creation website (lawyer@skhm[.])org with URL ending in .docx. Under certain conditions, the URL will lead to a zip file with a JavaScript file that installs GootLoader, while at other times it will lead to an actual docx template used as a decoy. It is not possible to see from the email or URL if it will lead to the malicious file or not.
Proofpoint recommends organizations block these domains. Also, people should be advised to never use untrusted / unapproved software for document creation.
Notorious Malware, Spam Host “Prospero” Moves to Kaspersky Lab
https://krebsonsecurity.com/2025/02/notorious-malware-spam-host-prospero-moves-to-kaspersky-lab/
#InterisleConsultingGroup #Ne'er-Do-WellNews #ALittleSunshine #TheComingStorm #KasperskyLab #ProsperoOOO #ZachEdwards #Ransomware #GootLoader #Securehost #SilentPush #SocGholish #Intrinsec #AlfaBank #BEARHOST #spamhaus #Kentik
Notorious Malware, Spam Host “Prospero” Moves to Kaspersky Lab - One of the most notorious providers of abuse-friendly “bulletproof” web hosting fo... https://krebsonsecurity.com/2025/02/notorious-malware-spam-host-prospero-moves-to-kaspersky-lab/ #interisleconsultinggroup #neer-do-wellnews #alittlesunshine #thecomingstorm #kasperskylab #prosperoooo #zachedwards #ransomware #gootloader #securehost #silentpush #socgholish #intrinsec #alfabank #bearhost #spamhaus #kentik
Gootloader Malware Employs Blackhat SEO Techniques To Attack Victims
https://gbhackers.com/gootloader-malware-employs-blackhat-seo/
#Infosec #Security #Cybersecurity #CeptBiro #Gootloader #Malware #BlackhatSEOTechniques
Gootloader inside out
#GootLoader
https://news.sophos.com/en-us/2025/01/16/gootloader-inside-out/
I've been waiting for this writeup for a long time. Great dive on #Gootloader: https://news.sophos.com/en-us/2025/01/16/gootloader-inside-out/
Of particular note is the 24-hour timeout for any IP that receives a Gootloader download prompt, frustrating research attempts. But the whole research process here is excellent.
We don't want to tell the entire story here, but the bottom line is this: #Gootloader is and remains one of the most convoluted #malware attack methods we've seen. Its social engineering ruse and the way it shapes itself to your desires still convince people to click its bad links.
Gootloader has been playing the long game, and winning, below most people's radar, for years. It shows no sign of slowing down or changing its methods. After all, it's a working formula.
/end
https://news.sophos.com/en-us/2025/01/16/gootloader-inside-out/
Hi everyone, it's @threatresearch driving the X-Ops social media today to let you know about a story we just published, written by my colleague Gabor Szappanos.
Szapi has done significant research in the past into a #malware family called #Gootloader that (for years, now) uses malicious #SEO techniques to promote compromised websites into Google search results.
This research finally cracks wide open the mystery of how they manage to do that so effectively. It's a long read, but well worth the deep dive.
https://news.sophos.com/en-us/2025/01/16/gootloader-inside-out/
1/
👾 #GootLoader is an initial-access-as-a-service #malware operating since late 2020
It is distributed via hijacked WordPress websites in SEO poisoning attacks
Learn more and collect #IOCs & samples
🔗 https://any.run/malware-trends/gootloader/?utm_source=mastodon&utm_medium=post&utm_campaign=gootloader&utm_content=tracker&utm_term=130125
"Gootloader’s Pivot from SEO Poisoning: PDF Converters Become the New Infection Vector"👀
⬇️
"Visiting this WordPress site (surprise!), I found a form for uploading a PDF to convert it to a .DOCX file inside a .zip. But after passing certain checks—being from an English-speaking country and not having visited in the past 24 hours on the same class C subnet—users instead receive a .JS file inside the .zip rather than a genuine .DOCX."
👇
https://gootloader.wordpress.com/2024/11/07/gootloaders-pivot-from-seo-poisoning-pdf-converters-become-the-new-infection-vector/
CapLoader wasn’t designed as an alternative to a traditional NIDS, but the Alerts tab often gives a VERY good overview of the malicious traffic. Here’s a screenshot of CapLoader’s alerts for some recent PCAP files from malware-traffic-analysis.net.
#Lumma #GootLoader #AgentTesla #RURAT #Remcos #RedLine #BackConnect
#GootLoader is still active and efficient
https://securityaffairs.com/165368/malware/gootloader-malware-is-still-active.html
#securityaffairs #hacking
