Sharing a community blog for visibility: https://gootloader.wordpress.com/2025/03/31/gootloader-returns-malware-hidden-in-google-ads-for-legal-documents/
Proofpoint also recently observed this activity delivering #GootLoader. Google Ads for a fake document creation app (lawliner[.]com) led to a malicious document creation website, on which users are directed to enter their email address.
When an email address is provided, the user will receive an email from the fake document creation website (lawyer@skhm[.]org) with a URL ending in .docx. Under certain conditions, the URL will lead to a zip file with a JavaScript file that installs GootLoader, while at other times it will lead to an actual docx template used as a decoy. It is not possible to see from the email or URL if it will lead to the malicious file or not.
Proofpoint recommends organizations block these domains. Also, people should be advised to never use untrusted / unapproved software for document creation.
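
A content check for files fetched from a URL ending in .docx, as an added example that is not part of the original post: a genuine .docx and a plain zip both begin with the same `PK` signature, so this sketch classifies the download by its archive member names instead. The function names, the script extension list and the sample archives are assumptions constructed for illustration.

```python
import io
import zipfile
from urllib.parse import urlparse

# Assumed list of script extensions worth flagging inside a downloaded archive.
SCRIPT_EXTS = (".js", ".jse", ".wsf", ".vbs")


def classify_download(body: bytes) -> str:
    """Return 'docx', 'zip-with-script', 'zip-other' or 'not-zip'."""
    if not zipfile.is_zipfile(io.BytesIO(body)):
        return "not-zip"
    with zipfile.ZipFile(io.BytesIO(body)) as zf:
        names = zf.namelist()
    lowered = [n.lower() for n in names]
    # A script member is checked first: it is never expected in a document.
    if any(n.endswith(SCRIPT_EXTS) for n in lowered):
        return "zip-with-script"
    # OOXML Word documents carry a content-types part and a word/ tree.
    if "[Content_Types].xml" in names and any(n.startswith("word/") for n in lowered):
        return "docx"
    return "zip-other"


def url_content_mismatch(url: str, body: bytes) -> bool:
    """True when the URL path ends in .docx but the body is not a Word document."""
    claims_docx = urlparse(url).path.lower().endswith(".docx")
    return claims_docx and classify_download(body) != "docx"


def _make_zip(members: dict) -> bytes:
    """Build an in-memory zip from {member name: content} (test data helper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: a minimal docx-shaped archive and a zip holding a harmless .js file.
SAMPLE_DOCX = _make_zip({"[Content_Types].xml": "<Types/>",
                         "word/document.xml": "<document/>"})
SAMPLE_ARCHIVE = _make_zip({"template_form.js": "// constructed placeholder content"})

if __name__ == "__main__":
    url = "https://example.invalid/files/agreement.docx"  # placeholder URL
    for label, body in (("decoy", SAMPLE_DOCX), ("archive", SAMPLE_ARCHIVE)):
        print(label, body[:2], classify_download(body), url_content_mismatch(url, body))
```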