#Gootloader

🛡️ Business security requires dealing with different types of threats, from mobile #malware to Python-based stealers. Let us show you exactly how you can do it 👨‍💻

Check out analysis of several hard-to-catch threats, including #GootLoader ⬇️
any.run/cybersecurity-blog/how

#infosec #cybersecurity

Teddy / Domingo (🇨🇵/🇬🇧) TeddyTheBest@framapiaf.org
2025-04-03

#Gootloader #Malware Resurfaces in #Google Ads for Legal Docs. Attackers target a familiar industry, law professionals, by hiding the infostealer in ads delivered via Google-based malvertising.
darkreading.com/cyberattacks-d

2025-03-31

Sharing a community blog for visibility: gootloader.wordpress.com/2025/

Proofpoint also recently observed this activity delivering #GootLoader. Google Ads for a fake document creation app (lawliner[.]com) led to a malicious document creation website, on which users are directed to enter their email address.

When an email address is provided, the user will receive an email from the fake document creation website (lawyer@skhm[.]org) with a URL ending in .docx. Under certain conditions, the URL will lead to a zip file with a JavaScript file that installs GootLoader, while at other times it will lead to an actual docx template used as a decoy. It is not possible to see from the email or URL whether it will lead to the malicious file or not.

Proofpoint recommends organizations block these domains. Also, people should be advised to never use untrusted / unapproved software for document creation.

2025-01-16

I've been waiting for this writeup for a long time. Great dive on #Gootloader: news.sophos.com/en-us/2025/01/

Of particular note is the 24-hour timeout for any IP that receives a Gootloader download prompt, frustrating research attempts. But the whole research process here is excellent.

2025-01-16

We don't want to tell the entire story here, but the bottom line is this: #Gootloader is and remains one of the most convoluted #malware attack methods we've seen. Its social engineering ruse and the way it shapes itself to your desires still convince people to click its bad links.

Gootloader has been playing the long game, and winning, below most people's radar, for years. It shows no sign of slowing down or changing its methods. After all, it's a working formula.

/end

news.sophos.com/en-us/2025/01/

2025-01-16

Hi everyone, it's @threatresearch driving the X-Ops social media today to let you know about a story we just published, written by my colleague Gabor Szappanos.

Szapi has done significant research in the past into a #malware family called #Gootloader that (for years, now) uses malicious #SEO techniques to promote compromised websites into Google search results.

This research finally cracks wide open the mystery of how they manage to do that so effectively. It's a long read, but well worth the deep dive.

news.sophos.com/en-us/2025/01/

1/

👾 #GootLoader is an initial-access-as-a-service #malware operating since late 2020.
It is distributed via hijacked WordPress websites in SEO poisoning attacks.

Learn more and collect #IOCs & samples
🔗 any.run/malware-trends/gootloa

#cybersecurity #infosec

deciodecio@infosec.exchange
2024-11-08

"Gootloader’s Pivot from SEO Poisoning: PDF Converters Become the New Infection Vector"👀
⬇️
"Visiting this WordPress site (surprise!), I found a form for uploading a PDF to convert it to a .DOCX file inside a .zip. But after passing certain checks—being from an English-speaking country and not having visited in the past 24 hours on the same class C subnet—users instead receive a .JS file inside the .zip rather than a genuine .DOCX."
👇
gootloader.wordpress.com/2024/

#gootloader #CyberVeille #PDFConverter #malware

The image provides details from an investigation into a web host, revealing that it is registered with NameCheap, Inc., and hosted by "Stark Industries Solutions LTD," described as a "bulletproof hosting provider" often used for malicious purposes. It lists suspicious IP addresses (e.g., 45[.]83[.]140[.]139 to 45[.]83[.]140[.]148), each associated with potentially malicious domains related to online PDF services or legal themes, some of which appear linked to "Gootloader," a malware delivery service. Examples of domains include "pdf-online-tools[.]com," "berumenlaw[.]com," "pdfdocx[.]com," and others. Some domains were flagged by Shodan, a security search engine, with names previously identified as "EraPDF."
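The Proofpoint post earlier on this page and the quoted blog excerpt above describe the same trick: the victim expects a .docx but sometimes gets a .zip holding a .js file. Because a genuine .docx is itself a ZIP container, the file name and MIME type cannot separate the two cases; the archive's member list can. The following is an added defender-side check, not code from any of the posts, from Proofpoint or from the blog; the in-memory sample archives are constructed, and the script extensions beyond .js are an assumption about what Windows Script Host would run.

```python
import io
import zipfile

# Only .js is named on this page; the rest are other Windows script-host
# extensions (assumption, added for completeness).
SCRIPT_EXTENSIONS = (".js", ".jse", ".wsf", ".vbs")


def build_docx() -> bytes:
    """Constructed stand-in for a real template: minimal OOXML-shaped package."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


def build_js_zip() -> bytes:
    """Constructed stand-in for the malicious outcome: a .zip with one .js member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Contract Template 2025.js", "// constructed placeholder, not a loader\n")
    return buf.getvalue()


def classify_download(data: bytes) -> str:
    """Return 'docx', 'script-in-zip', 'other-zip' or 'not-zip' for a downloaded blob."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "not-zip"
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = [n.lower() for n in z.namelist()]
    # Any script member is decisive, whatever else the archive claims to be.
    if any(n.endswith(SCRIPT_EXTENSIONS) for n in names):
        return "script-in-zip"
    # A Word package carries a content-types part and a word/ folder.
    if "[content_types].xml" in names and any(n.startswith("word/") for n in names):
        return "docx"
    return "other-zip"


def verdict(url: str, data: bytes) -> str:
    """Decide what to do with a download, given the URL it came from and its bytes."""
    kind = classify_download(data)
    if kind == "script-in-zip":
        return "quarantine"
    if url.lower().endswith(".docx") and kind != "docx":
        return "review"  # claims to be Word but is not an OOXML package
    return "allow"
```

The check is content-based on purpose: the post stresses that the email and URL look identical in both cases, so only the delivered archive can tell you which one you received.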
NETRESEC netresec@infosec.exchange
2024-10-24

CapLoader wasn’t designed as an alternative to a traditional NIDS, but the Alerts tab often gives a VERY good overview of the malicious traffic. Here’s a screenshot of CapLoader’s alerts for some recent PCAP files from malware-traffic-analysis.net.

#Lumma #GootLoader #AgentTesla #RURAT #Remcos #RedLine #BackConnect

0	Malicious protocol	TLS, GootLoader	4	High		2024-06-24 16:39:59	3	10.6.24.101	94.242.50.135	443	TCP	tucinehd.com	43317	SIA VEESP
1	Malicious protocol	TLS, GootLoader	4	High		2024-06-24 16:40:01	4	10.6.24.101	142.251.116.94	443	TCP	update.googleapis.com, fonts.gstatic.com	15169	GOOGLE
2	Malicious protocol	TLS, Lumma	4	High		2024-06-24 16:42:15	2	10.6.24.101	172.67.138.40	443	TCP	latesttributedowps.shop	13335	CLOUDFLARENET
3	Malicious protocol	TLS, Lumma	4	High		2024-06-24 16:42:21	3	10.6.24.101	104.21.70.178	443	TCP	latesttributedowps.shop	13335	CLOUDFLARENET
4	Malicious protocol	BackConnect XOR	4	High		2024-06-25 19:41:24	2	10.6.25.101	64.7.198.158	443	TCP		399629	BLNWX
5	Malicious protocol	Remcos	4	High		2024-08-26 20:39:27	2	10.8.26.101	206.123.148.197	3980	TCP	janbours92harbu03.duckdns.org	9009	M247 Europe SRL
6	Malicious protocol	SMTP, Agent Tesla	4	High		2024-09-16 20:08:45	2	10.9.16.101	208.91.199.223	587	TCP	us2.smtp.mailhostbox.com, smtp.inhousepick.com	46606	UNIFIEDLAYER-AS-1
7	Malicious protocol	FTP, Agent Tesla	4	High		2024-09-17 20:07:17	1	10.9.17.101	216.252.233.118	21	TCP	lifechangerscare.com, ftp.lifechangerscare.com	40676	AS40676
8	Malicious protocol	RURAT	4	High		2024-10-01 16:59:42	1	10.10.1.101	111.90.140.34	80	TCP		45839	Shinjiru Technology Sdn Bhd
9	Malicious protocol	RURAT	4	High		2024-10-01 17:06:21	5	10.10.1.101	65.21.245.7	5651	TCP		24940	Hetzner Online GmbH
