#gootloader

Latest posts tagged with #gootloader on Bluesky

Posts tagged #gootloader

LevelBlue - Open Threat Exchange Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

#GootLoader IoCs from 22 January 2026. More IoCs at otx.alienvault.com

Compromised hosts and file indicators:
gist.github.com/FernandoDomi...

0 0 0 0

Gootloader malware resurfaces with advanced evasion tactics, bypassing modern security measures. Stay vigilant and implement robust defenses. #CyberSecurity #Malware #Gootloader #Ransomware Link: thedailytechfeed.com/gootloader-m...

1 0 0 0

GootLoader Bypasses Security With ZIPs
Read More: buff.ly/3Uc6emB

#GootLoader #Malware #InitialAccess #Ransomware #CobaltStrike #Rhysida #WindowsSecurity #ThreatHunting #EDR #MalwareAnalysis #CyberDefense

0 0 0 0
GootLoader Malware Uses Malformed ZIP Archives to Evade Detection

A fresh tactic has emerged among cybercriminals using GootLoader, a JavaScript-driven malware installer. Instead of standard compression, they now distribute broken ZIP files designed to slip past digital defenses. These flawed archives exploit differences across decompression programs - some fail to process them, others do so partially. This mismatch lets malicious code stay concealed during scans yet run normally when opened by users. Findings detailed by Expel show that inconsistent parsing logic in software plays right into attacker hands. Hidden scripts activate only when handled by specific tools found on typical machines.

Starting with a strange structure, these harmful ZIP files combine around 500 to 1,000 smaller archives into one large package. Because of this layered setup, standard programs like WinRAR or 7-Zip cannot properly read them - tools often relied on during malware checks. Due to the confusion they create, automatic detection systems frequently skip examining what's inside. Yet, when opened through Windows’ own built-in decompression feature, the file works without issue.

That smooth operation lets victims unknowingly unpack dangerous content. Since 2020, GootLoader has maintained a presence among cyber threats, primarily spreading via manipulated search results and deceptive online ads. People looking for official forms or corporate paperwork may unknowingly land on hacked WordPress sites offering infected files. These corrupted archives, once opened, trigger the payload delivery mechanism embedded within the software. Acting as a gateway tool, it paves the way for additional harmful programs - ransomware being one frequent outcome.

The chain of infection begins quietly, escalating quickly under the radar. By late 2025, Expel researchers noticed subtle upgrades, showing how the attack method keeps shifting. Instead of just stacking archives, hackers shorten key metadata inside ZIP structures - especially tampering with the end of central directory entries. That tweak triggers failures in numerous analysis programs, yet files still open in Windows Explorer.

Inside the package, unimportant sections get scrambled too, throwing off predictable reading patterns and making automated inspection harder. Researchers refer to this method as "hashbusting," delivering a distinct ZIP file to each target. Every time someone downloads it, differences in the archive's layout and data prevent standard hash checks from working. Even the JavaScript inside changes form with each instance. Detection systems relying on repeated patterns struggle as a result.

What makes the delivery hard to catch lies in its method. Rather than sending a typical ZIP archive, attackers transmit the malicious code as an XOR-encrypted flow of data, rebuilt only after reaching the target's browser. It grows by adding copies of itself over and over, expanding until it meets a specific volume - this skirts detection meant for compressed files. After launch, the script runs using built-in Windows tools, skipping any need to unpack completely, so the attack unfolds without drawing attention.

Once active, it stays on the machine by placing shortcuts into the Windows Startup directory - then triggers further scripts through native utilities like cscript or PowerShell. From there, data collection begins: details about the system get pulled and sent back to distant servers that control the attack, setting up what comes next without delay.

Although often overlooked, limiting access to built-in tools such as wscript.exe helps block common attack paths. Instead of running scripts automatically, setting systems to display code in basic viewers adds another layer of protection. As seen with GootLoader’s shifts over time, attackers now twist everyday OS functions into stealthy weapons, staying active even when defenses improve.

GootLoader Malware Uses Malformed ZIP Archives to Evade Detection #CyberSecurity #GootLoader #MaliciousCodes

0 0 0 0
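The article preview above describes two structural tricks: hundreds of archives concatenated into one ZIP, and an end-of-central-directory (EOCD) record cut short so that analysis tools fail while Windows Explorer still opens the file. Both leave traces that a few byte-level checks can surface. The script below is an added example written for this feed; it is not code from the article, from Expel, or from any of the posters. The three sample archives (file names and contents are placeholders) are constructed in memory so the script runs offline, and the signature counting is a heuristic: compressed payload bytes can in principle contain a stray "PK" marker.

```python
"""Structural triage of ZIP archives for the two GootLoader tricks described
in the article preview above: many archives concatenated into one file, and a
shortened end-of-central-directory (EOCD) record.  Added example, not code
from the article, Expel or the poster; sample archives are constructed below."""
import io
import struct
import zipfile

SIG_LOCAL = b"PK\x03\x04"    # local file header
SIG_CENTRAL = b"PK\x01\x02"  # central directory file header
SIG_EOCD = b"PK\x05\x06"     # end of central directory record
EOCD_LEN = 22                # fixed-size part of the EOCD record
# signature, disk no., CD disk, entries on this disk, entries total,
# CD size, CD offset, comment length
EOCD_FMT = "<4sHHHHIIH"


def find_all(data, sig):
    """Every offset at which `sig` occurs (heuristic: may also hit payload bytes)."""
    hits, pos = [], data.find(sig)
    while pos != -1:
        hits.append(pos)
        pos = data.find(sig, pos + 1)
    return hits


def audit_zip(data):
    """Compare what the last EOCD record advertises with what the raw bytes
    contain, and record whether Python's zipfile would accept the file."""
    eocds = find_all(data, SIG_EOCD)
    report = {
        "eocd_records": len(eocds),
        "local_headers": len(find_all(data, SIG_LOCAL)),
        "central_headers": len(find_all(data, SIG_CENTRAL)),
        "last_eocd_entries": None,     # entries the final EOCD claims
        "hidden_local_entries": None,  # local headers beyond that claim
        "truncated_eocd": not eocds,   # no EOCD at all counts as truncated
        "zipfile_names": None,         # what zipfile lists, or None on error
    }
    if eocds:
        tail = data[eocds[-1]:]
        if len(tail) < EOCD_LEN:
            report["truncated_eocd"] = True
        else:
            fields = struct.unpack(EOCD_FMT, tail[:EOCD_LEN])
            report["last_eocd_entries"] = fields[4]
            report["hidden_local_entries"] = report["local_headers"] - fields[4]
            # the record promises exactly `comment length` trailing bytes
            if len(tail) - EOCD_LEN != fields[7]:
                report["truncated_eocd"] = True
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            report["zipfile_names"] = zf.namelist()
    except zipfile.BadZipFile:
        pass
    report["suspicious"] = (
        report["eocd_records"] != 1
        or report["truncated_eocd"]
        or report["local_headers"] != report["central_headers"]
        or bool(report["hidden_local_entries"])
    )
    return report


def make_zip(name, content):
    """Build a minimal single-file archive in memory (stored, not deflated,
    so the payload bytes cannot accidentally form a PK signature)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples; names and contents are placeholders.
CLEAN = make_zip("invoice.txt", b"ordinary attachment\n")
# Two archives glued back to back: a last-EOCD parser sees only the second.
CONCATENATED = make_zip("decoy.txt", b"decoy\n") + make_zip("agreement.js", b"// placeholder\n")
# A valid archive whose EOCD record has been cut two bytes short.
TRUNCATED = CLEAN[:-2]

if __name__ == "__main__":
    for label, blob in ("clean", CLEAN), ("concatenated", CONCATENATED), ("truncated", TRUNCATED):
        print(label, audit_zip(blob))
```

The point the samples make is that a library-level view is not enough for triage: Python's zipfile follows the final EOCD, so on the concatenated sample it reports only `agreement.js` and never mentions the earlier local header, and on the truncated sample it rejects the file outright rather than telling you what was there. Counting raw signatures and checking the EOCD's own comment-length promise catches both cases before any unpacking happens.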

GootLoader malware evolves with advanced ZIP archive techniques to evade detection. Stay vigilant and implement security measures to protect your systems. #CyberSecurity #Malware #GootLoader Link: thedailytechfeed.com/gootloader-m...

0 0 0 0

Gootloader returns more dangerous than ever: the malware embedded in a ZIP is back in the spotlight

📌 Link to the article: www.redhotcyber.com/post/rit...

#redhotcyber #news #malware #cybersecurity #hacking #gootloader

0 0 0 0
This nearly impossible-to-analyze ZIP file hides a well-known malware Back in late 2025, Gootloader is changing tactics. The malware now relies on a deliberately malformed ZIP archive to trip up analysis tools, without ever preventing the executio...

This nearly impossible-to-analyze ZIP file hides a well-known malware
www.clubic.com/actualite-59...

#Infosec #Security #Cybersecurity #CeptBiro #ZIP #Malware #Gootloader #Ransomware

0 0 0 0
GootLoader Malware Uses 500–1,000 Concatenated ZIP Archives to Evade Detection The JavaScript (aka JScript) malware loader called GootLoader has been observed using a malformed ZIP archive that's designed to sidestep detection efforts by concatenating anywhere from 500 to 1,000 archives. "The actor creates a malformed archive as an anti-analysis technique," Expel security researcher Aaron Walton said in a report shared with The Hacker News. "That is, many unarchiving tools

iT4iNT SERVER GootLoader Malware Uses 500–1,000 Concatenated ZIP Archives to Evade Detection VDS VPS Cloud #GootLoader #Malware #CyberSecurity #InfoSec #MalwareAnalysis

0 0 0 0

GootLoader reportedly chains 500–1,000 concatenated ZIP archives to evade detection, using archive concatenation to obscure payloads from scanners. #GootLoader #zip #malware https://bit.ly/49ESpj7

0 0 0 0
Gootloader now uses 1,000-part ZIP archives for stealthy delivery The Gootloader malware, typically used for initial access, is now using a malformed ZIP archive designed to evade detection by concatenating up to 1,000 archives.

#Gootloader now uses 1,000-part #ZIP archives for stealthy delivery

www.bleepingcomputer.com/news/security/gootloader...

#cybersecurity

0 0 0 0

📰 Gootloader Uses 1,000-Part ZIP Archives for Stealthier Malware Distribution

👉 Read the full article here: ahmandonk.com/2026/01/16/gootloader-zi...

#ancaman #siber #cybersecurity #gootloader #malware #ransomware #zip #archive

0 0 0 0

GootLoader returns with advanced font obfuscation, hiding malware on WordPress sites. Stay alert and secure your systems. #CyberSecurity #Malware #GootLoader #WordPress #InfoSec Link: thedailytechfeed.com/gootloader-r...

0 0 0 0
Original post on webpronews.com

GootLoader’s Cunning Revival: Font Obfuscation Fuels Fresh Cyber Onslaught GootLoader malware has resurfaced after seven months, using innovative font tricks on WordPress sites to hide payloads a...

#CybersecurityUpdate #cybersecurity #evasion #font #trick […]


0 0 0 0
GootLoader Is Back, Using a New Font Trick to Hide Malware on WordPress Sites The malware known as GootLoader has resurfaced yet again after a brief spike in activity earlier this March, according to new findings from Huntress. The cybersecurity company said it observed three GootLoader infections since October 27, 2025, out of which two resulted in hands-on keyboard intrusions with domain controller compromise taking place within 17 hours of initial infection. "

iT4iNT SERVER GootLoader Is Back, Using a New Font Trick to Hide Malware on WordPress Sites VDS VPS Cloud #Cybersecurity #Malware #WordPress #GootLoader #Hacking

0 0 0 0

🚨 Gootloader malware is back — and it’s smarter than ever! 🔒 Stay protected with Technijian’s cybersecurity experts.
👉 Schedule your appointment: Technijian.com
📞 (949) 379-8500
#Gootloader #Cybersecurity #MalwareAlert #Ransomware #DataProtection #CyberAwareness #IrvineIT #OrangeCountyBusiness

1 0 0 0

Gootloader malware hides in Google Ads for legal documents, while 239 infected Android apps on the Play Store hit 42 million users with trojans, adware and spyware worldwide.

#Android #GoogleAds #GooglePlayStore #GootLoader #spyware #trojanbancario
www.matricedigitale.it/2025/11/06/m...

0 0 0 0

Gootloader Makes a Comeback With Advanced ZIP-Based Payload Delivery After a brief lull, the notorious Gootloader malware has resurfaced with new techniques to evade both analysts and automated det...

#Cyber #Security #News #JavaScript #Gootloader #comeback


0 1 0 0

Gootloader Makes a Comeback With Advanced ZIP-Based Payload Delivery After a brief lull, the notorious Gootloader malware has resurfaced with new techniques aimed at evading both analysts and autom...

#Cyber #Security #News #Gootloader #comeback


0 1 0 0

📰 Gootloader Malware Returns to Action with New Techniques After a 7-Month Hiatus

👉 Read the full article here: ahmandonk.com/2025/11/06/malware-gootl...

#backdoor #cobalt #strike #gootloader #huntress #javascript #keamanan #siber #malware #phis

2 0 0 0
Gootloader Returns with Fake Legal Document Lure via Google Ads Explore the new Gootloader tactics using Google Ads to spread malware through legal document searches and social engineering.

#Gootloader malware resurfaces—now spreading via Google Ads, pushing fake legal documents. Targets corporate users with SEO poisoning.

Active campaign: securityonline.info/gootloader-r... #CyberSecurity #Malware

0 0 0 0

Under certain conditions, the URL will lead to a zip file with a JavaScript file that installs #GootLoader, while at other times it will lead to an actual docx template used as a decoy. It is not possible to see from the email or URL if it will lead to the malicious file or not.

1 0 1 0

Great research on that #GootLoader is now including email in their delivery chain. Please don't download NDAs and other contract templates from free sites without any history.

1 0 0 0
🚨Gootloader Returns: Malware Hidden in Google Ads for Legal Documents The threat actor behind the Gootloader malware has once again changed their tactics, but also reverted to some of their old ways. Just like with the previous infection method, we are seeing Google …

⚠️ New TTPs detected for #Gootloader ⚠️
Out are the PDF conversions and back in are legal document lures. They are still using #malvertising, not SEO poisoning.

gootloader.wordpress.com/2025/03/31/g...

5 3 0 2
Gootloader Malware Employs Blackhat SEO Techniques to Attack Victims The Gootloader malware family employs sophisticated social engineering tactics to infiltrate computers.

Gootloader Malware Employs Blackhat SEO Techniques To Attack Victims
gbhackers.com/gootloader-m...

#Infosec #Security #Cybersecurity #CeptBiro #Gootloader #Malware #BlackhatSEOTechniques

0 0 0 0
The source of the Gootloader landing pages reveals a number of different search terms and phrases the threat actors wanted search engines to index. The linked subpages (selected in green) don't actually exist. The injected WordPress code defines a few hooks, one of them for non-existing pages. This serves the fake forum discussion when the victim clicks on the search result.


[re: Long thread]

Nobody knows exactly how the #Gootloader operators are finding and taking control over personal and business websites that use WordPress, but it's likely due to an earlier compromise of the site's administrator credentials, through […]

[Original post on infosec.exchange]

0 0 0 0
Original post on infosec.exchange

Hi everyone, it's @threatresearch driving the X-Ops social media today to let you know about a story we just published, written by my colleague Gabor Szappanos.

Szapi has done significant research in the past into a #malware family called #Gootloader that (for years, now) uses malicious #SEO […]

1 5 2 0
Tools/jQuery-GootloaderJSv2.yar at main · GootloaderSites/Tools Contribute to GootloaderSites/Tools development by creating an account on GitHub.

Created a new #yara rule for #gootloader, thanks to @malwrhunterteam.bsky.social smica83. github.com/GootloaderSi...

4 1 0 0
#169 - Intel Chat: Tools, N. Korean IT workers, GootLoader, FakeBat & Pacific Rim YouTube video by LimaCharlie

I just published episode #169 of The Cybersecurity Defenders Podcast on YouTube. A great chat about some current intel that is co-hosted by the one and only @bromiley.bsky.social.

You can watch it here: youtu.be/n2VM4t-eiB4

#cybersecurity #podcast #gootloader #fakebat

6 1 1 0

GootLoader malware has transformed into an initial access platform, using SEO poisoning to infiltrate victims' systems. This evolution highlights the need for heightened awareness in #potatosecurity. Stay protected and informed about the latest #threats. #malware #GootLoader

0 0 0 0

The #GootLoader sample in a recent IR case is not detected by a single AV product. Interestingly, when I search for similar files on VirusTotal, there are more GootLoader samples with Zero detections.

The files are heavily obfuscated and pretty big (over 40MB).

0 0 0 0