GootLoader Returns With Font Trick

November 12, 2025
in Alerts

The highly active malware known as GootLoader has recently resurfaced, following a brief increase in activity earlier this year. Cybersecurity researchers have documented new infections since late October 2025, noting that in two observed cases, the malware rapidly escalated to full hands-on-keyboard network intrusions, compromising the domain controller within just 17 hours of the initial breach. This JavaScript-based loader, managed by the group Hive0127 (aka UNC2565), is primarily distributed through SEO poisoning, tricking users searching for common files like legal templates into downloading malicious ZIP archives from compromised WordPress sites. The threat actor leverages the WordPress comment endpoint to deliver these payloads, which are often a precursor to dropping larger threats, including various ransomware strains.

The renewed attacks demonstrate significant advancements in evasion techniques. One of the most notable new methods involves using custom WOFF2 fonts with glyph substitution to obfuscate filenames. When a victim views the compromised site, the font makes malicious filenames appear as legitimate documents, such as a PDF guide. However, if the user tries to copy the filename or inspect the source code, they are met with a string of nonsensical, scrambled characters. This complex Z85-encoded custom font file is directly embedded into the page’s JavaScript, effectively defeating static analysis tools by hiding the true nature of the file being downloaded.
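Since the article says the glyph-substitution font is Z85-encoded and embedded directly in the page's JavaScript, a page-triage script can look for long Z85 runs that decode to a font file signature. This is an added example, not code from the article or from the researchers it cites: the Z85 alphabet comes from the ZeroMQ RFC 32 spec and the `wOF2`/`wOFF` magics from the WOFF specs (it also catches WOFF1, slightly beyond what the page describes), while the 40-character run threshold, the function names and the sample page are assumptions made for the illustration.

```python
import re

Z85_ALPHABET = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ.-:+=^!/*?&<>()[]{}@%$#"
Z85_INDEX = {c: i for i, c in enumerate(Z85_ALPHABET)}
FONT_MAGICS = (b"wOF2", b"wOFF")  # real WOFF2 / WOFF file signatures
# Threshold of 40 characters (32 decoded bytes) is an assumption chosen to skip short tokens.
Z85_RUN = re.compile("[" + re.escape(Z85_ALPHABET) + "]{40,}")

def z85_encode(data: bytes) -> str:
    """Z85 (ZeroMQ RFC 32): every 4 bytes become 5 characters, most significant first."""
    if len(data) % 4:
        raise ValueError("Z85 input length must be a multiple of 4")
    chunks = (int.from_bytes(data[i:i + 4], "big") for i in range(0, len(data), 4))
    return "".join(Z85_ALPHABET[(v // 85 ** k) % 85] for v in chunks for k in range(4, -1, -1))

def z85_decode(text: str) -> bytes:
    """Inverse of z85_encode; raises KeyError/OverflowError on text that is not valid Z85."""
    if len(text) % 5:
        raise ValueError("Z85 text length must be a multiple of 5")
    out = bytearray()
    for i in range(0, len(text), 5):
        value = 0
        for c in text[i:i + 5]:
            value = value * 85 + Z85_INDEX[c]
        out += value.to_bytes(4, "big")  # OverflowError if the group exceeds 32 bits
    return bytes(out)

def find_z85_fonts(page_text: str):
    """(offset, magic, run_length) for each long Z85 run that decodes to a WOFF/WOFF2 header."""
    hits = []
    for m in Z85_RUN.finditer(page_text):
        run = m.group(0)
        for shift in range(5):  # the run may start with stray alphabet characters such as '='
            try:
                head = z85_decode(run[shift:shift + 5])
            except (KeyError, ValueError, OverflowError):
                continue
            if head in FONT_MAGICS:
                hits.append((m.start() + shift, head.decode(), len(run) - shift))
                break
    return hits

def build_sample_page() -> str:
    """Constructed page: a Z85-wrapped dummy WOFF2 header in a script, plus a benign long hex token."""
    fake_font = z85_encode(b"wOF2" + bytes(36))  # 40 bytes -> 50 characters; not a real font
    return ('<script>var f="' + fake_font + '";</script>\n'
            '<link href="app.css?v=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855">')
```

A hit only tells you a font is being smuggled through script text rather than a normal `@font-face` URL; the decoded bytes still need to be compared against the site's legitimate font assets before calling the page compromised.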

Furthermore, the threat actor has introduced a new modification to the ZIP archive itself to bypass automated security checks. Tools commonly used for sandbox analysis, such as VirusTotal, Python utilities, or 7-Zip, will extract the archive to reveal an innocuous-looking .TXT file. Crucially, when the same file is opened using Windows File Explorer, it extracts the actual intended payload: a valid JavaScript file. This simple, yet effective, evasion technique buys the threat actor valuable time by concealing the payload’s true nature from many automated and preliminary analysis systems before it can execute its full function.
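The archive trick described above works because different extractors disagree about what the ZIP contains. The article does not describe the exact malformation, so this added example (not code from the article or from the researchers it cites) checks one generic class of disagreement that produces such splits: the local file headers a streaming unzipper walks front to back versus the central directory a library-based unzipper trusts. The function names, the `guide.txt`/`guide0.js` names and the sample archive are constructed for the illustration.

```python
import io, struct, zipfile

LOCAL_SIG, CENTRAL_SIG, EOCD_SIG = b"PK\x03\x04", b"PK\x01\x02", b"PK\x05\x06"

def local_headers(data):
    """Walk local file headers front to back, as a streaming extractor would: {offset: (name, crc, csize)}."""
    entries, pos = {}, 0
    while data[pos:pos + 4] == LOCAL_SIG:
        _, _, flags, _, _, _, crc, csize, _, nlen, xlen = struct.unpack_from("<4s5H3I2H", data, pos)
        entries[pos] = (data[pos + 30:pos + 30 + nlen].decode("utf-8", "replace"), crc, csize)
        if flags & 0x8 and csize == 0:
            break  # sizes live in a trailing data descriptor; stop rather than guess
        pos += 30 + nlen + xlen + csize
    return entries

def central_entries(data):
    """Read the central directory, the view most library-based unzippers trust: [(name, crc, csize, offset)]."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    total, pos, entries = struct.unpack_from("<H", data, eocd + 10)[0], struct.unpack_from("<I", data, eocd + 16)[0], []
    for _ in range(total):
        f = struct.unpack_from("<4s6H3I5H2I", data, pos)  # f[7]=crc f[8]=csize f[10]=nlen f[11]=xlen f[12]=clen f[16]=offset
        name = data[pos + 46:pos + 46 + f[10]].decode("utf-8", "replace")
        entries.append((name, f[7], f[8], f[16]))
        pos += 46 + f[10] + f[11] + f[12]
    return entries

def zip_inconsistencies(data):
    """Findings where the two views of the archive disagree; an empty list means they agree."""
    local, findings, seen = local_headers(data), [], set()
    for name, crc, csize, offset in central_entries(data):
        seen.add(offset)
        if offset not in local:
            findings.append(f"central entry {name!r}: no local header at offset {offset}")
        elif local[offset][0] != name:
            findings.append(f"name mismatch at {offset}: local {local[offset][0]!r} vs central {name!r}")
        elif local[offset][1:] != (crc, csize):
            findings.append(f"CRC/size mismatch for {name!r} at offset {offset}")
    findings += [f"local entry {n!r} at {o} absent from central directory" for o, (n, _, _) in local.items() if o not in seen]
    return findings

def build_sample(tamper=False):
    """Constructed one-file archive; tamper=True rewrites only the local-header copy of the name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("guide.txt", "constructed harmless text")
    raw = buf.getvalue()
    return raw.replace(b"guide.txt", b"guide0.js", 1) if tamper else raw
```

Any non-empty result is a reason to detonate the archive with the same extractor the victim population uses rather than trusting one tool's listing.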

The intended payload within the archive is a JavaScript-based program designed to deploy the Supper backdoor (also tracked as SocksShell or ZAPCAT). Supper provides the attackers with both remote control and SOCKS5 proxying capabilities. In previous documented attack chains, GootLoader infections have been observed handing off access to the threat group Vanilla Tempest (also known as Storm-0494), which then uses Supper and tools like AnyDesk to deploy INC ransomware or other threats such as those associated with the Rhysida ransomware group. In the recent Huntress-documented incident, the threat actors leveraged the Supper backdoor to use Windows Remote Management (WinRM) to move laterally within the network.

This lateral movement enabled them to quickly reach the Domain Controller and establish persistence by creating a new, admin-level user account. The Supper backdoor is characterized by its tedious obfuscation, including custom encryption, API hammering, and runtime shellcode construction, all designed to frustrate analysis. Despite these layers of complexity, security researchers note that the core capabilities remain basic—SOCKS proxying and remote shell access. The success of this “good enough” approach highlights that sophisticated exploits aren’t always necessary when threat actors can effectively weaponize and obfuscate basic, reliable tools to achieve rapid network compromise and domain controller takeover.

Reference:

  • GootLoader Back Using A New Font Trick To Hide Malware On WordPress Sites