The Gootloader malware loader has reactivated its operations following a seven-month period of inactivity. This highly persistent threat is once again leveraging a technique known as SEO poisoning to push fake websites high up in search engine results. These sites, often impersonating sources for legal documents or agreements, are designed to distribute the JavaScript-based malware loader. Gootloader’s return means it is actively performing its primary function of enticing unsuspecting users to download and execute malicious files, thereby initiating a chain of infection.
Gootloader spreads through compromised or entirely attacker-controlled websites. Historically, the campaigns used fake message boards where “users” would recommend downloading malicious document templates. More recently, the strategy shifted to dedicated websites offering free templates for various legal documents. When a visitor clicked “Get Document,” the site performed a check to filter for legitimate users and then delivered a compressed archive containing a malicious file posing as the requested document, typically a JScript file with a .js extension, such as mutual_non_disclosure_agreement.js.
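The delivery described above, a ZIP archive whose only "document" is a JScript file, is simple to triage at a mail gateway or download proxy. The following is an added example, not code from the article or from any vendor's product: it opens an archive in memory and flags members whose extension Windows Script Host would execute directly, noting whether the filename also mimics a legal document. The article names only the .js extension and the sample filename mutual_non_disclosure_agreement.js; the wider extension set and the list of lure words are this example's own assumptions, and the archive it inspects is constructed inline.

```python
"""Triage helper: flag script files inside ZIP archives that pose as documents.

Added example, not from the article. The article describes a ZIP containing
a JScript file such as mutual_non_disclosure_agreement.js; this generalises
that to the other Windows Script Host extensions (an assumption beyond the
article's .js).
"""
import io
import zipfile

# Extensions Windows Script Host / mshta run when double-clicked.
# Assumption: the article only names .js; the rest are added for coverage.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta"}

# Words typical of the legal-document lures the article describes (assumed list).
DOCUMENT_WORDS = ("agreement", "contract", "nda", "disclosure", "template", "policy", "form")


def flag_script_entries(zip_bytes: bytes) -> list[dict]:
    """Return one finding per archive member that is a directly executable script.

    Each finding records the member name, its extension, its size, and whether
    the filename also reads like a legal document (the social-engineering half).
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            # Strip any path component, then split off the final extension.
            name = info.filename.rsplit("/", 1)[-1].lower()
            stem, dot, ext = name.rpartition(".")
            ext = "." + ext if dot else ""
            if ext not in SCRIPT_EXTENSIONS:
                continue
            findings.append({
                "member": info.filename,
                "extension": ext,
                "document_lure": any(word in stem for word in DOCUMENT_WORDS),
                "size": info.file_size,
            })
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample: the lure filename from the article plus a benign PDF-like member.

    The script body is a placeholder comment, not loader code.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mutual_non_disclosure_agreement.js", "// placeholder, not real loader code\n")
        zf.writestr("readme.pdf", b"%PDF-1.4\n%placeholder\n")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in flag_script_entries(build_sample_archive()):
        print(finding)
```

Run on the constructed archive, the helper reports the .js member and marks it as a document lure while ignoring the PDF; in practice a finding with `document_lure` set is a strong reason to quarantine the archive before a user can double-click the script.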
Once the malicious document is executed, Gootloader takes over, downloading and deploying additional sophisticated malware payloads onto the victim’s device. These secondary payloads often include Cobalt Strike, various backdoors, and bots, all of which are instrumental in establishing initial access to corporate networks. This initial foothold is highly valuable to other cybercriminal groups who then exploit it to deploy ransomware or conduct other damaging attacks, making Gootloader a key enabler for larger cyber campaigns.
For years, a cybersecurity researcher operating under the pseudonym “Gootloader” has been dedicated to disrupting this operation. The researcher has actively tracked and worked to dismantle the malware’s infrastructure by submitting abuse reports to Internet Service Providers and hosting platforms. According to the researcher, these disruption activities directly led to the Gootloader operation suddenly ceasing all activity on March 31st, 2025.
However, the break has ended. The researcher, along with Anna Pham of Huntress Labs, has confirmed that Gootloader is back in full force with a new campaign that continues to impersonate legal document providers. The renewed effort is extensive, with the researcher noting, “In this latest campaign, we’ve observed thousands of unique keywords spread over 100 websites.” Despite the brief pause and adjustments, the core objective remains unchanged: to convince victims to download the malicious ZIP archive containing the JScript file to gain initial network access, ultimately leading to ransomware deployment.