
GootLoader Strikes Again: The Font Trickery Concealing Malware on WordPress


The Return of GootLoader: A New Wave of Cyber Attacks Unveiled

Recent findings from cybersecurity firm Huntress reveal a resurgence in GootLoader activity, with three infections detected since October 27, 2025. Two of those infections progressed to hands-on-keyboard intrusions in which the attackers compromised a domain controller within 17 hours of the initial infection.

Security researcher Anna Pham highlighted GootLoader's use of custom WOFF2 fonts with glyph substitution to obfuscate filenames: the text in the page source is scrambled, and only the custom font renders it as a readable name. The malware serves its XOR-encrypted ZIP payloads through WordPress comment endpoints on compromised sites, using a different key for each file.
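Huntress's observation that each ZIP is XOR-encrypted with its own key raises the practical question of how an analyst recovers the key from a captured download when the loader script that holds it is not available. The following is an added example, not Huntress's code or anything taken from GootLoader, and it assumes a repeating-key XOR (the page does not state the key length or how the key is derived). It uses the fixed bytes present in any ZIP file, the local file header signature at offset 0 and the end-of-central-directory record at the tail, as known plaintext to derive a candidate key for each length, and validates a candidate by actually opening the decrypted bytes as a ZIP. The sample archive, its member name and the key are constructed here for the demonstration.

```python
import io
import zipfile

# Known-plaintext positions in any ZIP that carries no archive comment:
#   offset 0..3      local file header signature "PK\x03\x04"
#   end-22..end-19   end-of-central-directory (EOCD) signature "PK\x05\x06"
#   end-18..end-15   disk number and CD start disk, both 0 on single-disk archives
#   end-2..end-1     comment length, 0 when there is no comment
EOCD_SIZE = 22


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    klen = len(key)
    return bytes(b ^ key[i % klen] for i, b in enumerate(data))


def known_plaintext(n: int) -> dict:
    """Return {offset: expected_byte} for an n-byte ZIP without a comment."""
    known = {0: 0x50, 1: 0x4B, 2: 0x03, 3: 0x04}
    base = n - EOCD_SIZE
    for i, b in enumerate(b"PK\x05\x06\x00\x00\x00\x00"):
        known[base + i] = b
    known[n - 2] = 0
    known[n - 1] = 0
    return known


def recover_xor_key(blob: bytes, max_key_len: int = 32):
    """Try key lengths 1..max_key_len; return (key, decrypted_zip) or None."""
    n = len(blob)
    if n < EOCD_SIZE + 4:
        return None
    known = known_plaintext(n)
    for klen in range(1, max_key_len + 1):
        key = [None] * klen
        consistent = True
        for off, pt in known.items():
            kb = blob[off] ^ pt
            slot = off % klen
            if key[slot] is None:
                key[slot] = kb
            elif key[slot] != kb:
                consistent = False  # two known bytes disagree: wrong length
                break
        if not consistent or None in key:
            continue  # contradiction, or a key position never observed
        candidate = bytes(key)
        dec = xor_bytes(blob, candidate)
        try:
            with zipfile.ZipFile(io.BytesIO(dec)) as zf:
                if zf.testzip() is None:  # every member's CRC checks out
                    return candidate, dec
        except (zipfile.BadZipFile, OSError, ValueError, EOFError):
            pass
    return None


def build_sample(key: bytes, payload_name: str, payload: bytes) -> bytes:
    """Constructed stand-in for a GootLoader-style download: a stored ZIP, XORed with key.
    This is not a real sample; the name and contents are invented for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(payload_name, payload)
    return xor_bytes(buf.getvalue(), key)


if __name__ == "__main__":
    sample_key = bytes([0x5A, 0xC3, 0x17, 0x8E, 0x2B])  # constructed key
    blob = build_sample(sample_key, "invoice.js", b"WScript.Echo('constructed sample');\n")
    result = recover_xor_key(blob)
    print("recovered key:", result[0].hex() if result else "none")
```

A key position that none of the known-plaintext offsets touches leaves the candidate incomplete, and it is skipped; for longer keys an analyst would add more known plaintext, for example the central directory signature `PK\x01\x02` at the offset the EOCD record names. If recovery fails for every length, the scheme is not a plain repeating XOR and the key has to be pulled from the loader script that performs the decryption.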

GootLoader, linked to threat actor Hive0127 (aka UNC2565), is a JavaScript-based malware loader commonly distributed through search engine optimization (SEO) poisoning tactics to deliver additional payloads, including ransomware.

Microsoft’s Insight into GootLoader’s Collaborative Efforts

Microsoft’s report from last September disclosed that the threat actor Vanilla Tempest receives hand-offs of GootLoader infections from another threat actor, Storm-0494. The hand-off leads to the deployment of a backdoor called Supper (aka SocksShell or ZAPCAT) and the use of AnyDesk for remote access, and ultimately to the deployment of INC ransomware.

Moreover, Supper has been associated with Interlock RAT (aka NodeSnake), a malware often linked to Interlock ransomware. These overlaps point to links between the different threat actors in this cybercriminal ecosystem.

Evolution of GootLoader’s Tactics

Earlier this year, GootLoader’s operators utilized Google Ads to target victims searching for legal templates, redirecting them to compromised WordPress sites hosting malware-laced ZIP archives.

The latest attack sequence observed by Huntress starts with Bing searches for specific terms that lead users to download ZIP archives. Notably, GootLoader now employs custom web fonts to obfuscate filenames: the name is stored as jumbled characters in the page source, and only the font's remapped glyphs render it as readable text, so static analysis of the HTML sees garbage while the victim sees a normal filename.


Furthermore, a new evasion technique makes the ZIP archive appear harmless when opened with some archive tools, while Windows File Explorer extracts a valid JavaScript file, the intended payload, from the same archive.
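The evasion above depends on two parsers reading the same archive differently. One common way to produce that effect is to make the central directory, which many tools trust, disagree with the local file headers that a sequential extractor follows. The checker below is an added example, not Huntress's tooling, that parses both views of a ZIP and reports every disagreement; the archive it tests is constructed here by renaming the directory entry of an ordinary ZIP to a harmless-looking name of the same length. Which structure GootLoader actually manipulates is not stated on this page, so the sample illustrates the class of trick rather than reproducing the real archive.

```python
import io
import struct
import zipfile

LOCAL_SIG, CD_SIG, EOCD_SIG = b"PK\x03\x04", b"PK\x01\x02", b"PK\x05\x06"
# Fixed-size parts of the local header (30 bytes), central directory header (46)
# and end-of-central-directory record (22), little-endian as the ZIP spec requires.
LOCAL_FMT, CD_FMT, EOCD_FMT = "<4sHHHHHIIIHH", "<4sHHHHHHIIIHHHHHII", "<4sHHHHIIH"


def walk_local_headers(blob: bytes) -> list:
    """Sequential view: follow local file headers from offset 0, as a streaming extractor does."""
    entries, off = [], 0
    while blob[off:off + 4] == LOCAL_SIG:
        (_, _, flags, _, _, _, _, csize, _, nlen, xlen) = struct.unpack_from(LOCAL_FMT, blob, off)
        name = blob[off + 30:off + 30 + nlen].decode("utf-8", "replace")
        if flags & 0x0008:  # sizes live in a trailing data descriptor; cannot skip blindly
            entries.append({"name": name, "offset": off, "csize": None})
            break
        entries.append({"name": name, "offset": off, "csize": csize})
        off += 30 + nlen + xlen + csize
    return entries


def parse_central_directory(blob: bytes) -> list:
    """Directory view: locate the EOCD record and parse the central directory it points to."""
    eocd_off = blob.rfind(EOCD_SIG)
    if eocd_off < 0:
        return []
    (_, _, _, _, total, _, cd_off, _) = struct.unpack_from(EOCD_FMT, blob, eocd_off)
    entries, off = [], cd_off
    for _ in range(total):
        if blob[off:off + 4] != CD_SIG:
            break
        f = struct.unpack_from(CD_FMT, blob, off)
        csize, nlen, xlen, clen, local_off = f[8], f[10], f[11], f[12], f[16]
        name = blob[off + 46:off + 46 + nlen].decode("utf-8", "replace")
        entries.append({"name": name, "offset": local_off, "csize": csize})
        off += 46 + nlen + xlen + clen
    return entries


def find_discrepancies(blob: bytes) -> list:
    """Report every way the sequential and directory views of the archive disagree."""
    local = walk_local_headers(blob)
    central = parse_central_directory(blob)
    problems = []
    if len(local) != len(central):
        problems.append(f"entry count: {len(local)} local headers vs {len(central)} directory entries")
    local_by_off = {e["offset"]: e for e in local}
    central_offs = {c["offset"] for c in central}
    for c in central:
        l = local_by_off.get(c["offset"])
        if l is None:
            problems.append(f"directory entry {c['name']!r} points at offset {c['offset']} with no walked local header")
            continue
        if l["name"] != c["name"]:
            problems.append(f"name mismatch at offset {c['offset']}: local {l['name']!r} vs directory {c['name']!r}")
        if l["csize"] is not None and l["csize"] != c["csize"]:
            problems.append(f"size mismatch for {c['name']!r}: local {l['csize']} vs directory {c['csize']}")
    for l in local:
        if l["offset"] not in central_offs:
            problems.append(f"local header {l['name']!r} at offset {l['offset']} is absent from the directory")
    return problems


def build_clean_sample() -> bytes:
    """Constructed sample: an ordinary stored ZIP holding one invented script."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("invoice.js", b"WScript.Echo('constructed sample');\n")
    return buf.getvalue()


def build_discrepant_sample() -> bytes:
    """Constructed sample: the same archive, but the directory entry is renamed to a
    harmless-looking name of equal length, so offsets stay valid while the views disagree."""
    blob = bytearray(build_clean_sample())
    eocd_off = blob.rfind(EOCD_SIG)
    cd_off = struct.unpack_from(EOCD_FMT, blob, eocd_off)[6]
    name_off = cd_off + 46  # filename follows the fixed part of the CD header
    if blob[name_off:name_off + 10] != b"invoice.js":
        raise ValueError("unexpected layout in constructed sample")
    blob[name_off:name_off + 10] = b"readme.txt"
    return bytes(blob)


if __name__ == "__main__":
    for label, sample in (("clean", build_clean_sample()), ("crafted", build_discrepant_sample())):
        print(label, find_discrepancies(sample) or "no discrepancies")
```

Python's zipfile trusts the central directory, so namelist() on the crafted sample reports readme.txt, and its read() then refuses the member because the name in the local header differs; an extractor without that cross-check hands the user whichever name and content its own code path reads. Parsing both views and diffing them is a cheap, tool-independent way to flag such archives before anyone double-clicks them.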

The Stealthy Nature of GootLoader’s Payload

Security researchers have found that the JavaScript payload within the archive deploys Supper, a backdoor that provides remote control and SOCKS5 proxying. The threat actors were observed using Windows Remote Management (WinRM) to move laterally to the domain controller, where they created new admin-level user accounts.

Despite the obfuscation techniques used by GootLoader, the core capabilities of the Supper SOCKS5 backdoor remain basic yet effective, encompassing SOCKS proxying and remote shell access. This approach emphasizes the threat actors’ ability to achieve their objectives without relying on cutting-edge exploits.
