Full Report
The malware known as GootLoader has resurfaced yet again after a brief spike in activity earlier this March, according to new findings from Huntress. The cybersecurity company said it observed three GootLoader infections since October 27, 2025, two of which resulted in hands-on-keyboard intrusions with domain controller compromise taking place within 17 hours of initial infection.
Analysis Summary
# Incident Report: GootLoader Resurgence with Advanced Obfuscation
## Executive Summary
The GootLoader malware operation has resurfaced, employing sophisticated techniques including WOFF2 font glyph substitution and ZIP file modification to evade static analysis. Observations across three incidents since October 27, 2025, reveal a rapid progression to high impact, with two cases resulting in hands-on-keyboard access and Domain Controller compromise within 17 hours of initial infection. The primary post-compromise activity was deployment of the Supper backdoor; in associated chains this has been followed by INC ransomware.
## Incident Details
- **Discovery Date:** Huntress began observing activity on October 27, 2025.
- **Incident Date:** Activity observed starting October 27, 2025, and ongoing.
- **Affected Organization:** Specific organizations not disclosed in the summary, focused on victims searching for legal templates.
- **Sector:** Various sectors targeted via SEO poisoning (implied professional/legal sectors).
- **Geography:** Not specifically disclosed, but likely global due to the nature of SEO poisoning.
## Timeline of Events
### Initial Access
- **Date/Time:** Starting October 27, 2025.
- **Vector:** SEO poisoning (Google Ads/Bing search results) leading users to compromised WordPress sites.
- **Details:** Victims searching for legal documents (e.g., "missouri cover utility easement roadway") were redirected to compromised WordPress sites hosting malware. The malware was delivered inside XOR-encrypted ZIP archives.
### Lateral Movement
- **Date/Time:** Within 17 hours of initial infection in two observed cases.
- **Vector:** Post-infection, threat actors leveraged Windows Remote Management (WinRM).
- **Details:** WinRM was used to move laterally to the Domain Controller and establish persistence by creating a new user account.
### Data Exfiltration/Impact
- **Impact:** Installation of the Supper backdoor (aka SocksShell or ZAPCAT), enabling SOCKS5 proxying and remote control. Subsequent deployment of the INC ransomware was observed in associated chains.
### Detection & Response
- **Detection:** Activity was detected and reported by Huntress.
- **Response actions taken:** Not explicitly detailed in the text, beyond the identification and reporting of the new techniques.
## Attack Methodology
- **Initial Access:** SEO poisoning targeting users searching for specific documents; exploitation of WordPress comment endpoints to deliver payloads.
- **Persistence:** Creation of a new user account on the Domain Controller via WinRM.
- **Privilege Escalation:** Implied through rapid escalation to Domain Controller compromise.
- **Defense Evasion:**
1. **Custom WOFF2 Font Obfuscation:** Glyph substitution within custom WOFF2 fonts (embedded in the page via Z85 encoding) makes filenames appear as gibberish when the page source is inspected, while the same strings render as normal filenames for the user.
2. **ZIP File Modification:** The archive unpacks as a harmless `.TXT` file when opened by static analysis tools (VirusTotal, 7-Zip), but yields a valid, executable JavaScript file when opened in Windows File Explorer.
- **Credential Access:** Not explicitly detailed, but required for DC compromise.
- **Discovery:** Not explicitly detailed.
- **Lateral Movement:** Use of Windows Remote Management (WinRM).
- **Collection:** Data collection implied prior to ransomware deployment.
- **Exfiltration:** Not explicitly detailed.
- **Impact:** Deployment of Supper backdoor, followed potentially by INC ransomware.
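Defense Evasion item 1 describes fonts shipped inside the page as Z85-encoded strings. One static check a defender can run against suspect JavaScript is to find long string literals that are valid Z85 and decode the first chunk to look for a WOFF/WOFF2 signature. The following is an added example written for this report, not Huntress's tooling or GootLoader code: the Z85 alphabet and the `wOF2`/`wOFF` magic bytes are from the ZeroMQ Z85 spec and the WOFF specifications; the sample script and the fake font blob are constructed here.

```python
import re

# Z85 alphabet from the ZeroMQ spec (rfc.zeromq.org/spec/32): 85 printable chars,
# none of which are quotes, backslash or whitespace, so a blob survives as one literal.
Z85_ALPHABET = ("0123456789abcdefghijklmnopqrstuvwxyz"
                "ABCDEFGHIJKLMNOPQRSTUVWXYZ.-:+=^!/*?&<>()[]{}@%$#")
Z85_INDEX = {c: i for i, c in enumerate(Z85_ALPHABET)}
FONT_MAGICS = {b"wOF2": "WOFF2", b"wOFF": "WOFF"}   # first four bytes of a font file

# Any quoted literal of 20+ characters containing no quote, backslash or newline.
STRING_LITERAL = re.compile(r"""(["'`])([^"'`\\\n]{20,})\1""")


def z85_decode(text):
    """Decode Z85 text (length multiple of 5) to bytes; raises ValueError on bad input."""
    if len(text) % 5:
        raise ValueError("Z85 input length must be a multiple of 5")
    out = bytearray()
    for i in range(0, len(text), 5):
        value = 0
        for ch in text[i:i + 5]:
            value = value * 85 + Z85_INDEX[ch]          # KeyError for non-alphabet chars
        if value >= 1 << 32:
            raise ValueError("Z85 chunk overflows 32 bits")
        out += value.to_bytes(4, "big")
    return bytes(out)


def z85_encode(data):
    """Encode bytes (length multiple of 4) as Z85; used here only to build the sample."""
    if len(data) % 4:
        raise ValueError("Z85 input length must be a multiple of 4")
    out = []
    for i in range(0, len(data), 4):
        value = int.from_bytes(data[i:i + 4], "big")
        chunk = []
        for _ in range(5):
            chunk.append(Z85_ALPHABET[value % 85])
            value //= 85
        out.extend(reversed(chunk))
    return "".join(out)


def find_embedded_fonts(js_source):
    """Return (format, encoded_length) for every Z85 literal whose first 4 bytes are a font magic."""
    hits = []
    for _, literal in STRING_LITERAL.findall(js_source):
        if len(literal) % 5 or any(c not in Z85_INDEX for c in literal):
            continue
        try:
            magic = z85_decode(literal[:5])             # only the first 4 bytes are needed
        except ValueError:
            continue
        if magic in FONT_MAGICS:
            hits.append((FONT_MAGICS[magic], len(literal)))
    return hits


# Constructed sample: a WOFF2 signature followed by zero padding (not a real font),
# embedded in a script fragment the way a page might carry it. Not from the report.
FAKE_FONT = b"wOF2" + bytes(36)
SAMPLE_JS = ('var fontData = "%s";\n'
             'var style = document.createElement("style");\n' % z85_encode(FAKE_FONT))

if __name__ == "__main__":
    print(find_embedded_fonts(SAMPLE_JS))   # [('WOFF2', 50)]
```

A real detection would also look for `@font-face` rules or `FontFace` constructor calls fed from the decoded blob, and would decode the full literal so the font can be pulled out and its glyph mapping inspected; the scan above only confirms that a font is being smuggled through a string.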
## Impact Assessment
- **Financial:** Not quantified, but high due to rapid DC compromise leading to potential ransomware deployment.
- **Data Breach:** Type and volume unknown, but the high-privilege access that Domain Controller compromise confers suggests extensive reach into the environment.
- **Operational:** High potential for operational disruption due to Domain Controller compromise and infrastructure takeover.
- **Reputational:** High potential, especially if INC ransomware deployment occurred.
## Indicators of Compromise
*Note: Derived from the described payload delivery mechanism; the summary provides no specific file hashes or network indicators.*
- **Network indicators:** Traffic associated with SOCKS5 proxying/remote access tools (e.g., AnyDesk).
- **File indicators:** XOR-encrypted ZIP archives; JavaScript payloads; Supper backdoor files.
- **Behavioral indicators:** Use of WinRM for remote administrative access to DC; custom WOFF2 font embedding in JavaScript.
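The file indicator above is an archive that different tools extract differently. The report does not give the byte-level modification, but a ZIP carries two descriptions of each member (the central directory at the end and a local file header in front of the data), and a defender can flag archives where the two disagree or where either name carries a scripting extension. The following is an added example for this report, not Huntress's or GootLoader's code: `build_zip` hand-writes a minimal stored ZIP so that a clean and a deliberately inconsistent sample can be constructed offline, and `audit_zip` is the check.

```python
import io
import os
import struct
import zipfile
import zlib

LOCAL_SIG = b"PK\x03\x04"
CENTRAL_SIG = b"PK\x01\x02"
EOCD_SIG = b"PK\x05\x06"
# Extensions that Windows hands to the script host (wscript/cscript/mshta) on open.
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta"}


def build_zip(entries, local_name_override=None):
    """Write a minimal stored (uncompressed) ZIP by hand.

    entries: list of (name, data). local_name_override maps a central-directory
    name to a different name in the local file header; it exists only so the
    constructed, inconsistent sample below can be produced for testing.
    """
    override = local_name_override or {}
    out = io.BytesIO()
    central = []
    for name, data in entries:
        local_name = override.get(name, name).encode()
        cd_name = name.encode()
        crc = zlib.crc32(data) & 0xFFFFFFFF
        offset = out.tell()
        # Local file header: sig, version, flags, method, time, date, crc, csize, usize, fnlen, extralen
        out.write(struct.pack("<4sHHHHHIIIHH", LOCAL_SIG, 20, 0, 0, 0, 0,
                              crc, len(data), len(data), len(local_name), 0))
        out.write(local_name + data)
        # Central directory header: adds version-made-by, comment len, disk, attrs, local header offset
        central.append(struct.pack("<4sHHHHHHIIIHHHHHII", CENTRAL_SIG, 20, 20,
                                   0, 0, 0, 0, crc, len(data), len(data),
                                   len(cd_name), 0, 0, 0, 0, 0, offset) + cd_name)
    cd_start = out.tell()
    cd_blob = b"".join(central)
    out.write(cd_blob)
    out.write(struct.pack("<4sHHHHIIH", EOCD_SIG, 0, 0, len(entries),
                          len(entries), len(cd_blob), cd_start, 0))
    return out.getvalue()


def audit_zip(blob):
    """Compare every central-directory entry with its local file header.

    Returns a list of (central_name, finding) tuples; an empty list means both
    views of the archive agree and no scripting extension appears in either.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:       # zipfile parses the central directory
        for info in zf.infolist():
            off = info.header_offset
            fields = struct.unpack("<4sHHHHHIIIHH", blob[off:off + 30])
            sig, _, flags, _, _, _, crc, _, usize, fnlen, _ = fields
            if sig != LOCAL_SIG:
                findings.append((info.filename, "local header signature missing"))
                continue
            local_name = blob[off + 30:off + 30 + fnlen].decode("cp437", "replace")
            if local_name != info.filename:
                findings.append((info.filename, f"local header names it {local_name!r}"))
            # Flag bit 3 means CRC/sizes live in a trailing data descriptor, so skip that comparison.
            if not flags & 0x08 and (crc, usize) != (info.CRC, info.file_size):
                findings.append((info.filename, "CRC/size differ between headers"))
            for n in sorted({local_name, info.filename}):
                if os.path.splitext(n)[1].lower() in SCRIPT_EXTS:
                    findings.append((info.filename, f"script extension in {n!r}"))
    return findings


if __name__ == "__main__":
    # Constructed samples: one consistent archive, one whose local header disagrees.
    clean = build_zip([("agreement.txt", b"constructed plain-text content")])
    odd = build_zip([("agreement.txt", b"constructed placeholder")],
                    {"agreement.txt": "agreement.js"})
    print(audit_zip(clean))   # []
    print(audit_zip(odd))     # name mismatch plus a script-extension finding
```

Run this over every archive an email or web gateway releases: a clean archive produces no findings, and any disagreement between the two header views is worth quarantining regardless of which name a given extractor happens to trust.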
## Response Actions
- **Containment measures:** Not detailed. Implied need to isolate compromised systems and revoke credentials related to the newly created user account.
- **Eradication steps:** Not detailed. Implied need to remove Supper backdoor and any persistence mechanisms.
- **Recovery actions:** Not detailed. Implied need to restore services post-ransomware (if applicable) and secure AD environment.
## Lessons Learned
- **Evasion Sophistication:** Threat actors are rapidly evolving delivery mechanisms, specifically leveraging web standards (WOFF2 fonts) and file format manipulation to bypass common security tools relying on static analysis (file/URL inspection).
- **Speed of Impact:** The swift escalation (DC compromise within 17 hours) underscores the critical nature of initial access controls and prompt detection following initial malware execution.
- **Ecosystem Complexity:** GootLoader acts as an initial access broker, linking to secondary actors (Hive0127/Storm-0494) who deploy subsequent stages like Supper and INC ransomware.
## Recommendations
- **Counter Static Analysis Bypasses:** Implement security controls capable of dynamic analysis or deep content inspection that are not defeated by font-based visual obfuscation or by deceptive file extensions within archives.
- **Restrict Lateral Movement Tools:** Review and restrict the use of administrative tools like WinRM on servers unless strictly necessary and tightly controlled via robust auditing and JIT access policies.
- **Strengthen WordPress Security:** Ensure WordPress comment endpoints are adequately sanitized and monitored for unusual file uploads or manipulation.
- **Rapid Containment:** Prioritize containment actions as soon as an initial malware stage executes, to prevent the rapid pivot to Domain Controllers observed here.
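The WinRM recommendation pairs naturally with the behavioural indicator above: a WinRM session on a Domain Controller followed shortly by a new account. The following is an added example for this report, not Huntress's detection content: it correlates Windows Security events using the standard IDs 4688 (process creation) and 4720 (user account created), treating `wsmprovhost.exe` (the host process WinRM spawns for remote sessions) as the session marker. The event records, the DC inventory and the field names are constructed for this example and would need mapping to a real SIEM schema.

```python
from datetime import datetime, timedelta

# Constructed inventory of domain controllers; in practice pull this from AD.
DOMAIN_CONTROLLERS = {"DC01"}
WINDOW = timedelta(hours=1)   # how long after a WinRM session an account creation is tied to it

# Constructed Security-log records (not from the report). Field names are an assumed
# normalised schema: 4688 = process creation, 4720 = user account created.
EVENTS = [
    {"time": "2025-10-28T03:12:09", "host": "DC01", "event_id": 4688,
     "process": r"C:\Windows\System32\wsmprovhost.exe", "user": "CORP\\jdoe"},
    {"time": "2025-10-28T03:14:41", "host": "DC01", "event_id": 4720,
     "target_user": "svc_backup2", "user": "CORP\\jdoe"},
    {"time": "2025-10-28T09:00:00", "host": "FS01", "event_id": 4688,
     "process": r"C:\Windows\System32\wsmprovhost.exe", "user": "CORP\\admin"},
    {"time": "2025-10-28T15:30:00", "host": "DC01", "event_id": 4720,
     "target_user": "intern01", "user": "CORP\\hr_admin"},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def is_winrm_host(event):
    """True for a process-creation event whose image is WinRM's remote-session host."""
    return (event["event_id"] == 4688
            and event.get("process", "").lower().endswith("\\wsmprovhost.exe"))


def correlate(events, dcs=DOMAIN_CONTROLLERS, window=WINDOW):
    """Return one alert per account created on a DC within `window` of a WinRM session there."""
    alerts = []
    by_host = {}
    for e in sorted(events, key=_ts):
        by_host.setdefault(e["host"], []).append(e)
    for host, evs in by_host.items():
        if host not in dcs:
            continue                                   # only DCs are in scope for this rule
        sessions = [e for e in evs if is_winrm_host(e)]
        for created in (e for e in evs if e["event_id"] == 4720):
            for s in sessions:
                if _ts(s) <= _ts(created) <= _ts(s) + window:
                    alerts.append({
                        "host": host,
                        "winrm_user": s["user"],
                        "new_account": created["target_user"],
                        "created_by": created["user"],
                        "minutes_after_session": (_ts(created) - _ts(s)).seconds // 60,
                    })
                    break                              # one alert per creation is enough
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)   # only the DC01 svc_backup2 creation fires; FS01 is not a DC, intern01 is 12 h later
```

The sample deliberately includes two non-firing cases: WinRM use on a file server (out of scope for a DC-focused rule, though worth its own lower-severity rule) and a routine account creation on the DC hours after any session. Tuning the window and whitelisting known administrative hosts keeps this usable in environments where WinRM is legitimately in use.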