GootLoader (Malware Family)

GootLoader

aka: SLOWPOUR

Actor(s): Storm-0249

According to PCrisk, they discovered GootLoader malware while examining legitimate but compromised websites (mainly websites managed using WordPress). It was found that GootLoader is used to infect computers with additional malware. Cybercriminals using GootLoader seek to trick users into unknowingly downloading and executing the malware by disguising it as a document or other file.

References

2025-04-24 ⋅ Mandiant ⋅ Mandiant
M-Trends 2025 Report
Akira Black Basta LockBit SystemBC GootLoader LockBit WIREFIRE Akira Black Basta Cobalt Strike LockBit RansomHub SystemBC Pink Sandstorm

2025-03-31 ⋅ GootLoader Wordpress ⋅ gootloadersites
Gootloader Returns: Malware Hidden in Google Ads for Legal Documents
GootLoader

2025-02-28 ⋅ KrebsOnSecurity ⋅ Brian Krebs
Notorious Malware, Spam Host “Prospero” Moves to Kaspersky Lab
FAKEUPDATES GootLoader

2024-11-21 ⋅ Intrinsec ⋅ CTI Intrinsec, Intrinsec
PROSPERO & Proton66: Uncovering the links between bulletproof networks
Coper SpyNote FAKEUPDATES GootLoader EugenLoader

2024-11-20 ⋅ Intrinsec ⋅ Equipe CTI
PROSPERO & Proton66: Tracing Uncovering the links between bulletproof networks
Coper SpyNote FAKEUPDATES GootLoader EugenLoader IcedID Matanbuchus Nokoyawa Ransomware Pikabot

2024-11-06 ⋅ Sophos ⋅ Asha Castle, Hikaru Koike, Sean Gallagher, Trang Tang
Bengal cat lovers in Australia get psspsspss’d in Google-driven Gootloader campaign
GootLoader

2024-11-01 ⋅ Google ⋅ andy2002a
Finding Malware: Detecting GOOTLOADER with Google Security Operations.
GootLoader

2024-09-18 ⋅ Twitter (@MsftSecIntel) ⋅ Microsoft
Tweet about threat actor Vanilla Tempest
INC GootLoader Storm-0494

2024-08-20 ⋅ Intel 471 ⋅ Intel 471
Threat Hunting Case Study: Tracking Down GootLoader
GootLoader

2024-06-24 ⋅ GootLoader Wordpress ⋅ gootloadersites
Gootloader’s New Hideout Revealed: The Malware Hunt in WordPress’ Shadows
GootLoader

2024-05-13 ⋅ Malsada Tech ⋅ Aaron Samala
Gootloader Isn’t Broken
GootLoader

2024-02-26 ⋅ The DFIR Report ⋅ The DFIR Report
SEO Poisoning to Domain Control: The Gootloader Saga Continues
GootLoader

2024-02-14 ⋅ GootLoader Wordpress ⋅ gootloadersites
My-Game Retired? Latest Changes to Gootloader
GootLoader

2023-12-09 ⋅ Github (struppigel) ⋅ Karsten Hahn
AST based GootLoader unpacker, C2 extractor and deobfuscator
GootLoader

2023-11-07 ⋅ SOCRadar ⋅ SOCRadar
New Gootloader Variant “GootBot” Changes the Game in Malware Tactics
GootLoader Cobalt Strike UNC2565

2023-11-06 ⋅ Security Intelligence ⋅ Golo Mühr, Ole Villadsen
GootBot – Gootloader’s new approach to post-exploitation
GootLoader UNC2565

2023-08-10 ⋅ Trustwave ⋅ Rodel Mendrez
Gootloader: Why your Legal Document Search May End in Misery
GootLoader

2023-06-23 ⋅ Kroll ⋅ George Glass, Keith Wojcieszek, Ryan Hicks
Deep Dive into GOOTLOADER Malware and Its Infection Chain
GootLoader

2023-06-22 ⋅ Reliaquest ⋅ Caroline Fenstermacher
Goot to Loot - How a Gootloader Infection Led to Credential Access
GootLoader SystemBC

2023-04-26 ⋅ eSentire ⋅ Joe Stewart, Keegan Keplinger
Gootloader Unloaded: Researchers Launch Multi-Pronged Offensive Against Gootloader, Cutting Off Traffic to Thousands of Gootloader Web Pages and Using the Operator’s Very Own Tactics to Protect End-Users
GootLoader

2023-02-14 ⋅ Cybereason ⋅ Cybereason Incident Response (IR) team
GootLoader - SEO Poisoning and Large Payloads Leading to Compromise
GootLoader Cobalt Strike SystemBC

2023-01-26 ⋅ Mandiant ⋅ Andy Morales, Govand Sinjari
Welcome to Goot Camp: Tracking the Evolution of GOOTLOADER Operations
GootLoader UNC2565

2023-01-12 ⋅ eSentire ⋅ eSentire
Gootloader Malware Leads to Cobalt Strike and Hand-on-Keyboard Activity
GootLoader

2023-01-09 ⋅ Trendmicro ⋅ Fe Cureg, Hitomi Kimura, Ryan Maglaque, Trent Bessell
Gootkit Loader Actively Targets Australian Healthcare Industry
GootLoader GootKit

2023-01-05 ⋅ gootloadersites
What is Gootloader?
GootLoader

2023-01-05 ⋅ gootloadersites
Gootloader Command & Control
GootLoader

2022-12-07 ⋅ eSentire ⋅ eSentire Threat Response Unit (TRU)
GootLoader Striking with a New Infection Technique
GootLoader

2022-07-20 ⋅ NVISO Labs ⋅ Sasja Reynaert
Analysis of a trojanized jQuery script: GootLoader unleashed
GootLoader Cobalt Strike

2022-07-14 ⋅ Blackberry ⋅ The BlackBerry Research & Intelligence Team
GootLoader, From SEO Poisoning to Multi-Stage Downloader
GootLoader

2022-06-05 ⋅ Dino Hacks ⋅ Niranjan Hegde
Loading GootLoader
GootLoader

2022-05-12 ⋅ Red Canary ⋅ Lauren Podber, Tony Lambert
The Goot cause: Detecting Gootloader and its follow-on activity
GootLoader Cobalt Strike

2022-05-12 ⋅ Red Canary ⋅ Lauren Podber, Tony Lambert
Gootloader and Cobalt Strike malware analysis
GootLoader Cobalt Strike

2022-05-09 ⋅ The DFIR Report ⋅ The DFIR Report
SEO Poisoning – A Gootloader Story
GootLoader LaZagne Cobalt Strike GootKit

2022-05-04 ⋅ HP ⋅ Patrick Schläpfer
Tips for Automating IOC Extraction from GootLoader, a Changing JavaScript Malware
GootLoader

2022-02-26 ⋅ Mandiant ⋅ Mandiant
TRENDING EVIL Q1 2022
KEYPLUG FAKEUPDATES GootLoader BazarBackdoor QakBot

2021-08-25 ⋅ RiskIQ ⋅ Jordan Herman
EITest: Linkages to the Ongoing Malware Delivery Campaign Referred to as "Gootloader"
GootLoader

2021-08-12 ⋅ Sophos ⋅ Andrew Brandt, Gabor Szappanos
Gootloader’s “mothership” controls malicious content
GootLoader

2021-06-16 ⋅ SentinelOne ⋅ Antonio Pirozzi
Gootloader: ‘Initial Access as a Service’ Platform Expands Its Search for High Value Targets
GootLoader

There is no Yara-Signature yet.

GootLoader Propose Change

References

GootLoader