Gootloader Malware Is Back With New Tricks After 7-month Break
The Gootloader malware loader operation has returned after a 7-month absence and is once again performing SEO poisoning to promote fake websites that distribute the malware.
Gootloader is a JavaScript-based malware loader spread through compromised or attacker-controlled websites, used to trick users into downloading malicious documents.
The websites are promoted in search engines either via ads or through search engine optimization (SEO) poisoning, which ranks a website higher in the results for a particular keyword, like legal documents and agreements.
In the past, these websites would display fake message boards that pretended to discuss the user's query, with some posts recommending (malicious) document templates that could be downloaded. The SEO campaigns later switched to using websites that pretend to offer free templates for various legal documents.
When a visitor clicked the "Get Document" button, the site checked if they were a legitimate user and, if so, downloaded an archive containing a malicious document with a .js extension. For example, the archive could include a file named mutual_non_disclosure_agreement.js.
Gootloader would execute when the document was opened, downloading additional malware payloads onto the device, including Cobalt Strike, backdoors, and bots that provided initial access to corporate networks. Other threat actors then used this access to deploy ransomware or conduct other attacks.
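The infection chain above hinges on one detail a defender can check for cheaply: the "document" the victim downloads is a ZIP archive whose payload is a script file (here, mutual_non_disclosure_agreement.js) rather than a real document. The following Python script is an added example, not code from the article or from the researchers it cites; it inspects a ZIP archive and flags members that would run under Windows Script Host, with an extra reason when the script's name mimics a legal document. The extension list beyond .js and the list of lure words are this example's own assumptions, and the sample archive it builds is constructed with an inert placeholder, not real Gootloader code.

```python
import io
import re
import zipfile
from typing import List, Tuple

# Extensions that Windows Script Host (or mshta) executes on double-click.
# The article names .js (JScript); the remaining entries are an assumption
# added in this example for broader coverage.
SCRIPT_EXTENSIONS = {".js", ".jse", ".wsf", ".vbs", ".vbe", ".hta"}

# Words typical of the "free legal template" lure (assumption, modelled on the
# article's mutual_non_disclosure_agreement.js example).
LURE_WORDS = re.compile(r"agreement|contract|template|nda|disclosure|lease", re.I)


def inspect_archive(zip_bytes: bytes) -> List[Tuple[str, str]]:
    """Return (member_name, reason) for each member that looks like a script lure.

    Reasons:
      'script-extension'        - member would execute as a script when opened
      'script-with-legal-name'  - script whose file name imitates a legal document
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            lower = name.lower()
            # Use only the final extension so "agreement.pdf.js" is still caught.
            ext = "." + lower.rsplit(".", 1)[-1] if "." in lower else ""
            if ext not in SCRIPT_EXTENSIONS:
                continue
            base = lower.rsplit("/", 1)[-1]  # strip any directory component
            if LURE_WORDS.search(base):
                findings.append((name, "script-with-legal-name"))
            else:
                findings.append((name, "script-extension"))
    return findings


def build_sample_archive(include_script: bool = True) -> bytes:
    """Constructed sample: an in-memory ZIP shaped like the lure in the article.

    The .js member holds placeholder text only; it is not malware.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if include_script:
            zf.writestr("mutual_non_disclosure_agreement.js",
                        "// placeholder content for the example, not a real script\n")
        zf.writestr("readme.txt", "benign text file\n")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in inspect_archive(build_sample_archive()):
        print(f"{reason}: {member}")
```

The same check can sit in a mail gateway, a download proxy, or an endpoint script: any archive that arrives from a web download and contains a script-extension member is worth quarantining or at least alerting on, because a genuine legal template would be a document, not JScript.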
A cybersecurity researcher operating under the pseudonym "Gootloader" has been tracking and actively disrupting the malware operation for years by filing abuse reports with ISPs and hosting platforms to take down attacker-controlled infrastructure.
The researcher told BleepingComputer that his activities led to the Gootloader operation suddenly ceasing on March 31st, 2025.
The researcher and Anna Pham of Huntress Labs now report that Gootloader has returned in a new campaign that once again impersonates legal documents.
"In this latest campaign, we've observed thousands of unique keywords spread over 100 websites," reads a new blog post by the Gootloader researcher. "The ultimate goal remains the same: convince victims to download a malicious ZIP archive containing a JScript (.JS) file that establishes initial access for follow-on activity — usually leading to ransomware deployment."
Source: BleepingComputer