{
	"id": "def3c86b-7217-48dd-bc8c-332362628b9f",
	"created_at": "2026-04-06T00:22:21.134228Z",
	"updated_at": "2026-04-10T13:13:02.775472Z",
	"deleted_at": null,
	"sha1_hash": "01143eba95cf04e63cd4ffb41d0472d2707033fe",
	"title": "THREAT ALERT: GootLoader - SEO Poisoning and Large Payloads Leading to Compromise",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 65816,
	"plain_text": "THREAT ALERT: GootLoader - SEO Poisoning and Large Payloads Leading to Compromise\r\nBy Cybereason Incident Response Team\r\nArchived: 2026-04-05 15:14:11 UTC\r\nCybereason issues Threat Alerts to inform customers of emerging, high-impact threats. The Cybereason Incident Response (IR) team documented such critical attack scenarios, which started from a GootLoader infection and ultimately deployed additional capabilities. Cybereason Threat Alerts summarize these threats and provide practical recommendations for protecting against them.\r\nKEY DETAILS\r\nGootLoader has security evasion in mind: The Cybereason IR team observed payloads of large size (40MB and more) masquerading as legitimate JavaScript code to evade security mechanisms.\r\nAggressive threat actor: The threat actor displayed fast-moving behaviors, quickly taking control of the network it infected and obtaining elevated privileges in less than 4 hours.\r\nDeployment of additional C2 frameworks: The Cybereason IR team observed post-infection frameworks being deployed: Cobalt Strike and SystemBC, the latter usually leveraged for data exfiltration.\r\nSEO Poisoning techniques used: Cybereason’s IR team discovered SEO Poisoning techniques used to spread malware. It works when the threat actors create fraudulent websites and optimize them to appear higher in search engine results. The higher the search engine ranking, the more likely victims will click the links.\r\nPost-exploitation activities detected by Cybereason: The Cybereason Defense Platform generates detections upon these infections and post-exploitation actions.\r\nSevere Threat: Cybereason’s IR team assesses the threat level as SEVERE given the potential of the attacks.\r\nTargeting English-Speaking Countries: GootLoader targets companies in English-speaking countries, primarily including the United States, United Kingdom, and Australia.\r\nTarget Industries Including Healthcare and Finance: Targeted attacks have been more prominent against healthcare and finance organizations.\r\nWHAT'S HAPPENING?\r\nIn December 2022, the Cybereason Incident Response (IR) team investigated an incident that involved new deployment methods of GootLoader, observed recently in other cases.\r\nThe following observations were made regarding the infection methods used:\r\nHosting of the infection payload on a compromised WordPress website, acting as a watering hole and leveraging Search Engine Optimization (SEO) poisoning techniques (MITRE Stage Capabilities: SEO Poisoning) to lure victims into downloading the malicious payloads\r\nhttps://www.cybereason.com/blog/threat-alert-gootloader-seo-poisoning-and-large-payloads-leading-to-compromise\r\nPage 1 of 4\r\nSEO Poisoning and Google service abuse in general have been documented extensively in recent reporting, which indicates this infection vector is becoming common for threat actors\r\nThe Cybereason IR team observed the deployment of GootLoader through heavily obfuscated JavaScript files with large file sizes (over 40 Megabytes)\r\nOn top of the new techniques utilized to load GootLoader, the post-infection methods that the threat actor carried out stand out:\r\nCybereason first observed Cobalt Strike deployment, which leveraged DLL Hijacking on top of a VLC MediaPlayer executable. Cobalt Strike is an adversary simulation framework with the primary use case of assisting red team operations, nowadays also leveraged by threat actors for post-infection activities.\r\nCybereason then identified SystemBC being leveraged by the threat actor. SystemBC is a proxy malware leveraging SOCKS5 and often utilized during the exfiltration phase of the attack.\r\nGootkit / GootLoader\r\nGootkit initially started as a banking Trojan in 2014. It was only in 2021 that the actors behind this piece of malware pivoted from a banking Trojan to a malware loader, leading to the GootLoader name. Security firm Mandiant named the threat actor operating GootLoader “UNC2565”. Sophos researchers were the first to name this malware family Gootloader.\r\nGootLoader generally relies on JavaScript for its infections. It also uses SEO poisoning techniques to place its infected pages in search engine results. That way, potential victims are shown a different website from the one they expected when the link is clicked.\r\nSEO Poisoning and malicious Google Ads explained with an example\r\nSEO Poisoning and Google service abuse such as Google Ads are becoming a trend amongst malware operators to distribute their payloads. As explained above, threat actors create websites or populate web forums or similar websites with specific keywords and links, leading to a website hosting the infected file. Search engine ads are also leveraged to place a link to the malicious file (fake software, for instance) at the top of the search results.\r\nAs an example, we searched for Rufus Pro, a USB boot disk creation tool, on the search engine DuckDuckGo. The first result is the legitimate Rufus software page, and the second is the SEO Poisoning phishing domain. This page seems to have been taken down, but another related page is still up, https://ruflus[.]xyz. It appears to be a clone of the official Rufus page; however, its download link points to a malicious payload: https://transfer[.]sh/get/7i8rkw/Rufus_Pro_signed.exe (VT link provided). This appears to be a sample of Lumma Stealer.\r\nDetection of SEO Poisoning and similar delivery methods such as Fake Google Ads\r\nWe are fully aware of this ongoing trend, as well as of threat actors taking advantage of Google Ads to gain initial access with their malware. As of now, all the threats and malware that are known to use these tactics (for example Redline, Vidar, IcedID, Gozi, Rhadamanthys and of course GootLoader) are covered by Cybereason.\r\nRelation with WordPress-enabled websites\r\nMost of the domains configured in the GootLoader PowerShell stage #2 script had one commonality: they displayed a “/xmlrpc.php” relation in VirusTotal. Intelligence teams have continuously observed GootLoader leveraging compromised WordPress websites as C2 servers.\r\nPost-infection Activities\r\nFollowing the GootLoader infection, the Cybereason IR team observed hands-on-keyboard activities which led to further deployment of attack frameworks, Cobalt Strike and SystemBC. The threat actor leveraged these frameworks following the infection phase and during the lateral movement phase.\r\nDownload the Full Threat Alert\r\nThis blog post is a summary of a full 36-page Threat Alert, which can be downloaded here.\r\nCYBEREASON RECOMMENDATIONS\r\nThe Cybereason Defense Platform can detect and prevent GootLoader, Cobalt Strike, or SystemBC post-exploitation activity. Cybereason recommends the following actions:\r\nEnhance Cybereason sensor policies: Set the Cybereason Anti-Ransomware protection mode to Prevent. More information for Cybereason customers can be found here.\r\nEnable Variant Payload Protection in your Cybereason sensor policy: Upgrade to a version that has VPP and enable VPP, as this will completely prevent the ransomware execution. VPP is supported in version 21.2.100 and above (Beta, and disabled by default) and 22.1.183 and above (GA, and enabled by default). More information can be found on The NEST.\r\nCompromised user blocking: Block users involved in the attack, in order to stop or at least slow down attacker propagation over the network.\r\nIdentify and block malicious network connections: Identify network flows toward malicious IPs/domains identified in the reports and block connections to stop the attacker from controlling the compromised machines.\r\nReset Active Directory access: If Domain Controllers were accessed by the attacker and potentially all accounts have been stolen, it is recommended that, when rebuilding the network, all AD access is reset. Important note: the krbtgt account needs to be reset twice and in a timely fashion.\r\nEngage Incident Response: It is important to investigate the actions of the attacker thoroughly, to be sure not to miss any activity, and to patch what needs to be patched.\r\nCompromised machine cleansing: Isolate and re-image all infected machines, to limit the risk of a second compromise or of the attacker retaining access to the network afterward.\r\nABOUT THE RESEARCHERS\r\nLoïc Castel, IR Investigator, Cybereason IR Team\r\nLoïc Castel is a Security Analyst with the Cybereason IR team. Loïc analyses and researches critical incidents and cybercriminals in order to better detect compromises. In his career, Loïc worked as a security auditor in well-known organizations such as ANSSI (French National Agency for the Security of Information Systems) and as Lead Digital Forensics \u0026 Incident Response at Atos. Loïc loves digital forensics and incident response but is also interested in offensive aspects such as vulnerability research.\r\nJakes Jansen, IR Investigator, Cybereason IR Team\r\nJakes is an Incident Response consultant and has been with Cybereason for a total of 3 years, specializing in IR, Reverse Engineering, and Threat Hunting. With more than 16 years of Infosec experience, Jakes was, among other roles, responsible for building and leading DFIR teams that have handled large-scale investigations for government and multinational private entities, including financial institutions, manufacturing, and telecommunications. Jakes also has experience in internal threat investigations, mobile phone analysis, syndicate cases, and the data analysis expected with eDiscovery during corporate acquisitions.\r\nNitin Grover, IR Investigator, Cybereason IR Team\r\nCyber Security Specialist with over 5 years of multi-geographical experience in protecting organizations from various cyber security attacks. Reducing security risks by 70-80% for clients by providing them with optimal Vulnerability Assessments, Detailed Log Analysis, Security Strategies, Risk Management Solutions, Credential Risk Assessments, and SIEM Solutions that include continuous threat monitoring and malicious activity detection capabilities. Performing Incident Response Analysis and Digital Forensic investigations for clients on a security incident to ensure immediate containment, recovery, and no business disruption.\r\nAbout the Author\r\nCybereason Incident Response Team\r\nSource: https://www.cybereason.com/blog/threat-alert-gootloader-seo-poisoning-and-large-payloads-leading-to-compromise",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.cybereason.com/blog/threat-alert-gootloader-seo-poisoning-and-large-payloads-leading-to-compromise"
	],
	"report_names": [
		"threat-alert-gootloader-seo-poisoning-and-large-payloads-leading-to-compromise"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "fc7f0460-0a66-4178-9c5b-75abb22b87b0",
			"created_at": "2023-11-08T02:00:07.15123Z",
			"updated_at": "2026-04-10T02:00:03.427759Z",
			"deleted_at": null,
			"main_name": "UNC2565",
			"aliases": [
				"Hive0127"
			],
			"source_name": "MISPGALAXY:UNC2565",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434941,
	"ts_updated_at": 1775826782,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/01143eba95cf04e63cd4ffb41d0472d2707033fe.pdf",
		"text": "https://archive.orkl.eu/01143eba95cf04e63cd4ffb41d0472d2707033fe.txt",
		"img": "https://archive.orkl.eu/01143eba95cf04e63cd4ffb41d0472d2707033fe.jpg"
	}
}