{
	"id": "6565b3cc-f3b8-48c9-aed8-5579d010ddae",
	"created_at": "2026-04-06T02:13:01.157809Z",
	"updated_at": "2026-04-10T03:24:29.136399Z",
	"deleted_at": null,
	"sha1_hash": "287fdca0dfc6ac85464a950a76c6830379cfcdf2",
	"title": "🚨Gootloader Returns: Malware Hidden in Google Ads for Legal Documents",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 427740,
	"plain_text": "🚨Gootloader Returns: Malware Hidden in Google Ads for Legal Documents\r\nBy gootloadersites\r\nPublished: 2025-03-31 · Archived: 2026-04-06 01:34:22 UTC\r\nUpdate (31 Mar 2025 @ 822 PDT)\r\nThanks to Vultr for taking down skhm[.]org!\r\nUpdate (31 Mar 2025 @1016 PDT)\r\nThanks to CloudFlare for flagging lawliner[.]com!\r\nThe threat actor behind the Gootloader malware has once again changed their tactics, but also reverted to some of their old ways. Just like with the previous infection method, we are seeing Google Ads being used to target victims. But this time it is using a familiar lure.\r\nThe threat actor is advertising legal templates, mainly around agreements. If this sounds familiar, for a very long period, Gootloader had over 5 million legal terms poisoned on compromised WordPress blogs. Now it looks like they have stood up their own infrastructure to deliver the malware. Let me walk you through the infection process.\r\nhttps://gootloader.wordpress.com/2025/03/31/gootloader-returns-malware-hidden-in-google-ads-for-legal-documents/\r\nPage 1 of 4\n\nFirst it starts with a Google search for a legal template. For example “non disclosure agreement template”. Then the user will see an advertisement from lawliner[.]com.\r\nThese are being delivered by the advertiser “MED MEDIA GROUP LIMITED”, which I assume has been compromised. Here is a link to their other advertisements: https://adstransparency.google.com/advertiser/AR15344130772197965825.\r\nOnce the user clicks on the malicious advertisement from lawliner[.]com and lands on said page, they are presented with a button to “Get document” and are prompted to enter their email address.\r\nShortly after they enter their email, they will receive an email from lawyer@skhm[.]org, with a link to their requested Word document (.docx). Example link: https[:]//skhm[.]org/XYz/non_disclosure_agreement_nda.docx\r\nIf the user passed all of their gates, they will download a zipped .JS file. Following the example above, it would be non_disclosure_agreement_nda.js, and the zipped would be non_disclosure_agreement_nda.zip.\r\nNote: You cannot tell from the URL if you are going to be passed the malicious zipped .JS or a benign .docx file.\r\nWhen the user unzips and executes the .JS file, the same Gootloader behavior occurs. It creates a scheduled task, pointing to a separate .JS file in the user’s appdata\\roaming folder. It will then run PowerShell, and call out to 10 WordPress blogs (1-2 are actually compromised, the others are false positives).\r\nHere are two samples:\r\nhttps://www.virustotal.com/gui/file/5663e22c46d72e04b88c7b223c113aafb5657993dba70428b1badd1fe13c3b34\r\nhttps://www.virustotal.com/gui/file/95baedeb3be98760929c05055e516054db8c396cf5fce92784885f8a802ccc8f\r\nMy recommendation is to block/alert lawliner[.]com and skhm[.]org for web traffic. Additionally, block/alert skhm[.]org from email traffic. Last, I would search through historical events for contacts with the above domains.\r\nStay safe out there and happy hunting!\r\nIOCs:\r\nlawliner[.]com\r\nskhm[.]org\r\nSource: https://gootloader.wordpress.com/2025/03/31/gootloader-returns-malware-hidden-in-google-ads-for-legal-documents/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://gootloader.wordpress.com/2025/03/31/gootloader-returns-malware-hidden-in-google-ads-for-legal-documents/"
	],
	"report_names": [
		"gootloader-returns-malware-hidden-in-google-ads-for-legal-documents"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775441581,
	"ts_updated_at": 1775791469,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/287fdca0dfc6ac85464a950a76c6830379cfcdf2.pdf",
		"text": "https://archive.orkl.eu/287fdca0dfc6ac85464a950a76c6830379cfcdf2.txt",
		"img": "https://archive.orkl.eu/287fdca0dfc6ac85464a950a76c6830379cfcdf2.jpg"
	}
}