{
	"id": "b62ff05b-c717-4928-a493-b22cb96780e7",
	"created_at": "2026-04-06T00:15:02.394577Z",
	"updated_at": "2026-04-10T13:12:05.871069Z",
	"deleted_at": null,
	"sha1_hash": "4dd4a9bde86afdbbf024aadc27526d111784d398",
	"title": "Deep Dive into GOOTLOADER Malware and Its Infection Chain",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 364481,
	"plain_text": "Deep Dive into GOOTLOADER Malware and Its Infection Chain\r\nBy Ryan Hicks, George Glass\r\nPublished: 2023-06-23 · Archived: 2026-04-05 16:50:23 UTC\r\nSummary\r\nKroll has analyzed incidents throughout Q1 2023 where drive-by compromise was the initial infection vector for GOOTLOADER malware. It is likely that the threat actors are utilizing SEO to drive individuals to either their own malicious websites or to infected WordPress sites. These sites are then used to host documents that would be attractive to employees within the legal and professional services sectors. A key search term used by victims across Kroll cases and open-source reporting is “agreement,” such as “transition services agreement,” “stock purchase agreement” and “transaction agreement”. When a user searches for terms similar to the above, the malicious websites display in the top results of the search engine through SEO poisoning. Similar to a tactic we’ve observed where threat actors manipulate Google Ads in order to drive users to malicious sites, this technique encourages users to click on a malicious link that takes the victim to an actor-controlled site where GOOTLOADER is hosted. GOOTLOADER leverages a vulnerable WordPress plugin to check that the victim has not visited the site before, that their operating system is Windows, that they are English-speaking and that the associated IP address is not blocked, before downloading a zip file from another compromised site. The zip file contains a JavaScript (JS) file named after the item searched, which, when opened, creates a scheduled task to execute a second-stage JS file from the user profile.\r\nThis script sets up a SYSTEMBC remote access trojan to connect to command-and-control (C2) IP addresses before increasing remote access by deploying COBALTSTRIKE.
It is highly likely that the threat actors then undertake a “hands-on” approach to identify data for exfiltration, utilizing tools such as FileZilla to upload to cloud storage sites.\r\nBased on Kroll’s observations, there has been no evidence of extortion, ransomware encryption or discussion about any exfiltrated data on the deep and dark web (DDW). In these internally observed cases, it is unlikely that the activity was that of a financially motivated criminal group; it is more indicative of corporate espionage. However, the foothold gained by a threat actor using GOOTLOADER could be leveraged by other groups, such as ransomware actors.\r\nhttps://www.kroll.com/en/insights/publications/cyber/deep-dive-gootloader-malware-infection-chain\r\nPage 1 of 5\n\nTypical GOOTLOADER Infection Chain\r\nInitial Infection\r\nGOOTLOADER is observed during the initial access phase of a compromise and is commonly distributed by SEO poisoning. Threat actors have also been observed compromising legitimate websites to host their malicious content, and vulnerable WordPress sites have often been exploited to deliver the malware. The benefit of SEO poisoning compared to other social engineering techniques, such as phishing, is that it is much harder for defenders to detect activity at this stage: there is no interaction with the victim infrastructure, the threat actor is essentially waiting for a user to reach out and download the malicious content.\r\nRegarding GOOTLOADER delivery, we have seen themes focused on business-related lures such as legal matters, agreements and contracts. Some of the file names we have observed being downloaded by victims are:\r\nwhat_states_have_tax_reciprocity.zip\r\nworkplace_technology_agreement.zip\r\nwhat_is_isda_agreement.zip\r\nIn one example, the webpage presented (below) was made to look like a forum with comments that related to the search term.
This forum thread was also seen in a number of different GOOTLOADER campaigns in open source (see Kroll’s Q3 2022 Threat Landscape report, https://www.kroll.com/en/insights/publications/cyber/threat-intelligence-reports/q3-2022-threat-landscape-insider-threat-trojan-horse), so it is almost certain that the threat actor set it up to provide legitimacy for posting the malicious link. The comment from the page “Admin” contained a download of the malicious .zip file, named identically to the search term used by the victim.\r\nExample Forum Post Leading to GOOTLOADER Download\r\nExecution and Persistence\r\nIn cases from March and April 2023, we observed users downloading .zip files containing a malicious JS file that was identified as GOOTLOADER using internal threat intelligence sources and open source. Once the zip file was unzipped and the malicious JS file was executed by the user, a second JS file was dropped into the %APPDATA% folder. The second-stage script then attempted to connect to C2 domains via wscript.exe and cscript.exe, executed by PowerShell scripts (example shown below).\r\nExtract from PowerShell script with User Agent Configuration and C2 Connection\r\nThe initial JS file also goes on to create a registry key to add a root certificate, and also creates a scheduled task that typically points to the second JS file for persistence.
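The execution chain just described (a user-launched JS from an extracted zip, a second-stage JS in %APPDATA%, wscript.exe or cscript.exe and PowerShell reaching out to C2, and a scheduled task for persistence) is what the detection opportunities listed at the end of this report rest on. The following is an added example written for this page, not Kroll’s code or tooling. It correlates constructed Sysmon-style process-creation (EventID 1) and network-connection (EventID 3) records into alerts for a script host running a script from a staging folder, a script host spawning schtasks.exe /create, and PowerShell spawned by a script host connecting outside RFC 1918 space; it also inspects a constructed zip for script members, the gateway-side check for the .zip-with-.js lure. The field names, ProcessGuid values, timestamps, the jdoe user, the stage2.js and Task1 names and the 203.0.113.10 destination are all assumptions for illustration; only the workplace_technology_agreement lure name comes from the report.

```python
import io
import ipaddress
import zipfile
from datetime import datetime, timedelta

# Added example, not Kroll tooling. Field names follow Sysmon (EventID 1 = process
# create, EventID 3 = network connection); every sample value below is constructed.
SCRIPT_HOSTS = {'wscript.exe', 'cscript.exe'}
SHELLS = {'powershell.exe', 'pwsh.exe'}
SCRIPT_EXTS = ('.js', '.jse', '.vbs', '.vbe', '.wsf', '.wsh')
STAGING_HINTS = ('downloads', 'temp', 'appdata')  # extracted zips and the %APPDATA% second stage
TIME_FMT = '%Y-%m-%d %H:%M:%S'
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16', '127.0.0.0/8', '169.254.0.0/16')]

def winpath(*parts):
    # chr(92) is a backslash; used so the sample data carries no escape sequences.
    return chr(92).join(parts)

def basename(path):
    return path.replace(chr(92), '/').rsplit('/', 1)[-1].lower()

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def archive_has_script_payload(zip_bytes):
    # Download/gateway check: returns the archive members that are Windows script files.
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if n.lower().endswith(SCRIPT_EXTS)]

def detect_chain(events, window_seconds=120):
    # Each alert is (kind, ProcessGuid, detail):
    #   script_host_staged_script        wscript/cscript running a script from Downloads, Temp or AppData
    #   script_host_creates_task         a script host spawning schtasks.exe /create (persistence)
    #   script_host_external_connection  PowerShell spawned by a script host reaching a non-RFC1918 address
    alerts = []
    shells = {}  # ProcessGuid of PowerShell spawned by a script host -> start time
    for ev in sorted(events, key=lambda e: e['UtcTime']):
        t = datetime.strptime(ev['UtcTime'], TIME_FMT)
        image = basename(ev['Image'])
        if ev['EventID'] == 1:
            parent = basename(ev.get('ParentImage', ''))
            cmd = ev.get('CommandLine', '').lower()
            if (image in SCRIPT_HOSTS and any(ext in cmd for ext in SCRIPT_EXTS)
                    and any(hint in cmd for hint in STAGING_HINTS)):
                alerts.append(('script_host_staged_script', ev['ProcessGuid'], cmd))
            if parent in SCRIPT_HOSTS and image == 'schtasks.exe' and '/create' in cmd:
                alerts.append(('script_host_creates_task', ev['ProcessGuid'], cmd))
            if parent in SCRIPT_HOSTS and image in SHELLS:
                shells[ev['ProcessGuid']] = t
        elif ev['EventID'] == 3 and ev.get('Initiated', True):
            started = shells.get(ev['ProcessGuid'])
            if (started is not None and t - started <= timedelta(seconds=window_seconds)
                    and not is_internal(ev['DestinationIp'])):
                alerts.append(('script_host_external_connection', ev['ProcessGuid'], ev['DestinationIp']))
    return alerts

def build_zip(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w', zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()

def sample_lure_zip():
    # Constructed archive shaped like the lures in the report: one .js named after the search term.
    return build_zip({'workplace_technology_agreement.js': 'var a = 1;'})

def sample_events():
    # Constructed telemetry mirroring the chain in the report; GUIDs, times, the user and
    # the stage2.js / Task1 names are placeholders, 203.0.113.10 stands in for a C2 address.
    sys32 = winpath('C:', 'Windows', 'System32')
    explorer = winpath('C:', 'Windows', 'explorer.exe')
    wscript = winpath(sys32, 'wscript.exe')
    powershell = winpath(sys32, 'WindowsPowerShell', 'v1.0', 'powershell.exe')
    user = winpath('C:', 'Users', 'jdoe')
    stage1 = winpath(user, 'Downloads', 'workplace_technology_agreement', 'workplace_technology_agreement.js')
    stage2 = winpath(user, 'AppData', 'Roaming', 'stage2.js')
    return [
        {'EventID': 1, 'UtcTime': '2023-03-15 10:00:01', 'ProcessGuid': 'P1', 'Image': wscript,
         'ParentImage': explorer, 'CommandLine': wscript + ' ' + stage1},
        {'EventID': 1, 'UtcTime': '2023-03-15 10:00:02', 'ProcessGuid': 'P2',
         'Image': winpath(sys32, 'schtasks.exe'), 'ParentImage': wscript,
         'CommandLine': 'schtasks.exe /create /tn Task1 /sc minute /mo 30 /tr ' + wscript + ' ' + stage2},
        {'EventID': 1, 'UtcTime': '2023-03-15 10:00:05', 'ProcessGuid': 'P3', 'Image': powershell,
         'ParentImage': wscript, 'CommandLine': 'powershell.exe -w hidden -noni -ep bypass'},
        {'EventID': 3, 'UtcTime': '2023-03-15 10:00:09', 'ProcessGuid': 'P3', 'Image': powershell,
         'Initiated': True, 'DestinationIp': '203.0.113.10', 'DestinationPort': 443},
        # Benign noise: a domain logon script run by a script host must not alert.
        {'EventID': 1, 'UtcTime': '2023-03-15 10:01:00', 'ProcessGuid': 'P4', 'Image': wscript,
         'ParentImage': winpath(sys32, 'userinit.exe'),
         'CommandLine': wscript + ' ' + winpath('', '', 'dc01', 'netlogon', 'logon.vbs')},
    ]

if __name__ == '__main__':
    for kind, guid, detail in detect_chain(sample_events()):
        print(kind, guid, detail)
    print('script members in lure zip:', archive_has_script_payload(sample_lure_zip()))
```

The staging-folder condition is what keeps the first rule quiet on legitimate wscript.exe use such as domain logon scripts from a netlogon share, and the time window ties the external connection to the PowerShell process the script host spawned rather than to any PowerShell on the host; both thresholds need tuning per environment, as the report notes for the .php-to-.zip download pattern.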
In other incident response cases, the execution of a COBALTSTRIKE DLL was also observed for persistence in these scheduled tasks.\r\nExample Execution Chain\r\nFollowing this initial foothold by a threat actor, Kroll observed the following post-compromise activity:\r\nToolkit Deployment\r\nOnce a connection is made to the C2 domains, the threat actor loads the adversary simulation framework COBALTSTRIKE onto the infected machine and attempts to move laterally via named pipes and remote service creation. The remote access trojan known as SYSTEMBC is also leveraged to maintain persistent access to the network, utilizing SOCKS5 proxies to hide network traffic from security appliances.\r\nInternal Scouting\r\nAfter gaining initial access and establishing a foothold within the network, the threat actor leverages tools such as Advanced IP Scanner and the Bloodhound variant PSHound.ps1 to enumerate endpoints on the network and Active Directory information. The PowerSploit tool PowerView.ps1 was also observed, likely in an attempt to identify file servers for data exfiltration. Process Hacker is sometimes used to view running software, likely to identify security tooling.\r\nEscalation\r\nPrivilege escalation is likely gained via COBALTSTRIKE or PowerSploit modules. Multiple legitimate accounts are then leveraged to gain access to other endpoints and file servers.\r\nLateral Movement\r\nLegitimate accounts are leveraged along with COBALTSTRIKE remote service execution to move laterally around the network. Typically, only a small number of endpoints are utilized, with the key goal of gaining sensitive documents.\r\nMission Execution\r\nThe threat actor attempts to exfiltrate sensitive information via automated collection tools such as FileZilla and FreeFileSync to upload to a remote cloud storage site.
The file transfer protocol (FTP) may also be leveraged to send files to controlled infrastructure. Kroll has not identified ransomware encryption in internal cases, nor has Kroll observed sales within DDW marketplaces or discussions relating to stolen data from GOOTLOADER. This suggests that the activity is a targeted espionage campaign.\r\nDetection Opportunities\r\nThe following are examples of events that could provide detection opportunities to identify GOOTLOADER activity early in the attack chain:\r\nScript files creating scheduled tasks (particularly PowerShell and JS)\r\nScript files spawning PowerShell, followed by external connections\r\nUser opening .zip files with a .js file inside\r\n.php URLs downloading a .zip file (will likely require tuning to the environment to identify anomalies)\r\nSource: https://www.kroll.com/en/insights/publications/cyber/deep-dive-gootloader-malware-infection-chain",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.kroll.com/en/insights/publications/cyber/deep-dive-gootloader-malware-infection-chain"
	],
	"report_names": [
		"deep-dive-gootloader-malware-infection-chain"
	],
	"threat_actors": [],
	"ts_created_at": 1775434502,
	"ts_updated_at": 1775826725,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4dd4a9bde86afdbbf024aadc27526d111784d398.pdf",
		"text": "https://archive.orkl.eu/4dd4a9bde86afdbbf024aadc27526d111784d398.txt",
		"img": "https://archive.orkl.eu/4dd4a9bde86afdbbf024aadc27526d111784d398.jpg"
	}
}