{
	"id": "bfdeec56-e65f-4eef-842e-2542cb08a814",
	"created_at": "2026-04-06T00:12:18.906167Z",
	"updated_at": "2026-04-10T03:33:12.674482Z",
	"deleted_at": null,
	"sha1_hash": "4ec143f7e361635ed736431355f178ce163ab4fe",
	"title": "New Gootloader Variant “GootBot” Changes the Game in Malware Tactics",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 74416,
	"plain_text": "New Gootloader Variant “GootBot” Changes the Game in Malware Tactics\r\nPublished: 2023-11-07 · Archived: 2026-04-05 17:32:17 UTC\r\nResearchers recently identified a fresh Gootloader malware variant known as “GootBot,” used in SEO poisoning attacks. This variant introduces features that enable threat actors to move laterally within infected systems and make it challenging for organizations to detect or block the malware.\r\nGootloader has predominantly served as an initial access provider, with certain infections leading to ransomware incidents. The evolution of Gootloader malware, aimed at enhancing stealth and evading detection, coupled with the potential for ransomware attacks, raises significant concerns.\r\nGootBot’s emergence signifies a significant shift in the malware’s post-infection tactics; in this context, understanding the group’s evolving tactics and tools is imperative for mitigating the risks associated with post-exploitation activities.\r\nHow Does GootBot Enhance the Capabilities of Gootloader?\r\nThe Gootloader group, also known as UNC2565 or Hive0127, has historically employed techniques like SEO poisoning and compromised WordPress websites. Although active since 2014, the group expanded its tactics in 2022 by disseminating new secondary payloads such as Cobalt Strike, IcedID, and SystemBC in its attacks.\r\nWith the latest development, Gootloader introduces GootBot, which provides an efficient means to infiltrate networks and deploy additional payloads. This approach aims to elude detection by steering clear of commonly identified off-the-shelf tools like Cobalt Strike or RDP for Command and Control (C2).\r\nResearchers identified the new variant in campaigns employing SEO poisoning attacks. 
These campaigns exploit search engine algorithms using keywords related to contracts, legal forms, and business documents, luring victims to seemingly legitimate websites where they unwittingly download the initial payload.\r\nAfter infection, GootBot implants are disseminated widely throughout the corporate network. Each implant connects to a distinct hardcoded C2 server, often hosted on compromised WordPress sites, rendering detection and blocking more challenging. Furthermore, researchers note that GootBot currently maintains an undetected status on VirusTotal.\r\nHow Does a Gootloader Infection Work? How Does It Employ GootBot?\r\nIBM’s X-Force has examined the stages of Gootloader malware infection and its latest variant, GootBot. Here is an overview of the researchers’ findings:\r\nGootloader Infections\r\nhttps://socradar.io/new-gootloader-variant-gootbot-changes-the-game-in-malware-tactics/\r\nPage 1 of 5\n\nGootloader initiates infections when a user downloads an infected archive containing a heavily obfuscated JavaScript file, which is Gootloader’s first stage. This JavaScript file drops another file in a selected subfolder under the %AppData% folder with an inconspicuous English filename.\r\nRather than running the second stage directly, Gootloader triggers a scheduled task for execution and persistence. When the second-stage JavaScript runs, it executes a PowerShell script, the third stage, which collects system information and uploads it to one of its 10 hardcoded C2 servers. Gootloader uses hacked WordPress sites for its C2 servers, leading to URLs ending with “/xmlrpc.php”.\r\nThe User-Agent remains consistent, as does the presumed malware ID, 3B47772CE3. The malware expects the C2’s response to contain a PowerShell script for execution. The third-stage PowerShell script runs in an endless loop, enabling the actor to receive various PowerShell payloads from the C2.\r\nHow does Gootloader employ GootBot? 
(Source: IBM)\r\nIntroduction to GootBot\r\nThe GootBot payload is the new Gootloader variant that functions as a lightweight PowerShell script. GootBot only contains a single C2 server address, and features strings that are slightly obfuscated using a replacement key.\r\nSimilar to Gootloader, GootBot sends a GET request to its C2 server, requesting PowerShell tasks. In response, it expects a string with a Base64-encoded payload, with the task name encoded in the last 8 characters. GootBot decodes the payload, injects it into a simple scriptblock, and runs it in a background job using the “Start-Job” Cmdlet. This asynchronous execution reduces EDR detections, as no child processes are generated.\r\nGootBot beacons out every 60 seconds, with settings changeable through specific strings. The working directory path can also be modified with a signal string. After receiving tasks from the C2, GootBot queries task results and returns completed job results or specific strings for jobs that are not completed (“E1” or “E2”).\r\nPost-Infection\r\nGootBot’s lateral movement capabilities allow it to spread within the environment. Infected hosts receive scripts that enumerate the host and domain, with various techniques used to distribute the GootBot payload to other hosts. GootBot’s C2 infrastructure rapidly generates various GootBot payloads, each with a distinct C2 contact address. Lateral-movement scripts automate their deployment, potentially resulting in host reinfections.\r\nLateral-movement scripts employ WinRM in PowerShell. Other examples include copying payloads via SMB, and using WinAPI calls for creating remote services and scheduled tasks. In some cases, GootBot uses exfiltrated credentials for spreading.\r\nAdditionally, GootBot employs environment variables to store encrypted strings, reducing script size. 
It may also use a technique to spoof PowerShell process arguments by creating a new process before writing the malicious script to the process’s standard input.\r\nGootBot runs a reconnaissance script as one of its initial tasks, which includes the unique GootBot ID for the host. It collects domain user names, OS information, architecture details, domain controller information, running processes, SIDs, local IP addresses, and hostnames, and formats the data with the specified ID.\r\nStay Ahead of Threat Actors with SOCRadar XTI\r\nSOCRadar XTI leverages automated data collection, classification, and AI-driven analysis across a wide spectrum of sources spanning the surface, deep, and dark web. This comprehensive approach ensures that our Threat Actor \u0026 Malware panel remains continuously updated, providing you with the most current information regarding threat actors and malware.\r\nThe SOCRadar platform offers extensive details on GootLoader, including threat actors who have utilized its services, related vulnerabilities, and indicators of compromise (IoCs). These details are continuously refreshed and kept up to date.\r\nDetails of Gootloader (SOCRadar)\r\nEquipped with the insights available on the SOCRadar platform, you can craft more effective use cases for the detection and prevention of malicious activities. 
This proactive approach empowers you to safeguard your organization against potential threats.\r\nRecommendations to Avoid/Detect Gootloader Infections\r\nResearchers advise security teams to enable script block logging within their environments and maintain vigilant monitoring of relevant Windows event logs, scheduled tasks, and network traffic to identify any signs of compromise.\r\nFurther recommendations are listed below:\r\nClosely scrutinize the execution of JavaScript files within downloaded ZIP archives to detect potential threats.\r\nThoroughly examine network traffic for any suspicious HTTP requests, particularly those ending with “xmlrpc.php”.\r\nKeep an eye out for unusual cookie values (=) and content formats (=[sX\u003c\u003e]).\r\nProactively monitor and identify lateral movement within your environment, utilizing various techniques like WinRM, WMI, or SCM.\r\nAssess the usage of the “Start-Job” Cmdlet and consider disabling or monitoring it to prevent malicious activities.\r\nIndicators of Compromise (IoCs) Related to Gootloader\r\nMandiant has previously published a blog post outlining Gootloader’s operations, which included a set of Indicators of Compromise (IoCs). 
\r\nSource: 
https://socradar.io/new-gootloader-variant-gootbot-changes-the-game-in-malware-tactics/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://socradar.io/new-gootloader-variant-gootbot-changes-the-game-in-malware-tactics/"
	],
	"report_names": [
		"new-gootloader-variant-gootbot-changes-the-game-in-malware-tactics"
	],
	"threat_actors": [
		{
			"id": "fc7f0460-0a66-4178-9c5b-75abb22b87b0",
			"created_at": "2023-11-08T02:00:07.15123Z",
			"updated_at": "2026-04-10T02:00:03.427759Z",
			"deleted_at": null,
			"main_name": "UNC2565",
			"aliases": [
				"Hive0127"
			],
			"source_name": "MISPGALAXY:UNC2565",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434338,
	"ts_updated_at": 1775791992,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4ec143f7e361635ed736431355f178ce163ab4fe.pdf",
		"text": "https://archive.orkl.eu/4ec143f7e361635ed736431355f178ce163ab4fe.txt",
		"img": "https://archive.orkl.eu/4ec143f7e361635ed736431355f178ce163ab4fe.jpg"
	}
}