{
	"id": "f2044c76-3c6c-4443-9c1e-d88558822e91",
	"created_at": "2026-04-06T00:08:19.74564Z",
	"updated_at": "2026-04-10T03:20:19.354181Z",
	"deleted_at": null,
	"sha1_hash": "53c237a05693d812b9bf5e56cfaf27d8f0a50b50",
	"title": "Gootloader: ‘Initial Access as a Service’ Platform Expands Its Search for High Value Targets - SentinelLabs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2942809,
	"plain_text": "Gootloader: ‘Initial Access as a Service’ Platform Expands Its\r\nSearch for High Value Targets - SentinelLabs\r\nBy Antonio Pirozzi\r\nPublished: 2021-06-16 · Archived: 2026-04-05 16:18:18 UTC\r\nThe ongoing Gootloader campaign expands its scope to highly sensitive assets worldwide including financial,\r\nmilitary, automotive, pharmaceutical and energy sectors, operating on an Initial Access as a Service model.\r\nExecutive Summary\r\nSince the beginning of Jan 2021 an active Gootloader campaign has been observed in the wild expanding\r\nits scope of interest to a wider set of enterprise verticals worldwide.\r\nAnalysis of over 900 unique droppers reveals that the campaign targets diverse enterprise and government\r\nverticals including military, financial, chemistry, banks, automotive, investment companies and energy\r\nstakeholders, primarily in the US, Canada, Germany, and South Korea.\r\nAround 700 high-traffic compromised websites were used as a delivery network.\r\nThe campaign uses tailored filenames to lure targets in a typical form of social engineering.\r\nThis campaign has a low static detection rate alongside robust sandbox evasion techniques and ‘fileless’\r\nstages.\r\nConsidering the wide distribution of the campaign and the heterogeneity of its deployed arsenal, we assess\r\nthat Gootloader acts as an ‘Initial Access As a Service’ provider, after which a variety of tools may be\r\ndeployed.\r\nIntroduction\r\nWe have been tracking an active Gootloader campaign aimed at enterprise and government targets worldwide. The\r\nprimary industries of interest appear to be U.S. military, governmental, and financial entities, trading, mining,\r\ngreen energy, game industries and automotive companies, as well as their suppliers and service providers.\r\nFirst spotted in 2014, Gootkit was born as a banking trojan. It has since evolved to become more of an infostealer,\r\noperated by what appears to be a cluster of actors. 
The name ‘Gootkit’ is often used interchangeably to refer to\r\nboth the malware and the group, but that’s admittedly loose. In March 2021, Sophos were the first to identify the\r\nmulti-payload delivery platform and call it “Gootloader”.\r\nEarly activity of Gootloader campaigns was first spotted by security researcher @ffforward in late 2020 and later\r\npublished by ASEC, Malwarebytes, and TrendMicro. Pivoting on those findings, we were able to gather a sizable\r\namount of malicious artifacts related to the same Gootloader campaign. We collected about 900 JavaScript (js)\r\ndroppers from a period of four months (1 Jan 2021 – 25 April 2021) by leveraging this\r\nGootloader_JavaScript_infector YARA Rule. Our aim is to deepen our understanding of the Gootloader service\r\nplatform and the selective nature of this campaign: topics that haven’t been investigated at scale.\r\nhttps://labs.sentinelone.com/gootloader-initial-access-as-a-service-platform-expands-its-search-for-high-value-targets/\r\nPage 1 of 13\n\nThe campaign uses customized filenames to lure targets through SEO poisoning, with the name of the js loader\r\nplaying an active part in the social engineering process. For this reason, we deemed that in this campaign the\r\nfilenames provided a strong indication of the contents victims were interested in searching for and, by extension,\r\nthe scope of the intended targets.\r\nThe detection rate of these artifacts by VirusTotal engines is very low and ranges from 1 to 7:\r\nLow detection on VirusTotal\r\nMoreover, considering that the subsequent stages are downloaded and executed in-memory, this ‘fileless’\r\nmechanism is very effective at evading standard sandboxes.\r\nThe Stealthy JS Loader\r\nThe core component of Gootloader is a small js loader (2.8 KB) that acts as the first stage of the infection chain.\r\nIt’s not new, and the same artifact is used in other Gootkit campaigns. 
The loader is composed of three highly\r\nobfuscated layers that contain encoded URLs. These form part of a network of compromised websites used to\r\ndeliver the final payload, typically one of the malware families listed below:\r\nBlueCrab (mostly targeting Korean users)\r\nCobalt Strike Beacons\r\nGootkit\r\nKronos\r\nREvil\r\nWe see Gootloader as a cluster of activity representing an ‘Initial Access as a Service’ business model, allowing it\r\nto distribute malware for different cybercrime groups for affiliate fees. All of the above payloads are known\r\n‘MaaS’ (Malware-as-a-Service) families that thrive on affiliate distribution models. Seeing that in some cases the\r\npayload distributed is Cobalt Strike, we cannot exclude that the Gootloader operators are conducting their own\r\nreconnaissance or credential harvesting for further gain.\r\nAnalyzing the JavaScript components was made drastically easier with the use of HP’s Gootloader decoder to\r\nautomate the deobfuscation and extraction of embedded URLs and content.\r\nThe beautified version of the js loader’s first layer reveals the malicious logic:\r\njs loader 1st layer\r\nOnce deobfuscated, we obtain the 2nd layer:\r\njs loader 2nd layer\r\nAnd finally the cleartext (and beautified) version:\r\njs loader decoded\r\nFrom the decoded script we can now see how Gootloader performs some target filtering to ensure that the victim\r\nis a part of an Active Directory domain via expanding the \"%USERDNSDOMAIN%\" environment variable.\r\nChecking to see if the user is in an AD domain\r\nIf the check returns true, then it appends an id (278146 in the above example) at the end of the query string and\r\nrequests the next stage from one of the 
websites contained in the ‘K’ array.\r\nGootloader Delivery Platform\r\nIn this section, we examine how the Gootloader delivery network works, starting with the distribution of the js\r\nloader using a social engineering lure all the way to the final payload.\r\nThe delivery network is composed of two levels. The first level consists of compromised well-ranked websites\r\nindexed by Google and hijacked by threat actors to host a js redirector.\r\nHijacked websites host a js redirector\r\nAt the time of writing, we estimate there are around 700 different compromised websites worldwide.\r\nThe script embedded on these compromised websites is responsible for performing the following checks via\r\nHTTP headers before delivering the js loader to the target:\r\nreferral: check that the request comes specifically from a Google search\r\nfirst time condition: check that the host/machine has not previously visited the site\r\ntimezone: check the timezone based on the requester IP\r\nThe timezone check is particularly interesting: in our analysis, the Gootloader platform apparently ‘geofences’ its\r\nintended targets by only delivering malware if the victim comes from specific countries: the US, Canada,\r\nGermany, and South Korea.\r\nIf any of the above conditions is not met, then the redirector builds a dummy page without a malicious component\r\nfor the user, such as the following:\r\nDummy page for uninteresting visitors\r\nOtherwise, the embedded script automatically builds and displays a fake forum page containing a thread relevant\r\nto the user’s search content, along with the link to the js loader:\r\nFake forum page for interesting targets\r\nThe compromised websites use old and vulnerable CMS versions that have been exploited to insert the 
malicious\r\nscript.\r\nDuring our analysis, we were able to extract the exploited domains used as a second-level delivery network for\r\nthis campaign (the list is not exhaustive):\r\nwww[.]kartatatrzanska[.]pl\r\nwww[.]hrgenius-uk[.]com\r\nwww[.]joseph-koenig-gymnasium[.]de\r\nwww[.]hagdahls[.]com\r\nwww[.]formenbau-jaeger[.]de\r\nwww[.]fabiancoutoxp[.]com[.]ar\r\nwww[.]cristianivanciu[.]ro\r\nwww[.]communityhalldp[.]org[.]uk\r\nwww[.]hoteladler[.]it\r\nwww[.]handekazanova[.]com\r\nwww[.]hccpa[.]com[.]tw\r\nwww[.]forumeuropeendebioethique[.]eu\r\nwww[.]cwa1037[.]org\r\nwww[.]edmondoberselli[.]net\r\nwww[.]ehiac[.]com\r\nwww[.]cljphotographyny[.]com\r\nwww[.]charismatrade[.]ro\r\nwww[.]commitment[.]co[.]at\r\nwww[.]giuseppedeluigi[.]com\r\nwww[.]esist[.]org\r\nwww[.]dischner-kartsport[.]de\r\nwww[.]espai30lasagrera[.]cat\r\nwww[.]kettlebellgie[.]be\r\nwww[.]frerecapucinbenin[.]org\r\nwww[.]adpm[.]com[.]br\r\nThe malicious link embedded into the fake page points to a .php resource. In turn, that component is responsible\r\nfor delivering the malicious loader to victims by pulling a zip archive containing the js loader with the same name\r\nfrom the second level delivery network.\r\nhttps:\r\nThe above URL reminds us of a typical webshell schema through which it’s possible to track campaigns and\r\nvictims. Moreover, subsequent attempts to download the same file using the same URL from the same machine\r\nwill fail. Each download attempt automatically generates a new URL. 
In fact, three different attempts from\r\ndifferent IPs generate the following unique URLs:\r\nDifferent IPs generate unique URLs\r\nThis substantiates the notion of a fully-automated assembly line process for malicious bundles.\r\nOnce the malicious js loader is delivered to the victim and executed through the wscript.exe process, it performs\r\nanother request to one of the embedded domains belonging to the same 2nd level delivery network.\r\nIn the request, the loader passes a random-looking parameter ( “?wmsyxqsucnsif=” ) to the search.php\r\ncomponent, assigning a value to it. The assigned value consists of a randomly generated numeric value followed\r\nby an ID that signals that the user is part of a domain.\r\nThe “?wmsyxqsucnsif=” query parameter changes for each analyzed dropper. By extracting a few of them, we\r\nnoticed differences in length:\r\nIywoiqoagiqj Length: 12\r\nUlxoflokgzjuj Length: 13\r\nXksrabkxexxje Length: 13\r\nUlxoflokgzjuj Length: 13\r\nFrzlewezxuqra Length: 13\r\nWehzijrczmewt Length: 13\r\nFzwuidcgfwpid Length: 13\r\nXrplomnpnofoc Length: 13\r\nJrnfrcbxrmwnr Length: 13\r\n\r\nZlurylnryiaupe Length: 14\r\nBhqtjmvrrnpttw Length: 14\r\nHmdfwcokgjutia Length: 14\r\n\r\nBtvhenvucpmtvpta Length: 16\r\nVzhnbqsvkxxndgem Length: 16\r\nMnxcmedoofhmjhob Length: 16\r\nOlwakhzcqflqrbln Length: 16\r\n\r\nEcteaaaqztxoqblrar Length: 18\r\nWe were able to populate at least five different clusters based on assigned lengths: 12, 13, 14, 16 and 18. A\r\nrandomly generated, unique string is assigned to each loader. 
The query parameter, at this stage, may be used for\r\ndownload tracking or other purposes.\r\nDelivery of the Final Payload\r\nIf the js loader succeeds in contacting the C2, then it retrieves an encoded PowerShell stager that in turn\r\ndownloads the next payload and writes it to the registry as a list of keys. The js loader then deploys additional\r\nPowerShell responsible for loading and decoding the content hidden in the registry.\r\nBase64 obfuscated PowerShell\r\nDecoded PowerShell content\r\nThe additional PowerShell is responsible for extracting the payload from the registry, converting it from ASCII\r\ninto bytes through the chba() function then loading and executing it by reflection.\r\nAt this point, the code spawns the ImagingDevices.exe process and injects itself into it via process hollowing. As\r\nnoted above, the injected payload varies between Cobalt Strike Beacons and various well-known malware families\r\nsuch as REvil and Kronos.\r\nPowerShell execution chain\r\nAnalysis of the network communication allowed us to spot different network clusters revolving around the\r\nfollowing IPs:\r\n23.106.122[.]245\r\n78.128.113[.]14\r\nNetwork clusters\r\nThese two Cobalt Strike Team Servers now appear to serve Gootloader exclusively; however, there appears to be\r\nsome infrastructure overlap on 78.128.113[.]14. This particular host has been observed as part of multiple Cobalt\r\nStrike-centric campaigns over the last several years. It is not possible to conclusively say that the same “actor” or\r\n“group” has been operating that infrastructure throughout the history of its misuse. That said, it is important to\r\nnote that while campaigns have varied, this host has constantly been utilized to stage and serve CS Beacons and\r\nadditional payloads, up to and including this ongoing Gootloader campaign. 
It is reasonable to assume given such\r\nhistory that the host is at least partially under control of an affiliate group.\r\nVictimology\r\nAs evidenced by artifacts in the code, this ongoing Gootloader campaign is selective and targets users from\r\nenterprise environments. Extrapolating from the variety of languages used in various components of the\r\ncampaign, we can surmise that the operators favored targets in Korean, German and English-speaking\r\nenvironments.\r\nFile names in different languages\r\nThe names of lures embedded into Gootloader samples also offer additional insights into the nature of the desired\r\ntargets. For example, the artifact ‘besa_national_agreement_2021.js’ (SHA1:\r\nb0251c0b26c6541dd1d6d2cb511c4f500e2606ce ) could suggest targets interested in components supplied by an\r\nItalian manufacturing company that produces security valves. Categorizing the loaders by their names, we can\r\nsurmise targeted verticals:\r\nTargeted industries\r\nInterestingly, Korean loaders follow a different naming convention to that used for other languages. Rather than\r\nusing company names or specific entities, they use a more generic naming scheme. This could indicate the\r\npresence of region-specific Gootloader operators with their own TTPs. 
It’s notable that despite not expressly\r\ntargeting specific entities, these infections continue to check for users that are part of corporate domains.\r\nNAME TRANSLATION\r\n유튜브_영상(egj).js YouTube_Video(egj).js\r\n휴먼명조_폰트(fm).js Human Myeongjo_Font(fm).js\r\n살육의_천사_게임(lep).js Slaughter_angel_game(lep).js\r\n바코드생성프로그램(bo).js Barcode generation program (bo).js\r\n웨스트월드_시즌2_2화(jbk).js West World_Season 2 Episode 2(jbk).js\r\n스팀_게임_무료(wdb).js Steam_Game_Free(wdb).js\r\nConclusion\r\nWe analyzed an ongoing Gootloader campaign attempting to lure professionals and enterprise employees\r\nworldwide. The selective nature of this campaign, the option to deliver multiple payloads, as well as the utilization\r\nof Cobalt Strike leads us to believe that Gootloader is an ‘Initial Access as a Service’ provider primarily for\r\nransomware operators.\r\nThis malicious operation is still active at the time of writing and we continue to expect future campaigns seeking\r\nadditional targets and verticals. For that reason, we continue to actively monitor Gootloader as a means of\r\ndistribution for the next strand of widespread ransomware.\r\nIoCs Gootloader Q1 2021\r\nMITRE TTPs\r\nJS loader + PowerShell stage:\r\nInitial Access (TA0001):\r\nT1566 Phishing\r\nT1566.002 Spear Phishing Link\r\nT0817 Drive-by Compromise\r\nExecution (TA0002):\r\nT1059.007 Command and Scripting Interpreter: JavaScript\r\nT1059.001 Command and Scripting Interpreter: PowerShell\r\nT1204.002 User Execution: Malicious File\r\nPersistence (TA0003):\r\nT1547.001 Boot or Logon Autostart Execution\r\nDefence Evasion (TA0005):\r\nT1027 Obfuscated Files or Information\r\nPrivilege Escalation (TA0004):\r\nT1055.012 Process Injection: Process Hollowing\r\nURLs (Delivery Network):\r\nwww[.]hagdahls[.]com/search[.]php? 
|  /about[.]php?\r\nwww[.]hoteladler[.]it/search[.]php? |  /about[.]php?\r\nwww[.]handekazanova[.]com/search[.]php? |  /about[.]php?\r\nwww[.]hccpa[.]com[.]tw/search[.]php? |  /about[.]php?\r\nwww[.]hrgenius-uk[.]com/search[.]php? |  /about[.]php?\r\nwww[.]joseph-koenig-gymnasium[.]de/search[.]php? |  /about[.]php?\r\nwww[.]kartatatrzanska[.]pl/search[.]php? |  /about[.]php?\r\nwww[.]edmondoberselli[.]net/search[.]php? |  /about[.]php?\r\nwww[.]cwa1037[.]org/search[.]php? |  /about[.]php?\r\nwww[.]ehiac[.]com/search[.]php? |  /about[.]php?\r\nwww[.]cljphotographyny[.]com/search[.]php? |  /about[.]php?\r\nwww[.]charismatrade[.]ro/search[.]php? |  /about[.]php?\r\nwww[.]commitment[.]co[.]at/search[.]php? |  /about[.]php?\r\nwww[.]giuseppedeluigi[.]com/search[.]php? |  /about[.]php?\r\nwww[.]esist[.]org/search[.]php? |  /about[.]php?\r\nwww[.]dischner-kartsport[.]de/search[.]php? |  /about[.]php?\r\nwww[.]espai30lasagrera[.]cat/search[.]php? |  /about[.]php?\r\nwww[.]kettlebellgie[.]be/search[.]php? |  /about[.]php?\r\nwww[.]forumeuropeendebioethique[.]eu/search[.]php? |  /about[.]php?\r\nwww[.]frerecapucinbenin[.]org/search[.]php? |  /about[.]php?\r\nwww[.]formenbau-jaeger[.]de/search[.]php? |  /about[.]php?\r\nwww[.]fabiancoutoxp[.]com[.]ar/search[.]php? 
|  /about[.]php?\r\nCobalt C2\r\n78.128.113[.]14\r\n23.106.122[.]245\r\nNetwork Communication\r\nhttps://78.128.113[.]14/j.ad\r\nhttps://78.128.113[.]14/ca\r\nhttps://78.128.113[.]14/updates.rss\r\nhttps://78.128.113[.]14/load\r\nhttps://78.128.113[.]14/pixel.gif\r\nhttps://23.106.122[.]245/pixel.gif\r\nhttps://23.106.122[.]245/fwlink\r\nYARA\r\nhttps://github.com/sophoslabs/IoCs/blob/master/Troj-gootloader.yara\r\nSHA1s and Lures\r\nOver 900 SHA1 hashes identified as part of the Gootloader Q1 2021 campaign along with some of the most\r\nrelevant lures and embedded URLs used for the delivery of the payloads:\r\nhttps://github.com/SentineLabs/Gootloader-iocs-q1-2021\r\nSource: https://labs.sentinelone.com/gootloader-initial-access-as-a-service-platform-expands-its-search-for-high-value-targets/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://labs.sentinelone.com/gootloader-initial-access-as-a-service-platform-expands-its-search-for-high-value-targets/"
	],
	"report_names": [
		"gootloader-initial-access-as-a-service-platform-expands-its-search-for-high-value-targets"
	],
	"threat_actors": [],
	"ts_created_at": 1775434099,
	"ts_updated_at": 1775791219,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/53c237a05693d812b9bf5e56cfaf27d8f0a50b50.pdf",
		"text": "https://archive.orkl.eu/53c237a05693d812b9bf5e56cfaf27d8f0a50b50.txt",
		"img": "https://archive.orkl.eu/53c237a05693d812b9bf5e56cfaf27d8f0a50b50.jpg"
	}
}