{
	"id": "c95241dd-c798-4587-b821-cddc1b9b4c1f",
	"created_at": "2026-04-06T00:08:40.929838Z",
	"updated_at": "2026-04-10T13:12:27.68089Z",
	"deleted_at": null,
	"sha1_hash": "73dc28245e1c5733a61e18f756136e0b5648a0e2",
	"title": "What is GootLoader?",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 235455,
	"plain_text": "What is GootLoader?\r\nBy gootloadersites\r\nPublished: 2023-01-05 · Archived: 2026-04-02 10:41:06 UTC\r\nGootloader is malware that falls into the class of “Initial Access as a Service”. Basically, it infects a host (in this case Windows), maintains access, and (presumably) sells access for further compromise of the system and/or network.\r\nGootloader spreads via SEO poisoning (Search Engine Optimization) on compromised WordPress blogs, predominantly targeting “agreement/form/contract” type terms. Poisoned terms have been observed in Korean and French as well. In the past we have seen over a million terms be poisoned, across thousands of compromised blogs.\r\nGootloader has been around for a number of years and is constantly evolving to evade detection. But the behavior hasn’t changed that much over the years.\r\nA user searches for a term, e.g. “licensing agreement basic definition”, in Google or Bing and clicks on a compromised site. As long as they are visiting the site from a Windows computer and an English-speaking country, the page will be redrawn to look like a forum, with a link of exactly what they searched for (see below).\r\nhttps://gootloader.wordpress.com/2023/01/05/what-is-gootloader/\r\nPage 1 of 2\r\nWhen they click the link, a zip file will download, and inside the zip file a malicious .JS file resides. Currently (as of 5Jan2023), when the user runs the malicious .JS, it creates a scheduled task and runs PowerShell code to call out to 10 domains with various info about the system.\r\nGootloader keeps calling out to these domains, waiting for code to run. The next stage is usually CobaltStrike, but that depends on who the access was passed off (or sold) to. Unfortunately, this has led to ransomware in many cases.\r\nSource: https://gootloader.wordpress.com/2023/01/05/what-is-gootloader/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://gootloader.wordpress.com/2023/01/05/what-is-gootloader/"
	],
	"report_names": [
		"what-is-gootloader"
	],
	"threat_actors": [],
	"ts_created_at": 1775434120,
	"ts_updated_at": 1775826747,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/73dc28245e1c5733a61e18f756136e0b5648a0e2.pdf",
		"text": "https://archive.orkl.eu/73dc28245e1c5733a61e18f756136e0b5648a0e2.txt",
		"img": "https://archive.orkl.eu/73dc28245e1c5733a61e18f756136e0b5648a0e2.jpg"
	}
}