{
	"id": "670eb6f1-4a31-451b-aea2-b7087d9b9595",
	"created_at": "2026-04-06T00:21:01.295448Z",
	"updated_at": "2026-04-10T03:23:51.791005Z",
	"deleted_at": null,
	"sha1_hash": "760ee572512dc8a3dc0bf4a0cf1f7d58a51922b7",
	"title": "Tips for Automating IOC Extraction from GootLoader, a Changing JavaScript Malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 290411,
	"plain_text": "Tips for Automating IOC Extraction from GootLoader, a Changing JavaScript Malware\r\nBy Patrick Schläpfer\r\nPublished: 2022-05-04 · Archived: 2026-04-05 22:48:01 UTC\r\nThe threat actors behind GootLoader are always making adjustments to this family of JavaScript malware, which affects indicator of compromise (IOC) extraction using our decoder script. Whenever the GootLoader decoder breaks we try to adapt it to the new version of the malware to help the security community. In this post, we share the process of debugging and fixing the script, showing the common steps we usually take.\r\nFirst, we look at all extracts from the regular expressions (regex) because this is usually the reason why the decoder breaks. To do so, we add print statements before and after each regex evaluation, starting from the bottom of the script. The following image shows our first check.\r\nFigure 1 – Print statements around regular expression evaluations.\r\nBased on the output we try to figure out the position where the script fails to decode the new GootLoader version. In this case, we get an empty content output and therefore the script failed earlier in the process. In Figure 2, above the regex evaluation, you can see an additional print statement to debug the script:\r\nFigure 2 – Printing the content and the longest match of the regex.\r\nRunning the script again leads to another empty output, so further debugging is required. Again, we add two print statements around the next regex evaluation, which looks as follows:\r\nFigure 3 – Debug prints to check if the regex still works.\r\nAt this point we finally get an output from our debug print statements. This tells us that we found the position where the script fails to decode the new version of the malware.\r\nhttps://threatresearch.ext.hp.com/tips-for-automating-ioc-extraction-from-gootloader-a-changing-javascript-malware/\r\nPage 1 of 4\r\nFigure 4 – Printed script content of the new GootLoader version.\r\nTo understand why this specific regex does not work anymore, we compare our debug outputs to the outputs of an older GootLoader version where the decoder worked. Using the output of the working one, we can see what it should look like (Figure 5).\r\nFigure 5 – Printed script content of an older GootLoader version.\r\nThe regex result for this evaluation should lead to a list of variables concatenated with plus signs. This list is used by GootLoader to rearrange the code into the right order and then later on execute it using the eval function. To decode the script and extract the domains and URLs we need to do the same and bring the code into the correct order. With this version adjustment, GootLoader no longer uses just one statement to rearrange the code, but several interdependent ones. To fix the script we need to make two edits. First, we need to adjust the regex pattern so that it matches the new statements. Second, we need to add logic to merge the code. With the help of regex101.com we can adjust and fix the regex pattern.\r\nFigure 6 – Extracting the statements using regex.\r\nThe idea is to extract all the statements used for the code arrangement.\r\nFigure 7 – Definition of regex pattern to extract the statements.\r\nEach statement can be split into the variable and the expression. To keep track of the variables we create a dictionary which uses the variables as keys and the expressions as values. The last statement is the main statement used to join the code. For this statement we substitute the expression based on the values in our dictionary and get the final expression consisting of variables that refer to code fragments. The adjusted code sequence looks like this:\r\nFigure 8 – Modified code sequence to decode the new GootLoader version.\r\nTo keep the script compatible with older GootLoader versions, we add an if statement. If we do not get regex matches for the simple statement, we use the code which evaluates compound statements. Finally, we remove the print statements which we inserted for debugging and run the repaired script to get the following output:\r\nFigure 9 – GootLoader decoding script output.\r\nThis is the typical process we go through to adapt the decoding script to new GootLoader versions. As the threat actors behind GootLoader have been making version changes more frequently lately, we have had to make changes to our script more frequently as well. We hope that this explanation is helpful for analyzing GootLoader and making adjustments to our decoder script.\r\nTools\r\nYou can download the latest GootLoader decoder script here:\r\nhttps://github.com/hpthreatresearch/tools/blob/main/gootloader/decode.py\r\nIOCs\r\nNew GootLoader version:\r\n0a7c07fc84fd9f5b91bde6822b865f9647ca4ece67e8a4a646ce8d405187dc8b\r\nhxxps://lakeside-fishandchips[.]com/test.php?sgjngbizjfwgs=\r\nhxxps://learn.openschool[.]ua/test.php?sgjngbizjfwgs=\r\nhxxps://kristinee[.]com/test.php?sgjngbizjfwgs=\r\nOlder GootLoader version:\r\n765fbca3b6b1a922b442bc7304454e752e8bf231e2abe5060ace55db72c78d68\r\nhxxps://kristinee[.]com/test.php?zemyrwgzcsnjur=\r\nhxxps://kepw[.]org/test.php?zemyrwgzcsnjur=\r\nhxxps://korsakovmusic[.]com/test.php?zemyrwgzcsnjur=\r\nSource: https://threatresearch.ext.hp.com/tips-for-automating-ioc-extraction-from-gootloader-a-changing-javascript-malware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://threatresearch.ext.hp.com/tips-for-automating-ioc-extraction-from-gootloader-a-changing-javascript-malware/"
	],
	"report_names": [
		"tips-for-automating-ioc-extraction-from-gootloader-a-changing-javascript-malware"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434861,
	"ts_updated_at": 1775791431,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/760ee572512dc8a3dc0bf4a0cf1f7d58a51922b7.pdf",
		"text": "https://archive.orkl.eu/760ee572512dc8a3dc0bf4a0cf1f7d58a51922b7.txt",
		"img": "https://archive.orkl.eu/760ee572512dc8a3dc0bf4a0cf1f7d58a51922b7.jpg"
	}
}