{
	"id": "5abb2912-b8f2-4aee-88b8-f10c829e559b",
	"created_at": "2026-04-06T00:15:55.431407Z",
	"updated_at": "2026-04-10T03:33:12.686941Z",
	"deleted_at": null,
	"sha1_hash": "76522524597b520515851bb4182c66d5924a651f",
	"title": "GootBot Gootloaders new approach to post-exploitation",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 8988066,
	"plain_text": "GootBot Gootloaders new approach to post-exploitation\r\nBy Golo Mühr, Ole Villadsen\r\nPublished: 2023-11-06 · Archived: 2026-04-05 13:08:05 UTC\r\nOle Villadsen\r\nCyber Threat Hunt Analyst\r\nIBM Security\r\nIBM X-Force discovered a new variant of Gootloader — the “GootBot” implant — which facilitates stealthy\r\nlateral movement and makes detection and blocking of Gootloader campaigns more difficult within enterprise\r\nenvironments. X-Force observed these campaigns leveraging SEO poisoning, wagering on unsuspecting victims’\r\nsearch activity, which we analyze further in the blog. The Gootloader group’s introduction of their own custom bot\r\ninto the late stages of their attack chain is an attempt to avoid detections when using off-the-shelf tools for C2\r\nsuch as CobaltStrike or RDP. This new variant is a lightweight but effective malware allowing attackers to rapidly\r\nspread throughout the network and deploy further payloads.\r\nPreviously, Gootloader was only observed as an initial access malware, after which attackers would load tools like\r\nCobaltStrike or use RDP to spread within the network. Campaigns leveraging GootBot for lateral movement\r\nconstitute a significant change in post-infection TTPs, as this custom tool enables threat actors to stay under the\r\nradar for a longer period. GootBot is downloaded as a payload after a Gootloader infection and has the capability\r\nto receive C2 tasks in the form of encrypted PowerShell scripts, which are run as jobs. Unlike Gootloader,\r\nGootBot is a lightweight obfuscated PS script, containing only a single C2 server. GootBot implants, each of\r\nwhich contains a different C2 server running on a hacked WordPress site, spread throughout infected enterprise\r\ndomains in large numbers in hopes of reaching a domain controller. At the time of writing, GootBot has no\r\ndetections listed on VirusTotal. 
This shift in TTPs and tooling heightens the risk of successful post-exploitation stages, such as Gootloader-linked ransomware affiliate activity.\r\nKey findings\r\nThe Gootloader group created a novel tool for C2 and lateral movement dubbed GootBot, which is being used in lieu of other traditional post-exploitation frameworks such as CobaltStrike.\r\nCurrently observed campaigns leverage SEO-poisoned searches for themes such as contracts, legal forms, or other business-related documents, directing victims to compromised sites designed to look like legitimate forums where they are tricked into downloading the initial payload as an archive file.\r\nAfter an infection, large numbers of GootBot implants are disseminated throughout corporate environments, each containing a different hardcoded C2 server, making them difficult to block.\r\nAt the time of writing, GootBot implants maintain zero AV detections on VirusTotal, enabling them to spread stealthily.\r\nhttps://securityintelligence.com/x-force/gootbot-gootloaders-new-approach-to-post-exploitation/\r\nPage 1 of 15\n\nGootloader has served as an initial access provider and successful infections have been known to lead to ransomware.\r\nBackground\r\nThe Gootloader group, which X-Force tracks as Hive0127 (aka UNC2565), has been active since 2014 and relies on a combination of SEO poisoning and compromised WordPress sites to deliver Gootloader. 
Gootloader infections provide initial access for other threat actors, including ransomware affiliates, and attacks have led to follow-on payloads such as IcedID, Cobalt Strike, and SystemBC.\r\nX-Force observed the group leveraging SEO poisoning as part of its malicious campaigns. SEO poisoning is a method that threat actors use to manipulate search engine results in order to drive users to compromised websites, exploiting the notion that a search engine’s first results are likely to be accurate, safe and legitimate. Hive0127 typically targets online searches for contracts, legal forms or other business-related documents; for example: “Is a closing statement the same as a grand contract?”. Targets are served a compromised website modified to appear as a legitimate forum at the top of the poisoned search engine results page. Within the forum conversation, the targets are then tricked into downloading an archive file related to their initial search terms, which actually contains Gootloader.\r\nAnalysis\r\nInfection diagram\r\nThe following diagram is an example of how Gootloader may employ GootBot to spread throughout a network. The analysis sections below detail the different stages of infection:\r\nFigure: Infection diagram\r\nInitial access via Gootloader\r\nGootloader infections start with a user downloading an infected archive containing a significantly obfuscated JavaScript file, which is Gootloader’s first stage. Upon execution, it drops another JavaScript file in a selected subfolder under the %APPDATA% folder with an unobtrusive English filename. Gootloader does not create a new folder in %APPDATA% but rather selects one that already exists. This selection is not random but calculated based on the number of subfolders that are found in the %APPDATA% folder. 
It is calculated as follows:\r\n722 – (Round down(722 / number_of_subfolders) * number_of_subfolders)\r\nThis is equivalent to 722 modulo number_of_subfolders, so the result is always smaller than the number of subfolders.\r\nInstead of running the second stage directly, Gootloader triggers a scheduled task to run the JavaScript and to make it persistent.\r\nThe scheduled task has the following parameters:\r\nName: \u003cRandom English words\u003e\r\nAction: wscript \u003cshort file name of 2nd stage ending with “~1.JS”\u003e\r\nFolder: [Subfolder in %APPDATA%]\r\nTrigger: LogonTriggerID [At the next log on of the current user]\r\nOnce the second stage JavaScript executes, it runs a PowerShell script, the third stage, which gathers system information and uploads it to any of its 10 hardcoded C2 servers. Gootloader uses hacked WordPress sites to run its C2 servers, leading to C2 URL paths ending with “/xmlrpc.php”.\r\nBelow is an example of an HTTP request from the malware.\r\nThe User-Agent is consistent, as is the presumed malware ID, 3B47772CE3.\r\nThe malware expects the C2 to respond with data that contains a PowerShell script that Gootloader executes.\r\nThe third stage PowerShell script runs in an endless loop, giving the actor the ability to make the C2 respond with varying PowerShell payloads.\r\nGootBot\r\nOne of the payloads X-Force observed is GootBot, a new variant of Gootloader. It features very similar capabilities but comes in the form of a lightweight PowerShell script. 
Unlike the stage 3 PowerShell script, GootBot only contains a single C2 server address.\r\nGootBot’s strings are slightly obfuscated via a replacement key, as seen in the screenshot below:\r\nSimilar to Gootloader, the bot starts by sending a GET request to its C2 server, requesting PowerShell tasks. The first beacon has the following HTTP headers added by the malware:\r\nGET /xmlrpc.php HTTP/1.1\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36\r\nCookie: \u003cBOT_ID\u003e=\u003cIf user is admin: 0/1\u003e\r\nPragma: no-cache\r\nCache-Control: no-cache, no-store\r\nExpires: 0\r\nAs a response, GootBot expects a string consisting of a Base64-encoded payload, with the last 8 characters being the task name. It then decodes the payload and injects it into a simple scriptblock before executing it in a new background job using the “Start-Job” cmdlet. This allows the PowerShell payload to be run asynchronously and without creating a child process, potentially resulting in fewer EDR detections.\r\nThe following screenshot shows the deobfuscated code running the C2 task.\r\nBy default, GootBot beacons out every 60 seconds; however, this can be changed by setting a specific string containing “asz” in the child job’s information attribute. The same applies to the working directory path, which can be changed with the “asx” signal string.\r\nOnce the bot receives a task from the C2, the next loop iteration will start by querying the task result for every child job requested by the C2 server. If the job has been completed, it will return the job results. 
If it has not been completed yet, it will send the string “E1”, or the string “E2” if the job cannot be found. The job results are then concatenated for all requested tasks using the following format:\r\n[!\u003cBOT_ID\u003e!]\u003cjob result 1\u003e!\u003c1\u003e[!\u003cBOT_ID\u003e!]\u003cjob result 2\u003e!\u003c2\u003e[!\u003cBOT_ID\u003e!]\u003cjob result 3\u003e!\u003c3\u003e…\r\nThe resulting string is Base64 encoded and obfuscated via a modulo-based algorithm which is similar to a technique observed in previous Gootloader JavaScript samples.\r\nThis time, GootBot sends a POST request to its C2 server. If the data is larger than 100,000 chars it is split into multiple requests, formatted as follows:\r\nPOST /xmlrpc.php HTTP/1.1\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36\r\nCookie: \u003cBOT_ID\u003e=\u003cIf user is admin: 0/1\u003e|\u003ctask name 1\u003e|\u003ctask name 2\u003e|\u003ctask name 3\u003e|\u003ctask name 4\u003e…\r\nPragma: no-cache\r\nCache-Control: no-cache, no-store\r\nExpires: 0\r\n\u003cBOT_ID\u003e=[sX\u003c\u003crandom_int\u003e\u003e\u003cpacket_seq_number\u003e]\u003cdata\u003e\r\nAgain, the bot expects a response containing the next task.\r\nLateral movement\r\nGootBot was also designed to be spread laterally throughout the environment. Once an initial host is infected, GootBot receives a number of scripts enumerating the host as well as the domain. X-Force also observed several scripts using different techniques to spread the embedded GootBot payload to other hosts. GootBot’s C2 infrastructure can quickly generate large numbers of GootBot payloads to be disseminated, each with a different C2 address to contact. 
These are deployed by lateral-movement scripts in an automated fashion, which may also lead to hosts being reinfected multiple times.\r\nLateral-movement scripts make use of WinRM in PowerShell, either via WMI or the “Invoke-Command” cmdlet. Other examples include copying payloads via SMB and the use of WinAPI calls to the SCM (Service Control Manager) in order to create remote services and scheduled tasks.\r\nIn some cases, GootBot also uses exfiltrated credentials to spread:\r\nFigure: Lateral movement via WinRM Invoke-Command\r\nFigure: Lateral movement via SCM\r\nGootBot has also been shown to use environment variables to store encrypted strings, which further decreases the scripts’ size. In addition, GootBot may also be deployed using a technique that spoofs the PowerShell process’s arguments by creating a new process before writing the malicious script to the process’s standard input.\r\nReconnaissance\r\nGootBot also runs a reconnaissance script as one of its first tasks. 
It contains the unique GootBot ID for the host. The following information is pulled together and returned to the job handler:\r\nDomain user name\r\nOS (from registry key)\r\nWhether the architecture is 64-bit (checking for the x86 directory and also the size of IntPtr)\r\nDomain controllers:\r\n  From registry\r\n  From ENV var\r\n  Using [System.DirectoryServices.ActiveDirectory.DomainController]::FindAll\r\nRunning processes\r\nSID\r\nLocal IP address\r\nHostname\r\nThe data is formatted with the specified ID. See example data below with ID “FDA8970BA3”:\r\nActions on objective\r\nA Gootloader infection may quickly lead to the deployment of additional tools such as Cobalt Strike, SystemBC and domain compromise scripts, including Kerberoasting attacks. Other observed behavior is the exfiltration of the following sensitive information:\r\nLSASS process dump, dumped using Procdump or the MiniDump functionality of “comsvcs.dll”\r\nRegistry hives SAM, SYSTEM, SECURITY\r\nIn addition, Gootloader infections are also known to result in ransomware.\r\nConclusion\r\nThe discovery of the GootBot variant highlights the lengths to which attackers will go to evade detection and operate in stealth. This is a highly effective malware that allows attackers to move laterally across the environment with ease and speed and extend their attacks. In addition, Hive0127’s usage of large clusters of compromised WordPress domains makes it increasingly difficult for defenders to block malicious traffic. 
As Gootloader frequently serves as an initial access provider, awareness of these evolving TTPs and tools is important to mitigate the risk of impactful post-exploitation activity.\r\nRecommendations\r\nEnsure anti-virus and associated files are up to date\r\nOrganizations should ensure that script block logging is enabled within their enterprise and monitor the relevant Windows event logs for signs of compromise\r\nMonitor for execution of JavaScript files within downloaded ZIP archives\r\nMonitor for scheduled tasks using wscript.exe to execute JavaScript files using short names (*~1.JS)\r\nMonitor network traffic for suspicious HTTP requests to URLs ending with “xmlrpc.php”:\r\n  Suspicious cookie value: \u003cBOT_ID\u003e=\u003cIf user is admin: 0/1\u003e\r\n  Suspicious content format: \u003cBOT_ID\u003e=[sX\u003c\u003crandom_int\u003e\u003e\u003cpacket_seq_number\u003e]\u003cdata\u003e\r\nMonitor for lateral movement via WinRM, WMI or SCM\r\nDisable or monitor the “Start-Job” cmdlet within your environment.\r\nIndicators of Compromise (IOCs)\r\nIndicator | Indicator Type | Context\r\n6ff7a60c7cd8ffed318700dff453d3679adf27b11505f875d54e8afc33bb8465 | SHA256 | GootBot\r\n95dbd3f273d621fa71631882d00bef71f902a4cc536ee150ec748aae4f47e4d5 | SHA256 | GootBot\r\nhttps://contentstudent[.]com/xmlrpc.php | URL | GootBot C2 server\r\nhttp://63factory[.]jp/wordpress/xmlrpc.php | URL | GootBot C2 server\r\nSource: https://securityintelligence.com/x-force/gootbot-gootloaders-new-approach-to-post-exploitation/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://securityintelligence.com/x-force/gootbot-gootloaders-new-approach-to-post-exploitation/"
	],
	"report_names": [
		"gootbot-gootloaders-new-approach-to-post-exploitation"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "fc7f0460-0a66-4178-9c5b-75abb22b87b0",
			"created_at": "2023-11-08T02:00:07.15123Z",
			"updated_at": "2026-04-10T02:00:03.427759Z",
			"deleted_at": null,
			"main_name": "UNC2565",
			"aliases": [
				"Hive0127"
			],
			"source_name": "MISPGALAXY:UNC2565",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434555,
	"ts_updated_at": 1775791992,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/76522524597b520515851bb4182c66d5924a651f.pdf",
		"text": "https://archive.orkl.eu/76522524597b520515851bb4182c66d5924a651f.txt",
		"img": "https://archive.orkl.eu/76522524597b520515851bb4182c66d5924a651f.jpg"
	}
}