{
	"id": "8ed3ba8c-8226-4005-add6-f9dc1e43b6d9",
	"created_at": "2026-04-06T00:10:39.645554Z",
	"updated_at": "2026-04-10T13:11:49.513689Z",
	"deleted_at": null,
	"sha1_hash": "b82030c39edb363e8489cf9dc1efb54e699b4f79",
	"title": "Threat hunting case study: Tracking down GootLoader",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 46160,
	"plain_text": "Threat hunting case study: Tracking down GootLoader\r\nBy Intel 471\r\nPublished: 2026-04-01 · Archived: 2026-04-05 14:12:46 UTC\r\nOne of the ways users become infected with malware is through search engine optimization (SEO) poisoning.\r\nThis technique is a net that entraps groups of users searching for certain terms. By either seeding legitimate sites\r\nwith malware or creating misleading websites, attackers can lure people into downloading malicious code. One\r\ngroup of threat actors that has effectively used SEO poisoning to infect computers is behind the malware known as\r\nGootLoader. GootLoader is loader malware that appeared in late 2020. In its early days, GootLoader delivered the\r\nGootkit banking trojan to facilitate account takeover (ATO). However, Gootkit is seldom seen anymore.\r\nGootLoader’s mission has diversified, and its operators have shifted to an initial access broker (IAB) model.\r\nAccess brokering is part of cybercrime-as-a-service, featuring threat actors who specialize in gaining access to\r\nsystems and who then sell that access on to other threat actors. Those access buyers then exploit those computers,\r\nwhether for data theft, ransomware or other schemes. GootLoader’s access has also been used to install tools for\r\nreconnaissance and lateral movement, including Rubeus, SharpHound, SystemBC and Cobalt Strike, a legitimate\r\npenetration testing framework that is abused by threat actors.\r\nIn early 2023, GootLoader was distributed on sites that would show up in search results when looking for terms\r\nsuch as “agreement,” “contract,” “form,” “law,” “license” and “template.” To create these malicious links,\r\nGootLoader’s operators would look to leverage vulnerabilities in websites and forums using the WordPress\r\ncontent management system (CMS). 
This allowed the threat actors to add new servers to their network, increasing\r\ntheir distribution and chances that users will encounter a GootLoader-seeded site in a search.\r\nGootLoader remains a pervasive threat to organizations. Due to its stealthiness, effectiveness and exploitation in\r\nthe wild by a number of ransomware campaigns, it is important that teams assess and prepare for this loader’s\r\ncapabilities. Early detection and removal of a GootLoader infection can mean avoiding a data breach or\r\nransomware attack. This post will discuss how to use Intel 471’s HUNTER platform to look for clues of\r\nGootLoader infections.\r\nTo begin threat hunting, we first need to collect current tactics, techniques and procedures (TTPs) GootLoader\r\nuses. These TTPs can originate from a variety of sources, such as vendor reports and data shared by independent\r\nresearchers. The TTPs comprise current behaviors the malware is using and are less likely to be changed by the\r\nmalware’s operators.\r\nFor this threat hunting example, we will collect TTPs from the DFIR Report, a group of researchers who publish\r\nabout their investigations into malware infections, ransomware incidents and data breaches. 
In February 2024, the\r\nDFIR Report published “SEO Poisoning to Domain Control: The GootLoader Saga Continues.” The post\r\ndiscusses an incident at an organization that originated with a user conducting a search for “Implied Employment\r\nAgreement.” One of the sites returned was a compromised website mimicking a forum that hosted GootLoader.\r\nThe person followed a link and downloaded what purported to be an employment agreement but was actually\r\nGootLoader.\r\nhttps://intel471.com/blog/threat-hunting-case-study-tracking-down-gootloader\r\nPage 1 of 3\n\nThe DFIR Report contains details about GootLoader’s execution:\r\n[Image: Fig1]\r\nScrolling down to the “Persistence” section of the DFIR Report gives more information about scheduled tasks,\r\nwhich is one of GootLoader’s recurrent behaviors, and the evidence that it leaves behind. We can also identify the\r\nusers who executed GootLoader and the trigger that the scheduled task was scheduled to execute on. If we look\r\nunder LogonTrigger, we can see it is enabled and can conclude that the scheduled task will trigger when a\r\nparticular user logs on to the machine (the UserID has been redacted):\r\n[Image: Fig2]\r\nWhat other TTPs can we find? We can see GootLoader runs other actions or commands, including scheduled tasks\r\nin unexpected locations. Adversaries love to tuck malware into unlikely locations where users pay little attention.\r\nWhen was the last time you stored an important document in the appdata/roaming directory, which is normally a\r\nhidden folder? This is an area to focus on.\r\nWe can pay less attention to arguments or file names used by an adversary. If an adversary is smart, the same file\r\nname will not be repeated, as it’s an indicator of compromise (IoC) that can be easily changed for a new attack\r\non a new target. 
By focusing on the behavior (scheduling a task) and the location (an odd directory), it’s possible\r\nto repeatedly catch GootLoader as opposed to concentrating detection efforts using an atomic or point-in-time\r\nartifact, such as a file name, hash, IP address, etc.\r\nWe don’t have to rely on external open source reports, however, to understand the TTPs of GootLoader.\r\nGootLoader is one of dozens of malware families tracked by Intel 471’s Malware Intelligence team. The team\r\ntracks malware families and infection campaigns and emulates malware to understand new behaviors. This\r\nintelligence can then be applied to threat hunting. Since Intel 471 acquired Cyborg Security in May 2024, we have\r\nbeen using data collected about malware such as GootLoader to write threat hunting packages. These packages,\r\nwhich are part of the HUNTER platform, are pre-written queries that are applicable to searching for possible signs\r\nof an infection within a wide range of endpoint detection and response (EDR), extended detection and response\r\n(XDR), logging and security information and event management (SIEM) platforms.\r\nThe advantage of the pre-written aspect for security teams is it allows threat hunters to focus on executing current\r\nhunts based on fresh intelligence from recent malware campaigns rather than researching and writing the queries.\r\nSince we have access to Malware Intelligence, we can improve the relevancy of our threat hunt packages to more\r\nclosely match the current threat environment and lessen dependence on aging open source intelligence. This is not\r\nto slight or discount the value of open source intelligence. It’s extremely valuable, and sharing by the threat\r\nintelligence community strengthens the defenses of all. However, open source intelligence is also available to\r\nthreat actors who may read the same blogs, social media feeds and vendor reports. 
Some actors may subsequently\r\nmake changes to avoid detection.\r\nFor those who are not Intel 471 customers yet, we’ve made a GootLoader hunt query available as part of the\r\nCommunity Edition of HUNTER, which is free.\r\n[Image: Fig3 - The threat hunt titled “Scheduled Task Executing from Abnormal Location” is available in the\r\nHUNTER Community Edition.]\r\nEarlier, we referred to GootLoader’s tendency to hide scheduled tasks in abnormal locations. One of the threat\r\nhunts included in the HUNTER Community Edition is titled “Scheduled Task with Abnormal Location in\r\nDetails.” If we click on the hunt package, we can see that this type of threat hunt is not only applicable to\r\nGootLoader, but also other types of malware, including the Spectre remote access trojan (RAT), the Lumma\r\ninformation stealer and various ransomware strains including MedusaLocker, Nokoyawa, Quantum and LockBit\r\n3.0.\r\nIf we scroll down to the query logic table, we can identify the field-value relationships that we will be analyzing in\r\ncertain fields (see: screenshot below). First, we have a scheduled task, which is event_id 4698. This is the native\r\nWindows logging event ID that captures scheduled tasks.\r\n[Image: Fig4]\r\nNext we can look at the message field, which captures information in the native Windows event log. These are\r\nlocations where GootLoader potentially may be active. Going further down, we have excluded \\Windows\r\nDefender\\ and \\Microsoft\\Windows\\Applications. Those are locations that ScheduledTasks often reference, which\r\ncould result in an overwhelming number of false positives.\r\nTo see how this hunt works in practice, let’s switch to Splunk. 
The data that is visible in the screenshot below\r\nreflects the logic of the query.\r\n[Image: Splunk]\r\nHere we have task arguments containing “users,” which is matched in the task arguments field that we extracted\r\nusing a regular expression. We also see the users and the event code 4689 specifically. Additionally, we see\r\nthe task arguments contain a batch (.bat) file that's running in the \\Users\\James Murphy\\AppData\\Local\\Temp\r\ndirectory. We see the command contains command.exe, and the task name is \\DailyBackup.\r\nThere are multiple routes that can be taken next based on this data. If this is completely abnormal in your\r\nenvironment, it may be time to alert the incident response and digital forensics team and let them know a\r\ncomputer is likely compromised. Another route would be to pivot from the scheduled task to process creation and\r\nfigure out if the file executed. It would be possible to write another query for process creation events to see if\r\nAutoLogoff.bat exists in any command-line arguments or parent command-line arguments.\r\nWe hope this post furthers an understanding of GootLoader and how this malware can be proactively hunted for in\r\nan environment. This guide to GootLoader threat hunting is also available on video here. Also, register for the\r\nCommunity Edition of our threat hunting platform, HUNTER471, where a number of free sample threat hunts are\r\navailable. Stay safe and happy hunting!\r\nSource: https://intel471.com/blog/threat-hunting-case-study-tracking-down-gootloader",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://intel471.com/blog/threat-hunting-case-study-tracking-down-gootloader"
	],
	"report_names": [
		"threat-hunting-case-study-tracking-down-gootloader"
	],
	"threat_actors": [],
	"ts_created_at": 1775434239,
	"ts_updated_at": 1775826709,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b82030c39edb363e8489cf9dc1efb54e699b4f79.pdf",
		"text": "https://archive.orkl.eu/b82030c39edb363e8489cf9dc1efb54e699b4f79.txt",
		"img": "https://archive.orkl.eu/b82030c39edb363e8489cf9dc1efb54e699b4f79.jpg"
	}
}