{
	"id": "d85d416a-4cb3-416b-b83b-2042d910f098",
	"created_at": "2026-04-06T00:14:54.802939Z",
	"updated_at": "2026-04-10T03:35:59.564997Z",
	"deleted_at": null,
	"sha1_hash": "b90e0383ccdb5d9969bc606609a2ff21b0096309",
	"title": "GootKit (Malware Family)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 97532,
	"plain_text": "GootKit (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-05 18:27:47 UTC\r\nGootkit is a banking trojan consisting of an x86 loader and a payload embedding Node.js as well as a set of JS scripts. The loader downloads the payload, stores it in the registry and injects it into a copy of the loader process. The loader also contains two encrypted DLLs intended to be injected into each browser process launched, in order to place the payload in a man-in-the-browser position and allow it to apply the webinjects received from the command and control server to HTTP(S) exchanges. This allows Gootkit to intercept HTTP(S) requests and responses and to steal or modify their content according to the webinjects.\r\n2023-01-09 ⋅ Trendmicro ⋅ Fe Cureg, Hitomi Kimura, Ryan Maglaque, Trent Bessell\r\nGootkit Loader Actively Targets Australian Healthcare Industry\r\nGootLoader GootKit 2022-09-22 ⋅ deepwatch ⋅\r\nIs Gootloader Working with a Foreign Intelligence Service?\r\nGootKit 2022-07-27 ⋅ Trend Micro ⋅ Buddy Tancio, Jed Valderama\r\nGootkit Loader’s Updated Tactics and Fileless Delivery of Cobalt Strike\r\nCobalt Strike GootKit Kronos REvil SunCrypt 2022-05-09 ⋅ The DFIR Report ⋅ The DFIR Report\r\nSEO Poisoning – A Gootloader Story\r\nGootLoader LaZagne Cobalt Strike GootKit 2022-03-22 ⋅ Red Canary ⋅ Red Canary\r\n2022 Threat Detection Report\r\nFAKEUPDATES Silver Sparrow BazarBackdoor Cobalt Strike GootKit Yellow Cockatoo RAT 2021-11-26 ⋅ Twitter (@jhencinski) ⋅ Jon Hencinski\r\nTwitter Thread on weekly MDR recap from expel.io\r\nGootKit Squirrelwaffle 2021-11-10 ⋅ Blackberry ⋅ Codi Starks, Ryan Chapman\r\nREvil Under the Microscope\r\nGootKit REvil 2021-09-03 ⋅ Trend Micro ⋅ Mohamad Mokbel\r\nThe State of SSL/TLS Certificate Usage in Malware C\u0026C Communications\r\nAdWind ostap AsyncRAT BazarBackdoor BitRAT Buer Chthonic CloudEyE Cobalt Strike DCRat Dridex FindPOS GootKit Gozi IcedID ISFB Nanocore RAT Orcus RAT PandaBanker Qadars QakBot Quasar RAT Rockloader ServHelper Shifu SManager TorrentLocker TrickBot Vawtrak Zeus Zloader 2021-06-07 ⋅ Kaspersky ⋅ Anton Kuzmenko\r\nGootkit: the cautious Trojan\r\nGootKit 2021-03-02 ⋅ Github (microsoft) ⋅ Microsoft\r\nMicrosoft-365-Defender-Hunting-Queries for hunting Gootkit malware delivery and C2\r\nGootKit 2021-03-02 ⋅ Twitter (@MsftSecIntel) ⋅ Microsoft Security Intelligence\r\nTweet on Gootkit malware campaign\r\nGootKit 2021-03-01 ⋅ Sophos Labs ⋅ Andrew Brandt, Gabor Szappanos\r\n“Gootloader” expands its payload delivery options\r\nGootKit 2021-02-02 ⋅ CRONUP ⋅ Germán Fernández\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.gootkit\r\nPage 1 of 3\n\nDe ataque con Malware a incidente de Ransomware\r\nAvaddon BazarBackdoor Buer Clop Cobalt Strike Conti DanaBot Dharma Dridex Egregor Emotet Empire Downloader FriedEx GootKit IcedID MegaCortex Nemty Phorpiex PwndLocker PyXie QakBot RansomEXX REvil Ryuk SDBbot SmokeLoader TrickBot Zloader 2021-01-19 ⋅ Palo Alto Networks Unit 42 ⋅ Brad Duncan\r\nWireshark Tutorial: Examining Emotet Infection Traffic\r\nEmotet GootKit IcedID QakBot TrickBot 2020-12-11 ⋅ Trend Micro ⋅ Marc Lanzendorfer\r\nInvestigating the Gootkit Loader\r\nGootKit 2020-11-30 ⋅ Malwarebytes ⋅ hasherezade, Jérôme Segura\r\nGerman users targeted with Gootkit banker or REvil ransomware\r\nGootKit REvil 2020-04-13 ⋅ Blackberry ⋅ Masaki Kasuya, Tatsuya Hasegawa\r\nThreat Spotlight: Gootkit Banking Trojan\r\nAzorult GootKit 2019-10-02 ⋅ Dissecting Malware ⋅ Marius Genheimer\r\nNicht so goot - Breaking down Gootkit and Jasper (+ FTCODE)\r\nFTCODE JasperLoader GootKit 2019-08-29 ⋅ SentinelOne ⋅ Daniel Bunce\r\nGootkit Banking Trojan | Part 2: Persistence \u0026 Other Capabilities\r\nGootKit 2019-08-15 ⋅ SentinelOne ⋅ Daniel Bunce\r\nGootkit Banking Trojan | Deep Dive into Anti-Analysis Features\r\nGootKit 2019-08-15 ⋅ Sentinel LABS ⋅ Daniel Bunce\r\nGootkit Banking Trojan | Deep Dive into Anti-Analysis Features\r\nGootKit 2019-03-23 ⋅ Open Malware ⋅ Danny Quist\r\nReverse Engineering Gootkit with Ghidra Part I\r\nGootKit 2019-02-14 ⋅ Certego ⋅ Matteo Lodi\r\nMalware Tales: Gootkit\r\nGootKit 2018-11-01 ⋅ CERT La Poste ⋅ Christophe Rieunier, Thomas Dubier\r\nAnalyse du malware bancaire Gootkit et de ses mécanismes de protection\r\nGootKit 2018-05-20 ⋅ Youtube (OALabs) ⋅ Sergei Frankoff\r\nUnpacking Gootkit Part 2 - Debugging Anti-Analysis Tricks With IDA Pro and x64dbg\r\nGootKit 2018-03-04 ⋅ Youtube (OALabs) ⋅ Sergei Frankoff\r\nUnpacking Gootkit Malware With IDA Pro and X64dbg - Subscriber Request\r\nCold$eal GootKit 2018-02-13 ⋅ Juniper ⋅ Paul Kimayong\r\nNew Gootkit Banking Trojan variant pushes the limits on evasive behavior\r\nGootKit 2017-03-01 ⋅ SecurityIntelligence ⋅ Gadi Ostrovsky, Limor Kessem\r\nGootKit Developers Dress It Up With Web Traffic Proxy\r\nGootKit 2016-12-01 ⋅ US-CERT ⋅ US-CERT\r\nAlert (TA16-336A): Avalanche (crimeware-as-a-service infrastructure)\r\nGootKit 2016-10-27 ⋅ Kaspersky Labs ⋅ Alexey Shulmin, Sergey Yunakovsky\r\nInside the Gootkit C\u0026C server\r\nGootKit 2016-07-08 ⋅ SecurityIntelligence ⋅ Limor Kessem\r\nGootKit: Bobbing and Weaving to Avoid Prying Eyes\r\nGootKit 2015-04-13 ⋅ CERT Societe Generale ⋅ CERT Societe Generale\r\nAnalyzing Gootkit's persistence mechanism (new ASEP inside!)\r\nGootKit 2015-03-30 ⋅ Trend Micro ⋅ Cedric Pernet, Dark Luo\r\nFake Judicial Spam Leads to Backdoor with Fake Certificate Authority\r\nGootKit 2014-04-09 ⋅ Dr.Web ⋅ Dr.Web\r\nBackDoor.Gootkit.112—a new multi-purpose backdoor\r\nGootKit 2012-08-01 ⋅ Kaspersky ⋅ Marta Janus\r\n“RunForestRun”, “gootkit” and random domain name generation\r\nRunForestRun GootKit\r\n[TLP:WHITE] win_gootkit_auto (20251219 | Detects win.gootkit.)\r\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/win.gootkit",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://malpedia.caad.fkie.fraunhofer.de/details/win.gootkit"
	],
	"report_names": [
		"win.gootkit"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bc289ba8-bc61-474c-8462-a3f7179d97bb",
			"created_at": "2022-10-25T16:07:24.450609Z",
			"updated_at": "2026-04-10T02:00:04.996582Z",
			"deleted_at": null,
			"main_name": "Avalanche",
			"aliases": [],
			"source_name": "ETDA:Avalanche",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434494,
	"ts_updated_at": 1775792159,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b90e0383ccdb5d9969bc606609a2ff21b0096309.pdf",
		"text": "https://archive.orkl.eu/b90e0383ccdb5d9969bc606609a2ff21b0096309.txt",
		"img": "https://archive.orkl.eu/b90e0383ccdb5d9969bc606609a2ff21b0096309.jpg"
	}
}