{
	"id": "67199a00-7b14-4f9d-85ed-49c6fb6e0e26",
	"created_at": "2026-04-06T00:18:26.285864Z",
	"updated_at": "2026-04-10T03:24:24.484135Z",
	"deleted_at": null,
	"sha1_hash": "d63f80e1583e5f6d8b63a3d17cb2f5d844c2dfe2",
	"title": "Gootkit Loader’s Updated Tactics and Fileless Delivery of Cobalt Strike",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1296043,
	"plain_text": "Gootkit Loader’s Updated Tactics and Fileless Delivery of Cobalt Strike\r\nBy: Buddy Tancio, Jed Valderama Jul 27, 2022 Read time: 7 min (1896 words)\r\nPublished: 2022-07-27 · Archived: 2026-04-05 14:02:07 UTC\r\nCyber Threats\r\nGootkit has been known to use fileless techniques to drop Cobalt Strike and other malicious payloads. Insights from a recent\r\nattack reveal updates in its tactics.\r\n \r\nOur in-depth analysis of what began as an unusual PowerShell script revealed intrusion sets associated with Gootkit loader.\r\nIn the past, Gootkit used freeware installers to mask malicious files; now it uses legal documents to trick users into\r\ndownloading these files. We uncovered this tactic through managed extended detection and response (MxDR) and by\r\ninvestigating a flag for a PowerShell script, which allowed us to stop it before it caused any damage or dropped its payload.\r\nGootkit has been known to use fileless techniques to deliver noteworthy threats such as the SunCrypt and REvil\r\n(Sodinokibi) ransomware, the Kronos trojan, and Cobalt Strike. In 2020, we reported on Gootkit capabilities. While it has kept\r\nmuch the same behavior as that in our previous report, updates reveal its continuing activity and development nearly two\r\nyears later.\r\nAttack overview\r\nSince it has been associated with a variety of payloads, we can assume that Gootkit runs on an access-as-a-service model. It\r\ncan therefore be used by different groups to conduct their attacks, making it worth monitoring to prevent bigger threats from\r\nsuccessfully entering a system. \r\nFigure 1 illustrates its infection routine. It begins with a user searching for specific information in a search engine. In this\r\ncase, the user had searched for the keywords “disclosure agreement real estate transaction”. A website compromised by\r\nGootkit operators was among the results, meaning that the user did not open this compromised website by chance. 
Indeed,\r\nthe operators had tweaked the odds in their favor by using Search Engine Optimization (SEO) poisoning to make this\r\nwebsite rank high in the search results, leading the user to visit the compromised website. This also means that the website’s\r\nURL will not be available for long and that a full analysis would be difficult to conduct if not done immediately.\r\nFigure 1. The infection chain of Gootkit loader as seen by MxDR\r\nUpon opening the website, we found that it presented itself as an online forum directly answering the victim’s query. This\r\nforum housed a ZIP archive that contains the malicious .js file. When the user downloaded and opened this file, it spawned\r\nan obfuscated script which, through registry stuffing, installed a chunk of encrypted code in the registry and added\r\nscheduled tasks for persistence. The encrypted code in the registry was then reflectively loaded through PowerShell to\r\nreconstruct a Cobalt Strike binary that runs directly in memory, filelessly. \r\nMuch of what we have just described is still in line with the behavior we reported in 2020, but with a few minor updates.\r\nThis indicates that Gootkit loader is still actively being developed and has proved successful in compromising unsuspecting\r\nhttps://www.trendmicro.com/en_us/research/22/g/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike.html\r\nPage 1 of 7\n\nvictims.\r\nTwo noticeable changes stand out:\r\nThe search term now leverages legal document templates instead of freeware installers.\r\nEncrypted registry entries now use a custom text replacement algorithm instead of base64 encoding.\r\nThe compromised website\r\nHaving followed the user’s behavior, we can now look at the website visited in the attack. Threat actors have been known to\r\nsimply compromise a vulnerable or a misconfigured website to plant their malware or tools instead of creating or registering\r\na new one for their malicious operation. 
In the case of Gootkit, since it compromised a legitimate domain, the website used\r\nwas likely to pass reputation services. For an unsuspecting user, visiting the site would not arouse suspicion as it appears\r\nto be a harmless website for a singing and voice coach. \r\nFigure 2. Homepage of the legitimate compromised website\r\nPerforming a Google search specifically for the downloaded file’s name (“disclosure agreement real estate transaction”) shows that\r\nthe site’s content was unrelated to its owner and its purpose. Additionally, none of these search result links can be found by\r\nnavigating the site’s homepage itself. This is evidence that the website has been compromised, as it has allowed adversaries\r\nto inject or create new unrelated web content. We also found more evidence of vulnerabilities when we queried via Shodan the IP\r\naddress where the website was hosted.\r\nFigure 3. Google searches reveal unwanted content on the website\r\nThis tactic is nothing new for Gootkit. Coupled with SEO poisoning, Gootkit operators can herd victims into a compromised\r\nwebsite and bait them into downloading a file they are looking for. For this incident, we were able to stop Gootkit loader in\r\nits tracks before it dropped its payload. However, the user had already visited the website, downloaded the malicious ZIP\r\nfile, and opened it. The unusual PowerShell script that resulted from these actions alerted us to possible malicious activity.\r\nIn this investigation, we try to piece together what would have happened if the PowerShell script had not been flagged and\r\nhad been allowed to run. \r\nInvestigation and analysis\r\nAs mentioned, the user visited the compromised website and downloaded the ZIP archive using Google Chrome. 
As logged\r\nby Trend Micro Vision One™, the exact URL they visited is as follows:\r\nhxxps://www[.]{domain name}[.]co[.]uk/forum[.]php?uktoz=znbrmkp\u0026iepdpjkwxusknzkq=3147417f829ff54ffe9acd67bbf216c217b16d47ac6a2e02c1b42f603121c9ad4b18757818e0bbdd5bab3aa154e57\r\nAs of writing, this URL is no longer accessible. However, we were able to analyze the ZIP archive downloaded by the user.\r\nAs mentioned, it was named disclosure agreement real estate transaction(8321).zip. In another instance, the JavaScript file\r\nwas named tenancy agreement between family members template(98539).zip. Both file names strongly suggest that Gootkit\r\nleverages keywords that refer to legal document templates, likely to lure users into downloading files. It’s important to note\r\nthat this chosen search term and topic is one of the notable changes from past campaigns.\r\nFigure 4. Vision One interface showing evidence of the user visiting the compromised website and\r\ndownloading the ZIP archive\r\nThe ZIP archive was successfully saved in the Downloads folder C:\\Users\\{username}\\Downloads\\disclosure agreement\r\nreal estate transaction (8321).zip. \r\nFigure 5. The ZIP archive successfully saved in the user’s Downloads folder\r\nThe user then opened the .js file inside the ZIP archive, which spawned an obfuscated PowerShell script. The detected\r\ncommand line included wscript.exe, the default script interpreter of Windows operating systems. This command line runs\r\nthe malicious JavaScript file. The full path and file name are shown here:\r\nC:\\Windows\\System32\\WScript.exe \r\nC:\\Users\\{username}\\AppData\\Local\\Temp\\Temp1_disclosure agreement real estate\r\ntransaction(8321).zip\\disclosure_agreement_real_estate_transaction 3994.js\r\nFigure 6. 
Obfuscated PowerShell script spawned through the .js file\r\nBy using Vision One’s AMSI Telemetry, the team was able to view the decoded script at runtime and build the order of\r\nevents that it generated. In the decoded script, there are three potentially compromised domains listed. The domains\r\nthemselves are legitimate websites. Gootkit selects only one and constructs the full URL to get the next stage of script\r\nexecution. The three domains are listed here:\r\nlearn[.]openschool.ua – Education\r\nlakeside-fishandchips[.]com – Restaurants and food\r\nkristinee[.]com – Personal sites\r\nFigure 7. Decoded script logged by Vision One’s AMSI telemetry\r\nDecoding the script also led us to discover that two stages of script are used to complete the operation. The first stage script\r\ncarries out the following: \r\nIt checks for the registry key HKCU\\PJZTLE and creates it if not found. This serves as an infection marker, as we\r\ndiscussed in our previous blog.\r\nIt then checks whether the current user is logged in to a domain, a check that might be used to bypass sandbox tools.\r\nNext, it connects to the constructed URL to fetch the next script to be executed. For this case, it retrieved the second\r\nstage script from hxxps://learn[.]openschool[.]ua/test.php?mthqpllauigylit=738078785565141.\r\nIt then sleeps for 10 seconds before running the fetched code.\r\nFigure 8. First stage script execution flow as logged by Vision One’s AMSI telemetry\r\nThe second stage script retrieved from the aforementioned compromised website carries out the following:\r\nIt gets the current username via environment strings.\r\nIt checks the target registry key and creates it if it does not exist. 
It performs registry stuffing for persistence, wherein two\r\nsets of registry entries are created, each containing encrypted binaries to be decoded and executed later:\r\nHKEY_CURRENT_USER\\\\SOFTWARE\\\\Microsoft\\\\Phone\\\\{loggedOnUser}\\\\{consecutive numbers},\r\nwhich contains the binary payload encrypted using custom text replacement\r\nHKEY_CURRENT_USER\\\\SOFTWARE\\\\Microsoft\\\\Phone\\\\{loggedOnUser}0\\\\{consecutive numbers},\r\nwhich contains a hex-encoded binary used to decode and execute the first registry entry\r\n \r\nFigure 9. Registry stuffing on \\\\Phone\\\\{loggedOnUser}\\\\ as logged by Vision One’s AMSI telemetry\r\nFigure 10. Registry stuffing on \\\\Phone\\\\{loggedOnUser}0\\\\ as logged by Vision One’s AMSI telemetry\r\nAfter these two stages, it finally executes two encrypted PowerShell scripts, also logged by AMSI Telemetry. The first one\r\ndecrypts the binary of the registry entry \\\\Phone\\\\{loggedOnUser}0\\\\ and uses  to initiate a function named “Test”.\r\nFigure 11. Decoded first PowerShell script as logged by Vision One’s AMSI telemetry\r\nThe second PowerShell script installs a persistence mechanism via Scheduled Task, where it assigns the username as its Task\r\nName.\r\nFigure 12. Decoded second PowerShell script as logged by Vision One’s AMSI telemetry\r\nThe scheduled task loads the binary in the \\Phone\\{loggedOnUser}0 registry entry, which in turn decrypts and executes the final\r\npayload found in the \\Phone\\{loggedOnUser} registry entry using the same reflective code loading technique. 
\r\nThe final payload for this instance was found to be a Cobalt Strike binary, which was also observed connecting to a Cobalt\r\nStrike command-and-control (C\u0026C) server.\r\nThe Cobalt Strike payload\r\nThe Cobalt Strike binary reflectively loaded directly into memory has been seen connecting to the IP address\r\n89[.]238[.]185[.]13. Using internal and external threat intelligence, the team validated that the IP address is a Cobalt Strike\r\nC\u0026C. Cobalt Strike, a tool used for post-exploitation activities, uses the beacon component as the main payload that allows\r\nthe execution of PowerShell scripts, logging keystrokes, taking screenshots, downloading files, and spawning other\r\npayloads.\r\nFigure 13. Cobalt Strike C\u0026C based on the graph from VirusTotal\r\nSecurity recommendations\r\nOne key takeaway from this case is that Gootkit is still active and improving its techniques. This implies that this operation\r\nhas proven effective, as other threat actors seem to continue using it. Users are likely to encounter Gootkit in other\r\ncampaigns in the future, and it is likely that it will use new means of trapping victims. \r\nThis threat also shows that SEO poisoning remains an effective tactic in luring unsuspecting users. The combination of SEO\r\npoisoning and compromised legitimate websites can mask indicators of malicious activity that would usually keep users on\r\ntheir guard. Such tactics highlight the importance of user awareness and the responsibility of website owners in keeping\r\ntheir cyberspaces safe. \r\nOrganizations can help by conducting user security awareness training for their employees, which aims to empower people\r\nto recognize and protect themselves against the latest threats. 
In this instance, for example, the threat could have been\r\navoided earlier if the user had been more wary of downloading JavaScript files. On the other hand, website owners must\r\nmake better web hosting choices by opting for web host providers who emphasize security in their own servers.\r\nThis case highlights the importance of 24/7 monitoring. Notably, cross-platform XDR prevented this attack from escalating,\r\nsince we were able to isolate the affected machine quickly, stopping the threat from inflicting further damage on the network.\r\nA Cobalt Strike payload, for example, can result in worse problems, such as the deployment of ransomware, credential\r\ndumping for lateral movement, and data exfiltration. Managed XDR service prevented all of this from being realized.\r\nOrganizations can consider Trend Micro Vision One, which offers the ability to detect and respond to threats across multiple\r\nsecurity layers. It can isolate endpoints, which are often the source of infection, until they are fully cleaned or the\r\ninvestigation is done.\r\nIndicators of compromise (IOCs)\r\nTrojan.BAT.POWLOAD.TIAOELD\r\ncbc8733b9079a2efc3ca1813e302b1999e2050951e53f22bc2142a330188f6d4\r\nf1ece614473c7ccb663fc7133654e8b41751d4209df1a22a94f4640caff2406d\r\nTrojan.PS1.SHELLOAD.BC\r\n8536bb3cc96e1188385a0e230cb43d7bdc4f7fe76f87536eda6f58f4c99fe96b\r\nURLs\r\nhxxps://www[.]{domain name}[.]co[.]uk/forum[.]php?uktoz=znbrmkp\u0026iepdpjkwxusknzkq=3147417f829ff54ffe9acd67bbf216c217b16d47ac6a2e02c1b42f603121c9ad4b18757818e0bbdd5bab3aa154\r\n= Disease vector\r\nhxxps://learn[.]openschool.ua/test[.]php?mthqpllauigylit=738078785565141 = Disease vector\r\n89[.]238[.]185[.]13 = C\u0026C server (Cobalt Strike IP address)\r\nSource: 
https://www.trendmicro.com/en_us/research/22/g/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/22/g/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike.html"
	],
	"report_names": [
		"gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike.html"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434706,
	"ts_updated_at": 1775791464,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d63f80e1583e5f6d8b63a3d17cb2f5d844c2dfe2.pdf",
		"text": "https://archive.orkl.eu/d63f80e1583e5f6d8b63a3d17cb2f5d844c2dfe2.txt",
		"img": "https://archive.orkl.eu/d63f80e1583e5f6d8b63a3d17cb2f5d844c2dfe2.jpg"
	}
}