{
	"id": "c44b4036-c02c-455d-bf5b-5edc94739eef",
	"created_at": "2026-04-06T00:11:47.179529Z",
	"updated_at": "2026-04-10T03:33:45.561321Z",
	"deleted_at": null,
	"sha1_hash": "df6368bbb15e3bbcd9e0d48331e8072d545fff0c",
	"title": "Gootkit Loader Actively Targets Australian Healthcare Industry",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 73097,
	"plain_text": "Gootkit Loader Actively Targets Australian Healthcare Industry\r\nBy Hitomi Kimura, Fe Cureg, Trent Bessell ( words)\r\nPublished: 2023-01-09 · Archived: 2026-04-05 20:34:45 UTC\r\nKey findings\r\nUse of SEO poisoning targeting the Australian healthcare industry\r\nThe samples we examined targeted the keywords “hospital”, “health”, “medical”, and “enterprise agreement”, paired with\r\nAustralian city names. Also targeted were names of specific healthcare providers across Australia. While continuously\r\ntargeting the legal sector with the keyword \"agreement,\" Gootkit loader has recently expanded its assaults to the healthcare\r\nindustry.\r\nIn October 2022, a private health insurance company in Australia reported a cyberattack resulting in a breach of\r\napproximately 9.7 million customer data. Although the recent campaign might remind us of this incident, the technique the\r\nmalicious actors used in the initial access to the insurance company's attack was not disclosed in its official website report.\r\nAs well, there is no evidence to suggest a possible link between the two campaigns, as dummy content for SEO poisoning\r\nmight have been hosted prior to the attack on the Australian healthcare organizations.\r\nAbuse of VLC Media Player \r\nThe abuse of VLC Media Player, a widely used legitimate tool, is another key feature of this attack. VLC Media Player is\r\none of the most popular pieces of software with over 3.5 billion downloads for Windows alone. In the past, there have been\r\nreports of a similar abuse by APT10. 
The malware authors introduced the following two files, using DLL sideloading to make VLC Media\r\nPlayer run as a part of Cobalt Strike:\r\n·       msdtc.exe (a legitimate file: VLC Media Player renamed)\r\n·       libvlc.dll (malicious, detected as Trojan.Win64.COBEACON.SWG)\r\nNeither file was originally installed on the victim’s computer; both were introduced by the malicious actor during the infection chain.\r\nTimeline analysis\r\nInitial access: Malicious file download by SEO poisoning\r\nAs previously reported by Red Canary, the malicious ZIP file name and the JavaScript (JS) file name that it contained used\r\nwords that ranked as top search queries with a strong correlation to the word “agreement”.\r\nWe observed SEO poisoning in one of the cases that we probed. Two contaminated search results, marked in red, appeared on\r\nthe first page for search terms that include the word “agreement”. Here, we saw words related to Australia, such as the name\r\nof a local medical group and “Brisbane”, in addition to medical terms such as “hospital”, “nursing”, and “midwifery”.\r\nUpon accessing the site, the user is presented with a screen made to look like a legitimate forum, as shown in\r\nFigure 3. Users are led to click a link so that the malicious ZIP file is downloaded.\r\nFigure 4 shows one of the samples we identified during our investigation. The ZIP file and JS file names\r\ncontain keywords separated by a space or an underscore, with a suffix enclosed in parentheses appended to the end of the\r\nfile name: five random digits for the ZIP and three or five letters for the JS file. The name of the target organization can be\r\nfound in the name of the scheduled task that was created.\r\nNote that characteristics such as the search words in the file names and the scheduled task names help identify this threat. 
To this\r\nday, we continue to see a strong correlation between the word “agreement” and targeted medical domains in specific regions\r\nhttps://www.trendmicro.com/en_us/research/23/a/gootkit-loader-actively-targets-the-australian-healthcare-indust.html\r\nPage 1 of 5\n\n(confined to Australia in this campaign), as shown in Figure 2. Figure 4 shows a palpable correlation with generic words.\r\nEvasion\r\nSites that direct users to download malicious files through SEO poisoning look like legitimate WordPress sites that have been\r\ncompromised and abused. Twitter user @GootLoader Sites pointed out that some compromised sites have already been\r\nabused for this purpose and that there is an analysis evasion mechanism.\r\nWe have indeed observed analysis evasion in the samples. The compromised site hosts several pages containing words\r\ncharacteristic of those used for SEO poisoning. Users unwittingly open the URL of a contaminated search result and are shown\r\nthe counterfeit forum screen; if the same URL is accessed again a short while later, it displays only the SEO content instead,\r\nwhich frustrates later analysis of the lure.\r\nFile comparison\r\nIn addition, the malicious JavaScript inserts its code into a legitimate JS file on the compromised websites at random\r\npositions. Figure 6 shows an old JavaScript toolkit into which such code was inserted.\r\nThe entries in green represent the function inserted into the original JavaScript for malicious purposes.\r\nObfuscation\r\nObfuscation is not only a technique for evading analysis but also a useful way to help identify malicious actors. The\r\nobfuscation methods used in the samples also show features of Gootkit loader's current activities, which will help security\r\nteams to detect this threat.\r\nFigure 8 shows a part of the malicious JS file. The second anonymous function uses numbers, lowercase letters (a to z),\r\nand uppercase letters (A to Z) for obfuscation, with a few numbers and no readable words. 
The third anonymous\r\nfunction uses mainly lowercase letters (a to z) and uppercase letters (A to Z) for obfuscation. Numbers rarely\r\nappear but still seem to serve a function. In addition, the content to be executed is split by pipe characters and shuffled among\r\nreadable words, and other readable words can also be seen in some places.\r\nFigure 9 shows the pipe-separated and shuffled part of the executed content with readable words, deobfuscated by JS NICE.\r\nFirst stage of infection: Setting a scheduled task for persistence\r\nThe goal of the first stage of infection is to set a scheduled task for persistence.\r\nAfter the user downloads the malicious ZIP file and the JS inside it is executed, a scheduled task is created and executed in\r\nthe flow shown in Figure 4. The JS file registered in the scheduled task is invoked by wscript.exe using its Windows 8.3\r\nshort name.\r\nFor example, C:\\Users\\[username]\\AppData\\Roaming\\Entrust Security Store\\Object Relations.js was called as\r\nC:\\WINDOWS\\system32\\wscript.EXE OBJECT~1.JS.\r\nLike the initial JavaScript that was executed, this newly dropped JS file is also heavily obfuscated.\r\nAnother surprising feature of the JavaScript that was used is its unusually large file size, estimated at 50 megabytes. The\r\nbulk of those bytes is filled with a string of characters. 
The purpose is unclear, but it might be aimed at interfering with\r\nfile handling and analysis.\r\nHere is the execution chain of the script:\r\nScheduled task → wscript.exe → cscript.exe → PowerShell\r\nThereafter, C\u0026C access is performed from PowerShell.\r\nC\u0026C access\r\nA process launched from the scheduled task runs a PowerShell script and retrieves files for the next stage from\r\ncompromised WordPress installations on legitimate sites.\r\nThe C\u0026C URLs use top-level domains of various countries, each with the file name xmlrpc.php directly under the domain. Each\r\nscript appears to contain 10 such URLs, all of which are potential destinations; several of them are tried in random order.\r\nWaiting time\r\nThe second stage of infection takes place after a waiting time. While waiting, the scheduled task performed approximately\r\ntwo C\u0026C accesses per day, with no additional processes executed after the C\u0026C accesses. We observed the waiting time to\r\nbe several hours and, in some cases, two days.\r\nThis latency, which clearly separates the initial infection stage from the second stage, is a distinctive feature of Gootkit\r\nloader's operation. At present, the second-stage operations observed in the same period resemble one another, so it does not\r\nappear, for now, that multiple threat actors are entering the operation at the second stage.\r\nSecond stage of infection: Use of Cobalt Strike\r\nUpon successful connection to the C\u0026C server and when the waiting time is over, msdtc.exe and libvlc.dll are dropped. 
The\r\nfile name msdtc.exe impersonates a legitimate Windows component, but the file itself is the legitimate VLC Media\r\nPlayer executable.\r\nThe legitimate file msdtc.exe (VLC Media Player renamed) loads the malicious libvlc.dll, a Cobalt Strike module, in place of\r\nthe library it expects; this is the DLL sideloading technique. From this point onward, msdtc.exe acts as a part of Cobalt Strike while\r\nstill being a validly signed and legitimate executable.\r\nPost-Cobalt Strike infection\r\nWe investigated a process memory dump of the running msdtc.exe that had loaded libvlc.dll with 1768.py, a tool for analyzing\r\nCobalt Strike beacon configurations written by Didier Stevens. The result shows that the C\u0026C for this Cobalt Strike beacon was\r\n193[.]106[.]191[.]187 and that its spawn-to process was dllhost.exe.\r\nProcess injection\r\nWe took a closer look at the processes, particularly dllhost.exe and wabmig.exe, and found that they were spawned from the\r\nabused VLC Media Player, which injected malicious code into them; they then acted as the Cobalt Strike beacon for its\r\nsubsequent activities.\r\nAbuse of legitimate tools\r\nNote that in addition to VLC Media Player, which was introduced at the beginning of the second stage, both dllhost.exe and\r\nwabmig.exe are legitimate files.\r\nThe abuse of legitimate tools has become common practice. From the human perspective it aims at misleading analysts and\r\nbeing overlooked as routine activity; from the technical perspective it aims at evading detection by antivirus products\r\n(both pattern detection and behavior monitoring).\r\nDiscovery\r\nThe malicious actors introduced the following additional tools to facilitate discovery:\r\nPSHound.ps1: Detected as HackTool.PS1.BloodHound.C, a SharpHound collector, executed via Cobalt Strike.\r\nsoo.ps1: Detected as Trojan.Win32.FRS.VSNW0EK22\r\nMultiple outbound connections to internal machines on ports 389, 445, and 3268\r\nPort 445: SMB (remote network shares)\r\nPorts 389 and 3268: LDAP (3268 is the Global Catalog port)\r\nCredential access\r\nThe file krb.txt, which contains Kerberos hashes for several accounts, was created by one of the injected processes. Since\r\nwe saw no dumping activity in the process telemetry, the dumping took place in memory; no new tool or executable file was\r\nintroduced to do it.\r\nImpact\r\nThe final payload is unknown in this case, since we detected the activity and responded to it while it was in the middle of the\r\ninfection chain.\r\nConclusion\r\nOur monitoring of Gootkit loader activity that uses SEO poisoning has revealed that the malicious actors behind it are\r\nactively developing their campaign. The threats targeting specific job sectors, industries, and geographic areas are\r\nbecoming more aggressive. In addition to the continued targeting of the legal sector with the word \"agreement\", we\r\nfound that the current operation has clearly sharpened its targeting by including the words \"hospital\",\r\n\"health\", \"medical\", and the names of Australian cities.\r\nThe abuse of VLC Media Player by APT10 has been reported in the past, which may have drawn some security teams'\r\nattention to this kind of abuse. DLL sideloading has become a classic method in APT operations, and it no longer comes as\r\na surprise for threat researchers to find it used in similar campaigns. However, the abuse of legitimate tools has\r\nbecome commoditized and is now observed in non-APT operations as well.\r\nTo mitigate the impact of cyberthreats, it is necessary to know that these tactics and techniques are in the wild. In this case,\r\nsearch engine results might be contaminated by SEO poisoning so that malicious files are downloaded, and legitimate tools might\r\nperform malicious behavior because they have been abused. 
Therefore, security teams should always consider the possibility\r\nof DLL sideloading or the injection of malicious code, as the abuse of legitimate tools has become commonplace.\r\nGiven that technical solutions are updated as new attack methods are discovered, we recommend that security teams configure\r\ntheir security solutions properly and follow industry best practices. Moreover, where there is a timing gap between emerging\r\ntactics and the technical solutions, human observation and decisions by the security team may be needed to close it.\r\nEven if an organization’s security solutions are configured correctly, there might be instances when this is not enough to\r\nward off threats. Malicious actors can deploy new and more advanced variants of the malware using techniques that can\r\nevade detection, so your organization’s security operations center (SOC) team and threat analysts should be able to\r\neffectively spot malicious activity in your network and address it in a timely manner.\r\nSecurity recommendations\r\nFor targeted industries:\r\nAs noted in this blog, Gootkit loader is currently targeting the Australian healthcare industry in addition to the legal sector. It\r\nis not easy to escape an adversary's methods, but in this case it might be effective simply to inform users of the campaign.\r\nNotifying people in the targeted legal sector and the Australian healthcare industry that their search results might be\r\npoisoned, and training them with the screenshots in Figures 2 and 3, might help mitigate damage. Along with\r\nthis, security products must be properly configured and kept up to date.\r\nFor security teams:\r\nWhen adversaries abuse a legitimate tool, the techniques they use can vary, but the malicious code must still be prepared, loaded,\r\nand run. 
Legitimate tools themselves might be difficult to detect, but traditional antivirus software can detect the files\r\ncontaining malicious code, while extended detection and response (XDR) or human incident response can mitigate the\r\nimpact by spotting it.\r\nAs we saw in this case, one such event is the detection of libvlc.dll, which was sideloaded by VLC Media Player. This type\r\nof DLL sideloading is usually performed by a code-signed process loading an unsigned, unknown DLL. Observations made\r\nin this context can also help security teams address the threat.\r\nThe process injection into the wabmig.exe tool is another noteworthy technique in this operation. With process injection,\r\nthe malicious code does not exist as a standalone file but only in memory. Since wabmig.exe is a standard address book\r\nimport tool that comes with Windows, it is not expected to be used frequently in modern enterprise environments. For this\r\nreason, consider the launch of wabmig.exe itself an initial sign of abuse. Note that abuse of wabmig.exe by\r\nCobalt Strike has also been reported by Microsoft in the Follina case.\r\nFor web administrators:\r\nMeanwhile, web administrators should keep in mind that running a vulnerable WordPress site can make it part of\r\nsuch a threat. Therefore, following the latest security best practices when building a website is crucial. As described in\r\nHardening WordPress, do not get plug-ins or themes from untrusted sources. Restrict yourself to the WordPress.org\r\nrepository or well-known companies. And, of course, make sure your plug-ins are always updated.\r\nTo know whether your website is affected by this threat, look at the number of pages containing words like \"agreement\" that are being\r\ngenerated. 
If your site has a number of pages with such content, this can be an indication that the site has been compromised,\r\nand you should act promptly to contain any damage that the attack might have caused.\r\nTrend Micro Solutions\r\nWe recommend security solutions that provide comprehensive protection for your enterprise to keep this and other threats at\r\nbay.\r\nTrend Micro Vision One™ helps security teams gain an overall view of attempts in ongoing campaigns by providing them\r\nwith a correlated view of multiple layers such as email, endpoints, servers, and cloud workloads. Security teams can gain a\r\nbroader perspective and a better understanding of attack attempts and detect suspicious behavior that would otherwise seem\r\nbenign when viewed from a single layer alone.\r\nTrend Micro™ Managed XDR monitors and analyzes activity data from deployed Trend Micro XDR and protection\r\nsolutions 24/7. Email, endpoint, server, cloud workload, and network sources are correlated for stronger detection and\r\ngreater insight into the source and spread of complex targeted attacks.\r\nIndicators of Compromise\r\nFile name | SHA256 | Detection\r\nlibvlc.dll | 7c2ea97f8fff301a03f36fb6b87d08dc81e948440c87c2805b9e4622eb4e1991 | Trojan.Win64.COBEACON.SWG\r\nObject Relations.js | 6d549cd0b623f5623bb80cc344f6b73962d76b70a7cbd40ca8f1d96df7cce047 | Trojan.JS.DOWNLOADER.AC\r\nPSHound.ps1 | a9d2a52e418f5cc9f6943db00a350a5588c11943898d3d6d275e1b636b3cd7c8 | HackTool.PS1.BloodHound.C\r\nso.ps1 | 57af5c9f715d5c516e1137b6d336bff7656e1b85695fff4c83fc5a78c11fdec6 | Trojan.PS1.POWLOAD.TIAOEN\r\nSource: https://www.trendmicro.com/en_us/research/23/a/gootkit-loader-actively-targets-the-australian-healthcare-indust.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/23/a/gootkit-loader-actively-targets-the-australian-healthcare-indust.html"
	],
	"report_names": [
		"gootkit-loader-actively-targets-the-australian-healthcare-indust.html"
	],
	"threat_actors": [
		{
			"id": "ec14074c-8517-40e1-b4d7-3897f1254487",
			"created_at": "2023-01-06T13:46:38.300905Z",
			"updated_at": "2026-04-10T02:00:02.918468Z",
			"deleted_at": null,
			"main_name": "APT10",
			"aliases": [
				"Red Apollo",
				"HOGFISH",
				"BRONZE RIVERSIDE",
				"G0045",
				"TA429",
				"Purple Typhoon",
				"STONE PANDA",
				"Menupass Team",
				"happyyongzi",
				"CVNX",
				"Cloud Hopper",
				"ATK41",
				"Granite Taurus",
				"POTASSIUM"
			],
			"source_name": "MISPGALAXY:APT10",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ba9fa308-a29a-4928-9c06-73aafec7624c",
			"created_at": "2024-05-01T02:03:07.981061Z",
			"updated_at": "2026-04-10T02:00:03.750803Z",
			"deleted_at": null,
			"main_name": "BRONZE RIVERSIDE",
			"aliases": [
				"APT10 ",
				"CTG-5938 ",
				"CVNX ",
				"Hogfish ",
				"MenuPass ",
				"MirrorFace ",
				"POTASSIUM ",
				"Purple Typhoon ",
				"Red Apollo ",
				"Stone Panda "
			],
			"source_name": "Secureworks:BRONZE RIVERSIDE",
			"tools": [
				"ANEL",
				"AsyncRAT",
				"ChChes",
				"Cobalt Strike",
				"HiddenFace",
				"LODEINFO",
				"PlugX",
				"PoisonIvy",
				"QuasarRAT",
				"QuasarRAT Loader",
				"RedLeaves"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ba3fff0c-3ba0-4855-9eeb-1af9ee18136a",
			"created_at": "2022-10-25T15:50:23.298889Z",
			"updated_at": "2026-04-10T02:00:05.316886Z",
			"deleted_at": null,
			"main_name": "menuPass",
			"aliases": [
				"menuPass",
				"POTASSIUM",
				"Stone Panda",
				"APT10",
				"Red Apollo",
				"CVNX",
				"HOGFISH",
				"BRONZE RIVERSIDE"
			],
			"source_name": "MITRE:menuPass",
			"tools": [
				"certutil",
				"FYAnti",
				"UPPERCUT",
				"SNUGRIDE",
				"P8RAT",
				"RedLeaves",
				"SodaMaster",
				"pwdump",
				"Mimikatz",
				"PlugX",
				"PowerSploit",
				"ChChes",
				"cmd",
				"QuasarRAT",
				"AdFind",
				"Cobalt Strike",
				"PoisonIvy",
				"EvilGrab",
				"esentutl",
				"Impacket",
				"Ecipekac",
				"PsExec",
				"HUI Loader"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434307,
	"ts_updated_at": 1775792025,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/df6368bbb15e3bbcd9e0d48331e8072d545fff0c.pdf",
		"text": "https://archive.orkl.eu/df6368bbb15e3bbcd9e0d48331e8072d545fff0c.txt",
		"img": "https://archive.orkl.eu/df6368bbb15e3bbcd9e0d48331e8072d545fff0c.jpg"
	}
}
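The execution chain and the legitimate-tool abuse described in the report above (scheduled task, wscript.exe invoking a .js through an 8.3 short name, cscript.exe spawning PowerShell, then a renamed VLC msdtc.exe sideloading libvlc.dll and spawning dllhost.exe and wabmig.exe) give a security team several concrete detection points. The following is an added example and not code from the Trend Micro post: a small Python rule set run over constructed process-creation and image-load events shaped like an EDR export. The event field names, the user-profile drop location for the VLC pair, and every sample event are assumptions; the report names the Object Relations.js path and the process names but not where msdtc.exe and libvlc.dll were written.

```python
import re
from dataclasses import dataclass

# Where a genuine msdtc.exe (and other Windows components) is expected to live.
SYSTEM_DIRS = ('c:\\windows\\system32\\', 'c:\\windows\\syswow64\\')
# Vendor install roots: DLLs loaded from here by a signed process are treated as baseline.
PROGRAM_DIRS = ('c:\\program files\\', 'c:\\program files (x86)\\')


@dataclass
class Event:
    kind: str                   # 'process' (creation) or 'imageload'
    image: str                  # full path of the (child) process image
    parent: str = ''            # full path of the parent image, process events only
    cmdline: str = ''
    loaded: str = ''            # path of the loaded module, imageload events only
    signed: bool = True         # Authenticode state of the process image (assumed field)
    loaded_signed: bool = True  # Authenticode state of the loaded module (assumed field)


def basename(path):
    return path.lower().rsplit('\\', 1)[-1]


def short_name_js(cmdline):
    # "wscript.EXE OBJECT~1.JS": a .js invoked through its Windows 8.3 short name
    return re.search(r'\b\w{1,6}~\d+\.js\b', cmdline, re.I) is not None


def rules(ev):
    """Return the detection names that fire on one event (empty list if none)."""
    hits = []
    img, par = ev.image.lower(), ev.parent.lower()
    base, pbase = basename(img), basename(par)
    if ev.kind == 'process':
        if base == 'wscript.exe' and short_name_js(ev.cmdline):
            hits.append('wscript.exe running a .js via an 8.3 short name (Gootkit persistence task)')
        if base == 'powershell.exe' and pbase == 'cscript.exe':
            hits.append('cscript.exe spawning PowerShell (script host to PowerShell chain)')
        if base == 'msdtc.exe' and not img.startswith(SYSTEM_DIRS):
            hits.append('msdtc.exe outside the system directories (renamed VLC masquerade)')
        if base == 'wabmig.exe':
            hits.append('wabmig.exe launched: rarely used legitimately, known Cobalt Strike injection target')
        if base in ('dllhost.exe', 'wabmig.exe') and pbase == 'msdtc.exe':
            hits.append(base + ' spawned by msdtc.exe (beacon spawn-to)')
    elif ev.kind == 'imageload':
        mod = basename(ev.loaded)
        outside_vendor_dirs = not ev.loaded.lower().startswith(SYSTEM_DIRS + PROGRAM_DIRS)
        if ev.signed and not ev.loaded_signed and outside_vendor_dirs:
            hits.append('signed process loaded unsigned ' + mod + ' from a non-vendor path (possible DLL sideloading)')
        if mod == 'libvlc.dll' and base != 'vlc.exe':
            hits.append('libvlc.dll loaded by ' + base + ' instead of vlc.exe')
    return hits


def scan(events):
    """Return [(event index, detection name), ...] for a sequence of events."""
    return [(i, h) for i, ev in enumerate(events) for h in rules(ev)]


USER = 'C:\\Users\\alice\\AppData\\Roaming\\'  # assumed drop location for the VLC pair
PS = 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe'

# Constructed telemetry that replays the chain from the report; not real incident data.
SAMPLE_EVENTS = [
    Event('process', 'C:\\WINDOWS\\system32\\wscript.EXE', 'C:\\Windows\\System32\\svchost.exe',
          cmdline='C:\\WINDOWS\\system32\\wscript.EXE OBJECT~1.JS'),
    Event('process', 'C:\\Windows\\System32\\cscript.exe', 'C:\\WINDOWS\\system32\\wscript.EXE',
          cmdline='cscript.exe'),
    Event('process', PS, 'C:\\Windows\\System32\\cscript.exe', cmdline='powershell.exe -w hidden -enc <base64>'),
    Event('process', USER + 'msdtc.exe', PS),
    Event('imageload', USER + 'msdtc.exe', loaded=USER + 'libvlc.dll', signed=True, loaded_signed=False),
    Event('process', 'C:\\Windows\\System32\\dllhost.exe', USER + 'msdtc.exe'),
    Event('process', 'C:\\Windows\\System32\\wabmig.exe', USER + 'msdtc.exe'),
    # benign baseline: the real MSDTC service and a normal VLC install under Program Files
    Event('process', 'C:\\Windows\\System32\\msdtc.exe', 'C:\\Windows\\System32\\services.exe'),
    Event('imageload', 'C:\\Program Files\\VideoLAN\\VLC\\vlc.exe',
          loaded='C:\\Program Files\\VideoLAN\\VLC\\libvlc.dll', loaded_signed=False),
]

if __name__ == '__main__':
    for idx, name in scan(SAMPLE_EVENTS):
        print(idx, basename(SAMPLE_EVENTS[idx].image), '->', name)
```

The rules are deliberately narrow: the sideloading rule only fires for an unsigned DLL loaded from outside the system and Program Files roots, so a stock VLC install does not alert even though its own libvlc.dll is loaded by a signed vlc.exe, while the renamed copy in a user profile trips both the sideloading and the libvlc.dll-by-the-wrong-host checks. In production the path allowlists would come from an asset baseline rather than two constants.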
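The report describes the lure archive by shape rather than by hash: keywords separated by spaces or underscores, then a parenthesised suffix of five digits for the ZIP and three or five letters for the JS inside it, a single heavily obfuscated script, and (for the dropped second-stage script) a file padded to tens of megabytes. As an added example, not code from the post, the Python below encodes that naming convention and checks an archive for it, building a constructed sample ZIP in memory so it runs offline. The keyword watchlist is taken from the terms the report names; the sample file names, the 6 MB padding and the 5 MB size threshold are assumptions.

```python
import io
import re
import zipfile

# keywords, then "(5 digits)" for the ZIP or "(3 or 5 letters)" for the JS
NAME_RE = re.compile(
    r'^(?P<keywords>[A-Za-z][A-Za-z0-9 _]*?)\s*\((?P<tag>\d{5}|[A-Za-z]{3}|[A-Za-z]{5})\)\.(?P<ext>zip|js)$',
    re.I)

# Search terms the report associates with this campaign; extend with local provider and city names.
WATCHLIST = ('agreement', 'hospital', 'health', 'medical', 'nursing', 'midwifery', 'brisbane')


def parse_name(name):
    """Return {'keywords', 'tag', 'ext'} when a file name follows the lure convention, else None."""
    m = NAME_RE.match(name.replace('\\', '/').rsplit('/', 1)[-1])
    if not m:
        return None
    tag, ext = m['tag'], m['ext'].lower()
    if ext == 'zip' and not tag.isdigit():   # the ZIP suffix is numeric
        return None
    if ext == 'js' and not tag.isalpha():    # the JS suffix is alphabetic
        return None
    return {'keywords': m['keywords'].strip(), 'tag': tag, 'ext': ext}


def watchlist_hits(keywords):
    words = set(re.split(r'[ _]+', keywords.lower()))
    return sorted(w for w in WATCHLIST if w in words)


def inspect_zip(zip_name, data, max_script_bytes=5 * 2 ** 20):
    """Findings for a downloaded archive: name convention, single-JS layout, oversized script."""
    findings = []
    z = parse_name(zip_name)
    if z and z['ext'] == 'zip':
        findings.append('zip name follows the keyword + (5 digits) convention: ' + z['keywords'])
        hits = watchlist_hits(z['keywords'])
        if hits:
            findings.append('lure keywords from the campaign watchlist: ' + ', '.join(hits))
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = zf.infolist()
        scripts = [m for m in members if m.filename.lower().endswith('.js')]
        if len(members) == 1 and scripts:
            findings.append('archive holds a single .js file')
        for m in scripts:
            if parse_name(m.filename):
                findings.append('js name follows the keyword + (3/5 letters) convention: ' + m.filename)
            if m.file_size > max_script_bytes:
                findings.append('script is %d bytes, far above a normal .js (padding)' % m.file_size)
    return findings


def make_sample_zip():
    """Constructed lure archive; names and padding are invented to match the described shape."""
    zip_name = 'hospital enterprise agreement brisbane (48213).zip'
    js_name = 'hospital enterprise agreement brisbane (qwe).js'
    body = b'var x=1;\n//' + b'z' * (6 * 2 ** 20)   # junk padding stands in for the bulk bytes
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w', zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(js_name, body)
    return zip_name, buf.getvalue()


if __name__ == '__main__':
    name, data = make_sample_zip()
    for line in inspect_zip(name, data):
        print(line)
```

The name check on its own will also match benign documents that happen to use a parenthesised suffix, so it is best treated as one signal combined with the single-script layout and the size anomaly rather than as a standalone block rule.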
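For the "File comparison" observation and the advice to web administrators above: the report notes that the malicious JavaScript is inserted into a legitimate JS file at random positions on a compromised WordPress site, which means a site owner can find it by comparing served files against the pristine files shipped in the plugin or theme package. The following is an added example, not code from the post or from WordPress: a hash-based integrity check over a baseline plus a line-level diff that reports the inserted segment. The plugin path, the jQuery-style snippet and the inserted function are constructed placeholders; the placeholder function is not the actual Gootkit injection.

```python
import difflib
import hashlib


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def integrity_report(baseline, current):
    """baseline: {relative path: sha256 of the pristine file from the vendor package};
    current:  {relative path: bytes as served from the web root}."""
    modified = sorted(p for p in current if p in baseline and sha256_hex(current[p]) != baseline[p])
    unexpected = sorted(p for p in current if p not in baseline)
    missing = sorted(p for p in baseline if p not in current)
    return {'modified': modified, 'unexpected': unexpected, 'missing': missing}


def inserted_segments(pristine_text, served_text):
    """Line-level diff; returns [(1-based line in the served file, inserted or replaced text), ...]."""
    a, b = pristine_text.splitlines(), served_text.splitlines()
    sm = difflib.SequenceMatcher(a=a, b=b, autojunk=False)
    return [(j1 + 1, '\n'.join(b[j1:j2]))
            for tag, i1, i2, j1, j2 in sm.get_opcodes() if tag in ('insert', 'replace')]


# Constructed pristine plugin script (jQuery-style boilerplate, not a real plugin file).
PRISTINE_JS = (
    '(function ($) {\n'
    '  $.fn.slideshow = function (opts) {\n'
    '    return this.each(function () { this.dataset.slideshow = opts.speed; });\n'
    '  };\n'
    '})(jQuery);\n'
)

# The same file with one function inserted at an arbitrary position. The body is a
# neutral placeholder for an injected function, not the code the report observed.
INJECTED_FN = 'function p0(){return document.referrer;}'
SERVED_JS = PRISTINE_JS.replace('(function ($) {\n', '(function ($) {\n' + INJECTED_FN + '\n', 1)

PATH = 'wp-content/plugins/demo-slider/js/slideshow.js'  # assumed plugin path
BASELINE = {PATH: sha256_hex(PRISTINE_JS.encode())}      # hashes taken from the vendor package
CURRENT = {PATH: SERVED_JS.encode()}                     # what the web root actually serves

if __name__ == '__main__':
    print(integrity_report(BASELINE, CURRENT))
    for line_no, text in inserted_segments(PRISTINE_JS, SERVED_JS):
        print('inserted at line %d:' % line_no, text)
```

In practice the baseline comes from a fresh download of the same plugin and theme versions from WordPress.org, and any file in the "modified" or "unexpected" lists is diffed the same way; an inserted function that appears in an otherwise unchanged library file is exactly the pattern shown in the report's Figure 6.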