{
	"id": "189e45c1-a8d8-4d4e-a2bf-2dbf13702538",
	"created_at": "2026-04-06T00:20:05.511609Z",
	"updated_at": "2026-04-10T13:11:19.800902Z",
	"deleted_at": null,
	"sha1_hash": "ef70cb68538de6855eb82dada8a7590acf8e3b5d",
	"title": "Dissecting GootLoader With Node.js",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1286428,
	"plain_text": "Dissecting GootLoader With Node.js\r\nBy Riley Porter, Mark Lim\r\nPublished: 2024-07-03 · Archived: 2026-04-05 23:14:27 UTC\r\nExecutive Summary\r\nThis article shows how to circumvent the anti-analysis techniques of GootLoader malware using Node.js\r\ndebugging in Visual Studio Code. The evasion technique used by GootLoader JavaScript files can present a\r\nformidable challenge for sandboxes attempting to analyze the malware.\r\nSandboxes with limited computing resources can struggle to analyze a large volume of binaries. Malware often\r\ntakes advantage of this to evade analysis by delaying its malicious actions, which is commonly described as\r\n“sleeping.”\r\nGootLoader is a backdoor and loader malware that its operators have actively distributed through fake forum\r\nposts. The infection process of GootLoader starts with a JavaScript file.\r\nPalo Alto Networks customers are better protected from these threats through our Next-Generation Firewall with\r\nCloud-Delivered Security Services including Advanced WildFire, as well as through Cortex XDR. If you think\r\nyou might have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response\r\nteam.\r\nRelated Unit 42 Topics: GootLoader, Evasion, Memory Detection\r\nBackground\r\nGootkit was first reported in 2014, and it underwent many changes over time. In 2020, at least one source\r\nidentified a JavaScript-based type of malware named Gootkit Loader, which its operators distributed through fake\r\nforum posts. The group behind this campaign has kept the same distribution tactic, and as of 2024 they continue\r\nusing fake forum posts that are nearly identical in appearance.\r\nMany security vendors shorten Gootkit Loader to GootLoader when referring to these JavaScript files. 
While the\r\noriginal Gootkit malware was a Windows executable, GootLoader is JavaScript-based malware, and it can deliver\r\nother types of malware, including ransomware.\r\nSince January 2024, we have investigated several GootLoader samples. The infection chain is shown below in\r\nFigure 1.\r\nhttps://unit42.paloaltonetworks.com/javascript-malware-gootloader/\r\nPage 1 of 6\n\nFigure 1. Flowchart for a GootLoader infection we saw in March 2024.\r\nSandboxing is a widely adopted method of identifying malicious binaries that involves analyzing the behavior of\r\nbinaries within a controlled environment. Sandboxes encounter hurdles when analyzing a large volume of binaries\r\nwith limited computing resources.\r\nMalware often exploits these challenges by intentionally delaying malicious actions within the sandbox to conceal\r\nits true intent. These delaying actions are commonly described as the malware sleeping.\r\nCommon Ways for JavaScript Malware to Sleep\r\nThe most common way for malware to sleep is to simply call the methods WScript.Sleep() or setTimeout().\r\nHowever, many sandboxes easily detect these calls. In the following paragraphs we dissect one of the least-mentioned methods GootLoader uses to evade detection: a delay built from plain loops and array lookups, with no sleep API involved.\r\nStepping Into the Code\r\nIn this section we leverage Node.js debugging in Visual Studio Code to analyze the following GootLoader file on\r\na Windows host:\r\nSHA256 hash: c853d91501111a873a027bd3b9b4dab9dd940e89fcfec51efbb6f0db0ba6687b\r\nFile size: 860,920 bytes\r\nFile name: what cards are legal in goat format 35435.js\r\nFirst submitted to VirusTotal: Jan. 9, 2024\r\nTo debug GootLoader files, we use a Windows host with the Node.js JavaScript runtime and\r\nVisual Studio Code installed. 
In this environment, we can step through the code using Node.js debugging in the\r\nVisual Studio Code editor.\r\nThis environment offers an effective way to understand the malware's control flow and execution logic.\r\nTypically, Windows Script Host (wscript.exe) runs standalone JavaScript files in a Windows environment.\r\nHowever, by employing Node.js and Visual Studio Code, we can step through the JavaScript file's execution, set\r\nbreakpoints in the code and use the debug console to evaluate expressions. While this approach offers\r\nsignificant advantages, Node.js does not provide the host objects that Windows Script Host scripts rely on (for example, WScript and ActiveXObject), so calls to them fail unless they are stubbed out before the script runs.\r\nAs an obfuscation technique, the authors of GootLoader have interwoven lines of GootLoader code among\r\nlegitimate JavaScript library code. Throughout our debugging process, we observed code execution that\r\nappeared to be stuck within a particular loop. Below, Figure 2 shows a snippet of code\r\nfrom one of these loops.\r\nFigure 2. Code execution from a GootLoader sample that appeared to be stuck in a loop when\r\nanalyzing the file using Node.js debugging in Visual Studio Code.\r\nTo gain a better understanding of these loops, let's delve into the surrounding code from the loop in Figure 2.\r\nBelow, Figure 3 shows an isolated rendition of the original code that we will focus on.\r\nFigure 3. Code loop from Figure 2.\r\nIn Figure 3, the while loop appears infinite, because the variable jobcv is consistently\r\nassigned the value 1. Additionally, the variable oftenfs acts as a counter, which has been initialized with the value\r\n8242.\r\nThe pivotal line within this loop is rangez=(horseq7[oftenfs](oftenfs));. 
The successful execution of this line relies\r\non the function array horseq7 holding an actual function at index oftenfs; at every other index the element is undefined, so the call fails and the loop moves on to the next counter value. The loop persists until the counter oftenfs reaches the\r\nvalue 2597242, at which point horseq7[2597242] references the sleepy function.\r\nThis made the code appear to be stuck in a loop, because within our analysis environment, it took over 10 minutes\r\nfor the counter oftenfs to reach the value 2597242.\r\nNext, we stepped into the sleepy function. Inside the sleepy function, we observed a familiar function array name\r\nfrom Figure 3. This function array, horseq7, is assigned a function named indicate6, as shown below in\r\nFigure 4.\r\nFigure 4. Finding the horseq7 function array name inside the sleepy function.\r\nAfter more delays, code execution lands inside the indicate6 function. This time the lclft4 function is assigned\r\ninto the function array horseq7, as shown below in Figure 5.\r\nFigure 5. Inside the indicate6 function.\r\nAgain after more delays, code execution reaches the course83 function shown below in Figure 6. The function\r\ncourse83 is where the actual malicious code begins execution.\r\nFigure 6. Inside the course83 function.\r\nFinally, debugging the course83 function unveils and deobfuscates JavaScript code that initiates GootLoader's\r\nmalicious functions. Below, Figure 7 shows a section of the deobfuscated malicious GootLoader code.\r\nFigure 7. Snippet of deobfuscated malicious GootLoader code.\r\nThe creators of GootLoader employed time-consuming while loops with arrays of functions to deliberately delay\r\nthe execution of malicious code: each stage does nothing but count upward through a sparse array until the counter hits the one index that holds the next function. 
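The delay loop described above, reduced to a runnable model as an added example that is not from the original article or from the GootLoader sample: the sparse function array and the indices and names in Table 1 are the real values from the analysis; the function bodies, the try/catch that advances the counter when a call fails, and the helper names (buildFunctionArray, delayLoop, populatedIndices, skipDelays) are assumptions made for illustration. The second half shows the shortcut an analyst can use in the Node.js debug console instead of waiting minutes: enumerate the array's populated indices and jump the counter straight to the next one.

```javascript
'use strict';

// Added example, not code from the GootLoader sample or the original article.
// Indices and names are the real values from Table 1; the function bodies,
// the try/catch, and every helper name here are assumptions for illustration.

// Build the kind of sparse function array the delay loop walks: a handful of
// populated indices, every other index a hole.
function buildFunctionArray() {
  const fnArray = [];
  fnArray[2597242] = function sleepy(n) { return 'sleepy:' + n; };
  fnArray[5210044] = function indicate6(n) { return 'indicate6:' + n; };
  fnArray[6001779] = function lclft4(n) { return 'lclft4:' + n; };
  fnArray[6690534] = function course83(n) { return 'course83:' + n; };
  return fnArray;
}

// Model of the loop in Figure 3. The page does not show how a failed call is
// handled; this version ASSUMES a try/catch that advances the counter, since
// calling an undefined array element throws a TypeError and the loop has to
// absorb millions of those before it reaches the first populated index.
function delayLoop(fnArray, start) {
  let oftenfs = start;      // the counter
  let jobcv = 1;            // stays 1 until a call succeeds
  let rangez;
  let failedCalls = 0;
  while (jobcv === 1) {
    try {
      rangez = fnArray[oftenfs](oftenfs); // throws unless this index holds a function
      jobcv = 0;
    } catch (e) {
      oftenfs += 1;
      failedCalls += 1;
    }
  }
  return { counter: oftenfs, result: rangez, failedCalls: failedCalls };
}

// Analyst shortcut: a sparse array only has own properties at populated
// indices, so Object.keys() lists the few real entries and nobody has to
// wait for the counter to crawl up to them one failed call at a time.
function populatedIndices(fnArray) {
  return Object.keys(fnArray)
    .map(Number)
    .filter(function (i) { return typeof fnArray[i] === 'function'; })
    .sort(function (a, b) { return a - b; });
}

// Walk the chain without the delay: jump straight to each populated index at
// or above the starting counter and record which function lives there.
function skipDelays(fnArray, start) {
  const visited = [];
  for (const i of populatedIndices(fnArray)) {
    if (i < start) { continue; }
    visited.push({ counter: i, name: fnArray[i].name, result: fnArray[i](i) });
  }
  return visited;
}
```

skipDelays(buildFunctionArray(), 8242) returns the four entry points in Table 1 order without a single failed call, while delayLoop on the same array would have to throw and catch roughly 2.6 million TypeErrors before it reaches sleepy. In a live debugging session the equivalent move is to evaluate Object.keys(horseq7) in the debug console and assign oftenfs the smallest populated index above its current value; because the sample reassigns horseq7 inside each stage, the step has to be repeated for each of the four delays.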
This method effectively implements an evasion technique: the delay behaves like a sleep, consuming minutes of wall-clock time, but it never calls WScript.Sleep() or setTimeout(), the APIs a sandbox would look for, so it obscures the malicious nature of GootLoader.\r\nTable 1 lists the counter values and their assigned functions in the order they were called from the GootLoader\r\nJavaScript code.\r\nCounter Value Function Name\r\n2597242 sleepy\r\n5210044 indicate6\r\n6001779 lclft4\r\n6690534 course83\r\nTable 1. Counter values and their assigned functions from the GootLoader sample.\r\nConclusion\r\nThe insights gained from analyzing the evasion technique used by GootLoader enhance our\r\nability to detect, analyze and develop effective countermeasures against malicious software. Through continuous\r\ncollaboration and knowledge sharing, we can collectively stay ahead of cybercriminals to help safeguard our\r\ndigital systems and networks.\r\nPalo Alto Networks customers are better protected from GootLoader and similar threats through the following\r\nproducts:\r\nNext-Generation Firewall with Cloud-Delivered Security Services including Advanced WildFire detects the\r\nfiles mentioned within this report as malicious.\r\nThe script described is prevented by Behavioral Threat Protection as part of Cortex XDR.\r\nIf you think you might have been compromised or have an urgent matter, get in touch with the Unit 42 Incident\r\nResponse team or call:\r\nNorth America Toll-Free: 866.486.4842 (866.4.UNIT42)\r\nEMEA: +31.20.299.3130\r\nAPAC: +65.6983.8730\r\nJapan: +81.50.1790.0200\r\nPalo Alto Networks has shared these findings with our fellow Cyber Threat Alliance (CTA) members. CTA\r\nmembers use this intelligence to rapidly deploy protections to their customers and to systematically disrupt\r\nmalicious cyber actors. 
Learn more about the Cyber Threat Alliance.\r\nIndicators of Compromise\r\nSHA256 Hashes of GootLoader JavaScript Files\r\nb939ec9447140804710f0ce2a7d33ec89f758ff8e7caab6ee38fe2446e3ac988\r\nc853d91501111a873a027bd3b9b4dab9dd940e89fcfec51efbb6f0db0ba6687b\r\nSource: https://unit42.paloaltonetworks.com/javascript-malware-gootloader/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/javascript-malware-gootloader/"
	],
	"report_names": [
		"javascript-malware-gootloader"
	],
	"threat_actors": [],
	"ts_created_at": 1775434805,
	"ts_updated_at": 1775826679,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ef70cb68538de6855eb82dada8a7590acf8e3b5d.pdf",
		"text": "https://archive.orkl.eu/ef70cb68538de6855eb82dada8a7590acf8e3b5d.txt",
		"img": "https://archive.orkl.eu/ef70cb68538de6855eb82dada8a7590acf8e3b5d.jpg"
	}
}