{
	"id": "b26893ae-6ff7-4fab-b1d2-daff2a2d7526",
	"created_at": "2026-04-06T00:07:53.905538Z",
	"updated_at": "2026-04-10T03:33:12.677449Z",
	"deleted_at": null,
	"sha1_hash": "f4af0ed1d818560f0d84266436ccfe4ee67fcc74",
	"title": "Welcome to Goot Camp: Tracking the Evolution of GOOTLOADER Operations | Mandiant",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 7234850,
	"plain_text": "Welcome to Goot Camp: Tracking the Evolution of GOOTLOADER\r\nOperations | Mandiant\r\nBy Mandiant\r\nPublished: 2023-01-26 · Archived: 2026-04-05 14:03:49 UTC\r\nWritten by: Govand Sinjari, Andy Morales\r\nSince January 2021, Mandiant Managed Defense has consistently responded to GOOTLOADER infections. Threat actors\r\ncast a widespread net when spreading GOOTLOADER and impact a wide range of industry verticals and geographic\r\nregions. We currently only attribute GOOTLOADER malware and infrastructure to a group we track as UNC2565, and we\r\nbelieve it to be exclusive to this group.\r\nBeginning in 2022, UNC2565 began incorporating notable changes to the tactics, techniques, and procedures (TTPs) used in\r\nits operations. These changes include the use of multiple variations of the FONELAUNCH launcher, the distribution of new\r\nfollow-on payloads, and changes to the GOOTLOADER downloader and infection chain, including the introduction of\r\nGOOTLOADER.POWERSHELL. These changes are illustrative of UNC2565’s active development and growth in\r\ncapabilities.\r\nMandiant’s observation of post-compromise GOOTLOADER activity has largely been limited to internal reconnaissance, as\r\nthese intrusions have been quickly detected and mitigated.\r\nThis blog post will also cover the various methods used by the malware to obscure its code, as well as provide scripts that\r\ncan automate the deobfuscation process.\r\nInfection Chain\r\nGOOTLOADER infections begin with the user searching for business-related documents online, like templates, agreements,\r\nor contracts. The victim is lured into visiting a compromised website and downloading a malicious archive that contains a\r\nJavaScript file known as GOOTLOADER.\r\nSuccessful execution of the GOOTLOADER file will download additional payloads, FONELAUNCH and Cobalt Strike\r\nBEACON or SNOWCONE that will be stored in the registry. 
These payloads are executed via PowerShell in the later\r\nstages.\r\nSince late 2020, GOOTLOADER campaigns have implemented relatively consistent infection chains. However, the\r\ninfection chain incorporated notable shifts starting in mid-November 2022. Prior to November 2022, the typical\r\nGOOTLOADER infection chain consisted of the following:\r\n1. The user visits an UNC2565-compromised site (usually related to business documents) and downloads a malicious\r\nZIP archive.\r\n2. The malicious ZIP file is saved to the user's Downloads folder.\r\n3. The user opens the ZIP file and clicks the .JS file inside.\r\n4. The JS file is launched using WScript.exe.\r\n5. The WScript.exe process reaches out to three hard coded domains and downloads two payloads that are saved to the\r\nregistry.\r\n6. WScript.exe stores the first registry payload (FONELAUNCH) as a value in the path HKCU\\SOFTWARE\\Microsoft\\\r\n\u003cSTRING\u003e\\%USERNAME%0.\r\n7. WScript.exe stores the second registry payload (usually BEACON) as a value in the\r\npath HKCU\\SOFTWARE\\Microsoft\\\u003cSTRING\u003e\\%USERNAME%.\r\n8. WScript.exe executes a PowerShell script that decodes and executes the first payload. This payload is a .NET-based\r\nlauncher that Mandiant tracks as FONELAUNCH.\r\n9. WScript.exe executes a PowerShell command that creates a scheduled task which executes the same PowerShell\r\nscript mentioned in the previous step. The current account username will be used for the task name, and the task will\r\nbe set to run when the user logs in.\r\n10. The first registry payload (FONELAUNCH) decodes and executes the second registry payload, which contains\r\nCobalt Strike BEACON or SNOWCONE malware.\r\nhttps://www.mandiant.com/resources/blog/tracking-evolution-gootloader-operations\r\nPage 1 of 15\n\nFigure 1: GOOTLOADER attack chain\r\nIn November 2022, Managed Defense observed a new variant of GOOTLOADER, tracked as\r\nGOOTLOADER.POWERSHELL, leveraging a new infection chain. 
This new variant writes a second .JS file to disk and\r\ncreates a scheduled task to execute it. The script reaches out to 10 hard coded URLs. The URL request contains encoded\r\ndata about the host such as running processes and local drives. Follow up activity is similar to previous GOOTLOADER\r\nversions where payloads are written to the registry. The attack chain of this new variant is listed as follows:\r\n1. The user visits an UNC2565-compromised site (usually related to business documents) and downloads a malicious\r\nZIP archive.\r\n2. The malicious ZIP file is saved to the user's Downloads folder.\r\n3. The user opens the ZIP file and clicks the .JS file inside. This is a trojanized JavaScript library containing an\r\nobfuscated JScript file, which will ultimately execute GOOTLOADER.POWERSHELL. Recently observed\r\ntrojanized JavaScript libraries include jQuery, Chroma.js, and Underscore.js.\r\n4. The JS file is launched using WScript.exe.\r\n5. The WScript.exe process creates an inflated file with a .LOG extension\r\nto C:\\Users\\%USERNAME%\\AppData\\Roaming\\\u003cRANDOM_DIRECTORY\u003e\\\u003cHARD_CODED_FILE_NAME\u003e.\r\nThe dropper writes more obfuscated JScript code followed by a padding of random characters to increase the file\r\nsize.\r\n6. The .LOG file is renamed with a .JS file extension.\r\n7. The dropper creates a scheduled task that executes the new JScript file. The scheduled task is executed immediately\r\nafter creation but also serves as a persistence mechanism to run the second JScript file at the next logon.\r\n8. WScript.exe and CScript.exe launch a PowerShell process that reaches out to 10 hard coded domains.\r\nVictim information collected includes environment variables, Windows OS version, filenames, and running\r\nprocesses. This information is Gzip compressed, Base64 encoded, and sent to the command and control (C2)\r\nserver in the Cookie header.\r\n9. 
The C2 returns a payload, which is executed using the Invoke-Expression PowerShell cmdlet. This leads to the\r\ndownload of two payloads into registry keys: FONELAUNCH and a secondary payload to be executed by\r\nFONELAUNCH (mirroring steps 6 through 10 of the previous infection chain).\r\nFigure 2: GOOTLOADER.POWERSHELL attack chain\r\nThe Evolution of GOOTLOADER Obfuscation\r\nIn addition to observing GOOTLOADER.POWERSHELL, several variants of FONELAUNCH, and a new infection chain,\r\nMandiant has also observed an evolution in the methods used to obfuscate GOOTLOADER. Mandiant currently tracks three\r\nobfuscation variants that have been leveraged. Beginning in early 2021, GOOTLOADER was distributed as a small JS file\r\nwith one obfuscated block of code (MD5: ab1171752af289e9f85a918845859848). These samples have been tracked as\r\nobfuscation variant 1 (Figure 3).\r\nFigure 3: GOOTLOADER obfuscation variant 1 in February 2021\r\nAround October 2021, Managed Defense observed GOOTLOADER embedded within trojanized jQuery libraries instead of\r\nbeing on its own, likely in an attempt to evade detection and hinder analysis (MD5: 82607b68e061abb1d94f33a2e06b0d20).\r\nThese samples have been tracked as obfuscation variant 2 (Figure 4).\r\nFigure 4: GOOTLOADER obfuscation variant 2 in October 2021\r\nIn August 2022, Managed Defense observed new samples with slight variations in the obfuscation code. These new samples\r\nspread the obfuscated string variables throughout the file rather than having them all on the same line (MD5:\r\nd3787939a5681cb6d6ac7c42cd9250b5). 
These GOOTLOADER samples trojanized the jit.js file rather than jQuery (Figure 5).\r\nFigure 5: GOOTLOADER obfuscation variant 2 in August 2022\r\nBeginning in November 2022, Managed Defense observed a new obfuscation variant, tracked as variant 3, with a modified\r\ninfection chain that is more complex than the previous variants. This new variant contains additional string variables that are used\r\nin a second deobfuscation stage. This new variant has been observed trojanizing several legitimate JavaScript libraries,\r\nincluding jQuery, Chroma.js, and Underscore.js (MD5: ea2271179e75b652cafd8648b698c6f9).\r\nFigure 6: GOOTLOADER obfuscation variant 3 in November 2022\r\nGOOTLOADER Obfuscation Variant Comparison\r\nTable 1 compares different obfuscation variants of the GOOTLOADER JavaScript files based on samples observed by\r\nMandiant.\r\nVariant 1\r\n  First Observed: Feb 2021\r\n  Malicious Code: One obfuscated block of code, easily recognizable.\r\n  Payload (see Infection Chain): GOOTLOADER\r\nVariant 2\r\n  First Observed: Oct 2021\r\n  Malicious Code: Malicious code has been nested within the file. Early samples had all the variables in one block of code; later samples spread the code throughout the file.\r\n  Payload (see Infection Chain): GOOTLOADER\r\nVariant 3\r\n  First Observed: Nov 2022\r\n  Malicious Code: Malicious code has been nested throughout the file. Additional string variables added for the second deobfuscation iteration.\r\n  Payload (see Infection Chain): GOOTLOADER.POWERSHELL\r\nTable 1: Comparison between different GOOTLOADER obfuscation variants\r\nFileless Registry Payloads\r\nThe successful execution of GOOTLOADER will result in the download of two additional payloads, FONELAUNCH and\r\nan in-memory dropper that typically delivers BEACON, to the registry paths in Figure 7. These are registry-resident\r\nmalware samples stored in the Windows registry to remain persistent and evade detection. 
GOOTLOADER subsequently\r\nlaunches these payloads in memory.\r\nHKCU\\SOFTWARE\\Microsoft\\Phone\\%USERNAME%0 (FONELAUNCH)\r\nHKCU\\SOFTWARE\\Microsoft\\Phone\\%USERNAME% (Secondary registry payload)\r\n \r\nHKCU\\SOFTWARE\\Microsoft\\Personalization\\%USERNAME%0 (FONELAUNCH)\r\nHKCU\\SOFTWARE\\Microsoft\\Personalization\\%USERNAME% (Secondary registry payload)\r\n \r\nHKCU\\SOFTWARE\\Microsoft\\Fax\\%USERNAME%0 (FONELAUNCH)\r\nHKCU\\SOFTWARE\\Microsoft\\Fax\\%USERNAME% (Secondary registry payload)\r\n \r\nHKCU\\SOFTWARE\\Microsoft\\Personalization\\\u003cRANDOM_STRING\u003e (FONELAUNCH \u0026 the secondary registry payload)\r\nFigure 7: Payloads downloaded to the registry hive by GOOTLOADER\r\nThe second-stage PowerShell script attempts to create a scheduled task (Figure 8) that launches the malicious payloads that\r\nwere saved to the registry (Figure 9).\r\nFigure 8: Second-stage PowerShell script that creates a scheduled task for malware persistence\r\nFigure 9: The Base64 data from Figure 8 is a PowerShell script that reconstructs and executes the first registry payload.\r\nThe PowerShell script performs the following steps to execute the FONELAUNCH malware in memory:\r\n1. Query the HKCU\\SOFTWARE\\Microsoft\\Phone\\%USERNAME%0 registry key\r\n2. Merge all the registry values together (usually 7 entries)\r\n3. Replace the \"#\" character with the string \"1000\"\r\n4. Convert the data from hex to bytes\r\n5. Load the payload (FONELAUNCH) into memory and execute it\r\nFONELAUNCH\r\nFONELAUNCH is one of the payloads written into the registry by GOOTLOADER. It is a .NET-based loader that loads an\r\nencoded payload from the registry into memory.\r\nSince May 2021, Mandiant has observed UNC2565 use three different variants of FONELAUNCH, distinguished by their\r\nloading mechanism (Table 2). 
The evolution of FONELAUNCH variants over time has allowed UNC2565 to distribute and\r\nexecute a wider variety of payloads, including DLLs, .NET binaries, and PE files.\r\nFONELAUNCH.FAX reads and decodes data from the HKCU\\SOFTWARE\\Microsoft\\Fax\\%USERNAME% registry\r\nkey. The returned content is expected to be a .NET assembly, which is loaded at runtime into memory.\r\nFONELAUNCH.FAX establishes its persistence by creating a registry key in the current user registry hive\r\n(Figure 10) (MD5: d6220ca85c44e2012f76193b38881185).\r\nFONELAUNCH.PHONE mainly reads and decodes data placed in a specific registry key. The returned data is\r\nexpected to be a DLL, which is loaded via a publicly available DynamicDllLoader project.\r\nInitial samples of FONELAUNCH.PHONE read and decoded data from the\r\nHKCU\\SOFTWARE\\Microsoft\\Phone\\%USERNAME% registry key (MD5:\r\n35238d2a4626e7a1b89b13042f9390e9).\r\nStarting in October 2022 a subset of FONELAUNCH.PHONE samples read and decoded data from the\r\nHKCU\\SOFTWARE\\Microsoft\\Personalization\\%USERNAME% registry key.\r\nFONELAUNCH.DIALTONE reads and decodes data from the HKCU\\SOFTWARE\\Microsoft\\%USERNAME%\r\nregistry key. The returned content is expected to be a PE file, which is injected into a separate process and executed\r\n(MD5: aef6d31b3249218d24a7f3682a00aa10). 
Notably, all incidents in which FONELAUNCH.DIALTONE was\r\ndeployed have led to the execution of SNOWCONE.GZIPLOADER.\r\nFONELAUNCH.FAX\r\n  First Observed: May 2021\r\n  Observed Registry Paths: HKCU\\SOFTWARE\\Microsoft\\Fax\\%USERNAME%\r\n  Supported Payload: .NET\r\n  Persistence: RunOnce registry key\r\nFONELAUNCH.PHONE\r\n  First Observed: September 2021\r\n  Observed Registry Paths: HKCU\\SOFTWARE\\Microsoft\\Phone\\%USERNAME%; HKCU\\SOFTWARE\\Microsoft\\Personalization\\%USERNAME%\r\n  Supported Payload: DLL\r\n  Persistence: None\r\nFONELAUNCH.DIALTONE\r\n  First Observed: May 2022\r\n  Observed Registry Paths: HKCU\\SOFTW\r\n  Supported Payload: PE\r\n  Persistence: None\r\nTable 2: Comparison between FONELAUNCH variants\r\nFigure 10: FONELAUNCH.FAX persistence mechanism\r\nOpening FONELAUNCH with dnSpy reveals a substitution cipher key that can be used to decode the second registry\r\npayload located in the HKCU\\SOFTWARE\\Microsoft\\Phone\\%USERNAME% registry key.\r\nFigure 11: The dnSpy screenshot shows the substitution table and loading function\r\nThe Secondary Registry Payload\r\nThe secondary registry payload written into the registry by GOOTLOADER is a memory-only dropper written in .NET or\r\nC++ that decodes an embedded payload located in a randomly named function and executes it. Opening the .NET secondary\r\nregistry payload with dnSpy reveals that it will be decoded and eventually launched in memory (Figure 12). Mandiant has\r\nobserved that in most cases, this is a Cobalt Strike BEACON payload.\r\nFigure 12: dnSpy screenshot showing the payload that will be launched in memory\r\nDeobfuscating GOOTLOADER\r\nYou can download all scripts mentioned in this blog post from the Gootloader repository on GitHub.\r\nGOOTLOADER Obfuscation Variant 1\r\nAs mentioned previously, deobfuscation of GOOTLOADER obfuscation variant 1 is straightforward. 
Two iterations of the\r\nPython function in Figure 13 deobfuscate the contents of the JavaScript file.\r\nFigure 13: Deobfuscation function\r\nThe function in the red box contains the relevant code from GOOTLOADER 1 that must be deobfuscated (Figure 14).\r\nFigure 14: GOOTLOADER obfuscation variant 1 JS sample\r\nThe result of the first deobfuscation iteration is shown in Figure 15.\r\nFigure 15: First GOOTLOADER deobfuscation iteration\r\nDeobfuscating the code in single quotes again results in the decoded script. Figure 16 shows the result after using the\r\nCyberChef “Generic Code Beautify” recipe.\r\nFigure 16: Using CyberChef to beautify the code\r\nGOOTLOADER Obfuscation Variant 2\r\nDespite ultimately using the same decoding function, the updated variant of GOOTLOADER hides itself within over 10,000\r\nlines of code for additional obfuscation.\r\nThe regular expression “.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*(\\n.*\\=.*\\+.*)*” can be used to find the relevant code block.\r\nFigure 17: Malicious code in the GOOTLOADER obfuscation variant 2 JS file sample\r\nAs shown in Figure 17, the code populates several variables and then concatenates them together. Using the\r\nGOOTLOADER 1 script would not work here since there is no “single” string in the obfuscated code.\r\nTruncated sample of the formula:\r\nwabjrw = siyiqs+ektlkoi+nknhti+idkbqxaw+pqxyicj+vzphnjxnkwqcf+yycsvqac+udazlru+rnoyxn+pdolnhb+oznmgnee;\r\nThe following code block shows a different GOOTLOADER variant that uses multiple equals statements to further\r\nobfuscate the code:\r\nSdcsd= sdcdscs+sdcsdc; wabjrw =ujmlmdcd+sdcsd\r\nLater samples spread the relevant code throughout the file rather than having it on a single line. 
However, the variables are\r\nstill being set in the same order (from the top of the file down), so it is possible to automate the deobfuscation of the script.\r\nAnother distinction between samples is the comment block at the top of the file. Early samples contain “jQuery JavaScript\r\nLibrary” (MD5: 82607b68e061abb1d94f33a2e06b0d20) whereas later samples contain “Copyright © 2011 Sencha Inc. -\r\nAuthor: Nicolas Garcia Belmonte” (MD5: d3787939a5681cb6d6ac7c42cd9250b5) (Figure 18 and Figure 19).\r\nFigure 18: Early GOOTLOADER obfuscation variant 2 JS file header\r\nFigure 19: Later GOOTLOADER obfuscation variant 2 JS file header\r\nManually calculating the result of the concatenated variable would be time-consuming since there are many variables, and\r\nthey are declared out of order. A better approach is to have a script run the string concatenation code and deobfuscate the\r\nresult.\r\nThe manual deobfuscation script requires manually finding the relevant code block in the JavaScript file and entering it into\r\nthe script. This is useful since minor changes in the GOOTLOADER script could break a fully automated script. Detailed\r\ndeobfuscation instructions can be found on the Gootloader GitHub page.\r\nAutomated Deobfuscation of GOOTLOADER Obfuscation Variant 2 JS\r\nRather than manually finding the relevant code, the \"GootLoaderAutoJsDecode.py\" script can be used to automate the entire\r\nprocess. The script uses the file headers to differentiate between samples and adjust the regex search accordingly. Passing\r\nthe JavaScript file as a parameter to the script will return a list of all malicious domains, and the deobfuscated code will be\r\nwritten to the file \"DecodedJsPayload.js_\". 
The script can be found on the Gootloader GitHub page.\r\npython GootLoaderAutoJsDecode.py evil.js\r\nFigure 20: Result of the decoding script\r\nGOOTLOADER Obfuscation Variant 3\r\nUnlike previous variants, GOOTLOADER obfuscation variant 3 leverages two obfuscated JavaScript files during its\r\nexecution. These samples use a similar method of deobfuscation where multiple string variables are concatenated and\r\ndecoded. However, an additional decoding routine is used to decode the second file that is dropped (Figure 21). Manually\r\ndecoding these samples is possible but cumbersome; using an automated script is preferred.\r\nFigure 21: Python version of the decoding routine\r\nAutomated Deobfuscation of GOOTLOADER Obfuscation Variant 3 JS\r\nThe “GootLoaderAutoJsDecode.py” script can also be used to decode GOOTLOADER obfuscation variant 3 samples. The\r\nscript uses the new decoding routine to deobfuscate the first file and saves all the relevant output to\r\n“GootLoader3Stage2.js_”, which is passed back into the script for decoding. Once the script completes, the output is saved to\r\n“DecodedJsPayload.js_”, which will resemble Figure 22. The script can be found on the Gootloader GitHub page.\r\nFigure 22: Decoded output showing the C2 domains\r\nReconstructing the Registry Payloads\r\nIt is possible to reconstruct the registry payloads depending on where their data resides.\r\nOff Host — Python Script + CSV\r\nThe script “GootloaderRegDecode.py”, combined with a CSV registry export, can be used to automatically reconstruct the\r\npayloads. 
The script provides details on how the CSV file must be formatted; one or both registry payloads can be processed\r\nat the same time.\r\nGootloaderRegDecode.py Payload-1-and-2-Reg-Export.csv\r\nGootloaderRegDecode.py Payload-1-Reg-Export.csv\r\nGootloaderRegDecode.py Payload-2-Reg-Export.csv\r\nBoth payloads will be saved to the current directory and an MD5 hash for each payload will be provided.\r\nThis script was tested using registry exports from Redline and Trellix HX triage packages. The script should work with\r\nother EDRs directly or with slight modification.\r\nOff Host — CyberChef + Reg Export\r\nCyberChef can be used to extract the payloads from a registry export.\r\n1. Create separate .reg exports of the HKCU\\SOFTWARE\\Microsoft\\Phone\\%USERNAME%0 and\r\nHKCU\\SOFTWARE\\Microsoft\\Phone\\%USERNAME% registry keys. The following commands can be used:\r\nreg export HKCU\\SOFTWARE\\Microsoft\\Phone\\%USERNAME%0\\ reg_stage1.reg\r\nreg export HKCU\\SOFTWARE\\Microsoft\\Phone\\%USERNAME%\\ reg_stage2.reg\r\n2. Import the file into CyberChef.\r\n3. Load the appropriate CyberChef recipe (GootloaderCyberChef-Stage1.recipie or GootloaderCyberChef-Stage2.recipie).\r\n4. Save the output.\r\nOn Host — PowerShell Script\r\nThe script “GootloaderWindowsRegDecode.ps1” can be run on a host that currently has the registry keys present. 
The script\r\ncan be executed against the current user, or another user that exists on the system.\r\n#Run against the current user account\r\nGootloaderWindowsRegDecode.ps1\r\n#Run against the JSmith user account\r\nGootloaderWindowsRegDecode.ps1 -User JSmith\r\nBoth payloads will be saved to the current directory and an MD5 hash for each payload will be provided.\r\nTechnical Indicators\r\nGOOTLOADER ZIP file\r\n1011b2cbe016d86c7849592a76b72853\r\n80a79d0c9cbc3c5188b7a247907e7264\r\nbee08c4481babb4c0ac6b6bb1d03658e\r\nGOOTLOADER JS file\r\n82607b68e061abb1d94f33a2e06b0d20\r\n961cd55b17485bfc8b17881d4a643ad8\r\naf9b021a1e339841cfdf65596408862d\r\nd3787939a5681cb6d6ac7c42cd9250b5\r\nea2271179e75b652cafd8648b698c6f9\r\nab1171752af289e9f85a918845859848\r\nRegistry Payload 1 (FONELAUNCH)\r\nFONELAUNCH.FAX\r\nd6220ca85c44e2012f76193b38881185\r\nFONELAUNCH.PHONE\r\n35238d2a4626e7a1b89b13042f9390e9\r\n53c213b090784a0d413cb00c27af6100\r\n7352c70b2f427ef4ff58128a428871d3\r\na0b7da124962b334f6c788c27beb46e3\r\na4ee41bd81dc3b842ddb2952d01f14ed\r\nd401dc350aff1e3fd4cc483238208b43\r\nec17564ac3e10530f11a455a475f9763\r\nf9365bf8d4b021a873eb206ec98453d9\r\naec78c1ef489f3f4b621037113cbdf81\r\nFONELAUNCH.DIALTONE\r\n08fa99c70e90282d6bead3bb25c358dc\r\naef6d31b3249218d24a7f3682a00aa10\r\nRegistry Payload 2\r\nhttps://www.mandiant.com/resources/blog/tracking-evolution-gootloader-operations\r\nPage 11 of 15\n\nCobalt Strike BEACON\r\n04746416d5767197f6ce02e894affcc7\r\n2eede45eb1fe65a95aefa45811904824\r\n3d768691d5cb4ae8943d8e57ea83cac1\r\n84f313426047112bce498aad97778d38\r\n92a271eb76a0db06c94688940bc4442b\r\nSNOWCONE\r\n328b032c5b1d8ad5cf57538a04fb02f2\r\n7a1369922cfb6d00df5f8dd33ffb9991\r\nNetwork Indicators\r\njonathanbartz[.]com\r\njp[.]imonitorsoft[.]com\r\njunk-bros[.]com\r\nkakiosk[.]adsparkdev[.]com\r\nkepw[.]org\r\nkristinee[.]com\r\nlakeside-fishandchips[.]com\r\nCobalt Strike Beacon 
Backdoor\r\nhxxps://108.61.242[.]65/dot.gif\r\nhxxps://108.61.242[.]65/submit.php\r\nhxxps://146.70.78[.]43/fwlink\r\nhxxps://146.70.78[.]43/submit.php\r\nhxxps://87.120.254[.]39/ga.js\r\nhxxps://87.120.254[.]39/submit.php\r\nhxxps://45.150.108[.]213/ptj\r\nhxxps://45.150.108[.]213/submit.php\r\nhxxps://92.204.160[.]240/load\r\nhxxps://92.204.160[.]240/submit.php\r\nMore atomic indicators may be found in our Mandiant Advantage portal.\r\nYARA Rules\r\nThe following YARA rules are not intended to be used on production systems or to inform blocking rules without first being\r\nvalidated through an organization's own internal testing processes to ensure appropriate performance and limit the risk of\r\nfalse positives. These rules are intended to serve as a starting point for hunting efforts to identify FONELAUNCH and\r\nGOOTLOADER.POWERSHELL samples; however, they may need adjustment over time if the malware family changes.\r\nrule M_Launcher_FONELAUNCH_1\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n description = \"Hunting rule looking for FONELAUNCH.FAX samples.\"\r\n md5 = \"d6220ca85c44e2012f76193b38881185\"\r\n strings:\r\n $str_method_a = \"OpenSubKey\" ascii\r\n $str_namespace = \"System.Reflection\" ascii\r\n $str_method_b = \"[Environment]::GetEnvironmentVariable(\" wide\r\n \r\n $ilasmx86_sequence_encoding_a = { 0A 06 02 7D [3] 04 00 16 06 }\r\n $ilasmx86_sequence_encoding_b = { 72 [3] 70 72 [3] 70 6F ?? 
00 00 0A }\r\n condition:\r\n uint16(0) == 0x5A4D and all of ($str_*) and\r\n (\r\n $ilasmx86_sequence_encoding_a and #ilasmx86_sequence_encoding_b \u003e= 16\r\n )\r\n}\r\nFONELAUNCH.FAX YARA rule\r\nrule M_Launcher_FONELAUNCH_2\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n description = \"Hunting rule looking for FONELAUNCH.DIALTONE samples.\"\r\n md5 = \"aef6d31b3249218d24a7f3682a00aa10\"\r\n strings:\r\n $ilasmx86_sequence_fprototype_a = { 1F 30 20 1B 00 10 00 28 }\r\n $ilasmx86_sequence_fprototype_b = { 26 11 ?? 11 ?? 07 6A 20 ?? 30 00 00 1F 40 28 }\r\n $ilasmx86_sequence_encoding_a = { 0A 06 02 7D [3] 04 00 16 06 }\r\n $ilasmx86_sequence_encoding_b = { 72 [3] 70 72 [3] 70 6F ?? 00 00 0A }\r\n condition:\r\n uint16(0) == 0x5A4D and all of ($ilasmx86_sequence_fprototype_*) and\r\n (\r\n $ilasmx86_sequence_encoding_a and #ilasmx86_sequence_encoding_b \u003e= 16\r\n )\r\n}\r\nFONELAUNCH.DIALTONE YARA rule\r\nrule M_Launcher_FONELAUNCH_3\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n description = \"Hunting rule looking for FONELAUNCH.PHONE samples.\"\r\n md5 = \"ec17564ac3e10530f11a455a475f9763\"\r\n \r\n strings:\r\n $str_winfunction = \"LoadLibrary\" ascii\r\n $str_registrykey = \"SOFTWARE\\\\\" wide\r\n $str_constant = \"PAGE_EXECUTE_READWRITE\" ascii\r\n $ilasmx86_sequence_encoding_a = { 0A 06 02 7D [3] 04 00 16 06 }\r\n $ilasmx86_sequence_encoding_b = { 72 [3] 70 72 [3] 70 6F ?? 
00 00 0A }\r\n condition:\r\n uint16(0) == 0x5A4D and all of ($str_*) and\r\n (\r\n $ilasmx86_sequence_encoding_a and #ilasmx86_sequence_encoding_b \u003e= 16\r\n )\r\n}\r\nFONELAUNCH.PHONE YARA rule\r\nrule M_Downloader_GOOTLOADER_POWERSHELL\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n description = \"Hunting rule looking for GOOTLOADER.POWERSHELL samples.\"\r\n md5 = \"2567a2bca964504709820de7052d3486\"\r\n strings:\r\n $ps_object_a = \".IsLink\" ascii\r\n $ps_object_b = \".IsFolder\" ascii\r\n $ps_object_c = \".IsFileSystem\" ascii\r\n $ps_code_parseresponse = \"[1] -replace\" ascii nocase\r\n $ps_code_httpheader = \".Headers.Add(\\\"Cookie:\" ascii nocase\r\n $ps_code_concatenatedata = \"([String]::Join(\\\"|\" ascii nocase\r\n condition:\r\n all of ($ps_code_*) and any of ($ps_object_*)\r\n}\r\nGOOTLOADER.POWERSHELL YARA rule\r\nimport \"pe\"\r\nrule M_Hunting_Win_FONELAUNCH\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n description = \"Hunting rule looking for suspicious version information metadata observed in FONELAUNCH samples\"\r\n md5 = \"35238d2a4626e7a1b89b13042f9390e9\"\r\n strings:\r\n $m1 = { 49 00 6E 00 74 00 65 00 72 00 6E 00 61 00 6C 00 4E 00 61 00 6D 00 65 00 00 00 70 00 6F 00 77 00 65 00 72 0\r\n $m2 = { 4F 00 72 00 69 00 67 00 69 00 6E 00 61 00 6C 00 46 00 69 00 6C 00 65 00 6E 00 61 00 6D 00 65 00 00 00 70 0\r\n \r\n condition:\r\n filesize \u003c 15MB and uint16(0) == 0x5a4d and uint32(uint32(0x3C)) == 0x00004550 and (pe.version_info[\"OriginalFilen\r\n}\r\nFONELAUNCH YARA rule\r\nDetection Techniques\r\nTrellix Endpoint Security\r\n  SUSPICIOUS POWERSHELL USAGE B (METHODOLOGY)\r\n  Powershell Encoded Command\r\n  JS loader extracted from ZIP file\r\n  Potential GootLoader File\r\n  CRITICAL: JS loader extracted from ZIP file\r\nTrellix Endpoint Security (Hunting)\r\n  WSCRIPT WRITES LARGE REG KEY VALUE (METHODOLOGY)\r\n  EXPLORER LAUNCHING WSCRIPT (METHODOLOGY)\r\n  FILEWRITE TO ARCHIVE (FILETRACKER)\r\nMicrosoft Defender for Endpoint\r\n  Suspicious PowerShell command line\r\n  Suspicious file launch\r\n  Suspicious JavaScript process\r\n  An active 'Gootkit' malware in a PowerShell script was detected while executing via AMSI\r\n  An active 'Gootkit' malware in a PowerShell script was prevented from executing via AMSI\r\nTrellix Network Security\r\n  Downloader.JS.GOOTLOADER\r\n  Backdoor.BEACON\r\n  M.Malicious.SSL.Certificate.[CobaltStrike]\r\n  M.Malicious.SSL.Certificate.[146473198]\r\nMalware Definitions\r\nBEACON\r\nBEACON is a backdoor written in C/C++ that is part of the Cobalt Strike framework. Supported backdoor commands\r\ninclude shell command execution, file transfer, file execution, and file management. BEACON can also capture keystrokes\r\nand screenshots as well as act as a proxy server. BEACON may also be tasked with harvesting system credentials, port\r\nscanning, and enumerating systems on a network. BEACON communicates with a C2 server via HTTP or DNS.\r\nFONELAUNCH\r\nFONELAUNCH is a .NET-based loader that loads an encoded payload from the registry into memory.\r\nGOOTLOADER\r\nGOOTLOADER is a JavaScript downloader that comes in an obfuscated form. It downloads another JavaScript file which\r\ndrops and executes the intended payload.\r\nGOOTLOADER.POWERSHELL\r\nGOOTLOADER.POWERSHELL is a variant of the GOOTLOADER downloader that was rewritten in PowerShell and\r\nretrieves payloads via HTTP. Prior to obtaining the payload, the downloader collects specific victim host information,\r\nincluding current Windows OS version, environment variables, list of files and running processes, and sends this\r\ninformation to one of ten hard-coded C2 URLs. 
We have observed instances where several decoy URLs were distributed\r\namongst the list of hard-coded C2s.\r\nSNOWCONE\r\nSNOWCONE is a family of downloaders that retrieve their next stage payloads via HTTP and have historically been\r\nobserved to download ICEDID.\r\nAcknowledgements\r\nNg Choon Kiat, David Lindquist, Yash Gupta, Jonathan Lepore, Tufail Ahmed and Moritz Raabe\r\nPosted in Threat Intelligence\r\nSource: https://www.mandiant.com/resources/blog/tracking-evolution-gootloader-operations",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.mandiant.com/resources/blog/tracking-evolution-gootloader-operations"
	],
	"report_names": [
		"tracking-evolution-gootloader-operations"
	],
	"threat_actors": [
		{
			"id": "fc7f0460-0a66-4178-9c5b-75abb22b87b0",
			"created_at": "2023-11-08T02:00:07.15123Z",
			"updated_at": "2026-04-10T02:00:03.427759Z",
			"deleted_at": null,
			"main_name": "UNC2565",
			"aliases": [
				"Hive0127"
			],
			"source_name": "MISPGALAXY:UNC2565",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434073,
	"ts_updated_at": 1775791992,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f4af0ed1d818560f0d84266436ccfe4ee67fcc74.pdf",
		"text": "https://archive.orkl.eu/f4af0ed1d818560f0d84266436ccfe4ee67fcc74.txt",
		"img": "https://archive.orkl.eu/f4af0ed1d818560f0d84266436ccfe4ee67fcc74.jpg"
	}
}