{
	"id": "3f9c00d7-7ee1-49aa-89ed-3b5a264049c8",
	"created_at": "2026-04-10T03:20:37.395358Z",
	"updated_at": "2026-04-10T13:12:38.368188Z",
	"deleted_at": null,
	"sha1_hash": "fd870bc7e357a63634fb2f0e639a1e6da8f41fcf",
	"title": "The Goot cause: Detecting Gootloader and its follow-on activity",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 127294,
	"plain_text": "The Goot cause: Detecting Gootloader and its follow-on activity\r\nBy Anna Seitz\r\nPublished: 2022-05-12 · Archived: 2026-04-10 03:03:28 UTC\r\nGootloader is a pervasive and enduring threat affecting enterprise organizations. Read on for context on recent\r\niterations of this threat and high-fidelity opportunities to detect known behaviors.\r\nOriginally published May 12, 2022. Last modified May 8, 2025.\r\nEDITOR’S NOTE: On November 18, 2022, we made substantial updates to the Execution section of this article\r\n(and minor changes to the Persistence and Detection sections) to reflect operational changes we’ve observed in\r\nGootloader campaigns in recent days and weeks. We used a strikethrough to call out the no-longer relevant TTPs\r\nin the Execution section and noted where the net new content starts thereafter. New detection opportunities are\r\nnoted as such.\r\nOver the past several years, Red Canary has routinely detected activity involving a threat known as Gootloader:\r\nmalware that can deliver additional payloads, siphon data from victims, and stealthily persist in a compromised\r\nenvironment. Gootloader was originally delivered via spam campaigns and older exploit kits. We’ve increasingly\r\nobserved Gootloader operators using search engine optimization (SEO) poisoning tactics to gain access to victims’\r\nenvironments and initiate multi-pronged intrusions involving follow-on payloads such as Cobalt Strike and\r\nGootkit.\r\nGootloader specifically represents a significant threat to enterprise environments because it is designed to deliver\r\nadditional malware. We included it as a highlighted threat in our 2022 Threat Detection Report, and it boasts a\r\nregular presence in our monthly top 10 rankings for Intelligence Insights. 
Despite the high volume of Gootloader\r\ninfections, there is relatively little reporting available on complete intrusion chains.\r\nDistinguishing Gootloader from Gootkit\r\nWe historically referred to both Gootloader and Gootkit under the same name of “Gootkit,” but after realizing\r\nothers in the community tracked these as different threats, we decided to do the same. Separating the initial\r\ndelivery and loader distinctly from the payload also allows us to better track variations in follow-on activity. We\r\ndecided to impose an analytic boundary (see below for the full intrusion chain) between Gootloader and Gootkit\r\nafter the execution of the .NET DLL module commonly observed in intrusion chains involving these threats. This\r\ndivision is consistent with parameters outlined by researchers from Kaspersky and allows us to account for\r\nvariations in activity observed after Gootloader more precisely. Though Gootkit may be a follow-on payload,\r\nwe’ve also observed other activity following Gootloader infections, including Cobalt Strike beacons and the Osiris\r\nbanking trojan.\r\nhttps://redcanary.com/blog/gootloader\r\nPage 1 of 10\n\nBelow you’ll find our analysis on Gootloader, the most prolific piece of the intrusion chain, and its capabilities.\r\nWe’re also including a graphic to highlight the boundary between Gootloader and its following payloads, along\r\nwith supplemental malware analysis.\r\nInitial access\r\nGootloader operators compromise legitimate infrastructure, such as WordPress blogs, and seed those sites with\r\ncommon keywords. Operators then use SEO techniques in an attempt to direct anyone entering those keywords\r\ninto a search engine to a site that lures users to download a ZIP file containing the initial Gootloader script.\r\nPrevious work from Sophos and other organizations covers this aspect of Gootloader in great detail. 
From our own\r\ninvestigations, we’ve discovered trends relating to possible search terms that lead users to Gootloader. It’s not\r\nclear if operators are specifically targeting individuals in specific functions across specific organizations, or if they\r\ncast a more opportunistic net, using common terms that potential victims may be more likely to seek out on their\r\nown.\r\nThe majority of the Gootloader campaigns we’ve observed involved initial malicious ZIP files containing the\r\nword “agreement” in the file name. We can identify victims’ search queries based on the name of the malicious\r\nZIP file that contains the Gootloader script. The malicious ZIP name is usually the user’s search query terms\r\njoined by dashes. For example, if a user searched for “mortgage subordination agreement,” the downloaded ZIP\r\nwould be named mortgage_subordination_agreement.zip .\r\nFigure 1: Gootloader intrusion chain\r\nExecution\r\nThe first stage of Gootloader on the endpoint is a JScript file extracted from a ZIP file and executed via\r\nwscript.exe . While these JScript files have been a common Gootloader entry point since December 2020, the\r\nscripts changed around October 2021 to masquerade as legitimate jQuery JavaScript library files. To achieve this\r\nmasquerading, the adversary creates scripts by mixing malicious Gootloader code with benign jQuery library\r\ncode, producing a file around 296KB in size.  
[Note: the following two sentences were added on November 18,\r\n2020 to reflect recent operational changes we’ve observed in recent Gootloader campaigns] While these\r\nJavaScript files have been a common entry point since December 2020, the adversary has changed them slightly\r\nto masquerade as legitimate code. First we observed malicious Gootloader code spliced together with code from\r\nthe jQuery JavaScript library to inflate file size and hinder analysis. Starting in November 2022, we began\r\nobserving Gootloader code getting spliced together with code from another JavaScript library named\r\nUnderscore.JS. In both iterations, the malicious code and harmless library code were combined together into the\r\nmalicious “agreement” files that executed on victim systems.\r\nGootloader queries the value of the USERDNSDOMAIN environment variable, which is a simple check to determine\r\nif the affected host is part of an Active Directory domain. This means that the malware specifically targets\r\nbusiness or enterprise victims that use Active Directory. On systems where the check passes, Gootloader pulls\r\ndown an additional JScript stage that executes in the same wscript.exe process. That stage contains two\r\nembedded payloads: a .NET DLL component and a Cobalt Strike beacon or other malware component. During\r\nexecution, these two payloads are written into Windows Registry keys to enable persistence.\r\nNOTE: We added the following behavioral descriptions and images to the Execution section of this article on\r\nNovember 18, 2022 to reflect recent operational changes we’ve observed in recent Gootloader campaigns.\r\nLately we’ve observed Gootloader writing a randomly named JavaScript file (initially with the extension .log )\r\nto appdata\\roaming using variations of random naming conventions. Interestingly, part of the file path almost\r\nalways seems to include the name of a legitimate software or security product. 
We’ve changed most of the\r\nfilenames included here to protect the innocent, but we found numerous examples—like the following—in a\r\npublic malware sandbox.\r\nLog\r\nC:\\Users\\Admin\\AppData\\Roaming\\Sun\\Financial Support.log\r\nC:\\Users\\Admin\\AppData\\Roaming\\Sun\\Virtual Currency.log\r\nJS\r\nSun\\Broker Price Opinion.js\r\nSun\\Progress Billing.js\r\nwscript.exe executes the initial JavaScript dropper ( how do I withdraw funds (epl).js ), unpacks a second\r\n.js file ( choice showing.js ), and then creates a scheduled task. This initiates a chain of execution where\r\ncscript.exe executes the second .js file along with an instance of PowerShell without any command line,\r\nwhich, in turn, passes an encoded command into a second PowerShell instance. The scheduled task is a\r\npersistence mechanism intended to run these commands again the next time the user logs in (more on this in the\r\nPersistence section).\r\nIt’s worth noting that the .js file name referenced in the cscript.exe command line (as shown in the images included in\r\nthis article) does not match the actual file name (i.e., CHOICE~1.JS != Choice Showing.js ). They are\r\nin fact the same file; the command line simply refers to it by its Windows short name.\r\nPersistence\r\nThe first PowerShell command referenced above retrieves the .NET DLL from the Windows Registry, reflectively\r\nloads it, and executes a function within the DLL named Test() .\r\nsleep -s 83;$opj=Get-ItemProperty -path (\"hk\"+\"cu:\\sof\"+\"tw\"+\"are\\mic\"+\"ros\"+\"oft\\Phone\\\"+[Environment]::(\"use\"\r\nThe second PowerShell command establishes persistence via a scheduled task using a combination of cmdlets.\r\nThe execution of the .NET DLL module is one of the main differentiators between traditional Gootkit and the\r\n
The initial instance of\r\nwscript.exe establishes persistence by creating a scheduled task to execute when the affected user logs in. It\r\npicks up execution at the cscript.exe stage.\r\n$a=\"[Base64 code]...\";$u=$env:USERNAME;Register-ScheduledTask $u -In (New-ScheduledTask -Ac (New-ScheduledTaskA\r\nFollow-on payload\r\nIn the .NET DLL module, the adversary implements code to pull an obfuscated payload (such as Cobalt Strike)\r\nfrom a Windows Registry key, remove the obfuscation, and then execute its contents. The decoding part is fairly\r\nstraightforward, using text replacement to shield the malware from cursory inspection. Follow-on payloads vary\r\nand have included Cobalt Strike, Gootkit, and Osiris. In the event Cobalt Strike is the follow-on payload, see our\r\nmalware analysis for more details.\r\nRed Canary recommends detecting Gootloader activity to catch this threat early in the intrusion chain. One\r\npotential detection idea is to look for the execution of PowerShell with the encoded command switch ( -enc ),\r\nwhich you can find here. See below for additional opportunities to identify Gootloader or follow-on activity in\r\nyour environment.\r\nNew detection opportunity: wscript.exe spawning cscript.exe and PowerShell\r\nThis detection opportunity identifies the chain of process executions—whereby wscript.exe spawns\r\ncscript.exe and cscript.exe spawns powershell.exe —described in the Execution section that we updated\r\non November 18, 2022.\r\nparent_process == ( wscript.exe )\r\n\u0026\u0026\r\nprocess == ( cscript.exe )\r\n\u0026\u0026\r\nchild_process == ( powershell.exe )\r\nDetection opportunity: Windows Script Host ( wscript.exe ) executing content from a user’s\r\nAppData folder\r\nThis detection opportunity identifies the Windows Script Host, wscript.exe , executing a JScript file from the\r\nuser’s AppData folder. 
This works well to detect instances where a user has double-clicked into a Gootloader ZIP\r\nfile and then double-clicked on the JScript script to execute it.\r\nprocess == ( wscript.exe )\r\n\u0026\u0026\r\nprocess_command_line_includes == appdata\\*.js\r\nDetection opportunity: PowerShell ( powershell.exe ) performing a reflective load of a .NET\r\nassembly\r\nThis detection opportunity identifies PowerShell loading a .NET assembly into memory for execution using the\r\nSystem.Reflection capabilities of the .NET Framework. This detects PowerShell loading the .NET component\r\nof Gootloader and multiple additional threats in the wild.\r\nprocess == ( powershell.exe )\r\n\u0026\u0026\r\nprocess_command_line_includes == Reflection.Assembly AND Load AND byte[]\r\nDetection opportunity: Rundll32 ( rundll32.exe ) with no command-line arguments\r\nThis detection opportunity identifies rundll32.exe executing with no command-line arguments as an injection\r\ntarget like we usually see for Cobalt Strike beacon injection. The beacon distributed by Gootloader in this instance\r\nused rundll32.exe , as do many other beacons found in the wild.\r\nprocess == rundll32.exe\r\n\u0026\u0026\r\ncommand_line_includes (“”)*\r\n\u0026\u0026\r\nhas_network_connection\r\n||\r\nhas_child_process\r\n*Note: “” indicates a blank command line.\r\nMitigation advice\r\nYou can prevent Gootloader from executing by changing the default file association for JScript files on your\r\nWindows systems. Consider using a Group Policy Object to associate JScript files with notepad.exe instead of\r\nwscript.exe . This will make the malicious scripts open in Notepad when a victim double-clicks on the file. For\r\nsuccessful execution, the victim would have to manually issue a wscript.exe command instead.\r\nAdditionally, a little bit of education can help mitigate Gootloader. 
In all of the instances we observed, victims\r\nwere seeking legal agreement documents via Google searches. Documenting safe places to obtain legal documents\r\ncan help prevent users from downloading potentially malicious files.\r\nSource: https://redcanary.com/blog/gootloader",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://redcanary.com/blog/gootloader"
	],
	"report_names": [
		"gootloader"
	],
	"threat_actors": [],
	"ts_created_at": 1775791237,
	"ts_updated_at": 1775826758,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fd870bc7e357a63634fb2f0e639a1e6da8f41fcf.pdf",
		"text": "https://archive.orkl.eu/fd870bc7e357a63634fb2f0e639a1e6da8f41fcf.txt",
		"img": "https://archive.orkl.eu/fd870bc7e357a63634fb2f0e639a1e6da8f41fcf.jpg"
	}
}