Gootloader Malware Returns Stronger with New Evasion Tricks

After a seven-month silence, Gootloader malware has made a striking return with an upgraded campaign that blends deception and technical precision. Security researchers report that the attackers now rely on fake legal template sites, advanced evasion tricks, and fresh persistence methods to slip past modern defenses. What once began as a simple loader has evolved into a refined infection chain capable of delivering a wide range of follow-up payloads.

How the Infection Begins

The new campaign starts where Gootloader has always excelled: search manipulation. Attackers create websites that mimic legitimate platforms offering contracts, legal agreements, or policy templates. These pages are carefully optimized to appear at the top of search results, tricking users who are looking for genuine forms.

Once on the page, visitors see a familiar “Download Document” button. Clicking it delivers a ZIP archive that hides a malicious JavaScript file. When the victim extracts the archive through Windows Explorer, the loader executes automatically. The script then connects to remote servers, fetching additional tools such as backdoors, data harvesters, or ransomware loaders.

Advanced Evasion Tactics

This latest version of Gootloader malware demonstrates how far attackers are willing to go to stay undetected. One of its most creative defenses lies in the use of a custom web font that replaces normal text with altered glyphs. To human eyes, the page looks legitimate, but automated scanners see only meaningless symbols. This subtle shift prevents analysts and search filters from detecting suspicious keywords or commands embedded in the code.

Another major innovation is the use of malformed ZIP archives. These archives behave differently depending on how they are opened. Windows Explorer exposes the true JavaScript payload, while many analysis tools only display an innocent-looking text file. This inconsistency allows the infection to slip through many antivirus and sandbox systems without detection.
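The disagreement described above is something a defender can test for directly: a ZIP has two independent indexes, the central directory at the end of the file and the chain of local file headers at the front, and well-formed archives agree on both. The following Python script is an added example, not code from the original article or from any Gootloader analysis. It builds a constructed sample by concatenating two complete archives (one way to make the two views diverge; whether that is the exact trick the campaign uses is not stated here) and flags any archive where the two listings differ or where a script entry is present. Names such as `Contract_Template.txt` are invented for the example.

```python
import io
import struct
import zipfile

LOCAL_HEADER_SIG = b"PK\x03\x04"
LOCAL_HEADER_FMT = "<HHHHHIIIHH"   # the 26 bytes that follow the 4-byte signature
SCRIPT_EXTS = (".js", ".jse", ".wsf")  # extensions Windows Script Host will execute


def build_zip(entries):
    """Build a well-formed in-memory ZIP from a {name: bytes} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def central_directory_names(blob):
    """Entries seen by a reader that trusts the end-of-central-directory record."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return [info.filename for info in zf.infolist()]


def local_header_names(blob):
    """Entries seen by a reader that walks local file headers from offset 0."""
    names = []
    pos = blob.find(LOCAL_HEADER_SIG)
    while pos >= 0 and pos + 30 <= len(blob):
        (_ver, flags, _method, _time, _date, _crc,
         csize, _usize, nlen, xlen) = struct.unpack_from(LOCAL_HEADER_FMT, blob, pos + 4)
        names.append(blob[pos + 30:pos + 30 + nlen].decode("utf-8", "replace"))
        # Skip header, name, extra field and stored data. If flag bit 3 is set the
        # sizes live in a trailing data descriptor and csize is zero here, so the
        # search simply resumes right after the header.
        skip = 0 if flags & 0x08 else csize
        pos = blob.find(LOCAL_HEADER_SIG, pos + 30 + nlen + xlen + skip)
    return names


def audit_zip(blob):
    """Compare both views of the archive and explain why it looks suspicious."""
    central = central_directory_names(blob)
    local = local_header_names(blob)
    reasons = []
    if sorted(central) != sorted(local):
        hidden = sorted(set(local) - set(central))
        reasons.append(f"local headers not listed in central directory: {hidden}")
    scripts = sorted(n for n in set(central) | set(local) if n.lower().endswith(SCRIPT_EXTS))
    if scripts:
        reasons.append(f"script entries present: {scripts}")
    return {"central": central, "local": local, "suspicious": bool(reasons), "reasons": reasons}


# Constructed sample: two complete archives glued together. A central-directory
# reader honours the trailing archive's end record and lists only the text file;
# a sequential walk over local headers also finds the script in the first half.
FIRST = build_zip({"Contract_Template.js": b"// inert placeholder, constructed for this example\n"})
SECOND = build_zip({"Contract_Template.txt": b"Plain text placeholder (constructed sample).\n"})
SAMPLE = FIRST + SECOND

if __name__ == "__main__":
    report = audit_zip(SAMPLE)
    print("central directory view:", report["central"])
    print("local header view:     ", report["local"])
    for reason in report["reasons"]:
        print("flag:", reason)
```

Run on the constructed sample, the central-directory view reports only `Contract_Template.txt` while the local-header walk reports both entries, and the audit flags the archive. A mail gateway or sandbox pre-filter that only honours one index will miss one of the two files, which is exactly the gap the article describes.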

Attackers also replaced their old persistence technique. Instead of scheduled tasks, they now rely on shortcut (LNK) files planted in the Startup folder. These files use short, cryptic names and even custom hotkeys to quietly reload the malware every time the system restarts.

What Happens After Infection

Once the loader is active, operators waste no time. They begin mapping the network, collecting credentials, and moving laterally through systems using WinRM. In many observed cases, the infection eventually leads to the deployment of the Supper SOCKS5 backdoor, a stealthy tool that enables remote access and continuous control over compromised machines. This swift post-exploitation phase allows threat actors to steal data or stage ransomware attacks within hours of initial compromise.

How to Defend Against the Threat

Traditional signature-based defenses struggle against these adaptive techniques. Security teams should focus on behavioral indicators instead: ZIP files containing JavaScript payloads, script-based PowerShell execution, and unusual startup shortcuts are all strong warning signs. Filtering access to unknown “document template” sites and inspecting embedded web fonts for obfuscation can also help block initial infection.
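The behavioral indicators listed here, together with the Startup-folder shortcut persistence described earlier, translate into a small set of rules that can run over endpoint telemetry. The script below is an added example written for this post, not code from the original article or from any vendor product. The events are constructed in a simplified Sysmon-like shape (process creation with image, parent and command line; file creation with path and writing process); the field names, user name and paths are all invented. The rules flag a script host launching a JavaScript file straight out of an archive, a script host spawning PowerShell, and `.lnk` files appearing in a Startup folder, with severity scaled by who wrote them and how cryptic the name is.

```python
import ntpath
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTS = (".js", ".jse", ".wsf")
# Matches both the per-user and the all-users Startup folders.
STARTUP_LNK_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.IGNORECASE)


def basename(path):
    return ntpath.basename(path).lower()


def cmdline_tokens(cmdline):
    """Split a Windows command line, honouring double-quoted paths."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def rule_script_host_runs_js(ev):
    """wscript/cscript executing a script file; higher severity when the path
    shows it was opened directly from inside a ZIP via Explorer."""
    if ev["type"] != "process" or basename(ev["image"]) not in SCRIPT_HOSTS:
        return None
    scripts = [t for t in cmdline_tokens(ev["cmdline"]) if t.lower().endswith(SCRIPT_EXTS)]
    if not scripts:
        return None
    from_archive = ".zip\\" in scripts[0].lower() and basename(ev["parent"]) == "explorer.exe"
    return ("script_host_runs_js", "high" if from_archive else "medium", scripts[0])


def rule_script_host_spawns_powershell(ev):
    """Script-based PowerShell execution: PowerShell whose parent is a script host."""
    if (ev["type"] == "process" and basename(ev["parent"]) in SCRIPT_HOSTS
            and basename(ev["image"]) == "powershell.exe"):
        return ("script_host_spawns_powershell", "high", ev["cmdline"])
    return None


def rule_startup_lnk(ev):
    """Shortcut dropped into a Startup folder. Installers do this legitimately,
    so severity depends on the writing process and on a short, cryptic name."""
    if ev["type"] != "file" or not STARTUP_LNK_RE.search(ev["path"]):
        return None
    stem = ntpath.splitext(basename(ev["path"]))[0]
    if basename(ev["image"]) in SCRIPT_HOSTS | {"powershell.exe"}:
        return ("startup_lnk_written_by_script", "high", ev["path"])
    if len(stem) <= 3:
        return ("startup_lnk_short_name", "medium", ev["path"])
    return ("startup_lnk_created", "low", ev["path"])


RULES = [rule_script_host_runs_js, rule_script_host_spawns_powershell, rule_startup_lnk]


def evaluate(events):
    """Run every rule over every event and collect alerts in event order."""
    alerts = []
    for idx, ev in enumerate(events):
        for rule in RULES:
            hit = rule(ev)
            if hit:
                alerts.append({"event": idx, "rule": hit[0], "severity": hit[1], "detail": hit[2]})
    return alerts


# Constructed telemetry: one intrusion-like sequence plus two benign events.
EVENTS = [
    {"type": "process", "image": r"C:\Windows\explorer.exe", "parent": "", "cmdline": "explorer.exe"},
    {"type": "process", "image": r"C:\Windows\System32\wscript.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\AppData\Local\Temp\Temp1_Contract_Template.zip\Contract_Template.js"'},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\wscript.exe",
     "cmdline": "powershell.exe -NoProfile -WindowStyle Hidden -File <placeholder>.ps1"},
    {"type": "file", "image": r"C:\Windows\System32\wscript.exe",
     "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kx.lnk"},
    {"type": "file", "image": r"C:\Program Files\ExampleApp\setup.exe",
     "path": r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ExampleApp.lnk"},
    {"type": "process", "image": r"C:\Windows\System32\notepad.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": "notepad.exe"},
]

if __name__ == "__main__":
    for alert in evaluate(EVENTS):
        print(f"[{alert['severity']:6}] event {alert['event']}: {alert['rule']} -> {alert['detail']}")
```

On the constructed events the three intrusion-like records each produce a high-severity alert, the installer's shortcut produces only a low-severity review item, and the benign Explorer and Notepad processes produce nothing. The parent-child relationship (Explorer to script host to PowerShell) is the signal worth alerting on; the file names themselves will change from campaign to campaign.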

User awareness plays an equally important role. Employees should be trained to download legal or business templates only from verified sources, never from random search results. Each avoided click can prevent a potential intrusion.

Final Thoughts

The new Gootloader malware campaign highlights how persistent and innovative threat actors can be. By combining search engine deception, font-based obfuscation, and advanced archive manipulation, the group behind Gootloader has built a campaign that tests the limits of modern detection tools. Organizations that adapt quickly, focusing on behavioral analysis, strict download policies, and better user training, will stand the best chance of stopping it before it spreads again.

Janet Andersen

Janet is an experienced content creator with a strong focus on cybersecurity and online privacy. With extensive experience in the field, she’s passionate about crafting in-depth reviews and guides that help readers make informed decisions about digital security tools. When she’s not managing the site, she loves staying on top of the latest trends in the digital world.