Gootloader malware back for the attack, serves up ransomware

Summary

Gootloader, a long-running JavaScript-based loader used to deliver ransomware, has resurfaced. Security company Huntress observed three infections since 27 October 2025, two of which led to rapid hands-on-keyboard intrusions and domain controller compromise in as little as 17 hours. Operators identified are Storm-0494 for initial access and Vanilla Tempest (aka Rhysida) for post-exploitation and ransomware deployment. The campaign uses SEO poisoning, WordPress comment abuse to hide encrypted payloads, and novel obfuscation via custom WOFF2 web fonts to mask filenames.

Key Points

  • Three new Gootloader infections detected by Huntress since 27 Oct 2025; two escalated to full intrusions.
  • Threat actors operate as a partnership: Storm-0494 delivers initial access; Vanilla Tempest performs post-exploitation and deploys ransomware.
  • Attack chain is fast: domain controller compromise observed within 17 hours of initial execution.
  • Gootloader hides payloads using WordPress comment endpoints and obfuscates filenames with embedded custom WOFF2 fonts.
  • The loader drops persistence and remote access tools (e.g. multiple instances of the Supper SOCKS5 backdoor) within 10–20 minutes of execution.
  • Attackers used Windows Remote Management and Impacket to move laterally and locate backup snapshots before preparing ransomware.
  • Huntress has published IOCs and YARA rules for the TextShell obfuscator and Supper backdoor to help defenders hunt for infections.

Content summary

Huntress attributed recent infections to a Gootloader campaign operated by Storm-0494 that hands off compromised environments to the Vanilla Tempest ransomware group. The loader frequently arrives via SEO-poisoned search results and serves an encrypted JavaScript payload via compromised WordPress pages. A distinctive innovation in this wave is the use of custom WOFF2 fonts that render readable filenames in the browser while showing gibberish in source views, thwarting simple inspection. After execution the malware quickly establishes persistence and drops Supper SOCKS5 backdoors. In the documented incidents attackers performed reconnaissance from backdoors, then used Windows Remote Management and Impacket to reach and abuse a Domain Controller, locate backups, and prepare for encryption and backup removal. Huntress published detection artefacts and YARA rules to aid detection and response.
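The font trick described above means the characters in a page's source need not resemble the filename the victim sees rendered. As an added defensive illustration (not code from Huntress or The Register), the heuristic below flags text nodes styled with a web font embedded inline as a data: URI whose source characters do not read as words; the sample HTML, the base64 blob and the class names are constructed for the example, and the font is assumed to be applied through a CSS class or inline style.

```python
import re
from html.parser import HTMLParser

# Constructed sample page: a custom WOFF2 font (base64 blob is a placeholder) is
# applied only to the download link, whose text is unreadable in the source.
SAMPLE_HTML = """<style>
@font-face { font-family: 'wf9'; src: url(data:font/woff2;base64,d09GMgABAAAA) format('woff2'); }
.dl { font-family: 'wf9'; }
</style>
<p>Download the agreement template below.</p>
<a class="dl" href="/download.php?id=1">xq7_kzp-vvdqt.pd</a>
<a href="/about">About us</a>"""

FONT_FACE_RE = re.compile(r"@font-face\s*{([^}]*)}", re.I)
FAMILY_RE = re.compile(r"font-family\s*:\s*['\"]?([^;'\"}]+)", re.I)
INLINE_WOFF_RE = re.compile(r"url\(\s*['\"]?data:[^)]*woff", re.I)
CLASS_RULE_RE = re.compile(r"\.([\w-]+)\s*{([^}]*)}")

def looks_unreadable(text):
    """Heuristic: visible labels should read like words; almost no vowels
    suggests the glyph shapes, not the characters, carry the meaning."""
    letters = [c for c in text.lower() if c.isalpha()]
    return len(letters) >= 4 and sum(c in "aeiou" for c in letters) / len(letters) < 0.2

class FontMaskScanner(HTMLParser):
    """Collects <style> CSS and every text node with the classes / inline
    font-family of its enclosing elements."""
    def __init__(self):
        super().__init__()
        self.css, self.in_style, self.stack, self.texts = [], False, [], []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        self.in_style = tag == "style"
        markers = set(a.get("class", "").split())
        m = FAMILY_RE.search(a.get("style", ""))
        if m: markers.add("family:" + m.group(1).strip())
        self.stack.append(markers)
    def handle_endtag(self, tag):
        self.in_style = False
        if self.stack: self.stack.pop()
    def handle_data(self, data):
        if self.in_style: self.css.append(data)
        elif data.strip(): self.texts.append((set().union(*self.stack), data.strip()))

def find_font_masked_text(html):
    """Return source strings rendered with an inline-embedded web font that do
    not read as text in the source: candidates for the WOFF2 filename trick."""
    s = FontMaskScanner(); s.feed(html); css = "\n".join(s.css)
    embedded = {FAMILY_RE.search(b).group(1).strip() for b in FONT_FACE_RE.findall(css)
                if INLINE_WOFF_RE.search(b) and FAMILY_RE.search(b)}
    class_to_fam = {}
    for cls, body in CLASS_RULE_RE.findall(css):
        m = FAMILY_RE.search(body)
        if m: class_to_fam[cls] = m.group(1).strip()
    hits = []
    for markers, text in s.texts:
        fams = {class_to_fam.get(m) for m in markers} | {m[7:] for m in markers if m.startswith("family:")}
        if fams & embedded and looks_unreadable(text): hits.append(text)
    return hits
```

Flagged strings point the analyst at the font to extract and inspect; readable text that merely uses an embedded font is not reported.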

Context and relevance

This resurgence matters because it highlights the speed and operational maturity of modern ransomware ecosystems: specialised initial-access operators hand environments to extortion groups, enabling rapid escalation to encryption-ready states. Techniques like SEO poisoning, delivery through legitimate CMS comment endpoints, and font-based obfuscation make detection harder for defenders who rely on simple source analysis or signature-based controls. The campaign underscores the need for layered defences, timely EDR/NGAV detection, network segmentation, strict privilege management, and monitoring for lateral-movement tools such as Impacket and WinRM activity.

Why should I read this?

Look: if you run IT or security, or manage backups, this is the kind of threat that eats your weekend. Gootloader is back, it’s cleverer (hello WOFF2 font tricks), and it moves fast. Read this to know what to hunt for, why the window for response is measured in hours, and which IOCs and YARA rules Huntress released to help you catch it before it gets to your domain controllers.

Source

Source: https://go.theregister.com/feed/www.theregister.com/2025/11/06/gootloader_back_ransomware/