Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now

GootLoader

120
Global rank
98 infographic chevron month
Month rank
99 infographic chevron week
Week rank
0
IOCs

GootLoader is an initial-access-as-a-service malware that operates by delivering the GootKit banking trojan and other malicious payloads. It utilizes techniques such as fileless execution and process injection to avoid detection. The malware is often distributed through SEO poisoning and compromised websites, deceiving users into downloading infected files.

Loader
Type
Unknown
Origin
1 November, 2020
First seen
13 March, 2025
Last seen

How to analyze GootLoader with ANY.RUN

Type
Unknown
Origin
1 November, 2020
First seen
13 March, 2025
Last seen

IOCs

Domains
thetripgoeson.com
filorga.com
serialowy.pl
skymedia360.com
1worldsync.com
breadoflifetabernacle.com
hcss.nl
shareddata.org
dunkandjump.com
nickthomm.com
beechdesigngroup.com
assistironline.net
dentalofficeathens.gr
burmancoffee.com
tonyevers.com
lyngsfjord.com
dexacoin.net
aracelicolin.org.mx
hozoboz.com
labbunnies.eu
Last Seen at

Recent blog posts

post image
New Pre-Installed Dev Tools for Deep Sandbox...
watchers 463
comments 0
post image
AI Safety: Key Threats and Solutions 
watchers 549
comments 0
post image
5 Common Evasion Techniques in Malware 
watchers 750
comments 0

What is GootLoader malware?

GootLoader is a loader malware initially designed to distribute the GootKit banking trojan. Operated by the UNC2565 threat group, today it functions as initial-access-as-a-service software, catering to cybercriminals who aim to deploy their malware, like Cobalt Strike, on already infected machines. While GootKit has been in circulation since 2014, GootLoader was introduced more recently in 2021. Campaigns involving GootLoader target users visiting hijacked WordPress websites and online forums. Attackers inject malicious code into these pages, deceiving visitors into downloading fake legal documents, which, in reality, turn out to be malicious files designed to infect their systems of GootLoader.

GootLoader analysis inside ANY.RUN Sandbox GootLoader analysis inside the ANY.RUN sandbox

To observe the entire GootLoader infection process, use ANY.RUN’s Interactive Sandbox that provides a safe virtual environment for hands-on analysis of cyber threats.

Check out this sandbox session showing the detonation of a GootLoader sample.

Get started today for free

Analyze malware and phishing in a fully-interactive sandbox

Create free account

GootLoader malware technical details

GootLoader employs a multi-stage execution process, characterized by several advanced capabilities:

  • Memory-only execution: The second stage of GootLoader deploys entirely in memory without writing to disk, making it difficult for traditional antivirus solutions to detect.
  • Encryption and obfuscation: The malware utilizes encryption and obfuscation techniques to conceal its activities and avoid detection by security tools.
  • External payload fetching: The second-stage payload is typically fetched from an external URL hardcoded in the malware, ensuring that the malicious code is not stored locally on the infected machine. See how you can easily extract hardcoded data with the ANY.RUN sandbox.
  • Evasion techniques: GootLoader performs evasion by sleeping, which helps it avoid detection by delaying its activities and blending in with legitimate processes.
  • Persistence mechanisms: To ensure it remains active on the infected system, GootLoader modifies the registry and adds an autorun entry, allowing it to execute automatically on system startup.
  • Process injection: The malware uses process injection to hijack legitimate Windows utilities with malicious code, further complicating detection and analysis.
  • Malware deployment: GootLoader is capable of dropping various types of malware, including GootKit and Cobalt Strike, expanding its potential for damage and data exfiltration.
  • Lateral movement: The latest versions of GootLoader are equipped with the ability to move laterally within a network, spreading the infection to other connected devices.

GootLoader execution process

GootLoader's infection process involves several steps. It usually starts when someone visits a compromised website and downloads a malicious archive, often disguised as a legitimate document like a template or contract. This archive typically contains a JavaScript file.

GootLoader graph inside ANY.RUN Sandbox GootLoader process graph inside the ANY.RUN sandbox

When the file is opened, the first stage of infection begins. It uses Windows Script Host (wscript) to run an obfuscated JavaScript payload. This payload creates a scheduled task to ensure the infection persists, leading to the execution of a second obfuscated JavaScript file stored on the disk.

GootLoader process inside ANY.RUN Sandbox GootLoader script execution inside the ANY.RUN sandbox

In the second stage, the execution shifts from wscript to cscript, which runs as a child process. This allows a PowerShell script to run, further deobfuscating and executing more malicious code. The PowerShell script collects information from the infected system, such as operating system details, running processes, and environment variables. It can also check the system's location and use sleep commands. The collected information is then compressed, encoded, and sent to a command-and-control (C2) server.

GootLoader Suricata inside ANY.RUN Sandbox Suricata IDS detection of GootLoader inside the ANY.RUN sandbox

The third stage involves executing additional payloads, which might include components like a Cobalt Strike beacon or other malware. These payloads are often written into Windows Registry keys to ensure they persist and remain active even after the system is rebooted. GootLoader's use of obfuscation techniques makes it hard for traditional security methods to detect. Its sophisticated infection process highlights its effectiveness as a persistent threat to enterprise environments.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

Collect Cyber Threat Intelligence on GootLoader

To stay informed about the latest GootLoader samples and attacks, use Threat Intelligence Lookup from ANY.RUN. This tool lets you access a large database filled with findings from millions of malware analyses done in the ANY.RUN sandbox.

With over 40 search options, including IPs, domains, file names, and process details, you can easily find relevant information about threats like GootLoader.

GootLoader search in TI Lookup GootLoader search results in TI Lookup

You can search directly by the threat name or use related clues like hash values or network connections. By entering a query like threatName:"GootLoader" AND domain:"", you'll get a list of files, events, domain names, and other data from GootLoader samples. These results, along with sandbox sessions, help you understand the malware's behavior in detail.

Integrate ANY.RUN’s threat intelligence solutions in your company

Contact us

GootLoader malware distribution methods

GootLoader uses SEO poisoning to rank attacker-controlled websites high in search results, ensuring that potential victims are more likely to encounter these malicious sites.

Once victims visit these websites, they are prompted to download files such as contract templates and other legal documents that appear legitimate and relevant to them.

These files are usually archives containing .js scripts that serve as the first stage of the GootLoader infection. By disguising malicious files as legitimate documents, the attackers increase the likelihood of successful infection.

Conclusion

GootLoader’s ability to evade detection through memory-only execution, encryption, and process injection makes it a serious threat for traditional security measures. The use of SEO poisoning to distribute the malware further complicates efforts to prevent its spread, as it targets unsuspecting users searching for legitimate information.

To proactively identify and mitigate the risks associated with GootLoader, organizations can use tools such as the interactive malware sandbox from ANY.RUN. This sandbox provides a controlled environment for analyzing suspicious files, allowing security teams to detect and understand the behavior of GootLoader and other malicious software.

Sign up for a free ANY.RUN account to analyze your first file or URL now

HAVE A LOOK AT

Backdoor screenshot
Backdoor
backdoor
A backdoor is a type of cybersecurity threat that allows attackers to secretly compromise a system and conduct malicious activities, such as stealing data and modifying files. Backdoors can be difficult to detect, as they often use legitimate system applications to evade defense mechanisms. Threat actors often utilize special malware, such as PlugX, to establish backdoors on target devices.
Read More
Loader screenshot
Loader
loader downloader
A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.
Read More
AsyncRAT screenshot
AsyncRAT
asyncrat
AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions.
Read More