Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now

GootLoader

115
Global rank
102 infographic chevron month
Month rank
131 infographic chevron week
Week rank
0
IOCs

GootLoader is an initial-access-as-a-service malware that operates by delivering the GootKit banking trojan and other malicious payloads. It utilizes techniques such as fileless execution and process injection to avoid detection. The malware is often distributed through SEO poisoning and compromised websites, deceiving users into downloading infected files.

Loader
Type
Unknown
Origin
1 November, 2020
First seen
30 January, 2025
Last seen

How to analyze GootLoader with ANY.RUN

Type
Unknown
Origin
1 November, 2020
First seen
30 January, 2025
Last seen

IOCs

Domains
thetripgoeson.com
filorga.com
serialowy.pl
skymedia360.com
1worldsync.com
breadoflifetabernacle.com
hcss.nl
shareddata.org
dunkandjump.com
nickthomm.com
beechdesigngroup.com
assistironline.net
dentalofficeathens.gr
burmancoffee.com
tonyevers.com
lyngsfjord.com
dexacoin.net
aracelicolin.org.mx
hozoboz.com
labbunnies.eu
Last Seen at

Recent blog posts

post image
Instant URL Analysis: Use Safebrowsing via AN...
watchers 533
comments 0
post image
Cyber Attacks on DeepSeek AI: What Really Hap...
watchers 1403
comments 0
post image
Release Notes: System Updates, New YARA and S...
watchers 4980
comments 0

What is GootLoader malware?

GootLoader is a loader malware initially designed to distribute the GootKit banking trojan. Operated by the UNC2565 threat group, today it functions as initial-access-as-a-service software, catering to cybercriminals who aim to deploy their malware, like Cobalt Strike, on already infected machines. While GootKit has been in circulation since 2014, GootLoader was introduced more recently in 2021. Campaigns involving GootLoader target users visiting hijacked WordPress websites and online forums. Attackers inject malicious code into these pages, deceiving visitors into downloading fake legal documents, which, in reality, turn out to be malicious files designed to infect their systems of GootLoader.

GootLoader analysis inside ANY.RUN Sandbox GootLoader analysis inside the ANY.RUN sandbox

To observe the entire GootLoader infection process, use ANY.RUN’s Interactive Sandbox that provides a safe virtual environment for hands-on analysis of cyber threats.

Check out this sandbox session showing the detonation of a GootLoader sample.

Get started today for free

Analyze malware and phishing in a fully-interactive sandbox

Create free account

GootLoader malware technical details

GootLoader employs a multi-stage execution process, characterized by several advanced capabilities:

  • Memory-only execution: The second stage of GootLoader deploys entirely in memory without writing to disk, making it difficult for traditional antivirus solutions to detect.
  • Encryption and obfuscation: The malware utilizes encryption and obfuscation techniques to conceal its activities and avoid detection by security tools.
  • External payload fetching: The second-stage payload is typically fetched from an external URL hardcoded in the malware, ensuring that the malicious code is not stored locally on the infected machine. See how you can easily extract hardcoded data with the ANY.RUN sandbox.
  • Evasion techniques: GootLoader performs evasion by sleeping, which helps it avoid detection by delaying its activities and blending in with legitimate processes.
  • Persistence mechanisms: To ensure it remains active on the infected system, GootLoader modifies the registry and adds an autorun entry, allowing it to execute automatically on system startup.
  • Process injection: The malware uses process injection to hijack legitimate Windows utilities with malicious code, further complicating detection and analysis.
  • Malware deployment: GootLoader is capable of dropping various types of malware, including GootKit and Cobalt Strike, expanding its potential for damage and data exfiltration.
  • Lateral movement: The latest versions of GootLoader are equipped with the ability to move laterally within a network, spreading the infection to other connected devices.

GootLoader execution process

GootLoader's infection process involves several steps. It usually starts when someone visits a compromised website and downloads a malicious archive, often disguised as a legitimate document like a template or contract. This archive typically contains a JavaScript file.

GootLoader graph inside ANY.RUN Sandbox GootLoader process graph inside the ANY.RUN sandbox

When the file is opened, the first stage of infection begins. It uses Windows Script Host (wscript) to run an obfuscated JavaScript payload. This payload creates a scheduled task to ensure the infection persists, leading to the execution of a second obfuscated JavaScript file stored on the disk.

GootLoader process inside ANY.RUN Sandbox GootLoader script execution inside the ANY.RUN sandbox

In the second stage, the execution shifts from wscript to cscript, which runs as a child process. This allows a PowerShell script to run, further deobfuscating and executing more malicious code. The PowerShell script collects information from the infected system, such as operating system details, running processes, and environment variables. It can also check the system's location and use sleep commands. The collected information is then compressed, encoded, and sent to a command-and-control (C2) server.

GootLoader Suricata inside ANY.RUN Sandbox Suricata IDS detection of GootLoader inside the ANY.RUN sandbox

The third stage involves executing additional payloads, which might include components like a Cobalt Strike beacon or other malware. These payloads are often written into Windows Registry keys to ensure they persist and remain active even after the system is rebooted. GootLoader's use of obfuscation techniques makes it hard for traditional security methods to detect. Its sophisticated infection process highlights its effectiveness as a persistent threat to enterprise environments.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

Collect Cyber Threat Intelligence on GootLoader

To stay informed about the latest GootLoader samples and attacks, use Threat Intelligence Lookup from ANY.RUN. This tool lets you access a large database filled with findings from millions of malware analyses done in the ANY.RUN sandbox.

With over 40 search options, including IPs, domains, file names, and process details, you can easily find relevant information about threats like GootLoader.

GootLoader search in TI Lookup GootLoader search results in TI Lookup

You can search directly by the threat name or use related clues like hash values or network connections. By entering a query like threatName:"GootLoader" AND domain:"", you'll get a list of files, events, domain names, and other data from GootLoader samples. These results, along with sandbox sessions, help you understand the malware's behavior in detail.

Integrate ANY.RUN’s threat intelligence solutions in your company

Contact us

GootLoader malware distribution methods

GootLoader uses SEO poisoning to rank attacker-controlled websites high in search results, ensuring that potential victims are more likely to encounter these malicious sites.

Once victims visit these websites, they are prompted to download files such as contract templates and other legal documents that appear legitimate and relevant to them.

These files are usually archives containing .js scripts that serve as the first stage of the GootLoader infection. By disguising malicious files as legitimate documents, the attackers increase the likelihood of successful infection.

Conclusion

GootLoader’s ability to evade detection through memory-only execution, encryption, and process injection makes it a serious threat for traditional security measures. The use of SEO poisoning to distribute the malware further complicates efforts to prevent its spread, as it targets unsuspecting users searching for legitimate information.

To proactively identify and mitigate the risks associated with GootLoader, organizations can use tools such as the interactive malware sandbox from ANY.RUN. This sandbox provides a controlled environment for analyzing suspicious files, allowing security teams to detect and understand the behavior of GootLoader and other malicious software.

Sign up for a free ANY.RUN account to analyze your first file or URL now

HAVE A LOOK AT

Meduza Stealer screenshot
Meduza Stealer is an information-stealing malware primarily targeting Windows systems, designed to harvest sensitive data such as login credentials, browsing histories, cookies, cryptocurrency wallets, and password manager data. It has advanced anti-detection mechanisms, allowing it to evade many antivirus programs. The malware is distributed through various means, including phishing emails and malicious links. It’s marketed on underground forums and Telegram channels.
Read More
MetaStealer screenshot
MetaStealer
metastealer
MetaStealer is an info-stealing malware primarily targeting sensitive data like login credentials, payment details, and browser history. It typically infects systems via phishing emails or malicious downloads and can exfiltrate data to a command and control (C2) server. MetaStealer is known for its stealthy techniques, including evasion and persistence mechanisms, which make it difficult to detect. This malware has been actively used in various cyberattacks, particularly for financial theft and credential harvesting from individuals and organizations.
Read More
Bluesky Ransomware screenshot
BlueSky ransomware, first identified in June 2022, shares code similarities with other well-known ransomware families like Conti and Babuk. It primarily spreads via phishing emails and malicious links and can propagate through networks using SMB protocols. BlueSky uses advanced evasion techniques, such as hiding its processes from debuggers via the NtSetInformationThread API, making it difficult for analysts to detect and mitigate its attacks.
Read More
Bumblebee Loader screenshot
Bumblebee Loader
bumblebee
Bumblebee is a highly adaptable malware loader, often used by threat actors linked to the Conti and TrickBot cybercrime groups. Since its discovery in 2021, Bumblebee has been leveraged in phishing campaigns and email thread hijacking, primarily to distribute payloads like Cobalt Strike and ransomware. The malware employs obfuscation techniques, such as DLL injection and virtual environment detection, to avoid detection and sandbox analysis. Its command-and-control infrastructure and anti-analysis features allow it to persist on infected devices, where it enables further payload downloads and system compromise.
Read More
Play Ransomware screenshot
Play aka PlayCrypt ransomware group has been successfully targeting corporations, municipal entities, and infrastruction all over the world for about three years. It infiltrates networks via software vulnerabilities, phishing links and compromised websites. The ransomware abuses Windows system services to evade detection and maintain persistence. Play encrypts user files and steals sensitive data while demanding a ransom.
Read More
Lumma screenshot
Lumma
lumma
Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat.
Read More