Gootloader Malware Threat Intel Advisory

CloudSEK threat intelligence advisory on Gootloader malware, a JavaScript-based infection framework that uses new techniques to deliver its payload.
Published on: March 9, 2021
Updated on: May 22, 2023
Advisory Type: Malware Intelligence
Malware Name: Gootloader
Target OS: Windows
Targeted Countries: North America, South Korea, Germany, France

Executive Summary

Gootloader is a JavaScript-based infection framework with a new mechanism for delivering its payload. Its operators have compromised over 400 servers that host legitimate websites; they edit the content of the compromised sites to insert seemingly legitimate forum-style discussions built around keywords that answer users' search queries. Gootloader operators use SEO (Search Engine Optimization) techniques so that Google indexes the compromised pages and surfaces them in its search results. The attack vector only works for certain countries and certain search engines (such as Google); if a visit does not match the loader's criteria, the search result leads to the legitimate webpage. Gootloader delivers the fileless GootKit RAT, REvil ransomware, Cobalt Strike, and the Kronos Trojan.

Technical Details

  • The initial payload is a single JavaScript file inside a ZIP archive, offered as a download link in the forum-style thread that potential victims land on. The JavaScript payload is obfuscated twice to evade endpoint protection tools.
  • When the script runs, it connects to the C2 server and receives a sequence of numbers representing the ASCII characters of the second-stage payload, which is loaded directly into memory and leaves no file on disk.
  • The second stage decodes the numeric values to text and writes keys and values in the registry under the HKCU\Software hive.
  • It also creates an autorun entry for a PowerShell script that runs at every boot and decodes and runs the .NET loader payload.
  • The PowerShell script creates a registry Run key as a failsafe so the payload executes again on the next reboot.
  • The .NET loader contains a Delphi-based loader. That loader carries two sequences of hexadecimal numbers in its code, each encoding an executable. The first is a legitimate executable that the loader launches; using process hollowing, the loader replaces that process's image with the second executable, which loads the Delphi component. The second executable is thus the final malicious payload: REvil, GootKit, Kronos, or Cobalt Strike.
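
The registry staging in the steps above (a second stage stored as numbers that map to ASCII characters under HKCU\Software, plus a PowerShell autorun in a Run key) leaves artifacts a responder can hunt for. The following is an added triage example written for this advisory; it is not CloudSEK's code and not any Gootloader component. The export format (key, value name, data triples), the key and value names and the sample data are constructed placeholders, and the delimiter set accepted by the decoder is an assumption, since the advisory only says "a sequence of numbers".

```python
"""Registry triage for the staging artifacts described in the advisory.

Added example (not CloudSEK's code and not Gootloader's). The export format,
key names, value names and sample data below are constructed placeholders;
the delimiter set for the numeric encoding is an assumption.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Decimal ASCII codes separated by whitespace, commas or semicolons (assumed).
_CODE_LIST_RE = re.compile(r"^\s*\d{1,3}(?:[\s,;]+\d{1,3})*\s*$")

# Tokens that make decoded text look like a script stage rather than plain data.
_SCRIPT_MARKERS = ("powershell", "function ", "invoke-", "iex", "frombase64string",
                   "reflection.assembly", "createobject", "wscript")


@dataclass
class Finding:
    key: str
    value_name: str
    reason: str


def decode_numeric_ascii(blob: str) -> Optional[str]:
    """Return the text behind a list of decimal ASCII codes, or None when the
    blob is not a clean list of printable codes (so it doubles as a detector)."""
    if not _CODE_LIST_RE.match(blob):
        return None
    codes = [int(tok) for tok in re.split(r"[\s,;]+", blob.strip())]
    if any(c > 126 or (c < 32 and c not in (9, 10, 13)) for c in codes):
        return None
    return "".join(chr(c) for c in codes)


def looks_like_script(text: str) -> bool:
    low = text.lower()
    return any(marker in low for marker in _SCRIPT_MARKERS)


def triage_export(rows: List[Tuple[str, str, str]]) -> List[Finding]:
    """Flag numeric-ASCII values under HKCU\\Software that decode to script
    text, and Run-key values that launch PowerShell."""
    findings = []
    for key, name, data in rows:
        ukey = key.upper()
        if not ukey.startswith("HKCU\\SOFTWARE"):
            continue
        decoded = decode_numeric_ascii(data)
        if decoded is not None and len(decoded) >= 16 and looks_like_script(decoded):
            findings.append(Finding(key, name, "numeric-ASCII value decodes to script text"))
        if ukey.endswith("\\CURRENTVERSION\\RUN") and "powershell" in data.lower():
            findings.append(Finding(key, name, "Run key launches PowerShell"))
    return findings


def encode_sample(text: str) -> str:
    """Used only to build the constructed sample below."""
    return " ".join(str(ord(c)) for c in text)


# Constructed sample export: one benign Run entry, one PowerShell autorun,
# one numeric-ASCII value that decodes to script text, and two benign values.
SAMPLE_ROWS = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Updater",
     r"powershell.exe -WindowStyle Hidden -File C:\Users\alice\AppData\Roaming\placeholder.ps1"),
    (r"HKCU\Software\PlaceholderVendor\Settings", "Theme", "dark"),
    (r"HKCU\Software\PlaceholderVendor\Settings", "Stage",
     encode_sample("function Invoke-PlaceholderStage { IEX (placeholder) }")),
    (r"HKCU\Software\PlaceholderVendor\Settings", "Counter", "12 7 99"),
]

if __name__ == "__main__":
    for f in triage_export(SAMPLE_ROWS):
        print(f"{f.key}\\{f.value_name}: {f.reason}")
```

The decoder deliberately returns None for anything that is not a clean list of printable codes, so a short numeric setting such as "12 7 99" (which contains control characters once decoded) is not reported; only values that both decode cleanly and read like script are flagged, which keeps the rule usable on a real HKCU export full of legitimate numeric data.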


  • The malware uses SEO techniques to lure potential victims to compromised websites.
  • Gootloader uses obfuscation to evade antivirus detection.
  • It uses fileless techniques to deliver other malware strains that lead to further attacks.


  • Double-check the top search result before visiting a website: verify the domain name and the page content, especially if the content is inconsistent with the domain.
  • Avoid clicking or downloading documents offered on suspicious web pages.
  • Use anomaly detection tools to spot malicious behaviour and prevent such attacks.
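
The anomaly detection the last mitigation calls for can be grounded in the execution chain this advisory describes: a .js file extracted from a downloaded archive is run by a Windows script host (T1059.007) and then spawns PowerShell (T1059.001). The following is an added detection example written for this advisory, not CloudSEK's code. The events are constructed, Sysmon-style process-creation records (pid, ppid, image, cmdline), not real telemetry; paths and file names are placeholders, and the set of "download" directories is an assumption.

```python
"""Behavioural detection for the script-host-to-PowerShell chain in the advisory.

Added example, not CloudSEK's code. The events are constructed Sysmon-style
process-creation records; paths, names and the download-directory list are
placeholders and assumptions.
"""
import re
from typing import Dict, List, Tuple

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
# A quoted path ending in .js, or an unquoted one without spaces.
JS_PATH_RE = re.compile(r'"([^"]+?\.js)"|(\S+?\.js)\b', re.IGNORECASE)
# Directories a user-fetched archive is typically extracted into (assumed).
DOWNLOAD_DIRS_RE = re.compile(r"\\(downloads|temp|appdata\\local\\temp)\\", re.IGNORECASE)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect_chain(events: List[Dict]) -> List[Tuple[int, str]]:
    """Return (pid, reason) alerts for script hosts running a .js from a
    download directory and for PowerShell processes whose parent is a script host."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        image = _basename(e["image"])
        if image in SCRIPT_HOSTS:
            m = JS_PATH_RE.search(e["cmdline"])
            js_path = (m.group(1) or m.group(2)) if m else None
            if js_path and DOWNLOAD_DIRS_RE.search(js_path):
                alerts.append((e["pid"], "T1059.007: script host ran a .js from a download directory"))
        elif image == "powershell.exe":
            parent = by_pid.get(e["ppid"])
            if parent and _basename(parent["image"]) in SCRIPT_HOSTS:
                alerts.append((e["pid"], "T1059.001: PowerShell spawned by a script host"))
    return alerts


# Constructed sample: one benign admin script, one download-launched .js with
# a PowerShell child, and one interactive PowerShell started from Explorer.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r"cscript.exe //nologo C:\Scripts\inventory.js"},
    {"pid": 300, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\Downloads\sample agreement.js"'},
    {"pid": 301, "ppid": 300,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -WindowStyle Hidden -NoProfile"},
    {"pid": 400, "ppid": 100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe"},
]

if __name__ == "__main__":
    for pid, reason in detect_chain(SAMPLE_EVENTS):
        print(pid, reason)
```

Both rules are deliberately narrow: a script host running a .js from a fixed administrative location is not reported, and PowerShell is only reported when its parent is a script host, so the two alerts together describe the lineage the advisory lays out rather than any PowerShell launch.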

Tactics, Techniques and Procedures

Reconnaissance
  • T1590.005 Gather Victim Network Information: IP Addresses
Resource Development
  • T1584.004 Compromise Infrastructure: Server
Execution
  • T1059.007 Command and Scripting Interpreter: JavaScript/JScript
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1204.002 User Execution: Malicious File
Persistence
  • T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Defence Evasion
  • T1140 Deobfuscate/Decode Files or Information
  • T1112 Modify Registry
  • T1055.012 Process Injection: Process Hollowing

Indicators of Compromise

