Zip Files in Disguise: The Strange Return of GootLoader Malware
A notorious malware loader reemerges, using bizarre visual tricks and search engine poison to infiltrate unsuspecting victims.
Fast Facts
- GootLoader, a malware loader linked to ransomware, is active again after a period of dormancy.
- The malware now uses custom fonts to hide file names on compromised WordPress sites.
- Victims download ZIP files that appear as harmless text, but actually contain dangerous JavaScript code.
- Attackers leverage SEO poisoning, making their traps appear in search results for odd legal or business queries.
- Recent attacks allowed hackers to seize control of domain controllers within 24 hours of initial breach.
The Art of Digital Deception
Imagine opening a door labeled “Guide to Florida HOA Meetings,” only to find a masked intruder waiting inside. That’s the chilling reality behind the latest wave of GootLoader attacks, where cybercriminals have mastered the art of hiding in plain sight. This notorious malware loader - once a familiar name in the world of ransomware - has returned, but with a new bag of tricks that would impress even the most seasoned illusionist.
From Ransomware Courier to Master of Disguise
First spotted in 2020, GootLoader originally acted as a delivery service for ransomware and banking trojans, often sneaking in through compromised websites. Its operators, now known as Hive0127 (or UNC2565), became infamous for using “SEO poisoning” - a tactic where malicious sites are rigged to appear high in Google results for very specific, often legal-themed queries. Unsuspecting users searching for things like “committee meeting minutes template” would stumble onto a poisoned site, inadvertently downloading malware instead of helpful documents.
What sets this new wave apart is its technical sleight of hand. According to cybersecurity firm Huntress, GootLoader’s latest campaigns embed a custom web font (WOFF2) directly into hacked WordPress pages. This font doesn’t just change how text looks - it swaps out symbols so that gibberish on the page is magically rendered as believable file names in your browser. But copy the name or inspect the code, and you’ll see only nonsense. It’s a digital mask, powered by a clever encoding method called Z85, which compresses and hides the real payload.
ZIP Files That Aren’t What They Seem
The deception doesn’t end with the website. The ZIP files offered for download are also booby-trapped. When scanned with common security tools like VirusTotal or opened with utilities like 7-Zip, these files appear to be harmless text documents. But extract them with Windows Explorer and a malicious JavaScript file springs to life, launching the malware. This trick buys attackers precious hours or days before defenders catch on, increasing the odds of a successful breach.
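The parser disagreement described above is something a triage script can test for directly. The following example is added here and is not code from the original report or from Huntress: it reads an archive's local file headers on its own, compares that view with the central directory that `zipfile` relies on, and flags any mismatch or script-type entry; the tampered archive it builds is constructed input for the check, not the GootLoader sample.

```python
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"
# Extensions Windows hands straight to a script host or shell when double-clicked.
SCRIPT_EXT = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".lnk", ".cmd", ".bat")


def local_header_names(data: bytes) -> list:
    """Names as recorded in the local file headers, walked front to back;
    the central directory is ignored so the two views can be compared."""
    names, pos = [], 0
    while (pos := data.find(LOCAL_SIG, pos)) >= 0:
        # sig, version, flags, method, time, date, crc, csize, usize, nlen, xlen
        _, _, flags, _, _, _, _, csize, _, nlen, xlen = struct.unpack_from("<4s5H3I2H", data, pos)
        names.append(data[pos + 30:pos + 30 + nlen].decode("cp437", "replace"))
        pos += 30 + nlen + xlen
        if not flags & 0x08:  # no data descriptor, so csize is trustworthy
            pos += csize
    return names


def audit_zip(data: bytes) -> list:
    """Return findings; an empty list means both header views agree and no
    entry carries a script extension."""
    findings = []
    local = local_header_names(data)
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        central = z.namelist()  # zipfile trusts the central directory
    if local != central:
        findings.append(f"parser disagreement: local headers say {local}, "
                        f"central directory says {central}")
    for name in set(local) | set(central):
        if name.lower().endswith(SCRIPT_EXT):
            findings.append(f"script file inside archive: {name}")
    return findings


def constructed_samples() -> tuple:
    """Constructed test input: a benign archive and a copy whose central
    directory renames the single entry to .jse while the local header
    still says .txt, so tools trusting different headers see different files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("doc1.txt", "Committee meeting minutes template\n")
    clean = buf.getvalue()
    idx = clean.rfind(b"doc1.txt")  # last occurrence lives in the central directory
    tampered = clean[:idx] + b"doc1.jse" + clean[idx + 8:]
    return clean, tampered
```

Any non-empty result from `audit_zip` is a reason to detonate the archive in a sandbox rather than trust what a single archiver displays.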
In recent cases, attackers have been able to seize control of crucial systems - like domain controllers, the digital “keys to the kingdom” - in less than 24 hours. The speed and sophistication of these attacks echo similar file-masquerading campaigns, such as those seen with Emotet and QBot, but GootLoader’s unique use of visual misdirection marks a new evolution in cybercrime theater.
Why It Matters
This isn’t just a technical curiosity - it’s a warning shot for businesses, law firms, and anyone seeking documents online. As attackers get more creative, the line between safe and suspicious grows ever blurrier. The market for such advanced malware is thriving underground, fueled by a cat-and-mouse game between hackers and defenders. GootLoader’s latest act is a reminder: not every file is what it seems, and not every search result is your friend.
WIKICROOK
- GootLoader: GootLoader is malware that secretly installs other threats, like ransomware or banking trojans, by tricking users into downloading infected files.
- SEO Poisoning: SEO Poisoning is when attackers manipulate search results to promote malicious websites, tricking users into visiting harmful or fraudulent pages.
- WOFF2 Font: WOFF2 Font is a compressed web font format that enables custom fonts on websites and can also be used to conceal real file names.
- Z85 Encoding: Z85 Encoding is a method that converts binary data into a compact, readable text format, making it easier to hide or transmit within text files.
- Domain Controller: A Domain Controller is a central server in Windows networks that manages user authentication, security policies, and access to network resources.