GootLoader Is Back, Using a New Font Trick to Hide Malware on WordPress Sites
Briefly

"The malware known as GootLoader has resurfaced yet again after a brief spike in activity earlier this March, according to new findings from Huntress. The cybersecurity company said it observed three GootLoader infections since October 27, 2025, out of which two resulted in hands-on keyboard intrusions with domain controller compromise taking place within 17 hours of initial infection. "GootLoader is back and now leveraging custom WOFF2 fonts with glyph substitution to obfuscate filenames," security researcher Anna Pham said,"
"In a report published last September, Microsoft revealed the threat actor referred to as Vanilla Tempest receives hand-offs from GootLoader infections by the threat actor Storm-0494, leveraging the access to drop a backdoor called Supper (aka SocksShell or ZAPCAT), as well as AnyDesk for remote access. These attack chains have led to the deployment of INC ransomware. It's worth noting that Supper has also been grouped together with Interlock RAT (aka NodeSnake), another malware primarily associated with Interlock ransomware."
GootLoader resurfaced after a March activity spike, with three infections observed since October 27, 2025, two leading to hands-on-keyboard intrusions and domain controller compromise within 17 hours. The loader now uses custom WOFF2 fonts with glyph substitution to obfuscate filenames and exploits WordPress comment endpoints to deliver XOR-encrypted ZIP payloads with unique keys per file. GootLoader is affiliated with Hive0127 (UNC2565) and is distributed via SEO poisoning and malicious Google Ads redirecting victims to compromised WordPress sites. Access has been used by Storm-0494 and Vanilla Tempest to deploy Supper backdoors, AnyDesk, and INC ransomware, with overlaps among Interlock- and Vice Society-related tooling.
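The summary above notes that GootLoader delivers XOR-encrypted ZIP payloads with a unique key per file. As an added triage example (not code from Huntress or The Hacker News), the Python below recovers a short repeating XOR key from such a blob by using the fixed ZIP local-file-header signature as known plaintext and then validating the candidate by parsing the decrypted archive; the 4-byte key-length bound and the embedded sample data are assumptions, not details from the report.

```python
import io
import zipfile
from typing import Optional

ZIP_LOCAL_HEADER = b"PK\x03\x04"  # every ZIP starts with this signature
ZIP_EOCD = b"PK\x05\x06"          # end-of-central-directory record

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call both encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def looks_like_zip(data: bytes) -> bool:
    """Structural check: ZIP signatures present and the archive parses."""
    if not data.startswith(ZIP_LOCAL_HEADER) or ZIP_EOCD not in data:
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.testzip() is None  # None means every CRC checked out
    except Exception:  # any parse error means this candidate key is wrong
        return False

def recover_xor_key(blob: bytes, max_key_len: int = 4) -> Optional[bytes]:
    """Known-plaintext recovery of a short repeating XOR key: XORing the
    blob's first 4 bytes with the ZIP signature yields 4 key bytes; a key of
    length L <= 4 must make that prefix periodic with period L, and every
    consistent candidate is verified by decrypting and parsing the blob."""
    if len(blob) < len(ZIP_LOCAL_HEADER):
        return None
    prefix = xor_bytes(blob[:len(ZIP_LOCAL_HEADER)], ZIP_LOCAL_HEADER)
    for key_len in range(1, max_key_len + 1):
        candidate = prefix[:key_len]
        if all(prefix[i] == candidate[i % key_len] for i in range(len(prefix))):
            if looks_like_zip(xor_bytes(blob, candidate)):
                return candidate
    return None  # key longer than max_key_len, or the blob is not a XORed ZIP

def build_sample(key: bytes = b"\x5a\xa5\x3c") -> tuple:
    """Constructed test data, not a real GootLoader artifact: a tiny ZIP
    holding one harmless text file, XOR-encrypted with a per-file key."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "benign placeholder content\n")
    plain = buf.getvalue()
    return plain, xor_bytes(plain, key)

if __name__ == "__main__":
    plain, encrypted = build_sample()
    key = recover_xor_key(encrypted)
    print("recovered key:", key.hex() if key else None)  # prints 5aa53c
```

Because the report says each file carries its own key, the recovery has to be repeated per sample; a `None` result means the key is longer than the assumed bound or the blob is not a XOR-wrapped ZIP at all.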
Read at The Hacker News