Gootloader malware is back with new tricks after 7-month break
Briefly

"The websites are promoted in search engines either via ads or through search engine optimization (SEO) poisoning, which ranks a website higher in the results for a particular keyword, like legal documents and agreements. In the past, these websites would display fake message boards that pretended to discuss users' queries, with some posts recommending (malicious) document templates that could be downloaded. The SEO campaigns later switched to using websites that pretend to offer free templates for various legal documents."
"When a visitor clicked the 'Get Document' button, the site checked if they were a legitimate user and, if so, downloaded an archive containing a malicious document with a .js extension. For example, the archive could include a file named mutual_non_disclosure_agreement.js. Gootloader would execute when launching the document and downloaded additional malware payloads onto the device, including Cobalt Strike, backdoors, and bots that provided initial access to corporate networks. Other threat actors then used this access to deploy ransomware or conduct other attacks."
Gootloader is a JavaScript-based malware loader delivered through compromised or attacker-controlled websites. The operation uses search engine ads and SEO poisoning to promote fake sites that mimic legal document templates and message boards, tricking users into downloading malicious archives. Clicking 'Get Document' yields an archive containing a JavaScript (.js) file named like a legal document (for example, mutual_non_disclosure_agreement.js); opening it runs the loader, which fetches additional payloads such as Cobalt Strike, backdoors, and bots. Those payloads provide initial access to corporate networks, which other actors then use to deploy ransomware or conduct further attacks. A researcher filing abuse reports caused a pause on March 31, 2025; the campaign resumed after seven months.
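The lure described above boils down to an archive whose only "document" is a Windows script file with a document-like name. The following check is an added example written for this summary, not code from the article or from BleepingComputer: it inspects a downloaded ZIP archive in memory and flags members that carry a script extension, a document-then-script double extension, or a legal-template name. The .js case comes from the article; the other script extensions, the document extension list and the lure word list are assumptions chosen to make the check a little broader than the single case reported.

```python
from __future__ import annotations

import io
import zipfile
from pathlib import PurePosixPath

# Extensions that Windows Script Host / mshta run on double-click. The article
# reports .js; the remaining entries are assumed additions for a broader check.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta"}

# Document extensions that, placed just before a script extension, make a
# name like "lease_form.pdf.js" look like a document in Explorer (assumed list).
DOCUMENT_EXTENSIONS = {".doc", ".docx", ".pdf", ".rtf", ".odt", ".txt"}

# Words typical of the legal-template lure the article describes (assumed list).
LURE_WORDS = {"agreement", "contract", "disclosure", "template", "lease", "form", "policy"}


def suspicious_members(archive_bytes: bytes) -> list[dict]:
    """Return a finding per archive member that looks like a script posing as a document.

    Each finding records the member name, its uncompressed size and the reasons
    it was flagged. Members without a script extension are never reported.
    """
    try:
        zf = zipfile.ZipFile(io.BytesIO(archive_bytes))
    except zipfile.BadZipFile as exc:
        raise ValueError("input is not a ZIP archive") from exc

    findings: list[dict] = []
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Normalise backslash paths some archivers emit, then keep the basename.
            name = PurePosixPath(info.filename.replace("\\", "/")).name
            suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
            if not suffixes or suffixes[-1] not in SCRIPT_EXTENSIONS:
                continue

            reasons = ["script_extension"]
            if len(suffixes) >= 2 and suffixes[-2] in DOCUMENT_EXTENSIONS:
                reasons.append("document_double_extension")
            if any(word in name.lower() for word in LURE_WORDS):
                reasons.append("legal_template_name")

            findings.append({"name": info.filename, "size": info.file_size, "reasons": reasons})
    return findings


def is_suspicious(archive_bytes: bytes) -> bool:
    """True when at least one member of the archive was flagged."""
    return bool(suspicious_members(archive_bytes))


def build_sample_archive() -> bytes:
    """Constructed test archive: inert placeholder text, not real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # Name taken from the article; contents are a constructed placeholder.
        zf.writestr("mutual_non_disclosure_agreement.js", "// constructed placeholder\n")
        zf.writestr("readme.txt", "constructed benign text file\n")
        # Constructed double-extension variant of the same lure.
        zf.writestr("lease_form.pdf.js", "// constructed placeholder\n")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in suspicious_members(build_sample_archive()):
        print(f"{finding['name']}: {', '.join(finding['reasons'])}")
```

The check deliberately keys on the archive's member names rather than on the script contents, because the loader's JavaScript is re-obfuscated per download while the "document template" naming is the constant part of the lure. A mail or web gateway can apply the same rule before the archive reaches a user's Downloads folder, and an endpoint rule that alerts on wscript.exe launching a .js file from a browser download directory covers the execution step.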
Read at BleepingComputer