GootLoader Is Back, Using a New Font Trick to Hide Malware on WordPress Sites

News Room, published 11 November 2025 (last updated 2025/11/11 at 11:04 AM)

Nov 11, 2025 | Ravie Lakshmanan | Malware / Network Security

The malware known as GootLoader has resurfaced yet again after a brief spike in activity earlier this March, according to new findings from Huntress.

The cybersecurity company said it observed three GootLoader infections since October 27, 2025, two of which resulted in hands-on-keyboard intrusions, with domain controller compromise taking place within 17 hours of initial infection.

“GootLoader is back and now leveraging custom WOFF2 fonts with glyph substitution to obfuscate filenames,” security researcher Anna Pham said, adding the malware “exploits WordPress comment endpoints to deliver XOR-encrypted ZIP payloads with unique keys per file.”

GootLoader, affiliated with a threat actor tracked as Hive0127 (aka UNC2565), is a JavaScript-based malware loader that’s often distributed via search engine optimization (SEO) poisoning tactics to deliver additional payloads, including ransomware.

In a report published last September, Microsoft revealed the threat actor referred to as Vanilla Tempest receives hand-offs from GootLoader infections by the threat actor Storm-0494, leveraging the access to drop a backdoor called Supper (aka SocksShell or ZAPCAT), as well as AnyDesk for remote access. These attack chains have led to the deployment of INC ransomware.

It’s worth noting that Supper has also been grouped together with Interlock RAT (aka NodeSnake), another malware primarily associated with Interlock ransomware. “While there is no direct evidence of Interlock using Supper, both Interlock and Vice Society have been associated with Rhysida at different times, suggesting possible overlaps in the broader cybercriminal ecosystem,” Forescout noted last month.

Then, earlier this year, the threat actor behind GootLoader was found to have leveraged Google Ads to target victims searching for legal templates, such as agreements, redirecting them to compromised WordPress sites hosting malware-laced ZIP archives.

The latest attack sequence documented by Huntress shows that searches for terms like “missouri cover utility easement roadway” on Bing are used to steer unsuspecting users to compromised sites that deliver the ZIP archive. What’s notable this time around is the use of a custom web font to obfuscate the filenames shown in the browser: the text a static analysis tool or a human reading the page source sees is not the text the victim sees rendered, which is meant to defeat static analysis methods.

“So, when the user attempts to copy the filename or inspect the source code – they will see weird characters like ‛›μI€vSO₽*’Oaμ==€‚‚33O%33‚€×:O[TM€v3cwv,,” Pham explained.

“However, when rendered in the victim’s browser, these same characters magically transform into perfectly readable text like Florida_HOA_Committee_Meeting_Guide.pdf. This is achieved through a custom WOFF2 font file that Gootloader embeds directly into the JavaScript code of the page using Z85 encoding, a Base85 variant that compresses the 32KB font into a 40K.”
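The encoding detail in the quote is worth unpacking for anyone triaging one of these pages. Z85 (ZeroMQ RFC 32) maps every 4 bytes to 5 printable characters drawn from an 85-character alphabet that contains neither quotes nor backslashes, so a binary font can be dropped into a JavaScript string literal with no escaping, at the cost of a 5/4 expansion (which is why a 32 KB font becomes roughly 40 K characters of text). The script below is an added example, not GootLoader's own decoder nor code from Huntress: it implements Z85 encode/decode and scans page JavaScript for long Z85 literals that decode to a font container (WOFF2, WOFF, OpenType, TrueType). It assumes the font sits in a single quoted literal, as the article's description suggests; a real page may split or concatenate the string, in which case you would join the fragments first. The sample page and the "font" inside it are constructed (WOFF2 magic plus filler bytes, not a real font).

```python
import re

# Z85 alphabet from ZeroMQ RFC 32: 85 characters, no quote or backslash characters,
# which is why a blob in this encoding can sit inside a JS string literal unescaped.
Z85_ALPHABET = ("0123456789abcdefghijklmnopqrstuvwxyz"
                "ABCDEFGHIJKLMNOPQRSTUVWXYZ.-:+=^!/*?&<>()[]{}@%$#")
_Z85_INDEX = {c: i for i, c in enumerate(Z85_ALPHABET)}

# Leading bytes of the font containers a browser accepts via @font-face / FontFace.
FONT_MAGIC = {
    b"wOF2": "WOFF2",
    b"wOFF": "WOFF",
    b"OTTO": "OpenType/CFF",
    b"\x00\x01\x00\x00": "TrueType",
}

# One quoted run of Z85-alphabet characters, closed by the same quote character.
_Z85_CHARS = r"[0-9A-Za-z.\-:+=^!/*?&<>()\[\]{}@%$#]"


def _literal_re(min_len: int):
    return re.compile(r"""(["'])(""" + _Z85_CHARS + "{" + str(min_len) + r",})\1")


def z85_encode(raw: bytes) -> str:
    """Encode bytes (length must be a multiple of 4) as Z85: 4 bytes -> 5 chars, big-endian."""
    if len(raw) % 4:
        raise ValueError("Z85 input length must be a multiple of 4")
    out = []
    for i in range(0, len(raw), 4):
        value = int.from_bytes(raw[i:i + 4], "big")
        chunk = []
        for _ in range(5):
            chunk.append(Z85_ALPHABET[value % 85])
            value //= 85
        out.extend(reversed(chunk))
    return "".join(out)


def z85_decode(text: str) -> bytes:
    """Decode Z85 text (length must be a multiple of 5) back to bytes."""
    if len(text) % 5:
        raise ValueError("Z85 input length must be a multiple of 5")
    out = bytearray()
    for i in range(0, len(text), 5):
        value = 0
        for ch in text[i:i + 5]:
            value = value * 85 + _Z85_INDEX[ch]   # KeyError on a non-alphabet character
        out += value.to_bytes(4, "big")           # OverflowError if a group exceeds 2**32-1
    return bytes(out)


def find_embedded_fonts(page_js: str, min_len: int = 1000):
    """Scan page JavaScript for long Z85 string literals that decode to a font container.
    Returns one dict per hit with the literal's offset and length, the decoded size,
    the detected format and the decoded bytes (ready to write to disk for font analysis)."""
    hits = []
    for m in _literal_re(min_len).finditer(page_js):
        literal = m.group(2)
        try:
            blob = z85_decode(literal)
        except (ValueError, KeyError, OverflowError):
            continue                               # not valid Z85 (e.g. an ordinary base64 string)
        for magic, fmt in FONT_MAGIC.items():
            if blob.startswith(magic):
                hits.append({"offset": m.start(2), "literal_len": len(literal),
                             "decoded_len": len(blob), "format": fmt, "blob": blob})
                break
    return hits


def build_sample_page() -> str:
    """Constructed sample page (not a capture): a stand-in 'font' made of the WOFF2 magic
    plus filler bytes, embedded as a Z85 literal next to a harmless base64 literal."""
    fake_font = b"wOF2" + bytes((i * 7) % 256 for i in range(996))   # 1000 bytes, multiple of 4
    return ("var b64 = 'SGVsbG8gV29ybGQhIFRoaXMgaXMgbm90IGEgZm9udC4=';\n"
            "var f = \"" + z85_encode(fake_font) + "\";\n"
            "document.fonts.add(new FontFace('x', decodeZ85(f)));\n")


if __name__ == "__main__":
    for hit in find_embedded_fonts(build_sample_page()):
        print("%s font, %d bytes, from a %d-char literal at offset %d"
              % (hit["format"], hit["decoded_len"], hit["literal_len"], hit["offset"]))
```

Once a real font has been carved out, the substitution map is in the font itself: load the blob with a font library such as fontTools (WOFF2 decompression needs the brotli package) and dump the cmap table to see which code points (the "weird characters" in the DOM) are mapped to which glyphs, then compare those glyph outlines with a reference font to recover the readable names. The defender-side signal that needs no decoding at all is the mismatch the quote describes: filenames that render cleanly but copy or grep as gibberish.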

Also observed is a new trick that modifies the ZIP file such that when opened with tools like VirusTotal, Python’s ZIP utilities, or 7-Zip, it unpacks as a harmless-looking .TXT file. On Windows File Explorer, the archive extracts a valid JavaScript file, which is the intended payload.

“This simple evasion technique buys the actor time by hiding the true nature of the payload from automated analysis,” a security researcher, who has long been tracking the malware under the pseudonym “GootLoader,” said of the evolution.
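An archive that extracts differently depending on the tool is a parser differential: a ZIP carries two descriptions of its contents, the central directory at the end of the file and the local file headers in front of each member's data, and different extractors trust different ones. The article does not say which modification GootLoader makes, so the script below does not reproduce it; it is an added example, not Huntress's or the malware's code, that builds one generic archive of this class (a two-entry ZIP whose central directory is rewritten to list only the decoy .txt) and then shows the check a practitioner wants regardless of the specific trick: parse both structures independently and flag any member that appears in only one of them. Python's zipfile module is central-directory driven, so it sees just the decoy; which structure Windows Explorer or any other extractor trusts is not asserted here. The filenames and contents are constructed stand-ins.

```python
import io
import struct
import zipfile

# ZIP record signatures (PKWARE APPNOTE).
LOCAL_SIG = b"PK\x03\x04"
CENTRAL_SIG = b"PK\x01\x02"
EOCD_SIG = b"PK\x05\x06"


def parse_eocd(data: bytes):
    """Return (entry_count, cd_size, cd_offset) from the end-of-central-directory record."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    _, _, _, entries, cd_size, cd_offset, _ = struct.unpack("<HHHHIIH", data[eocd + 4:eocd + 22])
    return entries, cd_size, cd_offset


def central_directory_entries(data: bytes):
    """Names as the central directory declares them (the view zipfile and similar readers trust),
    plus the byte span of each 46-byte-plus-variable-fields record."""
    entries, _, cd_offset = parse_eocd(data)
    names, spans, pos = [], [], cd_offset
    for _ in range(entries):
        if data[pos:pos + 4] != CENTRAL_SIG:
            raise ValueError("central directory corrupt at 0x%x" % pos)
        f = struct.unpack("<HHHHHHIIIHHHHHII", data[pos + 4:pos + 46])
        nlen, xlen, clen = f[9], f[10], f[11]
        names.append(data[pos + 46:pos + 46 + nlen].decode("utf-8", "replace"))
        end = pos + 46 + nlen + xlen + clen
        spans.append((pos, end))
        pos = end
    return names, spans


def local_header_entries(data: bytes):
    """Names found by walking local file headers from the start of the stream up to the
    central directory, ignoring the central directory's own list entirely."""
    _, _, cd_offset = parse_eocd(data)
    names, pos = [], 0
    while pos < cd_offset:
        pos = data.find(LOCAL_SIG, pos, cd_offset)
        if pos < 0:
            break
        _, flags, _, _, _, _, csize, _, nlen, xlen = struct.unpack("<HHHHHIIIHH", data[pos + 4:pos + 30])
        names.append(data[pos + 30:pos + 30 + nlen].decode("utf-8", "replace"))
        pos += 30 + nlen + xlen
        if not flags & 0x08:          # no data descriptor: csize is authoritative, skip the payload
            pos += csize


    return names


def find_parser_differential(data: bytes):
    """Members visible in only one of the two views. A clean archive returns two empty lists."""
    central, _ = central_directory_entries(data)
    local = local_header_entries(data)
    return {
        "only_in_local_headers": sorted(set(local) - set(central)),
        "only_in_central_directory": sorted(set(central) - set(local)),
    }


def names_seen_by_zipfile(data: bytes):
    """What Python's zipfile (central-directory driven) reports for the archive."""
    return zipfile.ZipFile(io.BytesIO(data)).namelist()


def build_sample(tamper: bool = True) -> bytes:
    """Constructed sample: a decoy .txt and a stand-in .js. With tamper=True the central
    directory is rewritten to keep only the .txt record (local headers are left untouched)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("Meeting_Guide.txt", "This is a harmless decoy.\n")
        z.writestr("Meeting_Guide.js", "WScript.Echo('constructed stand-in, not real malware');\n")
    data = buf.getvalue()
    if not tamper:
        return data
    _, spans = central_directory_entries(data)
    _, _, cd_offset = parse_eocd(data)
    first_start, first_end = spans[0]
    new_cd = data[first_start:first_end]
    new_eocd = EOCD_SIG + struct.pack("<HHHHIIH", 0, 0, 1, 1, len(new_cd), cd_offset, 0)
    return data[:cd_offset] + new_cd + new_eocd


if __name__ == "__main__":
    sample = build_sample()
    print("zipfile sees:   ", names_seen_by_zipfile(sample))
    print("local headers:  ", local_header_entries(sample))
    print("differential:   ", find_parser_differential(sample))
```

The check is deliberately dumb: it does not try to guess which extractor a victim will use, it only reports that the two structures disagree, which a well-formed archive never does. Extend it with the same idea for other fields an extractor might trust (compressed size, filename length, the local-header name versus the central-directory name), since any of them can be made to disagree in the same way.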

The JavaScript payload present within the archive is designed to deploy Supper, a backdoor capable of remote control and SOCKS5 proxying. In at least one instance, the threat actors are said to have used Windows Remote Management (WinRM) to move laterally to the Domain Controller and create a new user with admin-level access.

“The Supper SOCKS5 backdoor uses tedious obfuscation protecting simple functionality – API hammering, runtime shellcode construction, and custom encryption add analysis headaches, but the core capabilities remain deliberately basic: SOCKS proxying and remote shell access,” Huntress said.

“This ‘good enough’ approach proves that threat actors don’t need cutting-edge exploits when properly obfuscated bread-and-butter tools achieve their objectives.”
