The GootLoader malware family has made a sharp comeback in late 2025 after a quiet spell. In its latest campaign, it’s using clever obfuscation techniques—and WordPress sites—to deliver malicious payloads with record speed.
What’s Happening?
- Researchers at Huntress Labs observed infections beginning October 27 2025, after roughly a nine-month lull.
- In at least two cases, threat actors breached the domain controller of the target within 17 hours of initial infection.
- The malware is delivered via malicious JavaScript that hides its true intent using a custom web-font (.woff2) trick. When the raw HTML is viewed, filenames appear gibberish. When rendered in the browser, they look legitimate.
- The target vector: compromised or malicious WordPress sites (and legitimately indexed pages) via SEO-poisoning. Visitors click what appear to be trusted documents—contract templates, PDFs, HOA guides, etc.—but instead download the loader.
How the Attack Works – Step by Step
- SEO poisoning / malvertising: The attacker either compromises a WordPress site or uses one under their control, then injects content (e.g., “Florida HOA Committee Meeting Guide.pdf”) with links/prominence so it appears in search results for queries such as “missouri cover utility easement roadway”.
- Download trap: The victim clicks the link/download button, and the site serves a ZIP archive or similar disguised payload, often via a comment endpoint like /wp-comments-post.php. The ZIP may appear to unpack a benign file but actually runs a loader script.
- Font trick obfuscation: In the HTML source it may say something like ›μI€vSO₽*'Oaμ==…, but when the browser loads the custom font the string becomes something like Florida_HOA_Committee_Meeting_Guide.pdf. This hides the true filename and payload path from analysis.
- Loader executes: The loader runs JScript/PowerShell and drops more payloads (e.g., SOCKS5 proxies, backdoors). It creates persistence (Startup folder shortcuts, scheduled tasks) and begins reconnaissance.
- Rapid escalation & lateral movement: Attackers enumerate Active Directory, move laterally (via WinRM, PowerShell), create new privileged accounts, compromise domain controllers—all possibly within hours.
- Hand-off for ransomware / data theft: Once full access is gained, the environment is handed over to ransomware gangs (e.g., Vanilla Tempest, also known as Rhysida) who deploy ransomware, steal data, encrypt systems.
Why This Variant Is Dangerous
- Evasion: The font-based obfuscation bypasses many static scanners that look for keywords like “invoice” or “contract.pdf” in HTML. But the browser renders it as legitimate.
- Speed: Domain controller compromise in under 17 hours (in some cases as low as ~1 hour). That gives defenders extremely little time to detect, respond and contain.
- Trusted vector: WordPress sites and search engine results evoke trust. Victims believe they are downloading a safe business document.
- Stepping-stone to bigger threats: GootLoader doesn’t always directly deploy ransomware—it often delivers access that is sold or handed off to full threat operations.
Real-World Statistics & Trends
- According to Red Canary’s 2025 threat detection report, GootLoader ranked #8 among detected malware families and was seen in ~2.4 % of customer incidents.
- Huntress observed three confirmed infections since late October 2025, with two resulting in domain controller compromise within 17 hours.
- Earlier data (2021–2023) showed GootLoader operating via tens of thousands of compromised pages and documents, particularly targeting legal/business-document searches.
Example Filenames & Indicators
- Filenames used in attacks include: florida_building_code_requirements_for_sheds(9306).zip, can_a_minor_be_an_independent_contractor_in_florida(72777).zip
- Downloads via /wp-comments-post.php or other comment endpoints on WordPress sites.
- In HTML source you might see gibberish strings that render as plausible filenames when fonts load.
- Persistence via Startup folder shortcuts using Windows 8.3 short filenames (e.g., MOLECU1.LNK) rather than scheduled tasks.
Defending Against GootLoader — What to Do
Preventive Measures
- Limit or monitor downloads from unknown WordPress sites or odd document-sharing domains.
- Restrict execution of JScript (wscript/cscript) and untrusted PowerShell on endpoints.
- Patch and secure WordPress installations: update core/themes/plugins, disable comment endpoints if unnecessary.
- Block or review search-engine traffic that leads to downloads from suspect domains.
- Harden startup persistence: look for unexpected .lnk files in Startup, unexpected scheduled tasks.
Detection & Monitoring
- Monitor for:
- POST requests to /wp-comments-post.php followed by ZIP downloads.
- Browser processes launching wscript.exe or cscript.exe to execute *.js from %AppData%.
- Windows processes creating Startup folder .lnk files or using 8.3 filenames.
- Outbound connections to unusual domains or over non-standard TLS flows (proxy / SOCKS5).
- Leverage EDR/SIEM rules for suspicious execution chains: Browser → wscript → cscript → PowerShell or WinRM lateral move.
- Maintain a list of known C2 domains/IPs tied to GootLoader and block/monitor accordingly.
Incident Response
- If you suspect compromise:
- Isolate the host immediately.
- Collect artifacts: Startup folder, %AppData% folder, registry Run keys, task scheduler entries.
- Reset privileged accounts, enable MFA, assume lateral movement occurred.
- Perform full forensic review including AD enumeration logs, account creation events, unusual SMB/WinRM traffic.
- Consider wipe & rebuild if domain controller was compromised—this is often faster than trust rebuilding after ransomware-grade breach.
Key Takeaway
GootLoader’s resurgence is a stark reminder: attackers adapt quickly and will exploit any vector that appears trusted—like WordPress sites and “business document” downloads. The use of custom fonts to hide malicious filenames is a clever twist, but the core goal remains the same: get initial access, move fast, and hand off to ransomware or data theft operations.
Defenders must be equally agile—monitor browser download behaviors, secure WordPress endpoints, detect early post-exploitation behaviors, and respond aggressively. Every hour counts.
