What We Do
How We Do
Get Started
Security advisories

Increase in GootLoader Malware

January 6, 2022 | 2 MINS READ

Speak With A Security Expert Now



eSentire has identified an increase in the GootLoader malware impacting organizations in the Legal services industry. GootLoader is an initial access malware that leads to the Gootkit Remote Access Trojan (RAT). It is delivered through drive-by social engineering attacks. This malware has been observed as a precursor to other threats including the Cobalt Strike red-team tool and the REvil ransomware.

Organizations are strongly encouraged to review the recommendations section of this advisory and ensure employees are aware of best security practices when searching for online documents.

What we’re doing about it

What you should do about it

Additional information

The threat actors behind this campaign employ Search Engine Optimization (SEO) poisoning in order to direct users searching for specific document templates to a malicious version (see Figure 1). Downloading and opening the malicious file leads to the deployment of GootLoader. Recently observed malicious templates focus on “agreements” as a key term, but other keywords are likely in use. The full infection chain can be found below.

Typical Infection Process:

  1. User performs a web search for a document or document template
  2. User clicks on search result leading to GootLoader landing page
  3. Landing page presents a fake web forum and link to the requested document
  4. User clicks on the presented link, receives a Zip archive
  5. User opens the archive, finds a JavaScript file (.js extension) disguised as the requested document
  6. User executes the JavaScript file by double-clicking it
  7. Windows executes the JavaScript file using the Windows script host process, resulting in execution of the GootLoader malware

Quickly identifying and remediating GootLoader infections is critical in preventing follow on attacks and the deployment of more damaging malware such as ransomware. Additional details on GootLoader tactics can be found in the eSentire report “GootLoader Hackers Poison Websites Globally in Order to Infect Business Professionals with Ransomware, Intrusion Tools and Bank Trojans”.

Indicators of Compromise
human-to-dust[.]dePayload Delivery
szandyhercegno[.]huPayload Delivery
jonathanbartz[.]comCommand and Control

Figure 1: GootLoader Infection Process – Search Engine results leading to GootLoader distribution page and corresponding Zip archive leading to malicious Java Script.


[1] https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction?view=o365-worldwide#block-javascript-or-vbscript-from-launching-downloaded-executable-content
[2] https://www.esentire.com/security-advisories/gootloader-hackers-poison-websites-globally

View Most Recent Advisories