What We Do
How we do it
Jan 13, 2022
GootLoader Hackers Are Compromising Employees of Law and Accounting Firms, Warns eSentire
GootLoader Gang Launches Wide-Spread Cyberattacks Enticing Legal and Accounting Employees to Download Malware eSentire, the industry’s leading Managed Detection and Response (MDR) cybersecurity provider, is warning law and accounting firms of a wide-spread GootLoader hacker campaign. In the past three weeks and as recently as January 6, eSentire’s threat hunters have intercepted and shut down…
Read More
View all Advisories →
About Us
eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 1000+ organizations in 70+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events.
Read about how we got here
Leadership Work at eSentire
Oct 28, 2021
Telarus and eSentire Expand Partnership to Safeguard Enterprises Globally Against Business Disrupting Ransomware and Zero-Day Attacks
London, UK and Sydney, Australia– Oct. 28, 2021 - eSentire, recognized globally as the Authority in Managed Detection and Response (MDR), today announces the expansion of its partnership with Telarus, the largest privately-held distributor of business cloud infrastructure and contact centre services. Building on their mutual success across North America, Telarus will bring eSentire’s Managed…
Read More
Our award-winning partner program offers financial rewards, sales and marketing tools and personalized training. Accelerate your business and grow your revenue by offering our world-class Managed Detection and Response (MDR) services.
Learn about our Partner Program
Apply today to partner with the Authority in Managed Detection and Response.
Login to the Partner Portal for resources and content for current partners.
Security advisories — Jan 06, 2022

Increase in GootLoader Malware

Speak With A Security Expert Now


eSentire has identified an increase in the GootLoader malware impacting organizations in the Legal services industry. GootLoader is an initial access malware that leads to the Gootkit Remote Access Trojan (RAT). It is delivered through drive-by social engineering attacks. This malware has been observed as a precursor to other threats including the Cobalt Strike red-team tool and the REvil ransomware.

Organizations are strongly encouraged to review the recommendations section of this advisory and ensure employees are aware of best security practices when searching for online documents.

What we’re doing about it

What you should do about it

Additional information

The threat actors behind this campaign employ Search Engine Optimization (SEO) poisoning in order to direct users searching for specific document templates to a malicious version (see Figure 1). Downloading and opening the malicious file leads to the deployment of GootLoader. Recently observed malicious templates focus on “agreements” as a key term, but other keywords are likely in use. The full infection chain can be found below.

Typical Infection Process:

  1. User performs a web search for a document or document template
  2. User clicks on search result leading to GootLoader landing page
  3. Landing page presents a fake web forum and link to the requested document
  4. User clicks on the presented link, receives a Zip archive
  5. User opens the archive, finds a JavaScript file (.js extension) disguised as the requested document
  6. User executes the JavaScript file by double-clicking it
  7. Windows executes the JavaScript file using the Windows script host process, resulting in execution of the GootLoader malware

Quickly identifying and remediating GootLoader infections is critical in preventing follow on attacks and the deployment of more damaging malware such as ransomware. Additional details on GootLoader tactics can be found in the eSentire report “GootLoader Hackers Poison Websites Globally in Order to Infect Business Professionals with Ransomware, Intrusion Tools and Bank Trojans”.

Indicators of Compromise
human-to-dust[.]dePayload Delivery
szandyhercegno[.]huPayload Delivery
jonathanbartz[.]comCommand and Control

Figure 1: GootLoader Infection Process – Search Engine results leading to GootLoader distribution page and corresponding Zip archive leading to malicious Java Script.


[1] https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction?view=o365-worldwide#block-javascript-or-vbscript-from-launching-downloaded-executable-content
[2] https://www.esentire.com/security-advisories/gootloader-hackers-poison-websites-globally

View Most Recent Blogs