GootLoader, a JavaScript-based malware loader, returned with new obfuscation techniques. It uses custom WOFF2 fonts and exploits WordPress comment sections to deliver malicious payloads. Security firm Huntress observed rapid network compromises, highlighting the threat’s sophistication.
GootLoader activity, attributed to threat actor Hive0127 (UNC2565), surged in October 2025 after a brief lull. Huntress recorded three infections since October 27. Two led to “hands-on keyboard” intrusions and domain controller compromises within 17 hours, demonstrating the attacks’ speed and severity. The malware’s latest version hides filenames using WOFF2 font glyph substitution, complicating detection.
GootLoader’s renewed stealth comes from its innovative use of Web Open Font Format 2.0 (WOFF2). Attackers weaponize this web font technology, which is normally used to deliver efficiently compressed fonts to browsers. Huntress security researcher Anna Pham noted that GootLoader “leverages custom WOFF2 fonts with glyph substitution to obfuscate filenames,” according to a company blog post. Because the custom font draws one character as the glyph of another, the filename a user sees rendered on screen differs from the characters actually stored, masking the malicious files. The malware also exploits WordPress comment endpoints to deliver XOR-encrypted ZIP payloads, each with a unique key.
GootLoader traditionally operates as a JavaScript-based malware loader. Attackers distribute it primarily through SEO poisoning tactics, manipulating search results to direct users to compromised websites. After gaining initial access, the malware delivers additional malicious payloads, often leading to ransomware deployment. GootLoader shifted its persistence mechanism from scheduled tasks to the Windows Startup folder. It still uses Windows 8.3 short filenames to evade detection.
A GootLoader infection can have significant impact. Microsoft reported in September 2024 that the group Storm-0494 often takes over from GootLoader intrusions. Storm-0494 deploys backdoors like Supper (SocksShell or ZAPCAT) and AnyDesk for remote access, further compromising networks. These attack chains often end with various ransomware deployments, including INC, Rhysida, BlackCat, Zeppelin, and Quantum Locker. Vanilla Tempest (DEV-0832) has delivered these payloads since 2022.
GootLoader’s evolution highlights the constant battle between malware developers and security researchers. Staying ahead requires continuous adaptation of defensive strategies against sophisticated obfuscation and delivery methods.