TTPwire Vol. 1 · MITRE ATT&CK-tagged


Huntress

Gootloader | Threat Detection Overview

2025-11-05

ATT&CK techniques detected

26 predictions
T1055.001 Dynamic-link Library Injection (99%)
“backdoor deliberately uses these native ntdll.dll functions instead of higher-level APIs like LoadLibraryA to bypass user-mode hooks commonly placed by security tools, and sandboxes that typically monitor the more frequently used kernel32 API calls. The backdoor first attemp…”

T1059.001 PowerShell (99%)
“(the default for double-clicked VBScript files), the wrapper creates a WScript.Shell object and uses the Exec() method to launch PowerShell with the command "powershell & powershell" (back in 2022, Gootloader launched PowerShell with command “powershell”). While the …”

T1003.006 DCSync (96%)
“privileged account notes. It's a quick way to find potentially valuable information that may have been carelessly documented in AD: - This command enumerates all Windows Server machines in the AD domain, displaying their hostname, DNS name, operating system version, and last l…”

T1573.001 Symmetric Cryptography (95%)
“and places it directly in the message header. Each message begins with a 12-byte header: the encryption key is randomly generated for each message and transmitted in the header. As mentioned above, the encryption and decryption use the same stateful XOR cipher: the cipher use…”

T1573.001 Symmetric Cryptography (94%)
“…emory call, providing the necessary executable permissions for the reconstructed code to run, making the subsequent protection changes unnecessary. Further hunting with the YARA rule revealed additional samples using the same obfuscation. These samples are attributed to Oysterl…”

T1027.007 Dynamic API Resolution (89%)
“assembly code rather than being stored in the header. The obfuscated backdoor also leverages API hashing to obfuscate the API calls. The backdoor uses a simple multiplicative hash algorithm to obfuscate API function names, where each character in the function name string is proce…”

T1059.001 PowerShell (87%)
“. To extract window titles, it converts each process object to CSV format using ConvertTo-Csv, then parses the 26th field, which corresponds to the MainWindowTitle property in PowerShell's process object serialization. This reveals what the user is actively working on — open …”

T1055.001 Dynamic-link Library Injection (87%)
“…protect with PAGE_EXECUTE permissions) and transfers control flow to it, causing the backdoor to execute the shellcode. The reconstructed shellcode contains the LZMA decompression routine for the final payload. Figure 9: The reconstructed code containing the LZMA decompress…”

T1059.001 PowerShell (76%)
“access and begin ransomware preparation. Despite sophisticated initial obfuscation, threat actors follow repeatable patterns: AD enumeration (Kerberoasting, SPN scanning), domain-wide local admin scanning, lateral movement via WinRM, privileged account creation, and volume s…”

T1486 Data Encrypted for Impact (75%)
“WOFF2 fonts that perform glyph substitution by transforming gibberish characters in source code into legitimate-looking filenames when rendered in browsers. The infection operates through a well-established criminal partnership: Storm-0494 handles Gootloader operations and…”

T1055.001 Dynamic-link Library Injection (72%)
“harder to identify which API calls are actually significant to the malware's core functionality versus which are just noise, forcing analysts to spend more time distinguishing meaningful behavior from deliberate obfuscation. Figure 8: Code with API hammering (on the left), c…”

T1547.009 Shortcut Modification (71%)
“launching JavaScript files under the same folder, where the shortcuts reside (%APPDATA%<folder_name>) — emc controlcenter.js and adaptive algorithms.js. The shortcut files reference their targets using Windows 8.3 short filenames (e.g., molecu1.lnk instead of molec…”

T1027 Obfuscated Files or Information (70%)
“file masquerades as jQuery v3.0.0 while embedding heavily obfuscated malicious code in lots of noisy string fragments; small helper functions slice and reassemble those fragments using index math and backward loops, then run predictable, reversible string transforms (unescape…”

T1189 Drive-by Compromise (69%)
“Gootloader | Threat Detection Overview. Overview. Gootloader is a sophisticated JavaScript-based malware loader that threat actors commonly use to gain initial access. This malware is typically delivered when users visit compromised websites, with threat actors leveraging SEO poi…”

T1003.003 NTDS (64%)
“…script file disguised as a .txt file. However, when extracted using the default Windows zip utility, it directly drops the JavaScript file in executable form. - The threat actor achieved lateral movement to a domain controller in under one hour following the initial Gootloader …”

T1547.009 Shortcut Modification (58%)
“domain from 10 using Get-Random. The beaconing mechanism leverages an infinite loop with a 20-second beacon interval via System.Threading.AutoResetEvent, where the loop condition ensures execution never terminates. Upon successful C2 communication, the script executes recei…”

T1059.001 PowerShell (54%)
“file masquerades as jQuery v3.0.0 while embedding heavily obfuscated malicious code in lots of noisy string fragments; small helper functions slice and reassemble those fragments using index math and backward loops, then run predictable, reversible string transforms (unescape…”

T1078.002 Domain Accounts (53%)
“infections, including two that led to hands-on-keyboard intrusions with domain controller compromise occurring within 17 hours of initial infection. Key takeaways: - Gootloader is back and now leveraging custom WOFF2 fonts with glyph substitution to obfuscate filenames - explo…”

T1087.002 Domain Account (46%)
“properly monitored by an endpoint solution. When Gootloader brings friends: Case #1. Approximately 20 minutes after the initial JavaScript execution, the threat actor performed reconnaissance from one of the four dropped Supper SOCKS5 backdoors. Why the threat actor decided to dro…”

T1558.003 Kerberoasting (44%)
“infections, including two that led to hands-on-keyboard intrusions with domain controller compromise occurring within 17 hours of initial infection. Key takeaways: - Gootloader is back and now leveraging custom WOFF2 fonts with glyph substitution to obfuscate filenames - explo…”

T1027 Obfuscated Files or Information (43%)
“harder to identify which API calls are actually significant to the malware's core functionality versus which are just noise, forcing analysts to spend more time distinguishing meaningful behavior from deliberate obfuscation. Figure 8: Code with API hammering (on the left), c…”

T1505.003 Web Shell (40%)
“them with a newly generated key and writes the encrypted values to a file (we observed the files named s01bafg and orl under the %TEMP% folder). This persistence mechanism ensures the backdoor maintains an updated list of fallback servers even if the primary C2 becomes unreachabl…”

T1558.004 AS-REP Roasting (37%)
“infections, including two that led to hands-on-keyboard intrusions with domain controller compromise occurring within 17 hours of initial infection. Key takeaways: - Gootloader is back and now leveraging custom WOFF2 fonts with glyph substitution to obfuscate filenames - explo…”

T1055.012 Process Hollowing (36%)
“+ M" and “Control + Alt + G”) assigned to them, which allow the loader to execute upon the user pressing these specific key combinations. Figure 7: Overview of the shortcut file using the LECmd tool. Before diving into the hands-on keyboard activity we observed, let's look at…”

T1003 OS Credential Dumping (33%)
“infections, including two that led to hands-on-keyboard intrusions with domain controller compromise occurring within 17 hours of initial infection. Key takeaways: - Gootloader is back and now leveraging custom WOFF2 fonts with glyph substitution to obfuscate filenames - explo…”

T1608.006 SEO Poisoning (31%)
“Gootloader | Threat Detection Overview. Overview. Gootloader is a sophisticated JavaScript-based malware loader that threat actors commonly use to gain initial access. This malware is typically delivered when users visit compromised websites, with threat actors leveraging SEO poi…”

Summary

Gootloader returns with new obfuscation techniques, including custom WOFF2 fonts and updated persistence mechanisms, while continuing its partnership with Vanilla Tempest for ransomware deployment. Dive in and discover what Huntress is seeing.