Hive0127

Hive0127, also tracked as UNC2565, is the threat actor affiliated with GootLoader activity described in the reporting. Huntress attributed a surge in GootLoader activity in October 2025 to this actor after a brief lull. GootLoader is a JavaScript-based malware loader commonly distributed through SEO poisoning, including search-result manipulation and redirects to compromised WordPress sites hosting malicious ZIP archives. Reported delivery and evasion techniques in this activity include abuse of WordPress comment endpoints to serve XOR-encrypted ZIP payloads with unique keys, use of custom WOFF2 fonts with glyph substitution to obfuscate filenames shown to victims, continued use of Windows 8.3 short filenames for evasion, and a persistence change from scheduled tasks to the Windows Startup folder. Huntress observed three infections since October 27, 2025; two escalated to hands-on-keyboard intrusions and domain controller compromise within 17 hours. The reporting states that GootLoader infections associated with this actor often serve as initial access leading to additional payloads and follow-on activity, including Storm-0494 hand-offs, deployment of the Supper backdoor (also known as SocksShell or ZAPCAT), use of AnyDesk, and ransomware outcomes including INC, Rhysida, BlackCat, Zeppelin, and Quantum Locker.