Gootloader is a malware campaign and initial-access platform active since at least January 2021. It has been described as an "Initial Access as a Service" operation targeting enterprise and government organizations worldwide, with observed targeting of military, financial, chemistry, banking, automotive, investment, and energy sectors, primarily in the US, Canada, Germany, and South Korea. The campaign uses a large delivery network of compromised high-traffic websites, including sites running old or vulnerable CMS versions, and relies heavily on SEO poisoning and tailored filenames as social engineering lures. The lures are adapted to the interests and search behavior of targeted professionals, and the campaign uses geofencing to selectively deliver payloads to specific countries. Observed tradecraft includes highly obfuscated JavaScript droppers, multi-stage JavaScript and PowerShell execution, fileless payload delivery, sandbox evasion, unique per-victim download URLs and query parameters, registry-based payload storage, PowerShell reflection, and process hollowing into legitimate processes such as ImagingDevices.exe. The JavaScript loader has been observed checking for Active Directory domain membership before continuing, indicating a focus on enterprise environments using Active Directory. The campaign also uses a two-level delivery network in which compromised sites redirect victims to second-level domains for payload delivery. Payloads associated with Gootloader include Cobalt Strike Beacon, Gootkit, Kronos, REvil, and BlueCrab. The content notes that its payloads are often associated with ransomware operators and other cybercrime groups, and that infrastructure overlaps with other Cobalt Strike-centric campaigns suggest affiliate use. Public reporting cited in the content states that over 900 unique JavaScript droppers were identified between January and April 2021 and that around 700 compromised websites were used in delivery. The content also notes that Gootloader has resurfaced with new capabilities. Known alias in the provided content: gootloader.
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
27 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.
3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Gootloader is referenced as returning to activity, typically known for delivering malware payloads via compromised websites and SEO poisoning.
A named threat using browser redirects or SEO poisoning to drive users to malicious content.
Gootloader is an 'Initial Access as a Service' platform that compromises high-traffic websites to deliver malicious JavaScript loaders via SEO poisoning and social engineering. It targets enterprise and government sectors, delivering a variety of malware payloads (including ransomware and infostealers) for affiliate cybercrime groups. The campaign is highly selective, using geofencing, Active Directory checks, and robust evasion techniques.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.