GootKit

GootKit is a banking Trojan that also functions as an information stealer and remote access Trojan (RAT). The provided content describes it as highly evasive and capable of establishing a persistent foothold on victim systems, enabling follow-on exploitation including deployment of Cobalt Strike, ransomware, and other tooling. It has also been referenced as an e-banking Trojan and associated with HVNC-style fraud activity in broader banking-malware tradecraft.

The malware is closely associated with GootLoader delivery chains. Multiple sources in the content state that GootLoader historically loaded GootKit, and recent investigations describe first-stage obfuscated JavaScript downloaded via SEO poisoning and trojanized search-engine results, often from compromised websites, leading to second-stage JavaScript associated with GootKit. In one 2024 case, a malicious ZIP downloaded from a compromised site contained a JavaScript payload that dropped a larger script under AppData\Roaming\Notepad++, created scheduled-task persistence, executed via WScript/CScript, and spawned PowerShell. Network behavior included HTTP requests to multiple domains at /xmlrpc.php with Base64-encoded host enumeration data, including USERNAME and USERDOMAIN values. Sophos classified related artifacts as JS/Drop-DIJ and JS/Gootkit-AW. Example observed artifacts included the URL hxxps://ledabel[.]be/en/are-bengal-cats-legal-in-australia-understanding-the-laws-and-regulations/, redirect to hxxps://www[.]chanderbhushan[.]com/doc[.]php, ZIP file Are_bengal_cats_legal_in_australia_33924.zip, dropped script paths under C:\Users<Username>\AppData\Roaming\Notepad++, and scheduled task names such as Business Aviation and Destination Branding.

The content also ties GootKit to criminal distribution ecosystems. Storm-0324 has distributed GootKit as a first-stage payload since at least 2016 alongside other malware families, using phishing and exploit-kit-based delivery chains. Microsoft notes detections including Trojan:Win32/Gootkit. Other content states criminal operators have used the Cutwail spambot and the RIG and Nebula exploit kits to distribute GootKit, and that developers/operators updated configuration files to improve targeting and expanded target lists for video-capture capability in 2017. Emotet has also been observed delivering GootKit as a third-party payload.

High-confidence behaviors and characteristics directly mentioned in the content include: banking credential theft/e-banking fraud functionality; info-stealing and RAT capability; persistence establishment; use in multi-stage JavaScript and PowerShell infection chains; scheduled-task persistence; host enumeration and outbound C2/call-home traffic; and use as a precursor or enabler for later ransomware activity. Targeting in the provided material is opportunistic rather than sector-specific, though GootLoader-linked campaigns delivering GootKit have affected sectors including legal, healthcare, financial, technology, manufacturing, education, and government, with activity observed globally and specifically in North America, Europe, and Australia.