GootLoader.

A long-running JavaScript-based initial-access loader operated by UNC2565, dropped via SEO-poisoned legal/contract template downloads and used to stage REvil, Cobalt Strike, IcedID, and ransomware affiliates. Es gehört zur Kategorie Schadsoftware der Cybersicherheit.

A long-running JavaScript-based initial-access loader operated by UNC2565, dropped via SEO-poisoned legal/contract template downloads and used to stage REvil, Cobalt Strike, IcedID, and ransomware affiliates.

GootLoader is a JavaScript-based malware loader, active since 2020 and tracked by Mandiant as part of the UNC2565 cluster, evolved from the older Gootkit banking trojan codebase. Its hallmark distribution technique is SEO poisoning: operators compromise WordPress sites and stuff them with realistic-looking pages such as 'free contract template', 'NDA sample', or 'agreement form X PDF', often topping Google results for niche legal-document queries. Victims who download the 'document' actually receive a ZIP containing a JavaScript that, on execution via WSH, deploys a heavily obfuscated multi-stage loader with .NET and PowerShell components. Subsequent payloads have included REvil, Cobalt Strike, IcedID, BlackCat, and other ransomware affiliates' tools, making GootLoader a persistent initial-access pipeline for the broader RaaS ecosystem. Defenses focus on web-content filtering of newly registered or low-reputation domains hosting SEO-poisoned content, blocking WSH execution of `.js` from user folders, and EDR detection on the loader's stable PowerShell command lines.

Schutzmaßnahmen gegen GootLoader kombinieren typischerweise technische Kontrollen und operative Praktiken, wie in der Definition oben beschrieben.

Übliche alternative Bezeichnungen: GootKit Loader, UNC2565.