GootLoader.

A long-running JavaScript-based initial-access loader operated by UNC2565, dropped via SEO-poisoned legal/contract template downloads and used to stage REvil, Cobalt Strike, IcedID, and ransomware affiliates. It belongs to the Malware category of cybersecurity.

A long-running JavaScript-based initial-access loader operated by UNC2565, dropped via SEO-poisoned legal/contract template downloads and used to stage REvil, Cobalt Strike, IcedID, and ransomware affiliates.

GootLoader is a JavaScript-based malware loader, active since 2020 and tracked by Mandiant as part of the UNC2565 cluster, evolved from the older Gootkit banking trojan codebase. Its hallmark distribution technique is SEO poisoning: operators compromise WordPress sites and stuff them with realistic-looking pages such as 'free contract template', 'NDA sample', or 'agreement form X PDF', often topping Google results for niche legal-document queries. Victims who download the 'document' actually receive a ZIP containing a JavaScript that, on execution via WSH, deploys a heavily obfuscated multi-stage loader with .NET and PowerShell components. Subsequent payloads have included REvil, Cobalt Strike, IcedID, BlackCat, and other ransomware affiliates' tools, making GootLoader a persistent initial-access pipeline for the broader RaaS ecosystem. Defenses focus on web-content filtering of newly registered or low-reputation domains hosting SEO-poisoned content, blocking WSH execution of `.js` from user folders, and EDR detection on the loader's stable PowerShell command lines.

Defences for GootLoader typically combine technical controls and operational practices, as detailed in the full definition above.

Common alternative names include: GootKit Loader, UNC2565.