GootLoader
GootLoader とは何ですか?
GootLoaderA long-running JavaScript-based initial-access loader operated by UNC2565, dropped via SEO-poisoned legal/contract template downloads and used to stage REvil, Cobalt Strike, IcedID, and ransomware affiliates.
GootLoader is a JavaScript-based malware loader, active since 2020 and tracked by Mandiant as part of the UNC2565 cluster, evolved from the older Gootkit banking trojan codebase. Its hallmark distribution technique is SEO poisoning: operators compromise WordPress sites and stuff them with realistic-looking pages such as 'free contract template', 'NDA sample', or 'agreement form X PDF', often topping Google results for niche legal-document queries. Victims who download the 'document' actually receive a ZIP containing a JavaScript that, on execution via WSH, deploys a heavily obfuscated multi-stage loader with .NET and PowerShell components. Subsequent payloads have included REvil, Cobalt Strike, IcedID, BlackCat, and other ransomware affiliates' tools, making GootLoader a persistent initial-access pipeline for the broader RaaS ecosystem. Defenses focus on web-content filtering of newly registered or low-reputation domains hosting SEO-poisoned content, blocking WSH execution of `.js` from user folders, and EDR detection on the loader's stable PowerShell command lines.
● 例
- 01
A paralegal Googles 'sample independent contractor agreement template' and downloads a `.zip` from a compromised dentistry blog, kicking off the GootLoader chain.
- 02
An EDR rule flags wscript.exe spawning an outbound HTTPS connection from `%AppData%\Roaming\<random>\` — the canonical GootLoader stage.
● よくある質問
GootLoader とは何ですか?
A long-running JavaScript-based initial-access loader operated by UNC2565, dropped via SEO-poisoned legal/contract template downloads and used to stage REvil, Cobalt Strike, IcedID, and ransomware affiliates. サイバーセキュリティの マルウェア カテゴリに属します。
GootLoader とはどういう意味ですか?
A long-running JavaScript-based initial-access loader operated by UNC2565, dropped via SEO-poisoned legal/contract template downloads and used to stage REvil, Cobalt Strike, IcedID, and ransomware affiliates.
GootLoader はどのように機能しますか?
GootLoader is a JavaScript-based malware loader, active since 2020 and tracked by Mandiant as part of the UNC2565 cluster, evolved from the older Gootkit banking trojan codebase. Its hallmark distribution technique is SEO poisoning: operators compromise WordPress sites and stuff them with realistic-looking pages such as 'free contract template', 'NDA sample', or 'agreement form X PDF', often topping Google results for niche legal-document queries. Victims who download the 'document' actually receive a ZIP containing a JavaScript that, on execution via WSH, deploys a heavily obfuscated multi-stage loader with .NET and PowerShell components. Subsequent payloads have included REvil, Cobalt Strike, IcedID, BlackCat, and other ransomware affiliates' tools, making GootLoader a persistent initial-access pipeline for the broader RaaS ecosystem. Defenses focus on web-content filtering of newly registered or low-reputation domains hosting SEO-poisoned content, blocking WSH execution of `.js` from user folders, and EDR detection on the loader's stable PowerShell command lines.
GootLoader からどのように防御しますか?
GootLoader に対する防御は通常、上記の定義で述べたとおり、技術的統制と運用上の実践を組み合わせます。
GootLoader の別名は何ですか?
一般的な別名: GootKit Loader, UNC2565。
● 関連用語
- malware№ 692
ローダ
攻撃の後続段階に向けて環境を整え、追加ペイロード(多くはメモリ上)を読み込んで実行するマルウェア。
- defense-ops№ 597
イニシャルアクセスブローカー(IAB)
企業ネットワークへの不正アクセス手段を入手し、ランサムウェアアフィリエイトなど他の犯罪者へ売却することに特化したサイバー犯罪の専門家。
- malware№ 1006
ランサムウェア・アズ・ア・サービス(RaaS)
ランサムウェアの開発・運営チームがマルウェアとインフラを攻撃実行役のアフィリエイトに貸し出し、身代金を分配する犯罪ビジネスモデル。
- defense-ops№ 215
Cobalt Strike
商用の敵対者シミュレーション プラットフォームで、レッドチーム業務に広く用いられる一方、攻撃者によりポストエクスプロイトや C2 に頻繁に悪用される。
- malware№ 564
IcedID / BokBot
2017 年に登場したモジュール型バンキングトロイ兼ローダーで、Conti や Quantum などのランサムウェア展開の前哨として広く使われた。
- attacks№ 398
ドライブバイダウンロード
侵害された、または悪意のあるウェブサイトを訪れるだけで、利用者の端末にマルウェアが密かにインストールされる攻撃。