GootLoader
GootLoader 是什么?
A long-running JavaScript-based initial-access loader operated by UNC2565, delivered via SEO-poisoned legal/contract template downloads and used to stage REvil, Cobalt Strike, IcedID, and ransomware affiliates' tooling.
GootLoader is a JavaScript-based malware loader, active since 2020 and tracked by Mandiant as part of the UNC2565 cluster; it takes its name from the Gootkit banking trojan it originally delivered. Its hallmark distribution technique is SEO poisoning: operators compromise WordPress sites and stuff them with realistic-looking pages such as 'free contract template', 'NDA sample', or 'agreement form X PDF', often topping Google results for niche legal-document queries. Victims who download the 'document' actually receive a ZIP containing a single JavaScript file named after the search query; when the user double-clicks it, Windows Script Host (wscript.exe) runs it and it deploys a heavily obfuscated multi-stage loader with .NET and PowerShell components. Subsequent payloads have included REvil, Cobalt Strike, IcedID, BlackCat, and other ransomware affiliates' tools, making GootLoader a persistent initial-access pipeline for the broader RaaS ecosystem. Defenses focus on web-content filtering of newly registered or low-reputation domains hosting SEO-poisoned content, blocking WSH execution of `.js` files from user-writable folders (Downloads, Temp, AppData) or re-associating `.js` with a text editor, and EDR detection on the loader's stable PowerShell command lines and on wscript.exe spawning powershell.exe.
● Examples
- 01
A paralegal Googles 'sample independent contractor agreement template' and downloads a `.zip` from a compromised dentistry blog, kicking off the GootLoader chain.
- 02
An EDR rule flags wscript.exe spawning powershell.exe, or opening an outbound HTTPS connection, while running a script from `%APPDATA%\<random>\` (note that `%APPDATA%` already expands to `...\AppData\Roaming`, so the path is not `%AppData%\Roaming\...`): the canonical persisted GootLoader stage.
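The two detections described above, written out as an added example (this is not GootLoader's code nor any vendor's rule). It runs a small rule set over process-creation events whose field names are modelled on Sysmon Event ID 1; the sample events, paths and the random AppData folder name are constructed for illustration, and the encoded command is a dummy base64 string.

```python
"""Flag the two GootLoader behaviours the page calls out:
R1: a WSH interpreter executing a .js dropped under a user-writable folder
    (the ZIP-extracted first stage being double-clicked);
R2: powershell.exe whose parent is wscript.exe/cscript.exe (the later stages).
Field names follow Sysmon Event ID 1; all sample events are constructed."""
import ntpath
import re
from dataclasses import dataclass

WSH_HOSTS = {"wscript.exe", "cscript.exe"}

# Folders an unprivileged user can write to: a script running from here was
# dropped by the user or by malware, not installed by an administrator.
USER_WRITABLE = re.compile(
    r"\\users\\[^\\]+\\(downloads|desktop|documents|appdata\\(local|roaming))\\"
    r"|\\temp\\",
    re.IGNORECASE,
)
SCRIPT_EXT = re.compile(r"\.jse?\b", re.IGNORECASE)
ENCODED_FLAG = re.compile(r"\s-(e|ec|enc|encodedcommand)\s", re.IGNORECASE)


@dataclass
class ProcEvent:
    """Subset of a Sysmon Event ID 1 (process creation) record."""
    image: str
    command_line: str
    parent_image: str
    parent_command_line: str = ""


def _name(path: str) -> str:
    return ntpath.basename(path).lower()


def rule_wsh_js_from_user_dir(ev: ProcEvent) -> bool:
    """R1: wscript/cscript running a .js/.jse under a user-writable folder."""
    return (
        _name(ev.image) in WSH_HOSTS
        and SCRIPT_EXT.search(ev.command_line) is not None
        and USER_WRITABLE.search(ev.command_line) is not None
    )


def rule_wsh_spawns_powershell(ev: ProcEvent) -> bool:
    """R2: powershell.exe whose parent is a WSH interpreter. Legitimate admin
    scripts rarely do this; the loader's later stages always do."""
    return _name(ev.image) == "powershell.exe" and _name(ev.parent_image) in WSH_HOSTS


def severity(ev: ProcEvent) -> str:
    """High when PowerShell is launched with an encoded command or when the
    script involved already lives under AppData (the persisted stage)."""
    haystack = f"{ev.command_line} {ev.parent_command_line}".lower()
    if ENCODED_FLAG.search(ev.command_line + " ") or "\\appdata\\" in haystack:
        return "high"
    return "medium"


RULES = {
    "wsh_js_from_user_dir": rule_wsh_js_from_user_dir,
    "wsh_spawns_powershell": rule_wsh_spawns_powershell,
}


def scan(events):
    """Return (event_index, rule_name, severity) for every rule that fires."""
    hits = []
    for i, ev in enumerate(events):
        for name, fn in RULES.items():
            if fn(ev):
                hits.append((i, name, severity(ev)))
    return hits


# Constructed sample telemetry (not real captures). "Qzxv" stands in for the
# random folder name; the -e argument is base64 of the word PAYLOAD.
SAMPLE_EVENTS = [
    ProcEvent(
        image=r"C:\Windows\System32\wscript.exe",
        command_line=r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\independent_contractor_agreement_template (64321).js"',
        parent_image=r"C:\Windows\explorer.exe",
    ),
    ProcEvent(
        image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        command_line="powershell.exe -w hidden -ep bypass -e UEFZTE9BRA==",
        parent_image=r"C:\Windows\System32\wscript.exe",
        parent_command_line=r'wscript.exe "C:\Users\alice\AppData\Roaming\Qzxv\Qzxv.js"',
    ),
    ProcEvent(  # benign: system script from a system directory
        image=r"C:\Windows\System32\cscript.exe",
        command_line=r"cscript.exe //nologo C:\Windows\System32\slmgr.vbs /dli",
        parent_image=r"C:\Windows\System32\cmd.exe",
    ),
    ProcEvent(  # benign: interactive PowerShell started from Explorer
        image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        command_line="powershell.exe",
        parent_image=r"C:\Windows\explorer.exe",
    ),
]

if __name__ == "__main__":
    for idx, rule, sev in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule} [{sev}] :: {SAMPLE_EVENTS[idx].command_line}")
```

R1 keys on the script's location rather than its name because the file name is whatever legal-sounding query the victim searched for; R2 keys on the parent-child pair alone because the PowerShell command line itself is what the loader keeps stable across campaigns, so it is better matched by a separate, regularly refreshed signature than hard-coded here.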
● FAQ
What is GootLoader?
A long-running JavaScript-based initial-access loader operated by UNC2565, delivered via SEO-poisoned legal/contract template downloads and used to stage REvil, Cobalt Strike, IcedID, and ransomware affiliates' tooling. It belongs to the malware category of cybersecurity.
How does GootLoader work?
In four steps: (1) operators compromise WordPress sites and plant SEO-poisoned pages for niche legal-document searches; (2) the victim downloads a ZIP containing a JavaScript file named after the query and double-clicks it, so Windows Script Host runs it; (3) the script establishes persistence under the user's AppData folder and launches obfuscated .NET and PowerShell stages; (4) those stages fetch the follow-on payload, historically REvil, Cobalt Strike, IcedID, BlackCat, or other ransomware affiliates' tooling. See the full description above.
How do you defend against GootLoader?
Combine technical controls with operational practice: filter web traffic to newly registered or low-reputation domains that host SEO-poisoned content, prevent Windows Script Host from running `.js` files out of user-writable folders (or re-associate `.js` with a text editor), and alert in EDR on wscript.exe spawning powershell.exe and on the loader's stable PowerShell command lines. See the full description above.
What other names does GootLoader go by?
Common aliases include GootKit Loader. UNC2565 is Mandiant's designation for the operators behind it rather than a name for the loader itself.
● Related terms
- malware
Loader
Malware that prepares for the next stage of an attack and loads and executes follow-on payloads, often directly in memory.
- defense-ops
Initial Access Broker (IAB)
A cybercrime specialist who obtains unauthorised access to corporate networks and sells it to other criminals, especially ransomware affiliates.
- malware
Ransomware-as-a-Service (RaaS)
A criminal business model in which ransomware operators lease their malware and infrastructure to affiliates who carry out the attacks, splitting the proceeds.
- defense-ops
Cobalt Strike
A commercial adversary-emulation platform widely used in red-team operations and frequently abused by attackers for post-exploitation and command and control.
- malware
IcedID / BokBot
A modular banking trojan and loader first seen in 2017 that later became a principal precursor for ransomware deployment by groups such as Conti and Quantum.
- attacks
Drive-by download
An attack in which merely visiting a compromised or malicious website silently installs malware on the device.