
GootLoader malware activity with WOFF2 font filename obfuscation

Malware Activity
Happening score: 39
1 unique source, 1 article

Summary


The GootLoader loader has resurfaced with a new WOFF2 font-based filename obfuscation trick that hides payload names and helps it evade analysis. Huntress observed three infections since October 27, 2025, and two progressed to hands-on-keyboard intrusions with domain controller compromise within 17 hours. The malware still uses WordPress comment endpoints and XOR-encrypted ZIP payloads to deliver code, while the follow-on Supper backdoor adds remote control, SOCKS5 proxying, and lateral-movement capability.

Related Happenings

TCLBANKER banking trojan activity targeting 59 financial platforms

Malware Activity
First: 08.05.2026 21:12 Last: 08.05.2026 21:12 Sources 1

About this happening: **TCLBANKER** is a newly documented **Brazilian banking trojan** that can hit **59 banking, fintech, and cryptocurrency platforms**, increasing the risk of credential theft and re...

ClickFix MacSync social-engineering campaign targeting macOS users

Campaign
First: 16.03.2026 13:41 Last: 16.03.2026 13:41 Sources 1

About this happening: A **ClickFix** campaign is using **fake Cloudflare CAPTCHA verification challenges**, **embedded video tutorials**, and **automatic OS detection** to trick victims into pasting an...

LummaStealer infection surge via CastleLoader

Malware Activity
First: 11.02.2026 19:02 Last: 11.02.2026 19:02 Sources 1

About this happening: The **LummaStealer** infostealer operation now includes a **widespread ClickFix campaign** observed in **February 2026** that abuses **Windows Terminal (wt.exe)** instead of the R...

Latest development: 06.03.2026 08:44

Microsoft disclosed a widespread ClickFix social-engineering campaign that uses Windows Terminal (wt.exe) instead of the Windows Run dialog to trick users into launching malicious commands, then chains through Terminal, PowerShell, cmd.exe, and MSBuild.exe to download payloads, set persistence via scheduled tasks, configure Microsoft Defender exclusions, and inject Lumma Stealer into chrome.exe and msedge.exe with QueueUserAPC().

CoolClient backdoor variant adds browser login theft and clipboard monitoring

Malware Activity
First: 28.01.2026 00:26 Last: 28.01.2026 00:26 Sources 1

About this happening: The **CoolClient backdoor** used by **Mustang Panda** has been updated in a new variant that steals **browser login data** and monitors the **clipboard**, adding **active window t...

PDFSider malware deployed for stealthy Windows backdoor access

Malware Activity
First: 19.01.2026 23:00 Last: 19.01.2026 23:00 Sources 1

About this happening: The **PDFSider** malware is being used to deliver payloads on **Windows systems**, giving attackers a stealthy backdoor for **long-term covert access** and raising the risk of ran...

Timeline

  1. 11.11.2025 17:44 2 articles · 6mo ago

    Huntress reports renewed GootLoader activity with WOFF2 filename obfuscation

    Initial Disclosure

    Huntress reports renewed GootLoader activity, observing three infections since October 27, 2025; two progressed to hands-on-keyboard intrusions with domain controller compromise within 17 hours of initial infection. The loader uses custom WOFF2 fonts with glyph substitution to obfuscate filenames, exploits WordPress comment endpoints to deliver XOR-encrypted ZIP payloads with unique keys per file, and uses a ZIP evasion trick that shows a harmless-looking .TXT file in VirusTotal, Python's ZIP utilities, or 7-Zip while extracting a JavaScript payload in Windows File Explorer. The JavaScript payload can deploy Supper for remote control, SOCKS5 proxying, and WinRM-based lateral movement to a Domain Controller.
