GootLoader malware activity with WOFF2 font filename obfuscation
Malware Activity
Summary
Hide ▲
Show ▼
The GootLoader loader has resurfaced with a new WOFF2 font-based filename obfuscation trick that hides payload names and helps it evade analysis. Huntress observed three infections since October 27, 2025, and two progressed to hands-on-keyboard intrusions with domain controller compromise within 17 hours. The malware still uses WordPress comment endpoints and XOR-encrypted ZIP payloads to deliver code, while the follow-on Supper backdoor adds remote control, SOCKS5 proxying, and lateral-movement capability.
Related Happenings
GodDamn ransomware PoisonX BYOVD activity
Malware Activity
H score15
First: 09.07.2026 13:43
Last: 09.07.2026 13:43
Sources 1
About this happening:
The **GodDamn** ransomware family is using the **PoisonX** kernel driver to disable endpoint defenses during attacks, increasing the risk of **credential theft**, **lateral moveme...
GodDamn ransomware PoisonX BYOVD activity
Malware ActivityAbout this happening: The **GodDamn** ransomware family is using the **PoisonX** kernel driver to disable endpoint defenses during attacks, increasing the risk of **credential theft**, **lateral moveme...
WordPress malware hides C2 data in Steam Community comments
Malware Activity
H score16
First: 01.06.2026 20:04
Last: 01.06.2026 20:04
Sources 1
About this happening:
A **WordPress malware** operation has been uncovered on **approximately 1,980 websites**, raising the risk of hidden **command-and-control (C2)** traffic and persistent page injec...
WordPress malware hides C2 data in Steam Community comments
Malware ActivityAbout this happening: A **WordPress malware** operation has been uncovered on **approximately 1,980 websites**, raising the risk of hidden **command-and-control (C2)** traffic and persistent page injec...
TCLBANKER banking trojan activity targeting 59 financial platforms
Malware Activity
H score20
First: 08.05.2026 21:12
Last: 08.05.2026 21:12
Sources 1
About this happening:
**TCLBANKER** is a newly documented **Brazilian banking trojan** that can hit **59 banking, fintech, and cryptocurrency platforms**, increasing the risk of credential theft and re...
TCLBANKER banking trojan activity targeting 59 financial platforms
Malware ActivityAbout this happening: **TCLBANKER** is a newly documented **Brazilian banking trojan** that can hit **59 banking, fintech, and cryptocurrency platforms**, increasing the risk of credential theft and re...
ClickFix MacSync social-engineering campaign targeting macOS users
Campaign
H score38
First: 16.03.2026 13:41
Last: 16.03.2026 13:41
Sources 1
About this happening:
A **ClickFix** campaign is using **fake Cloudflare CAPTCHA verification challenges**, **embedded video tutorials**, and **automatic OS detection** to trick victims into pasting an...
ClickFix MacSync social-engineering campaign targeting macOS users
CampaignAbout this happening: A **ClickFix** campaign is using **fake Cloudflare CAPTCHA verification challenges**, **embedded video tutorials**, and **automatic OS detection** to trick victims into pasting an...
LummaStealer infection surge via CastleLoader
Malware Activity
H score30
First: 11.02.2026 19:02
Last: 11.02.2026 19:02
Sources 1
About this happening:
The **LummaStealer** infostealer operation now includes a **widespread ClickFix campaign** observed in **February 2026** that abuses **Windows Terminal (wt.exe)** instead of the R...
LummaStealer infection surge via CastleLoader
Malware ActivityAbout this happening: The **LummaStealer** infostealer operation now includes a **widespread ClickFix campaign** observed in **February 2026** that abuses **Windows Terminal (wt.exe)** instead of the R...
Latest development: 06.03.2026 08:44
Microsoft disclosed a widespread ClickFix social-engineering campaign that uses Windows Terminal (wt.exe) instead of the Windows Run dialog to trick users into launching malicious commands, then chains through Terminal, PowerShell, cmd.exe, and MSBuild.exe to download payloads, set persistence via scheduled tasks, configure Microsoft Defender exclusions, and inject Lumma Stealer into chrome.exe and msedge.exe with QueueUserAPC().
Timeline
-
11.11.2025 17:44 2 articles · 8mo ago
Huntress reports renewed GootLoader activity with WOFF2 filename obfuscation
Initial DisclosureHuntress reports renewed GootLoader activity, observing three infections since October 27, 2025; two progressed to hands-on-keyboard intrusions with domain controller compromise within 17 hours of initial infection. The loader uses custom WOFF2 fonts with glyph substitution to obfuscate filenames, exploits WordPress comment endpoints to deliver XOR-encrypted ZIP payloads with unique keys per file, and uses a ZIP evasion trick that shows a harmless-looking .TXT file in VirusTotal, Python's ZIP utilities, or 7-Zip while extracting a JavaScript payload in Windows File Explorer. The JavaScript payload can deploy Supper for remote control, SOCKS5 proxying, and WinRM-based lateral movement to a Domain Controller.
Show sources
- GootLoader Is Back, Using a New Font Trick to Hide Malware on WordPress Sites — thehackernews.com — 11.11.2025 17:44
- GootLoader Is Back, Using a New Font Trick to Hide Malware on WordPress Sites — thehackernews.com — 11.11.2025 17:44