Find notable cyber news and cases, enriched with sources, timelines, and signals.

GootLoader malware activity with WOFF2 font filename obfuscation

Malware Activity
First reported
Last updated
Happening score
H score 31
1 unique sources, 1 articles

Summary

Hide ▲

The GootLoader loader has resurfaced with a new WOFF2 font-based filename obfuscation trick that hides payload names and helps it evade analysis. Huntress observed three infections since October 27, 2025, and two progressed to hands-on-keyboard intrusions with domain controller compromise within 17 hours. The malware still uses WordPress comment endpoints and XOR-encrypted ZIP payloads to deliver code, while the follow-on Supper backdoor adds remote control, SOCKS5 proxying, and lateral-movement capability.

Related Happenings

GodDamn ransomware PoisonX BYOVD activity

Malware Activity
H score15 First: 09.07.2026 13:43 Last: 09.07.2026 13:43 Sources 1

About this happening: The **GodDamn** ransomware family is using the **PoisonX** kernel driver to disable endpoint defenses during attacks, increasing the risk of **credential theft**, **lateral moveme...

WordPress malware hides C2 data in Steam Community comments

Malware Activity
H score16 First: 01.06.2026 20:04 Last: 01.06.2026 20:04 Sources 1

About this happening: A **WordPress malware** operation has been uncovered on **approximately 1,980 websites**, raising the risk of hidden **command-and-control (C2)** traffic and persistent page injec...

TCLBANKER banking trojan activity targeting 59 financial platforms

Malware Activity
H score20 First: 08.05.2026 21:12 Last: 08.05.2026 21:12 Sources 1

About this happening: **TCLBANKER** is a newly documented **Brazilian banking trojan** that can hit **59 banking, fintech, and cryptocurrency platforms**, increasing the risk of credential theft and re...

ClickFix MacSync social-engineering campaign targeting macOS users

Campaign
H score38 First: 16.03.2026 13:41 Last: 16.03.2026 13:41 Sources 1

About this happening: A **ClickFix** campaign is using **fake Cloudflare CAPTCHA verification challenges**, **embedded video tutorials**, and **automatic OS detection** to trick victims into pasting an...

LummaStealer infection surge via CastleLoader

Malware Activity
H score30 First: 11.02.2026 19:02 Last: 11.02.2026 19:02 Sources 1

About this happening: The **LummaStealer** infostealer operation now includes a **widespread ClickFix campaign** observed in **February 2026** that abuses **Windows Terminal (wt.exe)** instead of the R...

Latest development: 06.03.2026 08:44

Microsoft disclosed a widespread ClickFix social-engineering campaign that uses Windows Terminal (wt.exe) instead of the Windows Run dialog to trick users into launching malicious commands, then chains through Terminal, PowerShell, cmd.exe, and MSBuild.exe to download payloads, set persistence via scheduled tasks, configure Microsoft Defender exclusions, and inject Lumma Stealer into chrome.exe and msedge.exe with QueueUserAPC().

Timeline

  1. 11.11.2025 17:44 2 articles · 8mo ago

    Huntress reports renewed GootLoader activity with WOFF2 filename obfuscation

    Initial Disclosure

    Huntress reports renewed GootLoader activity, observing three infections since October 27, 2025; two progressed to hands-on-keyboard intrusions with domain controller compromise within 17 hours of initial infection. The loader uses custom WOFF2 fonts with glyph substitution to obfuscate filenames, exploits WordPress comment endpoints to deliver XOR-encrypted ZIP payloads with unique keys per file, and uses a ZIP evasion trick that shows a harmless-looking .TXT file in VirusTotal, Python's ZIP utilities, or 7-Zip while extracting a JavaScript payload in Windows File Explorer. The JavaScript payload can deploy Supper for remote control, SOCKS5 proxying, and WinRM-based lateral movement to a Domain Controller.

    Show sources