GootLoader Resurfaces with New Font Obfuscation and ZIP Evasion Tactics
Summary
GootLoader, a JavaScript-based malware loader, has resurfaced with new tactics to evade detection. The malware now uses custom WOFF2 fonts to obfuscate filenames and modifies ZIP files to appear harmless in analysis tools. Since October 27, 2025, three infections have been observed, two of which led to domain controller compromises within 17 hours. GootLoader, linked to the Hive0127 threat actor, exploits WordPress comment endpoints to deliver XOR-encrypted ZIP payloads. The malware's latest campaign targets users searching for legal templates, redirecting them to compromised WordPress sites hosting malicious ZIP archives. The ZIP files are designed to evade static analysis by displaying harmless text in analysis tools while extracting malicious JavaScript files on Windows. The payload deploys the Supper backdoor, which provides remote control and SOCKS5 proxying capabilities. Threat actors have used this backdoor to move laterally to domain controllers and create admin-level user accounts.
Timeline
- 11.11.2025 17:44 · 1 article
GootLoader Resurfaces with New Font Obfuscation and ZIP Evasion Tactics
GootLoader has resurfaced with new tactics, including the use of custom WOFF2 fonts to obfuscate filenames and modified ZIP files to evade detection. The malware exploits WordPress comment endpoints to deliver XOR-encrypted ZIP payloads. The latest campaign targets users searching for legal templates, redirecting them to compromised WordPress sites hosting malicious ZIP archives. The ZIP files are designed to evade static analysis by displaying harmless text in analysis tools while extracting malicious JavaScript files on Windows. The payload deploys the Supper backdoor, which provides remote control and SOCKS5 proxying capabilities. Threat actors have used this backdoor to move laterally to domain controllers and create admin-level user accounts.
Sources:
- GootLoader Is Back, Using a New Font Trick to Hide Malware on WordPress Sites — thehackernews.com — 11.11.2025 17:44
Information Snippets
- GootLoader has resurfaced with new tactics, including custom WOFF2 fonts to obfuscate filenames and modified ZIP files to evade detection.
  First reported: 11.11.2025 17:44 (1 source, 1 article)
  - GootLoader Is Back, Using a New Font Trick to Hide Malware on WordPress Sites — thehackernews.com — 11.11.2025 17:44
- Three GootLoader infections were observed since October 27, 2025, with two leading to domain controller compromises within 17 hours.
  First reported: 11.11.2025 17:44 (1 source, 1 article)
  - GootLoader Is Back, Using a New Font Trick to Hide Malware on WordPress Sites — thehackernews.com — 11.11.2025 17:44
- GootLoader exploits WordPress comment endpoints to deliver XOR-encrypted ZIP payloads with unique keys per file.
  First reported: 11.11.2025 17:44 (1 source, 1 article)
  - GootLoader Is Back, Using a New Font Trick to Hide Malware on WordPress Sites — thehackernews.com — 11.11.2025 17:44
- The malware targets users searching for legal templates, redirecting them to compromised WordPress sites hosting malicious ZIP archives.
  First reported: 11.11.2025 17:44 (1 source, 1 article)
  - GootLoader Is Back, Using a New Font Trick to Hide Malware on WordPress Sites — thehackernews.com — 11.11.2025 17:44
- The ZIP files display harmless text in analysis tools but extract malicious JavaScript files on Windows.
  First reported: 11.11.2025 17:44 (1 source, 1 article)
  - GootLoader Is Back, Using a New Font Trick to Hide Malware on WordPress Sites — thehackernews.com — 11.11.2025 17:44
- The payload deploys the Supper backdoor, which provides remote control and SOCKS5 proxying capabilities.
  First reported: 11.11.2025 17:44 (1 source, 1 article)
  - GootLoader Is Back, Using a New Font Trick to Hide Malware on WordPress Sites — thehackernews.com — 11.11.2025 17:44
- Threat actors have used the Supper backdoor to move laterally to domain controllers and create admin-level user accounts.
  First reported: 11.11.2025 17:44 (1 source, 1 article)
  - GootLoader Is Back, Using a New Font Trick to Hide Malware on WordPress Sites — thehackernews.com — 11.11.2025 17:44