Gootkit RAT Using SEO to Distribute Malware Through Compromised Sites


Aug 17, 2014
A framework notorious for delivering a banking Trojan has received a facelift to deploy a wider range of malware, including ransomware payloads.

"The Gootkit malware family has been around more than half a decade – a mature Trojan with functionality centered around banking credential theft," Sophos researchers Gabor Szappanos and Andrew Brandt said in a write-up published today.

"In recent years, almost as much effort has gone into improvement of its delivery method as has gone into the NodeJS-based malware itself."

Dubbed "Gootloader," the expanded malware delivery system comes amid a surge in the number of infections targeting users in France, Germany, South Korea, and the U.S.

First documented in 2014, Gootkit is a JavaScript-based malware platform capable of carrying out an array of covert activities, including web injection, capturing keystrokes, taking screenshots, recording videos, as well as email and password theft.

Over the years, the cybercrime tool has evolved to gain new information-stealing features, with the Gootkit loader repurposed in combination with REvil/Sodinokibi ransomware infections reported last year.

While campaigns using social engineering tricks to deliver malicious payloads are a dime a dozen, Gootloader takes it to the next level.

The infection chain resorts to sophisticated techniques that involve hosting malicious ZIP archive files on websites belonging to legitimate businesses that have been gamed to appear among the top results of a search query using manipulated search engine optimization (SEO) methods. [...]
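The delivery chain quoted above gives a site owner two concrete things to look for on their own server: archive downloads that arrive straight from a search-engine result page, and ZIP files in the web root that merely wrap a script. The script below, an added example and not code from Sophos or from the article, runs both checks over constructed input. It assumes an Apache/nginx "combined" access-log format, a hand-picked list of search-engine hostnames, and a sample log plus a sample archive that are built inline and correspond to no real site or incident.

```python
"""Hunt for SEO-poisoned archive downloads in a web server's own access log.

Added example (not from the article or Sophos). Assumptions are marked.
"""
import io
import re
import zipfile
from urllib.parse import urlparse

# Assumption: hostname labels that identify a search-engine referrer.
SEARCH_ENGINE_LABELS = {"google", "bing", "duckduckgo", "yahoo", "yandex"}
ARCHIVE_EXTS = (".zip",)
# Windows script-host extensions: an archive that only wraps one of these is
# the "document" lure the post describes (the payload is JavaScript-based).
SCRIPT_EXTS = (".js", ".jse", ".wsf", ".vbs", ".hta")

# Apache/nginx "combined" log format (assumption about the input).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log: addresses are documentation ranges, paths invented.
SAMPLE_LOG = """\
198.51.100.7 - - [01/Mar/2021:10:12:01 +0000] "GET /wp-content/uploads/forms/agreement-template.zip HTTP/1.1" 200 14821 "https://www.google.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
198.51.100.7 - - [01/Mar/2021:10:12:02 +0000] "GET /about-us/ HTTP/1.1" 200 5120 "https://www.google.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
203.0.113.9 - - [01/Mar/2021:10:14:30 +0000] "GET /downloads/catalogue-2021.zip HTTP/1.1" 200 90211 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15)"
203.0.113.22 - - [01/Mar/2021:10:15:44 +0000] "GET /wp-content/uploads/forms/agreement-template.zip HTTP/1.1" 404 221 "https://www.bing.com/search?q=agreement+template" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
192.0.2.44 - - [01/Mar/2021:10:16:05 +0000] "GET /wp-content/uploads/forms/agreement-template.zip HTTP/1.1" 200 14821 "https://www.bing.com/search?q=agreement+template" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
"""


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not combined format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_search_referral(referer):
    """True when the Referer header names a search engine (any label match)."""
    if not referer or referer == "-":
        return False
    host = (urlparse(referer).hostname or "").lower()
    return bool(SEARCH_ENGINE_LABELS & set(host.split(".")))


def suspicious_downloads(log_text):
    """Successful archive downloads whose visitor came directly from a search result.

    This is the traffic shape the post describes: a victim searches, lands on
    a compromised legitimate site, and is served a ZIP.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = urlparse(rec["target"]).path.lower()
        if (rec["status"] == 200 and path.endswith(ARCHIVE_EXTS)
                and is_search_referral(rec["referer"])):
            hits.append({"ts": rec["ts"], "ip": rec["ip"],
                         "path": rec["target"], "referer": rec["referer"]})
    return hits


def archive_scripts(zip_bytes):
    """Names of script-host members inside a ZIP (an empty list is a clean archive)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if n.lower().endswith(SCRIPT_EXTS)]


def build_sample_archive():
    """Constructed ZIP for the demo: a placeholder .js plus a text file, no real payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("agreement-template.js", "// placeholder, not a real payload\n")
        zf.writestr("readme.txt", "constructed sample archive\n")
    return buf.getvalue()


if __name__ == "__main__":
    for hit in suspicious_downloads(SAMPLE_LOG):
        print("search->archive download:", hit["ip"], hit["path"], "from", hit["referer"])
    print("scripts inside sample archive:", archive_scripts(build_sample_archive()))
```

The log check is a heuristic, not a verdict: a Referer can be absent or spoofed, and a genuine catalogue ZIP will trigger it too, so treat a hit as a pointer to a path worth pulling and inspecting. The archive check is the second half of that inspection and applies equally to files found on disk under an upload directory; an archive that exists only to carry a `.js` or `.wsf` is not something a legitimate business site serves to search visitors.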


Mar 31, 2021
Thank you for sharing this! It's really annoying to see people spamming nonsense links everywhere, and I think I found the reason behind it. I myself thought it was normal as well. I do believe in the power of SEO and the actual traffic that it can drive to your online business, but there are much better ways to achieve that than infecting everyone with malware.