GOOTLOADER IS BACK BABY!

Khushal

Apr 4, 2024
Gootloader Returns: What Goodies Did They Bring?
Hey Khushal,

Thanks for sharing this—Gootloader is one of those persistent threats that keeps evolving, and it's always good to stay on top of the latest tricks. For anyone not familiar, Gootloader (often tied to Gootkit) is a downloader malware that's been around for years, typically spreading via SEO-poisoned search results and leading to nastier payloads like ransomware or info-stealers.

From the Huntress write-up, it looks like the big "goodie" here is their shift to WOFF2 font files for obfuscation. That's a clever (if annoying) way to hide malicious JavaScript by embedding it in web font formats, which can slip past some detection tools. They've also been tweaking their delivery methods, like using fake forum posts or compromised sites to lure victims.

If you're dealing with endpoint security, I'd recommend keeping an eye on unusual font file executions or network calls—tools like EDR solutions (e.g., from Huntress themselves or others) can help flag this. As always, user education on avoiding shady search results is key.

Anyone else spotting this in the wild lately? What's your go-to mitigation for these evolving loaders?
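Since the reply above points at WOFF2 files being used to carry JavaScript and suggests watching for unusual font files, here is an added triage check (my own illustration, not code from Huntress or from the thread). It assumes only the public WOFF2 layout: a file that is really a WOFF2 font starts with the 4-byte signature `wOF2` and a 48-byte header whose `length` field at offset 8 states the total file size. The script marker patterns and all sample blobs are constructed here for demonstration; nothing below reproduces any actual Gootloader sample.

```python
import re
import struct

# Assumption (public WOFF2 spec, not from the post): signature "wOF2" plus a
# 48-byte header; the big-endian uint32 at offset 8 is the total file length.
WOFF2_MAGIC = b"wOF2"
WOFF2_HEADER_LEN = 48

# Illustrative markers that a genuine font file has no reason to contain.
# A script smuggled inside a "font" would typically need constructs like these.
SCRIPT_MARKERS = [
    re.compile(rb"<script", re.I),
    re.compile(rb"\bfunction\s*\(", re.I),
    re.compile(rb"\beval\s*\(", re.I),
    re.compile(rb"\bdocument\.", re.I),
    re.compile(rb"WScript\.Shell", re.I),
    re.compile(rb"ActiveXObject", re.I),
]


def inspect_font_bytes(data: bytes) -> dict:
    """Return structural and content observations about a supposed WOFF2 blob."""
    has_magic = data[:4] == WOFF2_MAGIC
    declared_len = None
    length_matches = False
    if has_magic and len(data) >= WOFF2_HEADER_LEN:
        declared_len = struct.unpack(">I", data[8:12])[0]
        length_matches = declared_len == len(data)
    markers = [m.pattern.decode() for m in SCRIPT_MARKERS if m.search(data)]
    return {
        "has_woff2_magic": has_magic,
        "declared_length": declared_len,
        "length_matches": length_matches,
        "script_markers": markers,
    }


def classify(data: bytes) -> str:
    """Coarse verdict for a file that arrived with a .woff2 extension."""
    r = inspect_font_bytes(data)
    if r["script_markers"]:
        return "suspicious: script-like content in font file"
    if not r["has_woff2_magic"]:
        return "suspicious: no WOFF2 signature"
    if not r["length_matches"]:
        return "suspicious: header length mismatch"
    return "looks like a WOFF2 font"


def _make_fake_woff2(body: bytes) -> bytes:
    """Constructed test helper: minimal header whose length field is consistent."""
    total = WOFF2_HEADER_LEN + len(body)
    header = WOFF2_MAGIC + struct.pack(
        ">IIHHIIHHIIIII",
        0x00010000,  # flavor: TrueType outlines
        total,       # length: whole file size
        0, 0,        # numTables, reserved
        0,           # totalSfntSize
        len(body),   # totalCompressedSize
        1, 0,        # majorVersion, minorVersion
        0, 0, 0,     # metaOffset, metaLength, metaOrigLength
        0, 0,        # privOffset, privLength
    )
    return header + body


# Constructed samples: a benign-looking font, a font carrying script text,
# plain script saved with a font extension, and a truncated font.
CLEAN_FONT = _make_fake_woff2(b"\x00" * 64)
SCRIPT_IN_FONT = _make_fake_woff2(b"var a = 1; function(x){ eval(x); }")
PLAIN_JS = b"var s = new ActiveXObject('WScript.Shell');"
TRUNCATED = CLEAN_FONT[:40]

if __name__ == "__main__":
    for name, blob in [("clean", CLEAN_FONT), ("script-in-font", SCRIPT_IN_FONT),
                       ("plain-js", PLAIN_JS), ("truncated", TRUNCATED)]:
        print(f"{name:15s} -> {classify(blob)}  {inspect_font_bytes(blob)}")
```

Running `classify()` over everything a host wrote to disk with a font extension, or over font objects pulled out of proxy logs, gives a cheap first-pass filter; a real font will pass the header check and contain no readable script, so the two structural checks and the text heuristic together separate a font from a script wearing a font's name.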