- Gootloader malware re-emerged in late October 2025 after a nine-month hiatus, used to stage ransomware attacks
- Delivered via malicious JavaScript hidden in custom web fonts, enabling stealthy remote access and reconnaissance
- Affiliated with Storm-0494 and the Vice Society; attackers reached domain controllers in under an hour in some cases
After a nine-month sabbatical, the malware known as Gootloader is truly back, possibly being used as a springboard for ransomware infections.
A report by cybersecurity researchers Huntress observed “multiple infections” from October 27 into early November 2025. Before then, the last time Gootloader was seen was in March 2025.
In the new campaign, Gootloader was most likely exploited by a group known as Storm-0494, as well as its downstream operator, Vanilla Tempest (also known as Vice Society), a ransomware group first observed in mid-2021 primarily targeting the education and healthcare sectors, with occasional forays into manufacturing.
Hide malware in custom fonts
Gootloader was used to deliver malicious JavaScript from compromised websites, the researchers explained. The script installs tools that give attackers remote access to the company’s Windows machines and enables follow-up actions, such as account takeover or deployment of ransomware.
Gootloader hid malicious file names and download instructions inside a custom web font (WOFF2), so the page looked normal in a browser while the raw HTML contained only meaningless text. When a victim opened the compromised page, the browser used the font's glyph mapping to render the obfuscated characters as readable ones, so the correct download link and file name only appeared once the page was rendered.
The aim of the campaign is to gain reliable initial access, quickly map and control target networks, and then hand over access to ransomware operators. The entire process is done as quickly as possible, mostly through automated reconnaissance and remote management tools that help identify high-value targets, create privileged accounts, and prepare ransomware.
In some cases, Huntress added, the attackers reached domain controllers within hours. Initial automated reconnaissance often begins within 10-20 minutes of the malicious JavaScript running, and in several cases operators gained domain controller access in as little as 17 hours. In at least one environment, they reached a domain controller in under an hour.
To defend against Gootloader, Huntress advises watching for early signs such as unexpected downloads from web browsers, unknown shortcuts in startup locations, sudden PowerShell or script activity coming from the browser, and unusual outbound proxy-like connections.
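As an added illustration (not code from Huntress or the article) of two of those early signs, the following Python turns them into a small triage filter over constructed endpoint telemetry: script hosts or PowerShell whose process ancestry leads back to a browser, and new shortcut files dropped into a Startup folder. The event shape, process names and sample paths are assumptions chosen for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Image names treated as browsers and as script/PowerShell hosts (assumed lists).
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
STARTUP_DIR = "\\start menu\\programs\\startup\\"  # per-user and all-users Startup folders

@dataclass
class Proc:
    pid: int
    ppid: int
    image: str        # full path of the started executable
    cmdline: str = ""

def base(path: str) -> str:
    """Lower-cased file name portion of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def browser_ancestor(p: Proc, procs: Dict[int, Proc], depth: int = 3) -> Optional[str]:
    """Walk up to `depth` parents; return the browser image name if one is found."""
    cur = p
    for _ in range(depth):
        parent = procs.get(cur.ppid)
        if parent is None:
            return None
        if base(parent.image) in BROWSERS:
            return base(parent.image)
        cur = parent
    return None

def flag_processes(procs: List[Proc]) -> List[str]:
    """Report script hosts/PowerShell that descend from a browser (browser -> wscript -> powershell chains included)."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        if base(p.image) in SCRIPT_HOSTS:
            b = browser_ancestor(p, by_pid)
            if b:
                hits.append(f"pid {p.pid}: {base(p.image)} descended from {b}")
    return hits

def flag_startup_shortcuts(paths: List[str]) -> List[str]:
    """Report newly created .lnk files inside a Startup folder."""
    return [p for p in paths if STARTUP_DIR in p.lower() and p.lower().endswith(".lnk")]

# Constructed sample telemetry, not real logs: a browser launching wscript, which launches PowerShell.
PROCS = [
    Proc(100, 1, r"C:\Program Files\Google\Chrome\Application\chrome.exe"),
    Proc(200, 100, r"C:\Windows\System32\wscript.exe", r'wscript.exe "C:\Users\u\Downloads\agreement.js"'),
    Proc(300, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe -w hidden"),
    Proc(400, 1, r"C:\Windows\explorer.exe"),
    Proc(500, 400, r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]
FILES = [
    r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk",
    r"C:\Users\u\Desktop\report.lnk",
    r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\notes.txt",
]
```

Running `flag_processes(PROCS)` flags both the wscript and the PowerShell process, because the ancestry walk looks past the intermediate script host to the browser; `flag_startup_shortcuts(FILES)` returns only the Startup-folder `.lnk`.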
Via Hacker News