- Gootloader malware is resurfacing using malvertising and SEO poisoning to spread infections
- Attackers are now obfuscating malware names using deceptive web fonts and glyph swapping
- Loader delivers ransomware, infostealers and Cobalt Strike via compromised search results
The Gootloader malware operation, which was thought to have been disrupted and shut down in March 2025, has returned with both old and new tricks, experts have warned.
Gootloader is known to use malvertising and SEO poisoning to distribute the malware. The criminals either create websites or compromise legitimate ones and modify them to host documents such as NDA templates. They then buy ads on popular ad networks or engage in SEO poisoning, creating countless web articles stuffed with keywords that link back to the sites under their control.
Analysts from Huntress Labs say they have seen hundreds of websites hosting the malware, and note that the combination of these two practices means that when people search for various terms, the malicious websites appear at the top of search engine results instead of the legitimate pages, increasing the chances of compromise.
Obfuscation techniques
The campaign effectively ended in March 2025, after continuous pressure by security researchers on ISPs and hosting platforms resulted in the takedown of the attackers’ infrastructure.
Now, after half a year of hiatus, Gootloader is back and uses the same techniques to deliver the loader, which in turn serves various ransomware, info stealers or Cobalt Strike beacons.
The biggest difference is in new obfuscation techniques, the researchers said. Using JavaScript, the attackers hide the real text shown to the victim, such as the filename of the lure document, behind a special web font whose glyph shapes have been swapped so that each character draws a different, similar-looking symbol. In the HTML source a researcher, or any tool that inspects the raw text, sees gibberish, but once the browser renders the page with that font the symbols appear as normal words.
“Instead of using OpenType replacement functions or character mapping tables, the loader swaps what each glyph actually shows. The font’s metadata appears completely legitimate—the character ‘O’ is mapped to a glyph named ‘O’, the character ‘a’ is mapped to a glyph named ‘a’, and so on,” Huntress said.
“However, the actual vector paths defining these glyphs have been swapped. When the browser requests the shape of the glyph ‘O’, the font provides the vector coordinates that draw the letter ‘F’ instead. Similarly, ‘a’ draws ‘l’, ‘9’ draws ‘o’, and special Unicode characters like ‘±’ draw ‘i’. The ‘Oa9Z±Florisk’ string in the source code renders as ‘Florida risk’ on the screen.”
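The following is an added example, not Gootloader's code or Huntress tooling, that models the trick quoted above and shows the check a practitioner would add to catch it. The font is reduced to two tables: a cmap (character to glyph name) that stays honest, and a glyph table whose outlines have been swapped. Outlines are stood in for by opaque tokens, and glyph names are assumed to equal the characters they map (real fonts use names like “plusminus”); only the four swaps the article quotes (O→F, a→l, 9→o, ±→i) are modelled, everything else is left honest. A real audit would read the cmap and glyf tables with a library such as fontTools and compare outline geometry against a trusted copy of the same font, but the logic is the same: trust the shape, not the name.

```python
"""Model of a glyph-outline swap and an outline-based audit that detects it.

Constructed example: outlines are opaque tokens, glyph names equal the
characters they map, and only the four swaps quoted from Huntress are used.
"""
from dataclasses import dataclass

# Every letter's "outline" in a real font is a set of vector paths. Here a
# token per character stands in for the reference shape (constructed).
ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789± "
REFERENCE_OUTLINES = {ch: f"<path:{ch}>" for ch in ALPHABET}
# Reverse index: outline -> the character that outline really draws.
OUTLINE_TO_CHAR = {path: ch for ch, path in REFERENCE_OUTLINES.items()}


@dataclass
class Font:
    cmap: dict    # character -> glyph name (what the metadata *claims*)
    glyphs: dict  # glyph name -> outline   (what the glyph actually *draws*)


def honest_font() -> Font:
    """A font whose names and outlines agree, like the legitimate original."""
    return Font(cmap={ch: ch for ch in ALPHABET},
                glyphs={ch: REFERENCE_OUTLINES[ch] for ch in ALPHABET})


def swapped_font(swaps: dict) -> Font:
    """Keep cmap and glyph names legitimate; swap only the outlines behind them.

    `swaps` maps a glyph name to the character whose outline it secretly holds,
    e.g. {"O": "F"} makes the glyph named 'O' draw an 'F'.
    """
    font = honest_font()
    for name, really_draws in swaps.items():
        font.glyphs[name] = REFERENCE_OUTLINES[really_draws]
    return font


def identify_outline(outline: str) -> str:
    """Recover which character an outline draws by matching it to the reference
    set (in a real tool this is a geometry comparison against a trusted font)."""
    return OUTLINE_TO_CHAR.get(outline, "?")


def render(font: Font, source: str) -> str:
    """What a reader of the rendered page sees for `source` styled with `font`.

    A text-based scanner only ever sees `source`; the browser walks
    char -> cmap -> glyph -> outline, and the outline is where the lie lives.
    """
    return "".join(identify_outline(font.glyphs[font.cmap[ch]]) for ch in source)


def audit(font: Font) -> dict:
    """Return {glyph_name: character_it_really_draws} for every glyph whose
    outline contradicts its name. Empty dict means the font is consistent."""
    return {name: identify_outline(outline)
            for name, outline in font.glyphs.items()
            if identify_outline(outline) != name}


# The four swaps quoted in the article; all other glyphs stay honest.
GOOTLOADER_SWAPS = {"O": "F", "a": "l", "9": "o", "±": "i"}

if __name__ == "__main__":
    evil = swapped_font(GOOTLOADER_SWAPS)
    # Name-based inspection finds nothing wrong: 'O' maps to a glyph named 'O'.
    print("cmap['O'] ->", evil.cmap["O"])
    # The source text a scanner sees versus what the victim sees on screen.
    print("source 'Oa9±' renders as", render(evil, "Oa9±"))
    # Outline-based audit names the swapped glyphs.
    print("audit:", audit(evil))
```

Run stand-alone, the script shows that `cmap['O']` is still `O`, that the source string `Oa9±` is displayed as `Floi`, and that `audit()` lists exactly the four swapped glyphs while returning nothing for the honest font. The practical takeaway for detection is that any check keyed on glyph names or cmap entries passes a font like this; the comparison has to be made on the outlines themselves, against a known-good copy of the font.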
Via Bleeping Computer