- Gootloader malware resurfaced in late October 2025 after a nine-month hiatus, used to stage ransomware attacks
- Delivered via malicious JavaScript hidden in custom web fonts, enabling stealthy remote access and reconnaissance
- Linked to Storm-0494 and Vice Society; attackers reached domain controllers in under an hour in some cases
After a nine-month sabbatical, the malware known as Gootloader is truly back, possibly being used as a stepping stone towards ransomware infections.
A report from cybersecurity researchers Huntress observed “multiple infections” from October 27 and into early November, 2025. Before that, the last time Gootloader was seen was in March, 2025.
In the new campaign, Gootloader was most likely leveraged by a group known as Storm-0494, as well as its downstream operator, Vanilla Tempest (also known as Vice Society), a ransomware group first observed in mid-2021, primarily targeting the education and healthcare sectors, with occasional excursions into manufacturing.
Hiding malware in custom fonts
Gootloader was used to deliver malicious JavaScript from compromised websites, the researchers explained. The script installs tools that give attackers remote access to corporate Windows machines, and enable follow-on actions, such as account takeover, or ransomware deployment.
Gootloader hid malicious filenames and download instructions inside a custom web font (WOFF2) so the page looked normal in a browser but showed meaningless text in the raw HTML. When a victim opened the compromised page, the browser used the font to swap invisible or scrambled characters for readable ones, revealing the real download link and filename only when rendered.
The purpose of the campaign is to gain reliable initial access, quickly map and control target networks, and then hand the access over to ransomware operators. The entire process is done as fast as possible, mostly through automated reconnaissance and remote-control tools that help identify high-value targets, create privileged accounts, and prepare for ransomware.
In some cases, Huntress added, the attackers reached domain controllers within hours. Initial automated reconnaissance often begins within 10-20 minutes after the malicious JavaScript runs, and in several incidents, operators achieved domain controller access in as little as 17 hours. In at least one environment they reached a domain controller in under one hour.
To defend against Gootloader, Huntress advises watching for early signs such as unexpected downloads from web browsers, unfamiliar shortcuts in startup locations, sudden PowerShell or script activity coming from the browser, and unusual outbound proxy-like connections.
Via The Hacker News
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.