Gootloader malware returns with fake NDA scam – here’s what we know

**Gootloader Malware Campaign: A Resurgence with New Obfuscation Techniques**

Gootloader is notorious for leveraging malvertising and SEO poisoning to distribute malware. Cybercriminals behind this campaign either create websites from scratch or infiltrate legitimate ones, modifying them to host various documents, such as NDA templates. To increase visibility, they purchase ads on popular ad networks or use SEO poisoning by generating numerous web articles packed with keywords that link back to the sites they control.

According to analysts from Huntress Labs, hundreds of websites have been seen hosting the malware. The combination of these tactics ensures that when users search for specific terms, these malicious sites appear at the very top of search engine results—often overtaking legitimate pages. This tactic significantly raises the likelihood of users unknowingly compromising their systems.

### Obfuscation Techniques

The Gootloader campaign was effectively halted in March 2025, following persistent efforts from security researchers who pressured ISPs and hosting platforms to take down the attackers’ infrastructure. However, after a six-month hiatus, Gootloader has made a comeback, employing the same distribution techniques to deploy its loader. This loader then delivers various payloads, such as ransomware, infostealers, or Cobalt Strike beacons.

The most notable change in the new campaign is the introduction of sophisticated obfuscation methods. Researchers revealed that attackers are now using JavaScript combined with a special web font to conceal the real file names of the malware. This font replaces characters with visually similar symbols, making the HTML source look like gibberish, while the rendered webpage displays normal words.

Huntress Labs explained, “Rather than using OpenType substitution features or character mapping tables, the loader swaps what each glyph actually displays. The font’s metadata appears completely legitimate—the character ‘O’ maps to a glyph named ‘O’, the character ‘a’ maps to a glyph named ‘a’, and so forth.”

However, the actual vector paths defining these glyphs have been swapped. For example, when the browser requests the shape for the glyph ‘O’, the font renders the letter ‘F’ instead. Similarly, the glyph for ‘a’ draws ‘l’, ‘9’ draws ‘o’, and special Unicode characters like ‘±’ draw ‘i’. This means a string of gibberish such as “Oa9Z±h•” in the source code is rendered as the word “Florida” on-screen.

This obfuscation complicates analysis and detection: anyone inspecting the HTML source, whether an analyst or an automated scanner matching on strings, sees only gibberish, while the victim's browser renders ordinary words. That gap is what lets the campaign slip past traditional content-based security controls.
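As an added illustration of the analyst's side of this technique (example code, not Huntress Labs' or the article's own): given a trusted copy of the font's glyph outlines, each glyph's vector path in the suspect font can be fingerprinted, matched to the legitimate letter it really draws, and the resulting table used to decode the page source. The outlines below are constructed stand-ins for real 'glyf' table data; the O→F, a→l, 9→o and ±→i pairs come from the article, while Z→r, h→d and •→a are inferred from its "Florida" example.

```python
# Recover text hidden by a glyph-outline-swap font. Outlines here are
# constructed stand-ins; the cmap is identity (char 'O' -> glyph 'O').
import hashlib

def fingerprint(contour):
    # Hash the outline after shifting it to the origin, so a translated copy
    # of the same shape still matches.
    mx, my = min(x for x, _ in contour), min(y for _, y in contour)
    norm = tuple((x - mx, y - my) for x, y in contour)
    return hashlib.sha256(repr(norm).encode()).hexdigest()

# Constructed outlines for a trusted reference font: glyph name -> contour.
REFERENCE_GLYF = {
    "F": ((0, 0), (0, 10), (6, 10), (6, 8), (2, 8), (2, 5), (5, 5), (5, 3), (2, 3), (2, 0)),
    "l": ((0, 0), (0, 10), (2, 10), (2, 0)),
    "o": ((0, 1), (1, 0), (5, 0), (6, 1), (6, 5), (5, 6), (1, 6), (0, 5)),
    "r": ((0, 0), (0, 6), (2, 6), (2, 5), (4, 6), (5, 5), (2, 4), (2, 0)),
    "i": ((0, 0), (0, 6), (2, 6), (2, 0), (0, 8), (2, 8), (2, 10), (0, 10)),
    "d": ((4, 0), (0, 0), (0, 6), (4, 6), (4, 10), (6, 10), (6, 0)),
    "a": ((0, 0), (0, 6), (6, 6), (6, 0), (2, 0), (2, 2), (4, 2), (4, 4), (2, 4)),
    "e": ((0, 0), (0, 6), (6, 6), (6, 3), (2, 3), (2, 2), (6, 2), (6, 0)),
}

# Constructed tampered font: glyph names look legitimate, but the vector paths
# were swapped. O->F, a->l, 9->o, ±->i are from the article; Z->r, h->d, •->a
# are inferred from its "Oa9Z±h•" -> "Florida" example. 'e' is left untouched.
SWAPPED_GLYF = {
    "O": REFERENCE_GLYF["F"], "a": REFERENCE_GLYF["l"], "9": REFERENCE_GLYF["o"],
    "Z": REFERENCE_GLYF["r"], "±": REFERENCE_GLYF["i"], "h": REFERENCE_GLYF["d"],
    "•": REFERENCE_GLYF["a"], "e": REFERENCE_GLYF["e"],
}

def build_decode_table(reference, suspect):
    """Map each suspect glyph name to the reference glyph whose outline it
    really draws. Only glyphs drawing a *different* letter are returned, so
    an empty table means no outline swapping was detected."""
    by_shape = {fingerprint(c): name for name, c in reference.items()}
    table = {}
    for name, contour in suspect.items():
        real = by_shape.get(fingerprint(contour))
        if real is not None and real != name:
            table[name] = real
    return table

def decode(source_text, table):
    # Turn the gibberish in the HTML source into what the browser renders.
    return "".join(table.get(ch, ch) for ch in source_text)

if __name__ == "__main__":
    print(decode("Oa9Z±h•", build_decode_table(REFERENCE_GLYF, SWAPPED_GLYF)))
```

Running the reference font against itself yields an empty table, which is the quick check that a font has not had its outlines swapped.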

https://www.techradar.com/pro/security/gootloader-malware-returns-with-fake-nda-scam-heres-what-we-know