- Gootloader resurfaced in late October 2025 after a nine-month hiatus and appears to be serving as a springboard for ransomware attacks.
- Delivered as malicious JavaScript from compromised websites, with the file name and download link hidden behind a custom web font; the payload gives attackers remote access and enables stealthy reconnaissance.
- Linked to Storm-0494 and Vice Society; in some cases the attackers reached domain controllers in less than an hour.
After a nine-month hiatus, the malware known as Gootloader has returned and appears to be serving as a springboard into ransomware infections.
A report from cybersecurity researchers Huntress noted “multiple infections” from October 27 to early November 2025. Before that, Gootloader was last seen in March 2025.
In the new campaign, Gootloader appears to have been operated by a group tracked as Storm-0494, with the resulting access handed to a downstream operator, Vanilla Tempest (also known as Vice Society), a ransomware group first observed in mid-2021 that primarily targets the education and healthcare sectors, with occasional forays into manufacturing.
Hiding malware in custom fonts
The researchers explained that Gootloader was used to deliver malicious JavaScript from compromised websites. The script installs tools that give attackers remote access to corporate Windows machines and enable follow-up actions such as account takeover or ransomware deployment.
Gootloader hid the malicious file name and download link inside a custom web font (WOFF2). The HTML source contains meaningless characters, but the font maps those characters to glyphs that spell readable text, so the page looks normal in a browser while the raw page text, and anything that scans it without rendering the font, shows gibberish. The actual download link and file name only become visible once the font is rendered.
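To make the substitution trick concrete, here is an added example (not code from Huntress or from the Gootloader campaign) that models a font whose glyph table draws one letter when asked for another, builds a small page that stores its download text through that mapping, and then flags elements styled with a WOFF2 @font-face whose stored text does not look like natural language. The page, the font names "gl" and "brand", their URLs and the letter mapping are all constructed for the demonstration; with a real sample the mapping would be read from the font's cmap table.

```python
import re
from html.parser import HTMLParser

# Added example, not code from Huntress or from the Gootloader campaign. The
# page, the font names, the font URLs and the glyph map are all made up; a
# real font's mapping would come from its cmap table.

READABLE = "abcdefghijklmnopqrstuvwxyz"
STORED = "qwertyuiopasdfghjklzxcvbnm"
# Simulated cmap of the hypothetical font: the character present in the HTML
# (key) is drawn with the glyph of a different letter (value).
GLYPH_MAP = dict(zip(STORED, READABLE))
STORE_MAP = {v: k for k, v in GLYPH_MAP.items()}
VOWELS = set("aeiou")
VOID_TAGS = {"br", "img", "input", "hr", "meta", "link"}


def render(raw: str) -> str:
    """Text as the viewer sees it once the browser applies the custom font."""
    return "".join(GLYPH_MAP.get(c, c) for c in raw)


def store(readable: str) -> str:
    """Text as the page author must write it for the font to render it."""
    return "".join(STORE_MAP.get(c, c) for c in readable)


HIDDEN = ["download agreement.pdf", "open the file to view"]
SAMPLE_HTML = f"""
<style>
@font-face {{ font-family: "gl"; src: url(/assets/gl.woff2) format("woff2"); }}
@font-face {{ font-family: "brand"; src: url(/assets/brand.woff2) format("woff2"); }}
.gl {{ font-family: "gl"; }}
.brand {{ font-family: "brand"; }}
</style>
<p class="brand">please find the requested document below.</p>
<p class="gl">{store(HIDDEN[0])}</p>
<p class="gl">{store(HIDDEN[1])}</p>
"""


def vowel_ratio(text: str) -> float:
    """Share of vowels among letters; English prose sits near 0.4."""
    letters = [c for c in text.lower() if c.isalpha()]
    if len(letters) < 8:  # too short to judge
        return 1.0
    return sum(c in VOWELS for c in letters) / len(letters)


def woff2_families(html: str) -> set:
    """Font-family names declared by @font-face rules with a WOFF2 source."""
    fams = set()
    for body in re.findall(r"@font-face\s*\{([^}]*)\}", html):
        name = re.search(r"font-family\s*:\s*[\"']?([^\"';]+)", body)
        if name and ".woff2" in body:
            fams.add(name.group(1).strip())
    return fams


def classes_using(html: str, families: set) -> set:
    """CSS class names whose rule assigns one of the given font families."""
    rule = r"\.([\w-]+)\s*\{[^}]*font-family\s*:\s*[\"']?([^\"';}]+)"
    return {cls for cls, fam in re.findall(rule, html) if fam.strip() in families}


class _TextByClass(HTMLParser):
    """Collect the raw (unrendered) text of elements carrying watched classes."""

    def __init__(self, watched):
        super().__init__()
        self.watched, self.depth, self.chunks, self.found = watched, 0, [], []

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        classes = set((dict(attrs).get("class") or "").split())
        if self.depth or classes & self.watched:
            self.depth += 1

    def handle_endtag(self, tag):
        if self.depth:
            self.depth -= 1
            if self.depth == 0:
                self.found.append("".join(self.chunks).strip())
                self.chunks = []

    def handle_data(self, data):
        if self.depth:
            self.chunks.append(data)


def flag_font_obfuscated(html: str, max_vowel_ratio: float = 0.25):
    """(raw_text, vowel_ratio) for custom-font elements whose stored text does
    not look like natural language, i.e. the font is doing the spelling."""
    parser = _TextByClass(classes_using(html, woff2_families(html)))
    parser.feed(html)
    return [(t, vowel_ratio(t)) for t in parser.found if vowel_ratio(t) <= max_vowel_ratio]


if __name__ == "__main__":
    for raw, ratio in flag_font_obfuscated(SAMPLE_HTML):
        print(f"{ratio:.2f}  stored={raw!r}  rendered={render(raw)!r}")
```

The "brand" paragraph uses a custom WOFF2 font too but its stored text is ordinary English, so it passes; only the two "gl" paragraphs, whose stored text has almost no vowels, are flagged, and render() recovers what the victim actually saw. The vowel heuristic is deliberately cheap and a font that maps vowels onto vowels would slip past it; the reliable check is to fetch the WOFF2 itself and inspect which code points map to which glyph outlines.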
The purpose of the campaign is to gain reliable initial access, quickly map and control target networks, and then hand over access to ransomware operators. The entire process is done as quickly as possible, primarily through automated reconnaissance and remote monitoring tools that help identify high-value targets, create privileged accounts, and prepare for ransomware.
In some cases, Huntress added, attackers reached domain controllers within hours. Automated reconnaissance often begins 10 to 20 minutes after the malicious JavaScript runs; in several incidents operators reached the domain controller in about 17 hours, and in at least one environment in less than an hour.
To defend against Gootloader, Huntress recommends watching for early signs such as unexpected downloads from web browsers, unknown shortcuts in startup locations, PowerShell or script activity originating from the browser, and unusual proxy-like outgoing connections.
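The first three of those signs can be turned into simple rules over endpoint telemetry. The following is an added example (not Huntress's or TechRadar's code) that runs such rules over a handful of constructed records shaped like Sysmon process-creation and file-create events exported as JSON lines: a script host running a script file from a Downloads folder, a shell spawned by a script host, a script host spawned directly by a browser, and a .lnk written into a Startup folder. The field names follow Sysmon's, but the user, hosts, paths and command lines are invented, and the browser and script-host lists are assumptions a defender would tune.

```python
import json
import re
from collections import Counter

# Added example, not Huntress's or TechRadar's code. The records below are
# constructed to resemble Sysmon process-creation (EventID 1) and file-create
# (EventID 11) events exported as JSON lines; the user, paths and command
# lines are invented for the demonstration.
SAMPLE_EVENTS = r"""
{"EventID": 1, "Image": "C:\\Windows\\System32\\wscript.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "wscript.exe \"C:\\Users\\jdoe\\Downloads\\agreement_template.js\"", "User": "CORP\\jdoe"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\System32\\wscript.exe", "CommandLine": "powershell.exe -NoProfile -WindowStyle Hidden -File C:\\Users\\jdoe\\AppData\\Local\\Temp\\stage.ps1", "User": "CORP\\jdoe"}
{"EventID": 11, "Image": "C:\\Windows\\System32\\wscript.exe", "TargetFilename": "C:\\Users\\jdoe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.lnk", "User": "CORP\\jdoe"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", "CommandLine": "powershell.exe -NoProfile -WindowStyle Hidden", "User": "CORP\\jdoe"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Users\\asmith\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe", "CommandLine": "cmd.exe /c npm test", "User": "CORP\\asmith"}
{"EventID": 1, "Image": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "msedge.exe", "User": "CORP\\asmith"}
"""

# Assumed lists; extend to match the browsers and interpreters in your estate.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "pwsh.exe"}
WSH_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta")
STARTUP_LNK = re.compile(r"\\start menu\\programs\\startup\\[^\\]+\.lnk$", re.I)
DOWNLOADS_SCRIPT = re.compile(
    r"\\downloads\\[^\"\s]+(?:" + "|".join(re.escape(e) for e in SCRIPT_EXTS) + r")(?![\w.])",
    re.I,
)


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def triage_event(ev: dict) -> list:
    """Rules a hunter would run per event; returns (rule, detail) hits."""
    hits = []
    if ev.get("EventID") == 1:
        image, parent = basename(ev.get("Image", "")), basename(ev.get("ParentImage", ""))
        cmd = ev.get("CommandLine", "")
        if image in SCRIPT_HOSTS and parent in BROWSERS:
            hits.append(("script_host_from_browser", f"{parent} -> {image}"))
        if image in SCRIPT_HOSTS and DOWNLOADS_SCRIPT.search(cmd):
            hits.append(("script_from_downloads", cmd))
        if image in SHELLS and parent in WSH_HOSTS:
            hits.append(("shell_from_script_host", f"{parent} -> {image}"))
    elif ev.get("EventID") == 11:
        target = ev.get("TargetFilename", "")
        if STARTUP_LNK.search(target):
            hits.append(("startup_shortcut", target))
    return hits


def triage(jsonl: str) -> list:
    """Parse JSON lines and return (rule, user, detail) findings in log order."""
    findings = []
    for line in jsonl.strip().splitlines():
        ev = json.loads(line)
        findings.extend((rule, ev.get("User", "?"), detail) for rule, detail in triage_event(ev))
    return findings


def by_user(findings: list) -> dict:
    """Hit count per user, to spot the endpoint where several rules stack up."""
    return dict(Counter(user for _, user, _ in findings))


if __name__ == "__main__":
    for rule, user, detail in triage(SAMPLE_EVENTS):
        print(f"{rule:26} {user:12} {detail}")
    print(by_user(triage(SAMPLE_EVENTS)))
```

Each rule on its own is noisy (developers spawn shells from editors, admins run PowerShell), which is why the example also counts hits per user: four different rules firing on one account within minutes is the pattern worth paging on, while the VS Code user produces nothing. The fourth sign, proxy-like outbound connections, needs network connection events rather than process events and is not modelled here.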
Via The Hacker News
