- Gootloader malware resurfaced in late October 2025 after a nine-month hiatus, used to stage ransomware attacks
- Delivered via malicious JavaScript hidden in custom web fonts, allowing stealthy remote access and reconnaissance
- Related to Storm-0494 and Vice Society; attackers reached domain controllers in less than an hour in some cases
After a nine-month sabbatical, the malware known as Gootloader is back, most likely used as a springboard to ransomware infections.
A report from cybersecurity researchers Huntress observed “multiple infections” from October 27 to early November 2025. Before that, the last time Gootloader was seen was in March 2025.
In the new campaign, Gootloader was most likely used by a group known as Storm-0494, as well as its downstream operator, Vanilla Tempest (also known as Vice Society), a ransomware group first observed in mid-2021 that primarily targets the education and healthcare sectors, with occasional forays into manufacturing.
Hiding malware in custom fonts
Gootloader was used to deliver malicious JavaScript from compromised websites, researchers said. The script installs tools that give attackers remote access to the company’s Windows machines and enable follow-up actions, such as account takeover or ransomware deployment.
Gootloader hid the malicious file names and download instructions in a custom web font (WOFF2), so that the page looked normal in a browser while the raw HTML contained only meaningless text. When a victim opened the compromised page, the browser used the font to map the invisible or garbled characters to readable glyphs, revealing the real download link and file name only once the page was rendered.
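The font trick described above leaves a detectable trace in the page source: a custom @font-face declaration paired with visible text that is unreadable until that font remaps it. The following script is an added example written for this article, not code from Huntress or from any Gootloader sample; it flags elements whose inline font-family points at a page-declared @font-face and whose raw text contains almost no ordinary characters. The sample HTML, the font name "glyphmap" and the base64 placeholder are all constructed for the demonstration.

```python
import re
from html.parser import HTMLParser

# Constructed sample page (not a real compromised page). One paragraph is ordinary
# text; two elements use a custom @font-face loaded from a data: URI and carry raw
# text that is unreadable in the source. The base64 body is a placeholder, not a font.
SAMPLE_HTML = """<html><head><style>
@font-face { font-family: "glyphmap"; src: url(data:font/woff2;base64,AAAA) format("woff2"); }
</style></head><body>
<p>Download the agreement template below.</p>
<p style="font-family: 'glyphmap'">\u0192\u02c6\u00d0\u2020\u00a9\u00b6\u00b8\u0153\u0178</p>
<a style="font-family: glyphmap" href="https://example.invalid/doc">\u00a7\u00b1\u00b6\u00a9\u2030</a>
</body></html>"""

FONT_FACE_RE = re.compile(r"@font-face\s*\{([^}]*)\}", re.I | re.S)
FAMILY_RE = re.compile(r"font-family\s*:\s*['\"]?([^;'\"]+)", re.I)
# url(...) may itself contain ';' (data: URIs), so consume the parentheses first.
SRC_RE = re.compile(r"src\s*:\s*(url\([^)]*\)[^;]*)", re.I)
VOID_TAGS = {"br", "img", "input", "meta", "link", "hr"}


def custom_font_faces(style_text):
    """Return {family: src} for every @font-face declared in <style> blocks."""
    faces = {}
    for block in FONT_FACE_RE.findall(style_text):
        fam, src = FAMILY_RE.search(block), SRC_RE.search(block)
        if fam and src:
            faces[fam.group(1).strip().lower()] = src.group(1).strip()
    return faces


class FontTextCollector(HTMLParser):
    """Collect <style> contents and the text of elements with an inline font-family."""

    def __init__(self):
        super().__init__()
        self.styles = []
        self.samples = []      # (family, raw text)
        self._stack = []       # explicit font-family per open element, or None
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self._in_style = True
        if tag in VOID_TAGS:
            return                      # never closed, so do not push
        family = None
        for name, value in attrs:
            if name == "style" and value:
                m = FAMILY_RE.search(value)
                if m:
                    family = m.group(1).strip().lower()
        self._stack.append(family)

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False
        if tag not in VOID_TAGS and self._stack:
            self._stack.pop()

    def handle_data(self, data):
        if self._in_style:
            self.styles.append(data)
            return
        for family in reversed(self._stack):   # nearest ancestor with a font-family
            if family:
                if data.strip():
                    self.samples.append((family, data.strip()))
                break


def readable_ratio(text):
    """Fraction of characters that are ASCII letters, digits, spaces or common
    punctuation. Text meant to be read as-is scores near 1.0; text that only
    becomes readable after a font remaps its glyphs scores near 0."""
    ok = sum(1 for c in text if c.isascii() and (c.isalnum() or c in " .,;:!?'\"-()/_"))
    return ok / len(text) if text else 1.0


def find_font_obfuscation(html, threshold=0.5):
    """Return findings for text styled with a page-declared font whose raw form is unreadable."""
    p = FontTextCollector()
    p.feed(html)
    faces = custom_font_faces("\n".join(p.styles))
    findings = []
    for family, text in p.samples:
        ratio = readable_ratio(text)
        if family in faces and ratio < threshold:
            findings.append({"family": family, "src": faces[family],
                             "raw_text": text, "readable_ratio": round(ratio, 2)})
    return findings


if __name__ == "__main__":
    for f in find_font_obfuscation(SAMPLE_HTML):
        print(f)
```

The heuristic is deliberately narrow: it only fires when both signals are present, a font the page itself supplies and text that is gibberish without it, so ordinary icon fonts on legitimate sites (which usually style empty elements or single private-use characters) rarely trip it. Decoding what the remapped text actually says requires parsing the font's character map, which this example does not attempt.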
The goal of the campaign is to gain reliable initial access, quickly map and control target networks, and then pass access to ransomware operators. The entire process is carried out as quickly as possible, primarily through automated reconnaissance and remote monitoring tools that help identify high-value targets, create privileged accounts, and prepare for ransomware.
In some cases, Huntress added, attackers reached domain controllers within hours. Initial automated reconnaissance often begins within 10 to 20 minutes after malicious JavaScript code is executed, and in several incidents, operators gained access to the domain controller in as little as 17 hours. In at least one environment, they reached a domain controller in less than an hour.
To defend against Gootloader, Huntress advises watching for early signs such as unexpected downloads from web browsers, unknown shortcuts in startup locations, sudden PowerShell or script activity from the browser, and unusual proxy-like outgoing connections.
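The four early signs listed above translate directly into simple endpoint rules. The script below is an added example, not Huntress's detection logic and not tied to any specific product telemetry; it assumes a flat list of process, file and network events in a constructed schema (the field names, process list, user name and 203.0.113.0/24 test addresses are all assumptions made for the demonstration) and returns one alert per sign that fires.

```python
from collections import defaultdict

# Assumed process names; extend to match the browsers and script hosts in your fleet.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "mshta.exe"}
# "Unexpected downloads" is narrowed here to script files and archives (an assumption).
SUSPECT_EXTS = (".js", ".jse", ".vbs", ".wsf", ".hta", ".zip")
STARTUP_MARKER = "\\start menu\\programs\\startup\\"


def triage(events, proxy_min_distinct_dests=5):
    """Apply four rules to endpoint events and return (rule, subject, detail) alerts:
    1. a browser writes a script/archive file
    2. a browser spawns a script host or PowerShell
    3. any process drops a .lnk into a Startup folder
    4. a script host talks to many distinct destinations (proxy-like egress)"""
    alerts = []
    dests = defaultdict(set)
    for e in events:
        kind = e["type"]
        if kind == "file":
            path = e["path"].lower()
            if e["process"].lower() in BROWSERS and path.endswith(SUSPECT_EXTS):
                alerts.append(("browser_script_download", e["process"], e["path"]))
            if STARTUP_MARKER in path and path.endswith(".lnk"):
                alerts.append(("startup_shortcut", e["process"], e["path"]))
        elif kind == "process":
            if e["parent"].lower() in BROWSERS and e["image"].lower() in SCRIPT_HOSTS:
                alerts.append(("browser_spawned_script_host", e["parent"], e["cmdline"]))
        elif kind == "network":
            proc = e["process"].lower()
            if proc in SCRIPT_HOSTS:
                dests[proc].add((e["dest_ip"], e["dest_port"]))
    for proc, seen in dests.items():
        if len(seen) >= proxy_min_distinct_dests:
            alerts.append(("proxy_like_egress", proc, f"{len(seen)} distinct destinations"))
    return alerts


# Constructed sample telemetry: one suspicious chain plus two benign events.
SAMPLE_EVENTS = [
    {"type": "file", "process": "chrome.exe",
     "path": r"C:\Users\jdoe\Downloads\contract_template.js"},
    {"type": "process", "parent": "chrome.exe", "image": "wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\jdoe\Downloads\contract_template.js"'},
    {"type": "file", "process": "wscript.exe",
     "path": r"C:\Users\jdoe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updater.lnk"},
] + [
    {"type": "network", "process": "powershell.exe", "dest_ip": f"203.0.113.{i}", "dest_port": 443}
    for i in range(10, 15)
] + [
    {"type": "file", "process": "chrome.exe", "path": r"C:\Users\jdoe\Downloads\report.pdf"},
    {"type": "process", "parent": "explorer.exe", "image": "notepad.exe", "cmdline": "notepad.exe"},
]


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

Each rule is weak on its own (developers download .js files, admins create Startup shortcuts), which is why the value lies in correlating several within a short window on the same host; the timings reported above, with reconnaissance starting 10 to 20 minutes after execution, suggest that window should be measured in minutes.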
Via Hacker News