Trojan:JS/Gootloader.A

The Trojan:JS/Gootloader.A operators do not register new domains for their lures. They compromise existing WordPress sites by injecting PHP shells and modifying database entries to host malicious content on otherwise legitimate infrastructure. This approach allows them to inherit the search engine ranking and domain authority of the compromised site. The threat actors target niche professional search queries. Observed search phrases include "Florida building code requirements for sheds," "Can a minor be an independent contractor in Florida," "Solanco school district collective bargaining agreement," and "What states have tax reciprocity." When a user clicks on a poisoned search result, the compromised WordPress site runs a server-side validation script that captures the visitor's IP address, user agent, and referrer string. This data is transmitted to a central orchestration server. Historical infrastructure includes the domain my-game[.]biz and IP address 5[.]8[.]18[.]7. If it validates the visitor based on geographic location and browser type, the compromised site dynamically renders a fake forum page. An "Admin" persona on that page provides a download link for the requested document. The downloaded file is always a ZIP archive.

The ZIP archive contains a single JavaScript file. This first-stage dropper consistently exceeds 3.5 MB in file size. It launches using wscript.exe, the Windows Script Host. The file uses obfuscation to defeat signature-based detection and evade automated analysis. Obfuscation techniques include code segmentation, variable scattering across thousands of lines, and junk application programming interface calls that perform no malicious function. The script also contains long-running loops that run benign mathematical calculations. These loops function as sleep timers. They are designed to exceed the execution time limits of automated sandbox environments. A function with a nonsensical name such as gmvvf6r might contain an infinite loop where a specific variable always evaluates to a value that sustains the loop until a time threshold is crossed.  

A more advanced evasion technique introduced in 2025 campaigns involves custom Web Open Font Format 2 fonts. The threat actors include a WOFF2 font file in the malicious landing page. The font uses glyph substitution. In this scheme, the visual character "a" might map to a different Unicode character in the underlying HTML or JavaScript source. The victim sees a perfectly legitimate filename. This technique defeats both static analysis and manual research.  

After the first-stage script completes its initial delay and deobfuscation routines, it performs reconnaissance on the local system. The script checks whether the device is a member of an Active Directory domain. If the device is a standalone workstation, the malware terminates the launch entirely or delivers a low-value decoy payload. The operators exclusively target enterprise environments. If the target is validated as domain-joined, the script writes a second-stage JavaScript file to the user's AppData\Roaming directory. This file is initially created with a .dat or .log extension to evade file system monitoring tools that alert newly written script files. The file is later renamed to a .js extension. 

Historical Gootloader versions used scheduled tasks with deceptive names such as AdobeUpdate, ZoomAutoUpdater, or TeamsBackgroundHandler. Current versions favor the Windows Startup folder. The malware drops shortcut files into C:\Users%USERNAME%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup. These .lnk files point to the malicious script files in AppData\Roaming. The shortcut targets use 8.3 MS-DOS short filenames to obscure the full path. A typical target path appears as C:\Users\USER~1\AppData\Roaming\DIR~1\SCRIPT~1.JS rather than the full path with long directory names. Command-line monitoring tools that log process creation events capture the short filename, which provides no indication of the actual script name or parent directory. Some shortcuts are assigned hotkey combinations. Observed hotkey assignments include Ctrl+Alt+M and Ctrl+Alt+G. If the user accidentally triggers the key combination, the malware re-runs even if the original persistence mechanism has been removed. 

The second-stage script communicates with its command-and-control infrastructure to download the final payload components. Observed C2 IP addresses from 2025 campaigns include 178[.]32[.]224[.]219, 37[.]59[.]205[.]2, 193[.]104[.]58[.]64, 103[.]253[.]42[.]91, and 91[.]236[.]230[.]134. Delivery URLs observed in these campaigns include https://spirits-station[.]fr, https://motoz[.]com[.]au, and https://routinelynomadic[.]com. The downloaded components are not written to disk as binary files. They are stored in the Windows Registry to minimize forensic footprint and evade file scanners. The script writes binary data to the HKEY_CURRENT_USER hive. Specific subkeys used for payload storage include Software\Microsoft\Phone, Software\Microsoft\Personalization, and Software\Microsoft\Fax. Within these subkeys, the malware stores payloads as large binary blobs. The blobs are split across multiple registry values to avoid triggering size limit alerts. Common value names include %USERNAME% and %USERNAME%0. Some variants use %RANDOM% as a value name. 

To launch the registry-resident payloads, Trojan:JS/Gootloader.A uses a PowerShell script that performs the following operations in sequence. The script queries the specific registry subkeys for the current user. It retrieves all binary fragments and concatenates them into a single data stream. It performs string substitution on the concatenated data. One observed substitution replaces the # character with the string "1000" to revert obfuscated hexadecimal values to their original form. It converts the final hex string into a byte array. It loads the resulting assembly directly into memory using .NET reflection. No file is written to disk during this stage. 

The assembly loaded into memory is tracked as FONELAUNCH. It is a .NET binary that functions as an in-memory dropper. Three distinct variants of FONELAUNCH have been identified. FONELAUNCH.FAX is optimized to load other .NET assemblies from registry storage. FONELAUNCH.PHONE is designed to load native DLLs using dynamic loading techniques. FONELAUNCH.DIALTONE is capable of injecting portable executable (PE) files into separate running processes. This architecture eventually runs the final payload. The most common final payload is a CobaltStrike Beacon 

Once CobaltStrike is active on the infected workstation, the operation transitions to hands-on-keyboard activity. Storm-0494 often hands off access to ransomware affiliates. One affiliate group that has received Gootloader access is tracked as Vanilla Tempest. The threat actors prioritize speed. In modern incidents, they have demonstrated the ability to move from a single compromised workstation to a Domain Controller in 17 hours. In high-speed cases documented in late 2025, this lateral movement was achieved in less than one hour. The threat actors often deploy malicious proxy DLLs. 

Reconnaissance commands observed during the post-exploitation phase include net user <username> /domain for identity discovery, nltest /dclist: for domain controller discovery, and net group domain admins /domain for privileged account enumeration. Credential theft is launched using ntdsutil. The threat actors run the following command sequence: ntdsutil "ac i ntds" "ifm" "create full c:\temp" q q. This command creates a copy of the Active Directory database and related files in the temp directory for offline extraction. The threat actors also deploy secondary backdoors to maintain persistent access. Observed secondary tools include SystemBC, a proxy tool that provides encrypted C2 tunnels, and a SOCKS5 proxy tool. Data exfiltration is performed using legitimate synchronization tools. Observed exfiltration tools include MEGA Sync and AnyDesk. These tools blend into normal network traffic and are often overlooked by egress filtering controls.