Update (31 Mar 2025 @ 8:22 PDT): Thanks to Vultr for taking down skhm[.]org! Update (31 Mar 2025 @ 10:16 PDT): Thanks to CloudFlare for flagging lawliner[.]com! The threat actor behind the Gootloader malware has once again changed their tactics, but also reverted to some of their old ways. Just like with the previous infection method, we are […]| ⌛☃❀✵Gootloader Details ✵❀☃⌛
After a little over a year of hiding out at PROSPERO OOO/AS200593, Gootloader has set sail for another shady Russian hosting provider, Proton66 OOO/Proton66 LLC/AS198953. Initially it looks like just the C2 that proxied endpoints communicate with. The new Command and Control (C2) server is Name: setting.cc, IP Address: 45.135.232.53. This information was […]
Intro: Cybersecurity experts and enthusiasts, brace yourselves! The notorious Gootloader malware is at it again, shifting tactics and burrowing deeper into compromised WordPress sites. Just when we thought we had them pinned down, they’ve executed a sleight of hand. This blog post uncovers their latest evasion techniques and provides insights into how they’ve been hiding […]
In a recent development in the cybersecurity landscape, the Gootloader malware has updated its infrastructure. As of May 28, 2024, threat actors behind Gootloader have established a new command and control (C2) server at hotheads.co.za, operating under the IP address 91.215.85.21. This strategic shift replaces their previous server, luckyserver777.co.za, which was located at IP address […]
A lot of little things have changed with the Gootloader malware since my last blog, so I feel it is time to document them publicly. I would like to expand on #4. I was able to identify the following PHP code that was injected into the legitimate WordPress file xmlrpc.php. Removing the obfuscation, we […]
For some time, I have been using a YARA rule for Gootloader zips to hunt for additional samples on VirusTotal. But I have never seen one for the .JS file inside the .zip. I have never created a YARA rule before, so I set out to figure it out. Perfect timing, as a new video […]
It has been a while since I last posted, mainly due to my old Twitter/X account being banned for no reason (the appeal went to the rubbish bin, or so it appears). This will be a short post, as I want to document recent changes to Gootloader’s Command & Control. The main Gootloader Command & Control […]
In this post, I would like to share various articles that have helped me understand all aspects of Gootloader. The first thing was to understand where the name came from, and that brought me to an article from Dr. Web here. The first mention of compromised WordPress sites being used for SEO Poisoning (and even […]
In the previous blog post What is Gootloader?, it was mentioned that Gootloader utilizes compromised WordPress sites. How these blogs are compromised is still a mystery, but the belief is either …
Three weeks ago, Gootloader samples suddenly dried up. This has happened before, so I switched VPNs and tried new locations—coffee shops, friends’, and family’s Wi-Fi networks—but still couldn’t re…