GootLoader Resurfaces with Innovative Font Obfuscation to Conceal Malware on WordPress Sites
The notorious malware known as GootLoader has reemerged, employing sophisticated techniques to infiltrate WordPress websites and distribute malicious payloads. Cybersecurity firm Huntress has identified three GootLoader infections since October 27, 2025, two of which escalated to domain controller compromises within 17 hours of the initial breach.
GootLoader, associated with the threat actor Hive0127 (also known as UNC2565), is a JavaScript-based malware loader. It is typically disseminated through search engine optimization (SEO) poisoning tactics, leading unsuspecting users to compromised sites that deliver additional malicious payloads, including ransomware.
In a recent report, Microsoft highlighted that the threat actor Vanilla Tempest receives access from GootLoader infections initiated by Storm-0494. This access is exploited to deploy a backdoor called Supper (also known as SocksShell or ZAPCAT) and the remote access tool AnyDesk, facilitating the deployment of INC ransomware. Notably, Supper has been linked to Interlock RAT (also known as NodeSnake), another malware associated with Interlock ransomware. Forescout observed potential overlaps in the cybercriminal ecosystem, noting associations between Interlock, Vice Society, and Rhysida.
Earlier this year, GootLoader operators utilized Google Ads to target individuals searching for legal templates, redirecting them to compromised WordPress sites hosting malware-laden ZIP archives. The latest attack sequence documented by Huntress reveals that searches for terms like "missouri cover utility easement roadway" on Bing are being exploited to deliver these malicious ZIP archives.
A notable aspect of this campaign is the use of a custom web font to obfuscate filenames displayed in the browser, thereby evading static analysis methods. When users attempt to copy the filename or inspect the page source, they encounter indecipherable characters; only when rendered with the custom font in the victim’s browser do these characters appear as readable text, such as Florida_HOA_Committee_Meeting_Guide.pdf. The font is a custom WOFF2 file embedded directly in the page’s JavaScript using Z85 encoding, a Base85 variant, which turns the 32KB font into a 40KB text blob.
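The Z85-wrapped WOFF2 trick is something a defender can hunt for statically in page JavaScript. The following is an added example, not code from Huntress or from the campaign: it finds long runs of Z85-alphabet characters in a script, decodes them, and reports any that carry a WOFF2 header. The alphabet is the ZeroMQ 32/Z85 spec; the script snippet and font header bytes are constructed here for illustration.

```python
import re

# Z85 alphabet from the ZeroMQ 32/Z85 spec: each 5 characters encode 4 bytes, big-endian.
Z85_ALPHABET = ("0123456789abcdefghijklmnopqrstuvwxyz"
                "ABCDEFGHIJKLMNOPQRSTUVWXYZ.-:+=^!/*?&<>()[]{}@%$#")
Z85_VALUE = {c: i for i, c in enumerate(Z85_ALPHABET)}
WOFF2_MAGIC = b"wOF2"  # first four bytes of every WOFF2 file
# Candidate blobs: long unbroken runs of alphabet chars (quotes, backslash, comma, whitespace are not in it).
Z85_RUN = re.compile(r"[0-9A-Za-z.\-:+=^!/*?&<>()\[\]{}@%$#]{40,}")

def z85_encode(data: bytes) -> str:
    """Encode bytes (length a multiple of 4) as Z85; used here only to build the sample."""
    out = []
    for i in range(0, len(data), 4):
        value = int.from_bytes(data[i:i + 4], "big")
        out.append("".join(Z85_ALPHABET[value // 85 ** k % 85] for k in range(4, -1, -1)))
    return "".join(out)

def z85_decode(text: str) -> bytes:
    """Decode Z85 text (length a multiple of 5) to bytes."""
    if len(text) % 5:
        raise ValueError("Z85 length must be a multiple of 5")
    out = bytearray()
    for i in range(0, len(text), 5):
        value = 0
        for ch in text[i:i + 5]:
            value = value * 85 + Z85_VALUE[ch]  # KeyError on a non-alphabet character
        out += value.to_bytes(4, "big")  # OverflowError if the group exceeds 2**32 - 1
    return bytes(out)

def find_embedded_woff2(js: str) -> list:
    """Return Z85 runs in JavaScript source that decode to a WOFF2 font, with header fields."""
    hits = []
    for m in Z85_RUN.finditer(js):
        run = m.group(0)
        run = run[:len(run) - len(run) % 5]  # drop a trailing partial group
        try:
            decoded = z85_decode(run)
        except (KeyError, ValueError, OverflowError):
            continue  # looked like Z85 but is not (e.g. a hex digest or identifier)
        if decoded[:4] == WOFF2_MAGIC and len(decoded) >= 14:
            hits.append({"offset": m.start(), "z85_chars": len(run),
                         "declared_length": int.from_bytes(decoded[8:12], "big"),
                         "num_tables": int.from_bytes(decoded[12:14], "big")})
    return hits

# Constructed sample: fake WOFF2 header (flavor 0x00010000, length 32000, 10 tables) + padding, beside a benign hex string.
FAKE_WOFF2 = WOFF2_MAGIC + b"\x00\x01\x00\x00\x00\x00\x7d\x00\x00\x0a\x00\x00" + bytes(range(16))
SAMPLE_JS = ("var h='0123456789abcdef0123456789abcdef01234567';\n"
             "var font=decodeZ85('" + z85_encode(FAKE_WOFF2) + "');\n")
```

Run `find_embedded_woff2()` over the scripts of a suspect page; a hit whose declared length is in the tens of kilobytes and whose table count looks like a real font is worth pulling and inspecting for glyph remapping.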
Additionally, the attackers have implemented a technique that modifies the ZIP file to appear harmless when opened with tools like VirusTotal, Python’s ZIP utilities, or 7-Zip, unpacking as a benign-looking .TXT file. However, when opened in Windows File Explorer, the archive extracts a valid JavaScript file, which serves as the intended payload. This evasion tactic conceals the true nature of the payload from automated analysis, buying the attackers time to execute their malicious activities.
The JavaScript payload within the archive is designed to deploy Supper, a backdoor capable of remote control and SOCKS5 proxying. In at least one instance, the threat actors utilized Windows Remote Management (WinRM) to move laterally to the Domain Controller and create a new user with administrative-level access.
Huntress emphasizes that the Supper SOCKS5 backdoor employs extensive obfuscation to protect its simple functionality, including API hammering, runtime shellcode construction, and custom encryption. Despite these complexities, the core capabilities remain deliberately basic: SOCKS proxying and remote shell access. This approach demonstrates that threat actors can achieve their objectives using well-obfuscated, fundamental tools without relying on cutting-edge exploits.
The resurgence of GootLoader underscores the evolving tactics of cybercriminals and the importance of robust cybersecurity measures. Organizations are advised to remain vigilant, regularly update their security protocols, and educate employees about the risks associated with downloading files from untrusted sources.