

Ethical Hacking News

GootLoader's Resurgence: Uncovering the Sophisticated Malware Threat to WordPress Sites



  • GootLoader has resurfaced with a new trick: custom WOFF2 web fonts that hide the names of malicious downloads on compromised WordPress sites.
  • The malware is attributed to the threat actor tracked as Hive0127 (aka UNC2565) and is typically distributed through search engine optimization (SEO) poisoning.
  • The custom font maps meaningless characters in the page source to readable glyphs, so filenames look normal in the browser but are gibberish to anyone inspecting the source or running static analysis.
  • The ZIP archives are crafted so that analysis tools such as VirusTotal or Python's zipfile unpack a harmless-looking .TXT file, even though the archive carries a JavaScript payload.
  • That payload deploys Supper, a backdoor offering remote shell access and SOCKS5 proxying; in at least one intrusion the operators then used WinRM to reach the Domain Controller and create a new user with admin-level access.
  • Web developers and defenders need to keep their detection techniques current to catch GootLoader and similar threats.



    GootLoader, a malware threat long tracked by cybersecurity researchers, has made a comeback. According to recent findings from Huntress, it has resurfaced with a new trick: custom WOFF2 fonts used to hide the names of malicious downloads on WordPress sites.

    The resurgence has implications for web developers and security teams alike. GootLoader, attributed to the threat actor tracked as Hive0127 (aka UNC2565), is a JavaScript-based loader that is usually distributed via search engine optimization (SEO) poisoning: victims searching for legal templates or agreements are steered to poisoned results and end up downloading the malware from compromised WordPress sites.

    The latest attack sequence documented by Huntress shows Bing searches for terms such as "missouri cover utility easement roadway" steering users to sites that deliver ZIP archives containing GootLoader. What is notable this time is the use of a custom web font to obfuscate the filenames shown in the browser: the page source holds meaningless characters, and the WOFF2 font maps those characters to readable glyphs only when rendered, so anyone inspecting the source, or any static analysis of the HTML, sees gibberish instead of the lure's filename.

    "So, when the user attempts to copy the filename or inspect the source code – they will see weird characters like ‛›μI€vSO₽*'Oaμ==€‚‚33O%33‚€×:O[TM€v3cwv," said Anna Pham, a security researcher at Huntress. "However, when rendered in the victim's browser, these same characters magically transform into perfectly readable text like Florida_HOA_Committee_Meeting_Guide.pdf."
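The page-side half of this trick can be spotted without rendering anything. The script below is an added Python example, not Huntress's tooling or anything from the article: it pulls @font-face declarations out of a page's inline CSS, finds the elements styled with those custom families (by class or inline style) and scores their text by the share of characters that never appear in an ordinary filename. The HTML it runs on is constructed for the example (the font URL and the class name are invented); the garbled string is the one quoted above.

```python
import re
from html.parser import HTMLParser

# Characters one expects in a displayed document filename; anything else counts as "unusual".
PLAIN = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 ._-()")
VOID_TAGS = {"br", "img", "hr", "input", "meta", "link"}

STYLE_RE = re.compile(r"<style[^>]*>(.*?)</style>", re.I | re.S)
FONT_FACE_RE = re.compile(r"@font-face\s*\{([^}]*)\}", re.I | re.S)
FAMILY_RE = re.compile(r"font-family\s*:\s*['\"]?([^;'\"}]+)", re.I)
SRC_RE = re.compile(r"url\(\s*['\"]?([^'\")]+)", re.I)
CLASS_RULE_RE = re.compile(r"\.([\w-]+)\s*\{([^}]*)\}", re.S)


def custom_font_families(css: str) -> dict:
    """Map every @font-face family name to the URL it is loaded from."""
    families = {}
    for block in FONT_FACE_RE.findall(css):
        fam, src = FAMILY_RE.search(block), SRC_RE.search(block)
        if fam:
            families[fam.group(1).strip()] = src.group(1).strip() if src else ""
    return families


def classes_using(css: str, families: set) -> set:
    """CSS class names whose rule applies one of the custom families."""
    hits = set()
    for name, body in CLASS_RULE_RE.findall(css):
        fam = FAMILY_RE.search(body)
        if fam and fam.group(1).strip() in families:
            hits.add(name)
    return hits


class _TextCollector(HTMLParser):
    """Collect the text of elements rendered with a custom font (via class or inline style)."""

    def __init__(self, classes: set, families: set):
        super().__init__()
        self.classes, self.families = classes, families
        self.stack = []    # one flag per open element: is it (or an ancestor) custom-font styled?
        self.samples = []

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        a = dict(attrs)
        cls = set((a.get("class") or "").split())
        fam = FAMILY_RE.search(a.get("style") or "")
        styled = bool(cls & self.classes) or (fam is not None and fam.group(1).strip() in self.families)
        self.stack.append(styled or (self.stack[-1] if self.stack else False))

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self.stack:
            self.stack.pop()

    def handle_data(self, data):
        if self.stack and self.stack[-1] and data.strip():
            self.samples.append(data.strip())


def unusual_ratio(text: str) -> float:
    """Fraction of characters outside the PLAIN set; a real filename scores at or near 0."""
    return sum(ch not in PLAIN for ch in text) / max(len(text), 1)


def detect_font_obfuscation(html: str, threshold: float = 0.3) -> dict:
    """Return the custom fonts a page loads and any custom-font-styled text that is mostly unusual characters."""
    css = "\n".join(STYLE_RE.findall(html))
    fonts = custom_font_families(css)
    collector = _TextCollector(classes_using(css, set(fonts)), set(fonts))
    collector.feed(html)
    hits = [{"text": t, "unusual_ratio": round(unusual_ratio(t), 2)}
            for t in collector.samples if unusual_ratio(t) >= threshold]
    return {"fonts": fonts, "hits": hits}


# Constructed sample page (not a real capture); the garbled string is the one quoted by Huntress.
SAMPLE_HTML = """<html><head><style>
@font-face { font-family: 'docfont'; src: url('/wp-content/uploads/fonts/d0c.woff2') format('woff2'); }
.dl { font-family: 'docfont'; }
</style></head><body>
<a class="dl" href="/download/1">‛›μI€vSO₽*'Oaμ==€‚‚33O%33‚€×:O[TM€v3cwv</a>
<a href="/download/2">Florida_HOA_Committee_Meeting_Guide.pdf</a>
</body></html>"""

if __name__ == "__main__":
    report = detect_font_obfuscation(SAMPLE_HTML)
    print("custom fonts:", report["fonts"])
    for hit in report["hits"]:
        print(f"{hit['unusual_ratio']:.2f}  {hit['text']}")
```

The report also carries the font URLs, which is the artifact to pull next: a WOFF2 whose glyphs for characters like "μ" or "€" draw Latin letters is the confirmation, and the same check can be run over a crawl of a site's pages to find lure pages that only reveal themselves when rendered.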

    The custom font is only one of the evasion techniques GootLoader uses. The ZIP archives are also malformed so that analysis tools such as VirusTotal or Python's zipfile unpack a harmless-looking .TXT file, while the archive still carries the JavaScript payload that ends up on the victim's machine. The practical consequence is that the file a sandbox or scanner examines is not the file the victim executes.

    "This simple evasion technique buys the actor time by hiding the true nature of the payload from automated analysis," Pham explained.
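The article does not spell out how the archive is malformed, so the example below does not try to reproduce GootLoader's exact layout. It is an added Python check, not Huntress's code, that applies the general test such archives fail: it compares the central directory, which Python's zipfile and many other tools rely on, against the local file headers found by scanning for their signature, and reports any disagreement between the two. The sample archive is constructed in the script; the ambiguous variant rewrites only the local header's name (guide.txt becomes guide1.js) so the two views no longer agree.

```python
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"
LOCAL_FIXED = 30  # bytes from the signature to the start of the file name


def local_headers(data: bytes) -> list:
    """Walk every local file header by signature, ignoring what the central directory claims."""
    headers, pos = [], data.find(LOCAL_SIG)
    while pos != -1 and pos + LOCAL_FIXED <= len(data):
        (_ver, flags, _method, _mtime, _mdate, _crc, csize, _usize,
         nlen, xlen) = struct.unpack_from("<HHHHHIIIHH", data, pos + 4)
        name_start = pos + LOCAL_FIXED
        name = data[name_start:name_start + nlen].decode("utf-8", "replace")
        headers.append({"offset": pos, "name": name})
        # If bit 3 is set the sizes live in a trailing data descriptor, so fall back to scanning.
        skip = LOCAL_FIXED + nlen + xlen + (0 if flags & 0x08 else csize)
        pos = data.find(LOCAL_SIG, pos + max(skip, 4))
    return headers


def central_names(data: bytes) -> list:
    """What a central-directory-driven tool (here Python's zipfile) believes the archive contains."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


def audit_zip(data: bytes) -> list:
    """Report every disagreement between the central directory and the local file headers."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        central = {zi.header_offset: zi.filename for zi in zf.infolist()}
    seen = set()
    for lh in local_headers(data):
        seen.add(lh["offset"])
        cd_name = central.get(lh["offset"])
        if cd_name is None:
            findings.append(f"local header at offset {lh['offset']} ({lh['name']!r}) "
                            f"is not listed in the central directory")
        elif cd_name != lh["name"]:
            findings.append(f"name mismatch at offset {lh['offset']}: central directory says "
                            f"{cd_name!r}, local header says {lh['name']!r}")
    for off, name in central.items():
        if off not in seen:
            findings.append(f"central directory entry {name!r} points at offset {off} with no local header")
    return findings


def build_sample(ambiguous: bool) -> bytes:
    """Constructed test archive with one entry; the ambiguous variant rewrites only the local header's name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("guide.txt", "This is a harmless text file.\n")
    data = bytearray(buf.getvalue())
    if ambiguous:
        old, new = b"guide.txt", b"guide1.js"  # same length, so every offset stays valid
        assert data[LOCAL_FIXED:LOCAL_FIXED + len(old)] == old  # first local header sits at offset 0
        data[LOCAL_FIXED:LOCAL_FIXED + len(old)] = new
    return bytes(data)


if __name__ == "__main__":
    for label, flag in (("clean", False), ("ambiguous", True)):
        blob = build_sample(flag)
        print(label, "central directory:", central_names(blob))
        for finding in audit_zip(blob) or ["no findings"]:
            print("  ", finding)
```

Any finding from audit_zip is a reason to treat the archive as hostile before looking at what either view extracts: a well-formed archive has exactly one local header per central directory entry, at the recorded offset, with the same name.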

    The JavaScript payload present within the archive is designed to deploy Supper, a backdoor capable of remote control and SOCKS5 proxying. In at least one instance, the threat actors are said to have used Windows Remote Management (WinRM) to move laterally to the Domain Controller and create a new user with admin-level access.

    "The Supper SOCKS5 backdoor uses tedious obfuscation protecting simple functionality – API hammering, runtime shellcode construction, and custom encryption add analysis headaches, but the core capabilities remain deliberately basic: SOCKS proxying and remote shell access," Huntress said.

    This 'good enough' approach shows that threat actors do not need cutting-edge exploits when properly obfuscated, bread-and-butter tooling achieves their objectives.
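The lateral-movement step described above leaves a recognisable trail in the Domain Controller's Security log. The script below is an added Python example, not part of the article or of any Huntress tooling: it correlates an account-creation event (4720) with a following admin-group membership change (4728, 4732 or 4756) for that account on the same host within a time window, and attaches the network logon (4624 with logon type 3, which is what a WinRM session produces on the target) of the account that did the creating. The event records are constructed for the example and reduced to a few fields; real logs would need parsing into this shape first.

```python
from datetime import datetime, timedelta

ADMIN_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
GROUP_ADD_IDS = {4728, 4732, 4756}  # member added to a global / local / universal security group

# Constructed sample events (not real telemetry), already flattened from the Security log:
# a network logon to the DC, a new account, then that account added to Domain Admins.
SAMPLE_EVENTS = [
    {"time": "2025-11-10T14:02:11", "host": "DC01", "id": 4624, "logon_type": 3,
     "target": "jdoe", "src_ip": "10.0.5.23"},
    {"time": "2025-11-10T14:03:40", "host": "DC01", "id": 4720, "subject": "jdoe",
     "target": "svc_backup2"},
    {"time": "2025-11-10T14:04:05", "host": "DC01", "id": 4728, "subject": "jdoe",
     "member": "svc_backup2", "group": "Domain Admins"},
    # A routine provisioning event that must not fire: no admin-group change follows it.
    {"time": "2025-11-10T09:15:00", "host": "DC01", "id": 4720, "subject": "hr_admin",
     "target": "new.hire"},
]


def _ts(ev: dict) -> datetime:
    return datetime.fromisoformat(ev["time"])


def find_new_admin_accounts(events: list, window: timedelta = timedelta(minutes=30)) -> list:
    """Correlate 4720 with a later admin-group add for the same account on the same host
    within the window, and record the network logon the creating account came in on."""
    events = sorted(events, key=_ts)
    created = {}  # (host, new account) -> the 4720 event
    hits = []
    for ev in events:
        if ev["id"] == 4720:
            created[(ev["host"], ev["target"])] = ev
        elif ev["id"] in GROUP_ADD_IDS and ev.get("group") in ADMIN_GROUPS:
            c = created.get((ev["host"], ev["member"]))
            if c is None or _ts(ev) - _ts(c) > window:
                continue
            # Look back for a type-3 (network) logon by the creator on this host, as WinRM produces.
            logons = [e for e in events if e["id"] == 4624 and e.get("logon_type") == 3
                      and e["host"] == ev["host"] and e["target"] == c["subject"]
                      and timedelta(0) <= _ts(c) - _ts(e) <= window]
            hits.append({
                "host": ev["host"],
                "account": ev["member"],
                "group": ev["group"],
                "created_by": c["subject"],
                "seconds_to_admin": int((_ts(ev) - _ts(c)).total_seconds()),
                "creator_src_ip": logons[-1]["src_ip"] if logons else None,
            })
    return hits


if __name__ == "__main__":
    for hit in find_new_admin_accounts(SAMPLE_EVENTS):
        print(hit)
```

The window matters: a new account that becomes a Domain Admin within minutes of being created by a session that arrived over the network is rare in normal administration and is exactly the sequence Huntress describes, whereas a 4720 on its own fires constantly.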

    The resurgence of GootLoader highlights the ongoing cat-and-mouse game between cybersecurity professionals and malicious actors. As malware threats continue to evolve, it's essential for web developers and security experts to stay vigilant and up-to-date with the latest detection techniques.

    To avoid having their sites turned into GootLoader lures, WordPress site owners should keep WordPress itself on the latest version and add measures such as:

    * Regularly updating plugins and themes
    * Using a reputable security plugin to scan for malware
    * Implementing a Web Application Firewall (WAF) to block malicious traffic
    * Conducting regular backups of site data
    * Checking the uploads, theme and plugin directories for font files and @font-face CSS rules that nobody on the team added

    These steps reduce the chance of a site being compromised and used to host the lure pages. The people who actually run the payload are the users who open the downloaded JavaScript, so the other half of the defence sits on the endpoint and in the domain: preventing script files extracted from downloaded archives from running, and watching for WinRM logons to Domain Controllers followed by newly created admin-level accounts, the pattern Huntress observed.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/GootLoaders-Resurgence-Uncovering-the-Sophisticated-Malware-Threat-to-WordPress-Sites-ehn.shtml

  • https://thehackernews.com/2025/11/gootloader-is-back-using-new-font-trick.html


  • Published: Tue Nov 11 10:05:08 2025 by llama3.2 3B Q4_K_M

    © Ethical Hacking News. All rights reserved.