Researcher for Gootloader malware

🚨Gootloader Returns: Malware Hidden in Google Ads for Legal Documents The threat actor behind the Gootloader malware has once again changed their tactics, but also reverted to some of their old ways. Just like with the previous infection method, we are seeing Google …

⚠️ New TTPs detected for #Gootloader ⚠️
Out are the PDF conversions and back in are legal document lurs. They are still using #malvertising, not SEO poisoning.

gootloader.wordpress.com/2025/03/31/g...

Tools/jQuery-GootloaderJSv2.yar at main · GootloaderSites/Tools Contribute to GootloaderSites/Tools development by creating an account on GitHub.

Created a new #yara rule for #gootloader, thanks to @malwrhunterteam.bsky.social smica83. github.com/GootloaderSi...

Gootloader’s Pivot from SEO Poisoning: PDF Converters Become the New Infection Vector Three weeks ago, Gootloader samples suddenly dried up. This has happened before, so I switched VPNs and tried new locations—coffee shops, friends’, and family’s Wi-Fi networks—but still couldn’t re…

Sorry I haven’t been active over here. Here is my latest blog update regarding Gootloader’s massive change in tactics from SEO poisoning to PDF converters gootloader.wordpress.com/2024/11/07/g...

Current GootLoader site, serving up malicious zip/js is
hxxps://www.penhaligonsfriends.org.uk/api.php

Current GootLoader site, serving up malicious zip/js is
hxxps://www.peleg.cn/api.php

Current GootLoader site, serving up malicious zip/js is
hxxps://www.pedrademari.com/api.php

Current GootLoader site, serving up malicious zip/js is
hxxps://www.papingo.gr/api.php

Current GootLoader site, serving up malicious zip/js is
hxxps://www.nwcc-apha.com/api.php

Current GootLoader site, serving up malicious zip/js is
hxxps://www.nomik.at/api.php

Current GootLoader site, serving up malicious zip/js is
hxxps://www.nilsfuncke.se/api.php

Current GootLoader site, serving up malicious zip/js is
hxxps://www.nightlightproductions.co.uk/api.php

Current GootLoader site, serving up malicious zip/js is
hxxps://www.nico-bloxx.de/api.php

Current GootLoader site, serving up malicious zip/js is
hxxps://www.neretva.se/api.php

Current GootLoader site, serving up malicious zip/js is
hxxps://www.nashitalia.com/api.php

Current GootLoader site, serving up malicious zip/js is
hxxps://www.nada-editions.fr/api.php

Current GootLoader site, serving up malicious zip/js is
hxxps://www.nada-editions.fr/api.php

Current GootLoader site, serving up malicious zip/js is
hxxps://www.my-cfecgc-aed.fr/api.php

Current GootLoader site, serving up malicious zip/js is
hxxps://www.mobilcare-mintraching.de/api.php

Current GootLoader site, serving up malicious zip/js is
hxxps://www.minorihoikuen.ed.jp/api.php

Current GootLoader site, serving up malicious zip/js is
hxxps://www.metromediasystem.it/api.php

Current GootLoader site, serving up malicious zip/js is
hxxps://www.messagesmusicaux.com/api.php

Current GootLoader site, serving up malicious zip/js is
hxxps://www.meinlieblingsglas.de/api.php

Current GootLoader site, serving up malicious zip/js is
hxxps://www.meibachtech.com/api.php

Current GootLoader site, serving up malicious zip/js is
hxxps://www.medischdrukwerk.nl/api.php

Current GootLoader site, serving up malicious zip/js is
hxxps://www.media-web24.de/api.php

Current GootLoader site, serving up malicious zip/js is
hxxps://www.marmolesdelnervion.com/api.php

Current GootLoader site, serving up malicious zip/js is
hxxps://www.marktastic.com/api.php

Current GootLoader site, serving up malicious zip/js is
hxxps://www.marekstejskal.cz/api.php

Current GootLoader site, serving up malicious zip/js is
hxxps://www.mammadu.org/api.php

Current GootLoader site, serving up malicious zip/js is
hxxps://www.malfant-masson-genealogie.fr/api.php