Gootloader malware returns with fake NDA scam – here’s what we know

Tech Wavo by Tech Wavo
November 6, 2025
in Computers

  • Gootloader malware resurfaces using malvertising and SEO poisoning to spread infections
  • Attackers now obfuscate malware names using deceptive web fonts and glyph swapping
  • Loader delivers ransomware, infostealers, and Cobalt Strike via compromised search results

The Gootloader malware operation, which was thought to have been disrupted and shut down in March 2025, has returned with both old and new tricks, experts have warned.

Gootloader is known for using malvertising and SEO poisoning to distribute the malware. The cybercriminals would either create websites or infiltrate legitimate ones, then rework them to host different documents, such as NDA templates. They would then purchase ads on popular ad networks or engage in SEO poisoning, creating countless web articles stuffed with keywords linking back to the sites under their control.

Analysts from Huntress Labs claim to have seen hundreds of websites hosting the malware, and noted that the combination of these two practices means that when people search for certain terms, the malicious websites appear at the very top of search engine results instead of genuinely legitimate pages, increasing the chances of compromise.

Obfuscation techniques

The campaign was effectively terminated in March 2025, after sustained pressure from security researchers on ISPs and hosting platforms resulted in the takedown of the attackers’ infrastructure.

Now, after a half-year hiatus, Gootloader is back, using the same techniques to deploy the loader which, in turn, serves different ransomware, infostealers, or Cobalt Strike beacons.

The biggest difference lies in new obfuscation techniques, the researchers said. Using JavaScript and a custom web font, the attackers hide the real file names of the malware: the font replaces characters with glyphs that look like different letters. In the HTML source, a researcher sees gibberish, but when the page is rendered the glyphs display normal words.

“Rather than using OpenType substitution features or character mapping tables, the loader swaps what each glyph actually displays. The font’s metadata appears completely legitimate—the character “O” maps to a glyph named “O”, the character “a” maps to a glyph named “a”, and so forth,” Huntress said.


“However, the actual vector paths that define these glyphs have been swapped. When the browser requests the shape for glyph “O”, the font provides the vector coordinates that draw the letter “F” instead. Similarly, “a” draws “l”, “9” draws “o”, and special Unicode characters like “±” draw “i”. The gibberish string Oa9Z±h• in the source code renders as “Florida” on screen.”
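Because the cmap and glyph names in such a font look legitimate, a defender cannot detect the swap by inspecting metadata; the glyph outlines themselves have to be compared against a known-good font. The following added example (not code from Huntress or the article) models that check with a toy font: outline coordinates are constructed placeholders, and the mappings for Z, h and • are assumed from the string “Oa9Z±h•” rendering as “Florida”, since the quote only spells out O, a, 9 and ±. With a real font the outlines would come from its glyf/CFF table (for example via fontTools).

```python
import hashlib

# Toy font model: cmap maps a character to a glyph name, and glyphs map a
# glyph name to its outline (a tuple of (x, y) points). The coordinates below
# are constructed and only need to be distinct per letter.

def outline_fingerprint(outline):
    """Hash the vector path so glyphs are compared by shape, never by name."""
    raw = ";".join(f"{x},{y}" for x, y in outline).encode()
    return hashlib.sha256(raw).hexdigest()[:16]

# Reference outlines: what each letter of "Florida" should draw (constructed).
REFERENCE = {ch: ((i, 0), (i, 10), (i + 5, 10)) for i, ch in enumerate("Florida")}

# Suspect font: names look honest ("O" maps to glyph "O"), but the outline
# stored under glyph "O" is the reference shape of "F", and so on.
# O->F, a->l, 9->o, ±->i come from the Huntress quote; Z->r, h->d, •->a are assumed.
SWAP = {"O": "F", "a": "l", "9": "o", "Z": "r", "±": "i", "h": "d", "•": "a"}
SUSPECT_CMAP = {ch: ch for ch in SWAP}                     # character -> glyph name
SUSPECT_GLYPHS = {ch: REFERENCE[real] for ch, real in SWAP.items()}  # glyph -> outline

def decode_rendered_text(text, cmap, glyphs, reference):
    """Recover what the browser actually paints: resolve each character to its
    glyph, fingerprint the outline, and look that shape up in the reference."""
    by_shape = {outline_fingerprint(o): ch for ch, o in reference.items()}
    out = []
    for ch in text:
        glyph = cmap.get(ch)
        if glyph is None or glyph not in glyphs:
            out.append("?")   # no glyph: the browser would fall back to another font
            continue
        out.append(by_shape.get(outline_fingerprint(glyphs[glyph]), "?"))
    return "".join(out)

def find_swapped_glyphs(cmap, glyphs, reference):
    """Return {source char: rendered char} for every glyph whose outline draws
    a different character than its name claims. Empty dict means no swapping."""
    rendered = decode_rendered_text("".join(cmap), cmap, glyphs, reference)
    return {ch: r for ch, r in zip(cmap, rendered) if r != ch}

if __name__ == "__main__":
    print(decode_rendered_text("Oa9Z±h•", SUSPECT_CMAP, SUSPECT_GLYPHS, REFERENCE))
    print(find_swapped_glyphs(SUSPECT_CMAP, SUSPECT_GLYPHS, REFERENCE))
```

Run against a legitimate font (outlines equal to the reference), find_swapped_glyphs returns an empty dict; any non-empty result is a glyph whose name and shape disagree, which is the signal worth alerting on.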

Via BleepingComputer
