Darkstream Dispatch Vol.3_GOOTLOADER

June 10, 2025
Musa Nadir Sani

Introduction

Darkstream Dispatch is a monthly intelligence report dedicated to tracking and analyzing malware families, threat actors, and cyber campaigns primarily targeting Civil Society Organizations (CSOs), human rights defenders, and advocacy groups. As digital threats become more sophisticated, CSOs face increasing risks from state-sponsored actors, cybercriminals, and surveillance campaigns designed to compromise their operations, communications, and safety. This volume focuses on GOOTLOADER, a JavaScript-based malware.

Description

Gootloader is a JavaScript-based malware family that primarily uses SEO poisoning and compromised websites to trick users into downloading a ZIP archive disguised as a document they were searching for. Initial analysis shows that Gootloader infections occurred across various sectors, typically after victims visited compromised websites offering fake information related to contracts or legal and financial documents. These victims were likely led to such sites through search engine queries using keywords like “agreement,” “contract,” or the names of financial institutions. The widespread nature of these detections suggests that Gootloader operates opportunistically, rather than targeting specific industries or organizations. As such, it remains a persistent threat to all organizations.
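Added here as an illustration of the lure pattern described above (not code from this report or from Intel471): a defender-side triage check that flags ZIP archives whose members are script files named like the legal or financial documents victims were searching for. The script-extension list, the lure word list and the sample archives are constructed assumptions.

```python
import io
import re
import zipfile

# Script extensions the Windows Script Host runs on double-click (assumed list, not from the report).
SCRIPT_EXTENSIONS = (".js", ".jse", ".wsf", ".vbs", ".vbe", ".hta")
# Lure vocabulary built from the search terms the report names ("agreement", "contract")
# plus document words commonly paired with them; the regex itself is our own assumption.
LURE_WORDS = re.compile(r"agreement|contract|template|form|invoice|policy", re.I)
# A document extension immediately followed by a script extension, e.g. "contract.pdf.js".
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|txt)\.[a-z]+$")

def score_archive(data: bytes) -> list:
    """Flag archive members that fit the lure described in the report: a script file
    whose name reads like a document. Returns one finding (dict) per suspicious member."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = zf.infolist()
        for info in members:
            name = info.filename.lower()
            if not name.endswith(SCRIPT_EXTENSIONS):
                continue  # only scripts matter for this downloader pattern
            reasons = ["script inside archive"]
            if LURE_WORDS.search(name):
                reasons.append("document-like lure name")
            if DOUBLE_EXT.search(name):
                reasons.append("double extension")
            if len(members) == 1:
                reasons.append("sole member of archive")
            findings.append({"member": info.filename, "size": info.file_size, "reasons": reasons})
    return findings

def _build(entries: dict) -> bytes:
    """Write a small in-memory ZIP; used only to construct the samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in entries.items():
            zf.writestr(name, body)
    return buf.getvalue()

def build_lure_archive() -> bytes:
    """Constructed sample, not a real GootLoader artifact: one lure-named script."""
    return _build({"services_agreement_contract_template.pdf.js": "// constructed placeholder\n"})

def build_benign_archive() -> bytes:
    """Constructed sample with no script members."""
    return _build({"readme.txt": "plain text\n", "notes.md": "# notes\n"})

if __name__ == "__main__":
    print(score_archive(build_lure_archive()))
```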

Overview

Malware Type: Downloader

Operating System: Windows

Aliases: SLOWPOUR

Confirmed Targeted Industries: Civil Society & Non-Profits, Aerospace & Defense, Chemicals & Materials, Construction & Engineering, Education, Energy & Utilities, Financial Services, Government, Healthcare, Hospitality, Insurance, Legal & Professional Services, Manufacturing, Media & Entertainment, Pharmaceuticals, Retail, Technology, Telecommunications, and Transportation.

Associated Threat Actors: FIN12, UNC2565, UNC2727, UNC3944, UNC4120, UNC5636

Associated Malware: BEACON, GOOTLOADER.POWERSHELL

Associated Vulnerabilities: N/A

Associated Tools: COBALTSTRIKE

Find the full list of IOCs here: https://intel471.com/blog/threat-hunting-case-study-tracking-down-gootloader

Security Recommendations

To combat the ever-growing threats posed by malware in the downloader class, CcHUB recommends that organizations:

  • Run functional antivirus software with up-to-date signature databases
  • Conduct regular audits of their information systems
  • Conduct regular employee awareness training

To read more about how you or your organization can track GOOTLOADER, kindly read the Intel471 article linked above.
If you suspect a security breach of any kind, reach out to us on our helpdesk (help@cchub.africa).
