- The Gootloader malware reappeared in late October 2025 after a nine-month hiatus and was used in ransomware attacks.
- Delivered via malicious JavaScript hidden in custom web fonts, enabling stealthy remote access and discovery.
- Associated with Storm-0494 and Vice Society; in some cases the attackers reached domain controllers within an hour.
After a nine-month hiatus, the malware known as Gootloader is back and can be used as a launching pad for ransomware infections.
A report by the security company Huntress observed “multiple infections” between October 27 and early November 2025. Before that, Gootloader had last been seen in March 2025.
In the new campaign, Gootloader was likely used by a group tracked as Storm-0494 and its downstream operator Vanilla Tempest (aka Vice Society), a ransomware group first identified in mid-2021 that primarily targets the education and healthcare sectors, with occasional forays into manufacturing.
Hiding malware in custom fonts
Researchers said Gootloader was used to deliver malicious JavaScript from compromised websites. The script installs tools that give attackers remote access to the victim organization’s Windows computers and enable follow-up actions such as taking over accounts or deploying ransomware.
Gootloader hid the malicious file names and download instructions in a custom web font (WOFF2): the page looked normal in a browser, but the raw HTML contained only meaningless text. When a victim opened the infected page, the browser applied the font, whose glyphs map the obscured characters to readable ones, so the actual download link and file name were visible only once the page was rendered.
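A defender-side triage check for the font trick described above, written here as an added example (not code from Huntress or the original article): it flags a page only when a web font is embedded inline as a data: URI and the text styled with that font is gibberish before rendering, since inline fonts on their own are common. All function names and the sample page are constructed for the example.

```python
import re
from html.parser import HTMLParser

FONT_FACE_RE = re.compile(r"@font-face\s*\{([^}]*)\}", re.I | re.S)
CLASS_RULE_RE = re.compile(r"\.([\w-]+)\s*\{([^}]*)\}", re.S)
FAMILY_RE = re.compile(r"font-family\s*:\s*['\"]?([^;'\"}]+)", re.I)
SRC_RE = re.compile(r"src\s*:\s*([^;]+)", re.I | re.S)

def inline_font_targets(css):
    """Families declared by @font-face with a data: URI src (font ships inside the page), and the classes that use them."""
    fams = {f.group(1).strip() for m in FONT_FACE_RE.finditer(css)
            if (f := FAMILY_RE.search(m.group(1))) and (s := SRC_RE.search(m.group(1)))
            and "data:" in s.group(1).lower()}
    classes = {c for c, body in CLASS_RULE_RE.findall(css)
               if (f := FAMILY_RE.search(body)) and f.group(1).strip() in fams}
    return fams, classes

class _Collector(HTMLParser):  # raw (pre-rendering) text of elements, and their descendants, carrying a flagged class
    VOID = {"br", "hr", "img", "input", "link", "meta"}  # never get an end tag, so they open no scope
    def __init__(self, classes):
        super().__init__()
        self.classes, self.stack, self.chunks = classes, [], []
    def handle_starttag(self, tag, attrs):
        if tag in self.VOID: return
        hit = set((dict(attrs).get("class") or "").split()) & self.classes
        self.stack.append(bool(hit) or bool(self.stack and self.stack[-1]))
    def handle_endtag(self, tag):
        if self.stack and tag not in self.VOID:
            self.stack.pop()
    def handle_data(self, data):
        if self.stack and self.stack[-1]:
            self.chunks.append(data)

def scan_page(html, min_chars=20, threshold=0.5):
    """Return (suspicious, families, ratio, raw_text); an inline font by itself is common and is no verdict."""
    css = " ".join(re.findall(r"<style[^>]*>(.*?)</style>", html, re.I | re.S))
    fams, classes = inline_font_targets(css)
    col = _Collector(classes)
    col.feed(html)
    text = "".join(col.chunks).strip()
    toks = re.findall(r"[A-Za-z]{2,}", text)  # share of tokens with a vowel: readable English is near 1.0, remapped filler is not
    ratio = sum(bool(re.search(r"[aeiouy]", t, re.I)) for t in toks) / len(toks) if toks else 0.0
    return bool(fams) and len(text) >= min_chars and ratio < threshold, fams, ratio, text

SUSPECT = (  # constructed sample page, not real Gootloader content: inline WOFF2 font applied to gibberish text
    "<html><head><style>@font-face{font-family:'Glyphs';src:url(data:font/woff2;base64,AAAA) format('woff2')}"
    ".dl{font-family:'Glyphs'}</style></head><body><p>Welcome to our forum.</p>"
    "<div class='dl'>Xq7#kz pqrst vwxzq ZZTK ccdffg hjklmnp</div></body></html>")
```

Running `scan_page(SUSPECT)` flags the sample, while the same page with a normal URL-loaded font, or with readable text in the styled element, is not flagged.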
The campaign’s goal is first to gain trusted access, quickly map and monitor the target network, and then hand that access to the ransomware operators. The whole process is run as fast as possible, mostly through automated remote reconnaissance and monitoring tools that help identify valuable targets, create privileged accounts, and prepare the ransomware deployment.
In some cases, Huntress added, attackers reached domain controllers within hours. Automated discovery typically began 10 to 20 minutes after the malicious JavaScript executed. In many cases, operators could access the domain controller after … In at least one environment, they reached a domain controller within an hour.
To protect against Gootloader, Huntress recommends paying attention to early signs such as unexpected browser downloads, unknown home shortcuts, sudden PowerShell or browser script activity, and unusual proxy-like outgoing connections.