Researcher for Gootloader malware
gootloader.zip
@gootloader.zip
⚠️ New TTPs detected for #Gootloader ⚠️
Out are the PDF conversions and back in are legal document lures. They are still using #malvertising, not SEO poisoning.

gootloader.wordpress.com/2025/03/31/g...
🚨Gootloader Returns: Malware Hidden in Google Ads for Legal Documents
The threat actor behind the Gootloader malware has once again changed their tactics, but also reverted to some of their old ways. Just like with the previous infection method, we are seeing Google …
gootloader.wordpress.com
March 31, 2025 at 1:37 PM
Sorry I haven’t been active over here. Here is my latest blog update regarding Gootloader’s massive change in tactics from SEO poisoning to PDF converters: gootloader.wordpress.com/2024/11/07/g...
Gootloader’s Pivot from SEO Poisoning: PDF Converters Become the New Infection Vector
Three weeks ago, Gootloader samples suddenly dried up. This has happened before, so I switched VPNs and tried new locations—coffee shops, friends’, and family’s Wi-Fi networks—but still couldn’t re…
gootloader.wordpress.com
November 19, 2024 at 7:34 PM
Current GootLoader site, serving up malicious zip/js is
hxxps://www.penhaligonsfriends.org.uk/api.php
February 1, 2024 at 4:10 AM