Skip Navigation
Get a Demo



Gootkit is a banking trojan that can deliver additional payloads, siphon data from victims, and stealthily persist in a compromised environment.

Pairs with this song






A malware threat with a JavaScript loader component, Gootkit has been actively observed in the wild for more than a decade. Over the past several years, it has evolved into a multi-stage tool used to facilitate a range of hands-on-keyboard activity in multi-pronged attacks, wherein more than one objective is likely accomplished. Gootkit was originally delivered via spam email campaigns and older exploit kits, but over time its initial access has shifted to SEO poisoning tactics. Specifically, operators alter search engine results to direct victims to legitimate but compromised websites hosting Gootkit. Upon visiting a compromised website, victims are prompted to download a ZIP archive containing a malicious JavaScript file, which if executed can allow an adversary to remotely access a victim’s system. While some researchers track the delivery mechanism as “Gootloader” and the trojan activity as “Gootkit,” Red Canary tracks both components as “Gootkit.” Our classification may shift as we gather additional information.

Follow-on activity varies. In 2021, Red Canary saw operators use Gootkit to deliver Cobalt Strike. Though we didn’t observe any ransomware in that intrusion, the intrusion chain mirrored public reporting of compromises where victims’ networks were ultimately encrypted with Sodinokibi (REvil) ransomware. Based on public research and follow-on activity observed in customer environments last year, it’s likely that Gootkit operators facilitate ransomware-as-a-service (RaaS) activity in some cases, either deploying other payloads directly or selling access to environments with Gootkit infections. We have also observed Gootkit dropping the Osiris banking trojan.

While we’ve observed Gootkit detections in customer environments across multiple sectors, almost without exception, infections occurred after victims visited compromised websites purporting to host content related to legal or financial agreements. Victims were likely directed to these sites after initiating queries in common search engines with keywords such as “agreement,” “contract,” and the names of various financial institutions. Given the volume of Gootkit detections and the range of victims, this threat is likely more opportunistic than targeted to a specific industry or organization. Accordingly, Gootkit remains a threat to all organizations.

One hypothesis as to why we observe Gootkit so frequently is that it is downloaded from sites victims navigated to based on search results they initiated themselves, as we further discuss in the user-initiated initial access section.


Detection opportunities

Windows Scripting Host executing JavaScript files

This detection analytic will identify unusual activity originating from wscript.exe executing JavaScript files from the %APPDATA% directory. This applies to GootKit because the initial loader for the threat is implemented in JavaScript that gets executed via wscript.exe when the victim double-clicks on the downloaded loader.

process == wscript.exe
file_path_includes ('%APPDATA%')

PowerShell using a shortened EncodedCommand flag

This detection analytic will identify use of the shortened EncodedCommand flag in PowerShell, a tactic often used by Gootkit operators and others to obfuscate malicious code on an endpoint. Like all detection analytics, this may generate some false positives in your environment that require tuning. This applies to GootKit at multiple stages after the loader, when this threat uses PowerShell to deobfuscate and execute downloaded payloads.

process == powershell.exe
command_line_includes == [any variation of the '-encodedcommand' switch]*

*Note: the encoded command switch has many variations, including -encodedcommand, -e, -enc, and many other variations

Back to Top