Gootloader

A common entry point into enterprises for Cobalt Strike, Gootloader is a JScript-based malware family that leverages SEO poisoning.

Overall rank: #8
Customers affected: 2.4%

Analysis

Gootloader is a JScript-based malware family that typically leverages SEO poisoning and compromised websites to lure victims into downloading a ZIP archive that poses as the document the user was searching for. While we observed Gootloader detections in customer environments across multiple sectors, they almost always occurred after victims visited compromised websites that claimed to offer information on contracts or other legal or financial documents. Victims were likely directed to these sites after searching common search engines for keywords such as “agreement,” “contract,” or the names of various financial institutions. Given the volume of Gootloader detections and the range of victims, this threat is likely opportunistic rather than targeted at a specific industry or organization. Accordingly, Gootloader remains a threat to all organizations.

Upon execution, Gootloader identifies whether the affected system is connected to an Active Directory domain before deploying multiple stages of JScript and PowerShell payloads that may eventually lead to threats such as Cobalt Strike, Gootkit, Osiris, or Sodinokibi ransomware. Unremoved Gootloader infections have a strong possibility of leading to larger-scale incidents resulting in data theft or ransomware.

Readers of past Threat Detection Reports may recall that we previously tracked Gootloader together with the related Gootkit payload. While Gootloader sometimes delivers Gootkit as a payload, we began distinguishing the two in 2022 because we observed Gootloader sometimes delivered alternative payloads to Gootkit, such as Cobalt Strike, and often did not deliver a second-stage payload at all.

Adversaries using Gootloader in 2024 followed a consistent pattern. Initial access began when a victim was directed to a malicious website via SEO poisoning and downloaded a ZIP file whose name resembled the search query, followed by up to five random digits. In August 2024, Red Canary observed a change in this pattern: the four or five digits now appear within parentheses. Examples of this file-naming pattern include:

  • florida_building_code_requirements_for_sheds(9306).zip
  • can_a_minor_be_an_independent_contractor_in_florida(72777).zip
  • solanco_school_district_collective_bargaining_agreement(6421).zip
  • novation_agreement_for_tenancy(56934).zip

The attack relies on user execution: the victim typically launches the dropper JScript from the downloaded archive, which runs under wscript.exe. During this initial execution, the second-stage payload is written as a .dat or .log file to a folder in the user’s AppData\Roaming directory and then renamed with a .js extension. This new JScript file is then executed using wscript.exe, with the script referenced by its MS-DOS (8.3) short filename. This leads to execution of the same JScript via cscript.exe, producing a process execution chain of wscript.exe calling cscript.exe calling PowerShell.

During execution, Gootloader establishes persistence using scheduled tasks, creating a task within C:\Windows\System32\Tasks. These tasks are typically named with two or three words that are completely unrelated to the initial JScript file, and they execute the second-stage script living within the victim user’s AppData\Roaming directory. The staging folder for the second-stage JScript file typically uses a directory name related to communication software (e.g., MS Teams, Zoom) or other software the user may have installed on the device (e.g., FortiClient, Adobe, UltraVNC).

For more details, check out our blog from May 2022 (updated in October 2024), which covers Gootloader activity in more depth.

Take action

One of the best ways to mitigate risks associated with Gootloader, as well as Scarlet Goldfinch, SocGholish, and other threats that begin with malicious JavaScript files, is to change the default behavior in Windows so that JS files open in Notepad or another editor rather than executing immediately on double-click. Details on implementing this control via GPO are available in our July 2024 blog Open with Notepad: Protecting users from malicious JavaScript.
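One way to implement the file-association change, added here as an example written for this page rather than the GPO procedure from the linked blog. It assumes an elevated session and that the JSFile and JSEFile ProgIDs are the ones the host maps .js and .jse to, which is the Windows default:

```powershell
# Added example for this page, not the GPO procedure from the linked blog:
# re-point the JScript file types at Notepad so a double-click shows the script
# instead of running it. Assumes an elevated session. Writes to HKLM, so it
# applies to every user on the host who has no per-user (HKCU) override;
# an explicit "wscript.exe file.js" from a command line still runs the script.
$editor  = Join-Path $env:SystemRoot 'System32\notepad.exe'
$command = "`"$editor`" `"%1`""

# Double-click handlers live under the ProgID for each extension: JSFile for
# .js and JSEFile for encoded .jse. VBSFile/VBEFile/WSFFile can be treated the
# same way if the environment does not need them.
foreach ($progId in 'JSFile', 'JSEFile') {
    $key = "HKLM:\SOFTWARE\Classes\$progId\Shell\Open\Command"
    if (-not (Test-Path -Path $key)) { Write-Warning "$key not present, skipping"; continue }
    $before = (Get-ItemProperty -Path $key).'(default)'
    Set-ItemProperty -Path $key -Name '(default)' -Value $command
    $after  = (Get-ItemProperty -Path $key).'(default)'
    Write-Host "$($progId): '$before' -> '$after'"
}

# Sanity check from the shell's view of the association (cmd.exe built-ins).
cmd.exe /c 'assoc .js'
cmd.exe /c 'ftype JSFile'
```

After the change, `ftype JSFile` should report the Notepad command. A user who has picked a different program for .js in Explorer will have a per-user UserChoice pointing at another ProgID, which this script does not touch; check HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.js on hosts where the control does not appear to take effect.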

To remove Gootloader components, stop any malicious instances of wscript.exe, cscript.exe, and powershell.exe. Remove any malicious scheduled tasks for the victim user to remediate persistence on the host. If any payloads were stored within the Windows Registry or on disk, attempt to remove those payloads for full remediation. Examples of these registry keys include:

  • HKCU\SOFTWARE\Microsoft\Phone\%USERNAME%
  • HKCU\SOFTWARE\Microsoft\Phone\%USERNAME%0
  • HKCU\SOFTWARE\Microsoft\Personalization\%USERNAME%
  • HKCU\SOFTWARE\Microsoft\Personalization\%USERNAME%0
  • HKCU\SOFTWARE\Microsoft\Fax\%USERNAME%
  • HKCU\SOFTWARE\Microsoft\Fax\%USERNAME%0
  • HKCU\SOFTWARE\Microsoft\Personalization\%RANDOMVALUE%
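A host triage script that walks the artifacts described above, added here as an example and not Red Canary's tooling. It assumes an elevated session running in the victim user's context, takes the registry paths from the list above, and derives the scheduled-task, process and file checks from the behaviour described in the Analysis section. It only reports findings unless run with -Remove:

```powershell
<#
  Added triage script for the Gootloader artifacts described in this section;
  an example for this page, not Red Canary's tooling. Assumes an elevated
  session on the affected host, run as the victim user. Registry paths are the
  ones listed above; the task, process and file checks follow the behaviour
  described in the Analysis section. Findings are only reported unless -Remove
  is given.
#>
[CmdletBinding()]
param([switch]$Remove)

$user     = $env:USERNAME
$findings = New-Object System.Collections.Generic.List[string]

# 1. Registry payload stores: <branch>\%USERNAME% and <branch>\%USERNAME%0.
$regKeys = foreach ($branch in 'Phone', 'Personalization', 'Fax') {
    "HKCU:\SOFTWARE\Microsoft\$branch\$user"
    "HKCU:\SOFTWARE\Microsoft\$branch\${user}0"
}
foreach ($key in $regKeys) {
    if (Test-Path -LiteralPath $key) {
        $valueCount = (Get-Item -LiteralPath $key).ValueCount
        $findings.Add("registry: $key ($valueCount values)")
        if ($Remove) { Remove-Item -LiteralPath $key -Recurse -Force }
    }
}
# %RANDOMVALUE%: any other subkey under Personalization deserves a look.
if (Test-Path 'HKCU:\SOFTWARE\Microsoft\Personalization') {
    Get-ChildItem 'HKCU:\SOFTWARE\Microsoft\Personalization' |
        ForEach-Object { $findings.Add("review registry subkey: $($_.Name)") }
}

# 2. Persistence: scheduled tasks whose action runs a .js from AppData\Roaming.
$stagePattern = '(?i)(appdata\\roaming|%appdata%).*\.js\b'
foreach ($task in Get-ScheduledTask) {
    $actionText = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join ' ; '
    if ($actionText -match $stagePattern) {
        $findings.Add("scheduled task: $($task.TaskPath)$($task.TaskName) -> $actionText")
        if ($Remove) { Unregister-ScheduledTask -TaskName $task.TaskName -TaskPath $task.TaskPath -Confirm:$false }
    }
}

# 3. Running script hosts: wscript/cscript matching the patterns from the
# detection section, and powershell.exe whose parent is one of them.
$hosts = Get-CimInstance Win32_Process -Filter "Name='wscript.exe' OR Name='cscript.exe' OR Name='powershell.exe'"
$byPid = @{}
Get-CimInstance Win32_Process | ForEach-Object { $byPid[[int]$_.ProcessId] = $_ }
foreach ($p in $hosts) {
    $parentName = if ($byPid.ContainsKey([int]$p.ParentProcessId)) { $byPid[[int]$p.ParentProcessId].Name } else { '' }
    $suspicious = ($p.CommandLine -match '(?i)(appdata\\.*\.js\b|~\d+\.js\b)') -or
                  ($p.Name -eq 'powershell.exe' -and $parentName -match '(?i)^[wc]script\.exe$')
    if ($suspicious) {
        $findings.Add("process: pid $($p.ProcessId) $($p.Name) (parent $parentName): $($p.CommandLine)")
        if ($Remove) { Stop-Process -Id $p.ProcessId -Force -ErrorAction SilentlyContinue }
    }
}

# 4. Staged second stage: a .js in a software-named folder under AppData\Roaming.
# Report only; legitimate .js files can live here too, so an analyst decides.
Get-ChildItem -Path $env:APPDATA -Depth 2 -File -Filter '*.js' -ErrorAction SilentlyContinue |
    ForEach-Object { $findings.Add("review file: $($_.FullName) ($($_.Length) bytes, modified $($_.LastWriteTime))") }

if ($findings.Count -eq 0) { 'No Gootloader artifacts found.' } else { $findings }
```

Run it once without -Remove, preserve anything it reports (export the registry keys and copy the staged script before deletion so the payload can be analysed), then run with -Remove. Because the registry and AppData checks are scoped to the current user, repeat the run for each profile that executed the lure.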

Detection opportunities

Windows Scripting Host executing JScript files

Victims nearly always download Gootloader samples inside a ZIP archive distributed by an adversary. The most common initial execution pattern is for the victim to double-click the ZIP archive and execute the JScript file within. This produces a command line similar to:

WScript.exe "C:\Users\[redacted]\AppData\Local\Temp\Temp1_simple_agreement_for_future_equity_9891.zip\simple agreement for future equity 95886.js"

This pattern is also seen across other script-based threats distributed within ZIP archives. To detect this entire class of threat, you can start with this logic and tune:

process == 'wscript.exe'
&&
command_includes ('(?i)appdata\\.*\.js')

Note: the `.*` in the pattern means we are not looking for any particular filename, only for a .js file somewhere beneath an AppData path.

Windows Scripting Host executing JScript files with MS-DOS short names

During execution, the Gootloader samples copy one stage to disk and persistently execute it using cscript.exe. During this procedure, the cscript.exe command line references the malicious script using an 8.3 short filename, which is an uncommon pattern. This produces a command line similar to:

cscript.exe "POSTPR~1.JS"

To detect this threat you can start with this logic and tune:

process == 'cscript.exe'
&&
command_includes '~1.js'
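The two rules above, the wscript.exe to cscript.exe to PowerShell chain from the Analysis section, and the lure ZIP naming pattern, evaluated over constructed process events and filenames so the logic can be exercised offline. This is an added example, not Red Canary's detection logic; the events, pids and benign names are made up for the example, and the short-name rule is widened from '~1.js' to any '~N.js' 8.3 name:

```powershell
# Added example for this page, not Red Canary's detection code. Constructed
# process-start events (made up for the example; the two malicious command
# lines are the ones quoted in this section) plus benign noise.
$events = @(
    [pscustomobject]@{ ProcessId = 100; ParentProcessId = 1;   Process = 'explorer.exe';   CommandLine = 'C:\Windows\explorer.exe' }
    [pscustomobject]@{ ProcessId = 201; ParentProcessId = 100; Process = 'WScript.exe';    CommandLine = 'WScript.exe "C:\Users\alice\AppData\Local\Temp\Temp1_simple_agreement_for_future_equity_9891.zip\simple agreement for future equity 95886.js"' }
    [pscustomobject]@{ ProcessId = 202; ParentProcessId = 201; Process = 'cscript.exe';    CommandLine = 'cscript.exe "POSTPR~1.JS"' }
    [pscustomobject]@{ ProcessId = 203; ParentProcessId = 202; Process = 'powershell.exe'; CommandLine = 'powershell.exe -w hidden -nop -ep bypass -c <redacted>' }
    # Benign noise: a GPO logon script and a built-in licensing script.
    [pscustomobject]@{ ProcessId = 301; ParentProcessId = 1;   Process = 'wscript.exe';    CommandLine = 'wscript.exe "\\corp.example\SYSVOL\corp.example\scripts\logon.vbs"' }
    [pscustomobject]@{ ProcessId = 302; ParentProcessId = 1;   Process = 'cscript.exe';    CommandLine = 'cscript.exe "C:\Windows\System32\slmgr.vbs" /dli' }
)

# Rule 1: wscript.exe launching a .js from under an AppData path.
function Test-WscriptAppDataJs($e) { $e.Process -eq 'wscript.exe' -and $e.CommandLine -match '(?i)appdata\\.*\.js\b' }
# Rule 2: cscript.exe referencing a script by an 8.3 short name (~1.js widened to ~N.js).
function Test-CscriptShortName($e) { $e.Process -eq 'cscript.exe' -and $e.CommandLine -match '(?i)~\d+\.js\b' }

# Chain: walk powershell -> parent -> grandparent and report the full chain.
function Find-WscriptCscriptPowerShellChain($events) {
    $byPid = @{}
    foreach ($e in $events) { $byPid[$e.ProcessId] = $e }
    foreach ($ps in $events | Where-Object Process -eq 'powershell.exe') {
        $parent = $byPid[$ps.ParentProcessId]
        if (-not $parent -or $parent.Process -ne 'cscript.exe') { continue }
        $grand = $byPid[$parent.ParentProcessId]
        if (-not $grand -or $grand.Process -ne 'wscript.exe') { continue }
        [pscustomobject]@{ WscriptPid = $grand.ProcessId; CscriptPid = $parent.ProcessId; PowerShellPid = $ps.ProcessId }
    }
}

# Lure ZIP names: search-query words joined by underscores, then four or five
# digits in parentheses (post-August 2024) or trailing _digits (older form).
# Hunt-grade only: ordinary names such as photos_2024.zip also match.
function Test-GootloaderZipName($name) { $name -match '(?i)^[a-z0-9]+(_[a-z0-9]+)*(\(\d{4,5}\)|_\d{1,5})\.zip$' }

foreach ($e in $events) {
    if (Test-WscriptAppDataJs $e) { "[wscript appdata .js]  pid $($e.ProcessId): $($e.CommandLine)" }
    if (Test-CscriptShortName $e) { "[cscript 8.3 name]     pid $($e.ProcessId): $($e.CommandLine)" }
}
Find-WscriptCscriptPowerShellChain $events |
    ForEach-Object { "[wscript>cscript>powershell] pids $($_.WscriptPid) -> $($_.CscriptPid) -> $($_.PowerShellPid)" }

# Constructed filenames: one from the report, the older underscore form, and two benign names.
$zips = 'florida_building_code_requirements_for_sheds(9306).zip',
        'simple_agreement_for_future_equity_9891.zip',
        'photos_2024.zip',
        'quarterly-report.zip'
$zips | ForEach-Object { '{0,-56} {1}' -f $_, (Test-GootloaderZipName $_) }
```

Against the constructed events, rule 1 fires on pid 201 only, rule 2 on pid 202 only, and the chain walk reports 201 -> 202 -> 203; the logon script and slmgr.vbs stay quiet. The same predicates translate directly into an EDR query language, with the chain check expressed as parent and grandparent process-name conditions.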

Testing

You can test detection capabilities by modifying and executing tests for T1059.007 (Command and Scripting Interpreter: JavaScript) using Atomic Red Team. The tests will need customization so that script paths match those used by Gootloader, such as a .js file launched from a Temp ZIP extraction path or from a folder under AppData\Roaming.
