Gootloader malware back for the attack, serves up ransomware • The Register

11/06/2025


Gootloader JavaScript malware, commonly used to deliver ransomware, is back in action after a period of reduced activity.

Since October 27, security shop Huntress says it has spotted three Gootloader infections, and two of these led to hands-on-keyboard intrusions with domain controller compromise occurring in as little as 17 hours after the attackers gained initial access.

Huntress senior analyst Anna Pham told The Register that her team has attributed all three intrusions to Gootloader operator Storm-0494 and ransomware gang Vanilla Tempest (aka Rhysida).

“The infection operates through a well-established criminal partnership: Storm-0494 handles Gootloader operations and initial access, then hands off compromised environments to Vanilla Tempest for post-exploitation and ransomware deployment,” Pham said in a Wednesday blog. 

Gootloader, which functions as both a malware dropper and an infostealer, has been around since at least 2014, with some disruptions to its operations along the way, and briefly resurged in March. Like most movie monsters and malware, however, it returned from the grave, this time with some changes – like custom WOFF2 fonts with glyph substitution to obfuscate filenames – and some of the same old tricks, such as SEO poisoning.

In one of the infections that Huntress discovered, the user was searching “missouri cover utility easement roadway” via Bing, and the search engine served up a compromised site in the first page of results.

The loader abuses WordPress's comment submission endpoint to hide encrypted payloads, and when the user clicks "Download," they unwittingly receive a ZIP archive containing a malicious JavaScript file; once run, that script fetches additional payloads such as ransomware.

“One of the interesting observations is that Gootloader is using a custom web font to obfuscate the filenames,” Pham wrote. “So, when the user attempts to copy the filename or inspect the source code—they will see weird characters like ‛›μI€vSO₽*’Oaμ==€‚‚33O%33‚€×:O[TM€v3cwv,. However, when rendered in the victim’s browser, these same characters magically transform into perfectly readable text like Florida_HOA_Committee_Meeting_Guide.pdf.”

The miscreants did this by using a custom WOFF2 font file that Gootloader embeds directly into the JavaScript code of the compromised webpage. Because the substitution happens at render time, string-matching scanners and anyone reading the page source see only the garbled characters, while the victim sees a plausible document name.
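The rendering trick above leaves two things in the page source that a defender can look for without a browser: a base64 WOFF2 blob sitting inside a script block, and a download link whose visible text is mostly characters that never appear in a real filename. The following is an added example (not Huntress's tooling or Gootloader's code) that scans a constructed, hypothetical page for both, and decodes the link text once a glyph map has been recovered from the font; the sample page, the glyph map and the `/?download=1` link are assumptions made up for the demonstration, and the map must be extracted offline from the real font (for example by comparing its glyph outlines with a reference font).

```python
import base64
import html as html_lib
import re

# Base64 of the WOFF2 magic bytes b"wOF2" always starts with these six characters.
WOFF2_B64_PREFIX = "d09GMg"
WOFF2_MAGIC = b"wOF2"

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
B64_BLOB_RE = re.compile(WOFF2_B64_PREFIX + r"[A-Za-z0-9+/]{10,}={0,2}")
ANCHOR_RE = re.compile(r"<a\b[^>]*>(.*?)</a>", re.I | re.S)
TAG_RE = re.compile(r"<[^>]+>")
# Characters one expects in an ordinary download filename.
FILENAME_CHARS = re.compile(r"[A-Za-z0-9._ \-()]")


def find_inline_woff2(page: str) -> list:
    """Return base64 WOFF2 blobs embedded inside <script> blocks.

    A font delivered as a data URI from JavaScript is unusual on a legitimate
    page; the magic bytes are verified so that a random base64 string that
    happens to start with 'd09GMg' is not reported.
    """
    found = []
    for body in SCRIPT_RE.findall(page):
        for blob in B64_BLOB_RE.findall(body):
            head = base64.b64decode(blob[:8])  # 8 base64 chars -> 6 bytes
            if head.startswith(WOFF2_MAGIC):
                found.append(blob)
    return found


def obfuscation_ratio(text: str) -> float:
    """Fraction of characters that do not belong in a normal filename."""
    if not text:
        return 0.0
    odd = sum(1 for ch in text if not FILENAME_CHARS.match(ch))
    return odd / len(text)


def find_obfuscated_links(page: str, threshold: float = 0.4) -> list:
    """Anchor texts whose source characters look like glyph-substituted junk."""
    hits = []
    for inner in ANCHOR_RE.findall(page):
        text = html_lib.unescape(TAG_RE.sub("", inner)).strip()
        if len(text) >= 6 and obfuscation_ratio(text) >= threshold:
            hits.append(text)
    return hits


def decode_with_glyph_map(text: str, glyph_map: dict) -> str:
    """Recover what the victim saw, given source code point -> rendered glyph."""
    return "".join(glyph_map.get(ch, ch) for ch in text)


def scan_page(page: str, glyph_map: dict = None) -> dict:
    """Flag a page only when both signals are present: inline font plus junk link."""
    fonts = find_inline_woff2(page)
    links = find_obfuscated_links(page)
    decoded = [decode_with_glyph_map(t, glyph_map) for t in links] if glyph_map else []
    return {
        "inline_woff2_fonts": len(fonts),
        "obfuscated_links": links,
        "decoded_links": decoded,
        "suspicious": bool(fonts) and bool(links),
    }


# Constructed sample page (hypothetical; not the page Huntress analysed).
SAMPLE_PAGE = """<html><head><title>Utility easement guide</title></head><body>
<script>
var f = "d09GMgABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";  /* base64 WOFF2, truncated */
document.head.insertAdjacentHTML("beforeend",
  "<style>@font-face{font-family:dl;src:url(data:font/woff2;base64," + f + ")}" +
  ".dl{font-family:dl}</style>");
</script>
<p>Your document is ready:</p>
<a class="dl" href="/?download=1">\u201b\u203a\u03bcI\u20acvSO\u20bd*\u2019</a>
<a href="/about/">About this site</a>
</body></html>"""

# Hypothetical glyph map (source code point -> character the font draws),
# the kind of table an analyst builds offline from the font's cmap and outlines.
SAMPLE_GLYPH_MAP = {
    "\u201b": "F", "\u203a": "l", "\u03bc": "o", "I": "r", "\u20ac": "i",
    "v": "d", "S": "a", "O": "_", "\u20bd": "H", "*": "O", "\u2019": "A",
}

if __name__ == "__main__":
    import json
    print(json.dumps(scan_page(SAMPLE_PAGE, SAMPLE_GLYPH_MAP), ensure_ascii=False, indent=2))
```

Run against the sample page, the scan reports one inline WOFF2 font, one obfuscated link, and decodes its text to `Florida_HOA`; the plain "About this site" link is left alone. The two-signal rule matters in practice: icon fonts are also shipped inline on plenty of legitimate sites, and odd anchor text alone is common on non-English pages, so neither signal is worth an alert on its own.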

Between 10 and 20 minutes after the initial JavaScript file executes, the malware sets up two persistence mechanisms for the follow-on activity. One of them deploys the Supper SOCKS5 backdoor, which gives the attackers remote access to the compromised device.

“In these three specific October 2025 infections, we documented the presence of Vanilla Tempest’s signature Supper backdoor,” Pham told The Register. “We identified a specific obfuscator we named ‘TextShell’ that was used in the malware samples. Further investigation and analysis using YARA rules for the ‘TextShell’ obfuscator revealed that the same obfuscation was also present in OysterLoader samples, another backdoor exclusively associated with Vanilla Tempest operations.”

Vanilla Tempest (aka Vice Society) has been active since at least 2021, using various ransomware families before rebranding as Rhysida in 2023 and deploying Rhysida ransomware in its infections.

In an infection that Huntress investigated, about 20 minutes after executing the initial JavaScript file, the network intruders performed reconnaissance from one of the four Supper SOCKS5 backdoors dropped onto the victim’s machine. “Why the threat actor decided to drop four instances of a Supper backdoor is still a mystery,” Pham wrote.

Just under 17 hours after the initial JavaScript execution and reconnaissance activity, the criminals used Windows Remote Management to move laterally to the Domain Controller and create a new user with admin-level access. 

Then they used Impacket to remotely execute a command on the Domain Controller that allowed them to identify backup snapshots on the system. Ransomware crims typically do this right before deleting the backups and deploying data-encrypting malware on compromised machines.
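The chain described in the preceding paragraphs (script-host execution of the dropped .js, a WinRM session on the domain controller, a new account placed in an admin group, then shadow-copy enumeration) is short enough to correlate from Windows security events. The following is an added example, not Huntress's detection content: it classifies a constructed, hypothetical set of event records into those stages and measures the time from first execution to domain admin. The host names, account name and timestamps are made up; the event IDs (4688 process creation, 4720 user created, 4728/4732 group membership added) and `wsmprovhost.exe` as the WinRM host process are standard Windows facts, and the `1> \\127.0.0.1\ADMIN$\__` redirect is the well-known command shape of Impacket's wmiexec, which is assumed here as one likely trace; the page does not say which Impacket tool was used.

```python
from datetime import datetime
import re

DOMAIN_CONTROLLERS = {"DC01"}  # hypothetical inventory of DC hostnames
ADMIN_GROUPS = {"Domain Admins", "Administrators", "Enterprise Admins"}

# Script host launching a .js file: the Gootloader entry point.
JS_LAUNCH_RE = re.compile(r"\b[wc]script\.exe\b.*\.js\b", re.I)
# Shadow-copy enumeration, the step that usually precedes backup deletion.
SHADOW_RE = re.compile(
    r"vssadmin(?:\.exe)?\s+list\s+shadows|wmic(?:\.exe)?\s+shadowcopy|Win32_ShadowCopy", re.I)
# Output redirect to ADMIN$ used by Impacket wmiexec (assumption: other tools differ).
WMIEXEC_RE = re.compile(r"\\\\127\.0\.0\.1\\ADMIN\$\\__", re.I)


def classify(ev: dict):
    """Map one event record to a stage name, or None if it is not interesting."""
    eid, host, cmd = ev["id"], ev["host"], ev.get("cmd", "")
    if eid == 4688 and JS_LAUNCH_RE.search(cmd):
        return "initial_js"
    if eid == 4688 and host in DOMAIN_CONTROLLERS and ev.get("parent", "").lower() == "wsmprovhost.exe":
        return "winrm_on_dc"
    if eid == 4720 and host in DOMAIN_CONTROLLERS:
        return "user_created"
    if eid in (4728, 4732) and ev.get("group") in ADMIN_GROUPS:
        return "admin_added"
    if eid == 4688 and (SHADOW_RE.search(cmd) or WMIEXEC_RE.search(cmd)):
        return "shadow_enum"
    return None


def analyze(events: list, max_hours: float = 24.0) -> dict:
    """Record the first time each stage is seen and measure initial access to DC admin."""
    stages = {}
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO-8601 sorts lexically
        stage = classify(ev)
        if stage and stage not in stages:
            stages[stage] = ev["ts"]
    result = {"stages": stages, "hours_to_dc_admin": None,
              "backup_enumeration": "shadow_enum" in stages, "alert": False}
    if "initial_js" in stages:
        reached_dc = [stages[s] for s in ("winrm_on_dc", "admin_added") if s in stages]
        if reached_dc:
            start = datetime.fromisoformat(stages["initial_js"])
            if "admin_added" in stages:
                delta = datetime.fromisoformat(stages["admin_added"]) - start
                result["hours_to_dc_admin"] = round(delta.total_seconds() / 3600, 2)
            first_dc = datetime.fromisoformat(min(reached_dc))
            result["alert"] = (first_dc - start).total_seconds() / 3600 <= max_hours
    return result


# Constructed sample events (hypothetical; not the Huntress case data).
EVENTS = [
    {"ts": "2025-10-28T09:00:00", "host": "WS-0421", "id": 4688, "user": "jdoe",
     "cmd": r'"C:\Windows\System32\wscript.exe" "C:\Users\jdoe\Downloads\Meeting_Guide\Meeting_Guide.js"'},
    {"ts": "2025-10-28T09:20:00", "host": "WS-0421", "id": 4688, "user": "jdoe",
     "cmd": r'"C:\Windows\System32\cmd.exe" /c nltest /dclist:corp'},  # recon, not a stage
    {"ts": "2025-10-29T01:50:00", "host": "DC01", "id": 4688, "user": "jdoe", "parent": "wsmprovhost.exe",
     "cmd": r'"C:\Windows\System32\net.exe" user svc_backup * /add /domain'},
    {"ts": "2025-10-29T01:51:00", "host": "DC01", "id": 4720, "user": "jdoe", "target": "svc_backup"},
    {"ts": "2025-10-29T01:52:00", "host": "DC01", "id": 4728, "user": "jdoe",
     "target": "svc_backup", "group": "Domain Admins"},
    {"ts": "2025-10-29T02:20:00", "host": "DC01", "id": 4688, "user": "svc_backup",
     "cmd": r'cmd.exe /Q /c vssadmin list shadows 1> \\127.0.0.1\ADMIN$\__1761700800.5 2>&1'},
]

if __name__ == "__main__":
    import json
    print(json.dumps(analyze(EVENTS), indent=2))
```

On the sample data the workstation event at 09:00 and the group-membership change on the DC at 01:52 the next day are 16.87 hours apart, which is the kind of gap Pham describes; the alert fires because the DC was reached inside the 24-hour window, and the `backup_enumeration` flag is the cue that encryption is likely imminent. The point of keying on the first occurrence of each stage is that a SOC gets one correlated timeline rather than six separate low-severity events.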

Huntress published indicators of compromise, plus YARA rules and Supper backdoor detections, to help defenders hunt for signs of Gootloader and Vanilla Tempest on their networks, so check those out.

“What makes Gootloader particularly dangerous is the speed of the attack chain,” Pham told The Register. “The research shows that organizations have a narrow window to detect and respond before threat actors achieve domain controller compromise and begin ransomware preparation activities.” ®
