GootLoader has reemerged with new obfuscation techniques, leveraging custom fonts and disguised ZIP files to deliver malicious payloads. Its operations are linked to threat actors such as Hive0127 and Storm-0494, resulting in targeted intrusions and malware deployment on compromised systems. #GootLoader #Hive0127 #Storm0494
Key points
- GootLoader has recently been active with three confirmed infections since October 27, 2025.
- The malware now uses custom WOFF2 fonts and glyph substitution to obfuscate filenames and evade detection.
- It exploits WordPress comment endpoints to deliver XOR-encrypted ZIP payloads with unique keys per file.
- GootLoader is associated with the threat actors Hive0127 and Storm-0494, who deploy backdoors such as Supper and are connected to ransomware campaigns.
- Attackers employ search engine poisoning and Google Ads to redirect victims to malicious WordPress sites hosting hidden payloads.
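As an added example (not code from the article, nor from any GootLoader tooling), the Python triage helper below checks whether a downloaded blob is a ZIP archive hidden behind a single-byte XOR key and lists its members without extracting anything. The single-byte key is an assumption for illustration; the article only says each file uses its own key.

```python
"""Triage helper for ZIP payloads hidden behind a single-byte XOR key.
Assumption (not from the article): the key is one repeating byte. It is recovered
from the known 'PK\\x03\\x04' header and confirmed via the end-of-central-directory."""
import io
import zipfile
from typing import List, Optional, Tuple

LOCAL_HEADER_SIG = b"PK\x03\x04"  # first bytes of any non-empty ZIP
EOCD_SIG = b"PK\x05\x06"          # end-of-central-directory record

def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (the operation is its own inverse)."""
    return bytes(b ^ key for b in data)

def recover_xor_key(blob: bytes) -> Optional[int]:
    """Return the key that turns `blob` into a ZIP (0 means plain ZIP), else None."""
    if len(blob) < 22:  # an EOCD record alone is 22 bytes; anything shorter is not a ZIP
        return None
    key = blob[0] ^ LOCAL_HEADER_SIG[0]  # known plaintext: a ZIP starts with 'P'
    if xor_bytes(blob[:4], key) != LOCAL_HEADER_SIG:
        return None  # the other three signature bytes do not agree with that key
    if EOCD_SIG not in xor_bytes(blob, key):
        return None  # decoded buffer has no central directory trailer
    return key

def list_hidden_zip(blob: bytes) -> Optional[Tuple[int, List[str]]]:
    """Decode an XOR'd ZIP in memory and return (key, member names); no extraction."""
    key = recover_xor_key(blob)
    if key is None:
        return None
    with zipfile.ZipFile(io.BytesIO(xor_bytes(blob, key))) as zf:
        return key, zf.namelist()

def build_sample_zip() -> bytes:
    """Constructed stand-in archive for the demo; not a real GootLoader sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("sample_payload.txt", "constructed placeholder content")
    return buf.getvalue()

SAMPLE_KEY = 0x5A  # constructed key; real files each carry a different one
OBFUSCATED_SAMPLE = xor_bytes(build_sample_zip(), SAMPLE_KEY)

if __name__ == "__main__":
    print(list_hidden_zip(OBFUSCATED_SAMPLE))  # (90, ['sample_payload.txt'])
```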
Read More: https://thehackernews.com/2025/11/gootloader-is-back-using-new-font-trick.html