UPDATE 12/08/2025: In October 2025, Gootloader resurfaced with enhanced capabilities, building on the multi-stage loader malware first seen in 2020. These capabilities include initial access methods that incorporate SEO (Search Engine Optimization) poisoning via law-related decoys, and modified ZIP archive extraction methods used to conceal itself. Researchers have also observed newer persistence techniques and the deployment of more unique malicious tooling.
TITAN References:
Titan Malware Campaign Report: https://titan.intel471.com/report/fintel/48f86795369858d923a6fa26c9ea4ef9
Titan Malware Report: https://titan.intel471.com/report/malrep/7a662b69267fefda9f77e90bcd7147c9
Titan Malware Profile: https://titan.intel471.com/malware/1195d06fcea9e1f026fb5332871556ef
Titan Malware Campaign Report: Gootloader malware returns with updates: https://titan.intel471.com/report/fintel/0d349e091f9985c1c97a21fb807e653a
Gootloader Malware Hunt Collection
Related Hunt Packages
Suspicious Scheduled Task Created - Execution Details Contains Scripting Reference
This content is designed to detect when scripting references are found in scheduled tasks. Malware and adversaries use this technique to maintain persistence on a compromised system.
JS and LNK File Written in Short Period in Same Folder - Potential Malware Installation
The identification of both `JavaScript` and `LNK` files being created in the same folder within a brief window is a strong indicator of potential defense evasion, as seen in Gootloader attacks. Threat actors use this method to obscure the execution of malicious scripts, with the `LNK` file acting as a launcher for the `JavaScript` payload, thereby sidestepping direct execution that might otherwise be blocked or scrutinized.
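The correlation described above, as an added example that is not the HUNTER package's own query: Python over a constructed list of file-creation events, grouping by folder and pairing a JavaScript file with a LNK file written within a short window. The 60-second window and the event record shape are assumptions.

```python
"""Pair .js and .lnk files created in the same folder within a short window.
Added example; event records below are constructed, and the window length is
an assumption standing in for the package's "brief window"."""
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

WINDOW = timedelta(seconds=60)  # assumption: "brief window" taken as 60 seconds

# Constructed sample events: (ISO timestamp, full path of the created file)
SAMPLE_EVENTS = [
    ("2025-10-14T09:12:01", r"C:\Users\alice\Downloads\Agreement_Template\Agreement_Template_2025.js"),
    ("2025-10-14T09:12:07", r"C:\Users\alice\Downloads\Agreement_Template\Agreement_Template_2025.lnk"),
    ("2025-10-14T09:15:30", r"C:\Users\alice\Documents\notes.txt"),
    ("2025-10-14T10:40:00", r"C:\Users\bob\Downloads\build.js"),
    ("2025-10-14T11:40:00", r"C:\Users\bob\Downloads\build.lnk"),  # an hour apart: not paired
]


def parse_event(ts, path):
    """Normalise one raw event into timestamp, folder key and extension."""
    p = PureWindowsPath(path)
    return {
        "ts": datetime.fromisoformat(ts),
        "folder": str(p.parent).lower(),  # case-insensitive folder key
        "ext": p.suffix.lower(),
        "path": path,
    }


def find_js_lnk_pairs(raw_events, window=WINDOW):
    """Return (js_path, lnk_path) pairs written to the same folder within `window`."""
    events = sorted((parse_event(*e) for e in raw_events), key=lambda e: e["ts"])
    by_folder = {}
    for e in events:
        if e["ext"] in (".js", ".lnk"):
            by_folder.setdefault(e["folder"], []).append(e)

    pairs = []
    for folder_events in by_folder.values():
        scripts = [e for e in folder_events if e["ext"] == ".js"]
        links = [e for e in folder_events if e["ext"] == ".lnk"]
        for s in scripts:
            for l in links:
                if abs(s["ts"] - l["ts"]) <= window:
                    pairs.append((s["path"], l["path"]))
    return pairs


if __name__ == "__main__":
    for js, lnk in find_js_lnk_pairs(SAMPLE_EVENTS):
        print(f"[suspect] {js} + {lnk}")
```

Only the first two events pair up; Bob's build.js and build.lnk land in the same folder but an hour apart, so the window rule excludes them. Widening the window trades false negatives for false positives, so tune it against your own file-creation telemetry.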
LNK File Created in Startup Folder - Potential Indirect Malware Execution
This package is designed to identify shortcut (.lnk) files that are created in the Windows Startup folder. This is a technique used by malware and attackers to have their program execute when a user logs in. A LNK file is used to bypass security controls and identification through typical means: where a dropped executable would draw suspicion, the shortcut launches it indirectly. The startup folder path for the current user is C:\Users\[Username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup. The startup folder path for all users is C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp.
Rundll32 Run Without Arguments
Rundll32 running without any command-line arguments is very anomalous and should be investigated. This can be indicative of malicious activity.
Suspicious Scheduled Task Create/Update - Unusual Task Command and Arguments
Malware often maintains persistence via scheduled tasks. The provided logic identifies tasks whose command uses rundll32, powershell or cmd, or whose command line references the common malware locations AppData\Roaming or AppData\Local\Temp. These two locations are commonly used to store malware binaries.
LNK Created in Startup Folder by Script Interpreter - Potential Script Loader Persistence
This Hunt Package is designed to identify the creation of .LNK shortcut files under a user's Startup folder by script interpreters (wscript/cscript/powershell/cmd). In late 2025, several actors and malware operators switched to using JavaScript and other scripting languages to carry out their initial infection, such as loading additional malware and establishing persistence. This was likely done to evade detection mechanisms that trigger on executing a binary at the start of the infection chain.
File Created In Startup Folder
This package is designed to detect a file being created in the Windows Startup folder.
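The three Startup-folder packages above (any file created in Startup, a LNK created in Startup, and a LNK created in Startup by a script interpreter) share one path check, so here is one added Python example covering all three; it is not the HUNTER packages' own logic. The per-user and all-users Startup paths are the ones given on the page; the event record shape and the interpreter list (wscript/cscript/powershell/pwsh/cmd) are assumptions.

```python
"""Classify file-creation events under the Windows Startup folders.
Added example; events are constructed and the interpreter set is an assumption
following the package descriptions (pwsh.exe added as the PowerShell 7 host)."""
import re
from pathlib import PureWindowsPath

# Per-user Startup: C:\Users\<name>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
USER_STARTUP_RE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\",
    re.I,
)
# All-users Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp
ALL_USERS_STARTUP_RE = re.compile(
    r"^[a-z]:\\programdata\\microsoft\\windows\\start menu\\programs\\startup\\", re.I
)
SCRIPT_INTERPRETERS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "cmd.exe"}

# Constructed sample events: created file path and the image of the creating process
SAMPLE_EVENTS = [
    {"path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.lnk",
     "image": r"C:\Windows\System32\wscript.exe"},
    {"path": r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Agent.exe",
     "image": r"C:\Program Files\Vendor\setup.exe"},
    {"path": r"C:\Users\alice\Documents\report.lnk",
     "image": r"C:\Windows\explorer.exe"},
    {"path": r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.lnk",
     "image": r"C:\Windows\explorer.exe"},
]


def classify(event):
    """Return the hunt labels this event satisfies, most general first (empty if none)."""
    path = event["path"]
    if not (USER_STARTUP_RE.match(path) or ALL_USERS_STARTUP_RE.match(path)):
        return []
    labels = ["file_created_in_startup"]
    if PureWindowsPath(path).suffix.lower() == ".lnk":
        labels.append("lnk_in_startup")
        creator = PureWindowsPath(event["image"]).name.lower()
        if creator in SCRIPT_INTERPRETERS:
            labels.append("lnk_in_startup_by_script_interpreter")
    return labels


def triage(events):
    """Keep only events that hit at least one label, with their labels."""
    out = []
    for e in events:
        labels = classify(e)
        if labels:
            out.append((e["path"], labels))
    return out


if __name__ == "__main__":
    for path, labels in triage(SAMPLE_EVENTS):
        print(path, "->", ", ".join(labels))
```

The labels nest deliberately: every script-interpreter hit is also a LNK hit and a Startup hit, so a SIEM rule can alert on the narrowest label and keep the broader ones as hunting context. The OneDrive shortcut written by explorer.exe shows why the broadest label alone is noisy.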
Scheduled Task Executing from Abnormal Location
This hunt package is designed to capture activity associated with a scheduled task whose execution details include abnormal locations. This is often a mark of persistence or of malicious tasks created by malware or attackers.
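The three scheduled-task packages above (scripting reference in the task action, unusual launcher such as rundll32/powershell/cmd or an AppData\Roaming / AppData\Local\Temp path, and execution from an abnormal location) reduce to string checks over the task's command and arguments, so here is one added Python example covering all three; it is not the HUNTER packages' own query. The task records are constructed; the script-extension list and the extra abnormal locations beyond the two named on the page (Users\Public, Windows\Temp) are my assumptions.

```python
"""Assess scheduled-task create/update records for the three hunt conditions.
Added example; task records are constructed and the extension and location
lists extend the page's named items with assumed extras."""
import re
from pathlib import PureWindowsPath

# Launchers named on the page plus other script/LOLBin hosts (assumed additions)
SUSPICIOUS_LAUNCHERS = {
    "rundll32.exe", "powershell.exe", "pwsh.exe", "cmd.exe",
    "wscript.exe", "cscript.exe", "mshta.exe", "regsvr32.exe",
}
# Any reference to a script file in the action (extension list is an assumption)
SCRIPT_REFERENCE_RE = re.compile(r"\.(?:js|jse|vbs|vbe|ps1|bat|cmd|hta|wsf)\b", re.I)
# AppData\Roaming and AppData\Local\Temp from the page; Users\Public and Windows\Temp assumed
ABNORMAL_LOCATION_RE = re.compile(
    r"\\appdata\\(?:roaming|local\\temp)\\|\\users\\public\\|\\windows\\temp\\", re.I
)

# Constructed sample task records (name, action command, action arguments)
SAMPLE_TASKS = [
    {"name": r"\Microsoft\Windows\UpdateOrchestrator\ScanCheck",
     "command": r"C:\Windows\System32\svchost.exe", "args": "-k netsvcs"},
    {"name": r"\Update", "command": r"C:\Windows\System32\wscript.exe",
     "args": r"C:\Users\alice\AppData\Roaming\Updater\client.js"},
    {"name": r"\Loader", "command": "rundll32.exe",
     "args": r"C:\Users\alice\AppData\Local\Temp\a.dll,DllRegisterServer"},
    {"name": r"\Backup", "command": r"C:\Program Files\Backup\bk.exe", "args": "--nightly"},
]


def assess_task(task):
    """Return the reasons a task is suspicious (empty list when none apply)."""
    launcher = PureWindowsPath(task["command"]).name.lower()
    full_action = f'{task["command"]} {task["args"]}'
    reasons = []
    if launcher in SUSPICIOUS_LAUNCHERS:
        reasons.append(f"launcher:{launcher}")
    if SCRIPT_REFERENCE_RE.search(full_action):
        reasons.append("scripting_reference")
    if ABNORMAL_LOCATION_RE.search(full_action):
        reasons.append("abnormal_location")
    return reasons


def suspicious_tasks(tasks):
    """Filter to tasks with at least one reason, keeping name and reasons."""
    return [(t["name"], assess_task(t)) for t in tasks if assess_task(t)]


if __name__ == "__main__":
    for name, reasons in suspicious_tasks(SAMPLE_TASKS):
        print(name, "->", ", ".join(reasons))
```

Checking the launcher by its file name rather than the full path catches both the bare `rundll32.exe` form and a fully qualified System32 path. Two or more reasons on one task (a script host plus an AppData path) is the combination worth escalating; a single `launcher:powershell.exe` hit on its own is common in legitimate administrative tasks.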
WScript Executing File From Zip - Potential Loader Execution
Zip files are often used to deliver malicious files, such as JavaScript files. Often sent via email or downloaded from a phishing page, these zip files leave traces of execution when their contents are not extracted but executed straight from the zip file. This package identifies the temporary-folder naming schemes used by 7-Zip, Windows Explorer and WinRAR, in which a JavaScript file is executed by the built-in Windows script interpreter WScript. JavaScript files are typically used to run the first stage of a malicious chain that downloads and installs malware.
Wscript Spawning Suspicious Processes - Potential Script Loaders
This Hunt Package is designed to identify instances where Windows Script Host launches potentially suspicious child processes such as PowerShell, cmd, or other LOLBins. This behavior is consistent with documented Gootloader infection chains, where JavaScript loaders executed via WScript or LNK shortcuts spawn additional processes to facilitate follow-on actions, including system enumeration and payload staging.
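The process-creation packages above (WScript executing a script from an archive-extraction temp folder, rundll32 run without arguments, and Windows Script Host spawning PowerShell, cmd or other LOLBins) all key off the same fields of one event type, so here is one added Python example covering the three; it is not the HUNTER packages' own logic. The event records are constructed. The temp-folder naming patterns (Explorer `Temp1_<archive>.zip`, WinRAR `Rar$DIa<digits>.<digits>`, 7-Zip `7zO<hex>`) are my assumptions about how those tools name their extraction folders, not patterns taken from the page, and the child-process list is likewise an assumption.

```python
"""Triage process-creation events for three hunt conditions.
Added example; events are constructed and the archive temp-folder regexes are
assumptions about Explorer, WinRAR and 7-Zip folder naming."""
import re
from pathlib import PureWindowsPath

# Assumed extraction-folder names under %TEMP%:
#   Explorer: Temp1_<archive>.zip   WinRAR: Rar$DIa1234.5678   7-Zip: 7zO<hex>
ARCHIVE_TEMP_RE = re.compile(
    r"\\temp\\(?:temp\d+_[^\\]+\.zip|rar\$[a-z]{2,3}\d+\.\d+|7z[a-z]?[0-9a-f]+)\\", re.I
)
SCRIPT_EXT_RE = re.compile(r"\.(?:js|jse|vbs|vbe|wsf)\b", re.I)
WSH = {"wscript.exe", "cscript.exe"}
# Child processes worth flagging under a script host (assumed list)
SUSPICIOUS_CHILDREN = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "rundll32.exe", "regsvr32.exe",
    "mshta.exe", "certutil.exe", "bitsadmin.exe",
}

# Constructed sample events: parent image, process image, full command line
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" '
                r'"C:\Users\alice\AppData\Local\Temp\Temp1_contract_agreement.zip\contract_agreement.js"'},
    {"parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -Command Get-ComputerInfo"},
    {"parent": r"C:\Windows\System32\services.exe", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": "rundll32.exe"},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\alice\Documents\logon_script.vbs"},
]


def triage_process(event):
    """Return the hunt findings for one process-creation event (empty if none)."""
    image = PureWindowsPath(event["image"]).name.lower()
    parent = PureWindowsPath(event["parent"]).name.lower()
    cmd = event["cmdline"]
    findings = []

    # WScript running a script straight out of an archive-extraction temp folder
    if image in WSH and SCRIPT_EXT_RE.search(cmd) and ARCHIVE_TEMP_RE.search(cmd):
        findings.append("wscript_from_archive_temp")

    # rundll32 with nothing after the image token is anomalous
    if image == "rundll32.exe":
        rest = re.sub(r'^\s*"?[^"\s]*rundll32\.exe"?', "", cmd, flags=re.I).strip()
        if not rest:
            findings.append("rundll32_no_arguments")

    # Windows Script Host spawning a LOLBin or shell
    if parent in WSH and image in SUSPICIOUS_CHILDREN:
        findings.append("wsh_spawned_" + image[: -len(".exe")])

    return findings


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(PureWindowsPath(ev["image"]).name, "->", triage_process(ev) or "clean")
```

The parent-image check is the one that survives renaming: a loader may rename the dropped script, but a PowerShell process whose parent is wscript.exe still stands out. The logon_script.vbs event is left clean on purpose, since WScript running a script from a normal user folder is the baseline this rule must not drown in.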