
New Gootloader attacks drop Supper SOCKS5 backdoor

New attacks leveraging Gootloader malware have been discovered, with one intrusion resulting in Domain Controller compromise within 17 hours, Huntress reported Wednesday.

Gootloader, which first emerged in 2020, recently saw a period of inactivity, save for a brief resurgence in March 2025, the Huntress researchers explained. The latest wave of attacks was seen last week, with Huntress observing three distinct Gootloader intrusions.

The loader is used by a threat actor tracked as Storm-0494, which provides initial access to another threat group tracked as Vanilla Tempest. Vanilla Tempest leverages this access to deploy backdoors and ultimately deliver ransomware, including the Rhysida ransomware family.

Gootloader is spread through malicious JavaScript injected into compromised WordPress sites. In one of the recent attacks, a compromised webpage about Missouri utility easement laws appeared at the top of Bing search results, leading the victim to the malicious download.

The injected JavaScript abuses the WordPress comment submission endpoint, /wp-comments-post.php, to deliver the Gootloader payload, which arrives as an XOR-encrypted ZIP archive. The decryption key is hardcoded in the webpage's source code and matches the payload's filename.
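As an added illustration of that delivery scheme (example code written for this article, not Gootloader's or Huntress's code), the Python below builds a small ZIP in memory, XOR-encrypts it with a key equal to a made-up filename, and then performs the analyst-side check: XOR the blob with the filename and confirm the result starts with the ZIP local file header signature before parsing it. The filename and archive member are constructed for the example.

```python
import io
import zipfile

# Constructed sample filename (not a real Gootloader artifact). Under the scheme
# described above, the key that decrypts the archive is the filename itself.
SAMPLE_FILENAME = "Missouri_Utility_Easement_Law.zip"
ZIP_LOCAL_HEADER = b"PK\x03\x04"


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. Encryption and decryption are the same operation."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_sample_archive() -> bytes:
    """Clean ZIP with one member standing in for the loader script (constructed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Missouri_Utility_Easement_Law.js", "// placeholder loader script\n")
    return buf.getvalue()


def encrypt_sample() -> bytes:
    """What the compromised page would serve: the archive XOR'd with its own filename."""
    return xor_with_key(build_sample_archive(), SAMPLE_FILENAME.encode())


def looks_like_zip(blob: bytes, filename: str) -> bool:
    """Cheap triage: decrypt only the first four bytes and compare with the ZIP signature."""
    return xor_with_key(blob[:4], filename.encode()) == ZIP_LOCAL_HEADER


def decrypt_gootloader_zip(blob: bytes, filename: str) -> list:
    """Decrypt with the filename as key and return member names.

    Raises ValueError when the plaintext is not a ZIP, which is what you see when
    the blob was saved under a different name than the page intended.
    """
    plain = xor_with_key(blob, filename.encode())
    if plain[:4] != ZIP_LOCAL_HEADER:
        raise ValueError("no ZIP signature after decryption; key (filename) mismatch?")
    with zipfile.ZipFile(io.BytesIO(plain)) as zf:
        return zf.namelist()
```

Because the key is the filename, a sample renamed during collection will not decrypt; record the original download name alongside the blob.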

The page uses a custom WOFF2 font file to obfuscate filenames in the source code: the text renders as expected in the user's browser but appears as gibberish when the source is inspected or processed by static analysis tools.

Once installed, Gootloader runs a PowerShell script that captures all environment variables and running processes and exfiltrates them to one of the 10 hardcoded command-and-control (C2) server domains.

It specifically targets processes with visible graphical user interface (GUI) windows, which indicate what the user is actively working on and whose window titles could reveal sensitive information such as credentials. It also enumerates desktop files and inventories mounted drives with more than 50KB of free space, identifying potential staging locations for additional payloads, the researchers said.

The loader beacons one of the 10 C2 servers at random every 20 seconds to await further PowerShell commands for execution.
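The random choice among 10 domains means a per-domain request-frequency rule sees only a fraction of the beacons; the periodicity is visible only when requests are aggregated per source host. The following detector, added here as an example (not Huntress's tooling), runs over constructed proxy-style log lines and flags hosts whose outbound requests recur near a 20-second period with little jitter, regardless of destination. Hostnames, domains and timestamps are invented.

```python
import statistics
from datetime import datetime, timezone

# Constructed log lines: "<ISO timestamp> <source host> <destination domain>".
# WS01 mimics the loader rotating across several C2 domains every 20 s;
# WS02 is ordinary browsing noise. None of these domains are real indicators.
SAMPLE_LOG = """\
2025-11-03T14:00:00Z WS01 c2-a.example
2025-11-03T14:00:20Z WS01 c2-d.example
2025-11-03T14:00:40Z WS01 c2-b.example
2025-11-03T14:01:00Z WS01 c2-a.example
2025-11-03T14:01:20Z WS01 c2-c.example
2025-11-03T14:01:40Z WS01 c2-d.example
2025-11-03T14:02:00Z WS01 c2-b.example
2025-11-03T14:00:03Z WS02 cdn.example
2025-11-03T14:00:41Z WS02 mail.example
2025-11-03T14:03:15Z WS02 cdn.example
2025-11-03T14:09:58Z WS02 update.example
"""


def parse_log(text: str) -> list:
    """Returns (timestamp, host, destination) tuples."""
    events = []
    for line in text.splitlines():
        ts, host, dst = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((when, host, dst))
    return events


def beacon_candidates(events: list, period: float = 20.0,
                      tolerance: float = 2.0, min_events: int = 5) -> dict:
    """Per-host inter-arrival analysis across all destinations.

    A host is flagged when the median gap between its requests is within
    `tolerance` seconds of `period` and the gaps' standard deviation is also
    within `tolerance`, i.e. a tight, machine-driven cadence.
    """
    by_host = {}
    for when, host, dst in events:
        by_host.setdefault(host, []).append((when, dst))
    flagged = {}
    for host, hits in by_host.items():
        if len(hits) < min_events:
            continue
        hits.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(hits, hits[1:])]
        median_gap = statistics.median(gaps)
        jitter = statistics.pstdev(gaps)
        if abs(median_gap - period) <= tolerance and jitter <= tolerance:
            flagged[host] = {
                "period": median_gap,
                "jitter": jitter,
                "domains": sorted({dst for _, dst in hits}),
            }
    return flagged
```

In production, widen `tolerance` to absorb retries and network delay, and treat the list of domains a flagged host rotated through as the set to block; the rotation is itself the indicator.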

Notably, the recent instances of Gootloader establish persistence through Startup folder shortcuts, whereas previous Gootloader attacks used scheduled tasks for persistence.

Speedy backdoor deployment and lateral movement

Huntress observed the Supper SOCKS5 backdoor deployed in the recent attacks, a backdoor frequently used by Vanilla Tempest in its ransomware operations. In two of the three intrusions the researchers observed, Supper was deployed within about 20 minutes of initial infection.

The version of Supper seen in these attacks leveraged several obfuscation techniques, including API hammering, API hashing, reconstruction of shellcode at runtime, hash-based DLL resolution and a custom LZMA decompression routine.

For example, the backdoor makes many repetitive, benign API calls to hide its malicious calls among the noise (API hammering), the researchers noted. Additionally, Supper's LZMA streams carry a custom 2-byte header rather than the standard 13-byte header, so off-the-shelf decompressors reject them until the header is rebuilt.
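To make the header point concrete, here is an added example (written for this article, not Supper's or Huntress's code) that shows what the standard 13-byte LZMA_Alone header contains and how an analyst rebuilds one for a stream whose header was replaced: the properties byte (lc/lp/pb), a 32-bit dictionary size and a 64-bit uncompressed size, with all-0xFF meaning "unknown, end marker present". The report does not describe the layout of Supper's 2-byte header, so the example simply strips the standard header from a constructed sample and recovers the parameters the way you would from the malware's decompression routine.

```python
import lzma
import struct

UNKNOWN_SIZE = 2 ** 64 - 1  # all 0xFF: length unknown, stream ends with an end marker

# Constructed plaintext standing in for the decompressed shellcode blob.
SAMPLE_PLAINTEXT = b"PLACEHOLDER SHELLCODE " * 64


def parse_alone_header(blob: bytes) -> dict:
    """Split a standard .lzma stream: 1 props byte, u32 LE dict size, u64 LE size (13 bytes)."""
    props, dict_size, unc_size = struct.unpack("<BIQ", blob[:13])
    return {
        "props": props,
        "lc": props % 9,             # literal context bits
        "lp": (props // 9) % 5,      # literal position bits
        "pb": props // 45,           # position bits
        "dict_size": dict_size,
        "uncompressed_size": unc_size,
        "body": blob[13:],           # raw LZMA1 data
    }


def rebuild_alone_header(lc: int, lp: int, pb: int, dict_size: int,
                         uncompressed_size: int = UNKNOWN_SIZE) -> bytes:
    """Inverse of parse_alone_header: encode the parameters into the 13-byte layout."""
    props = (pb * 5 + lp) * 9 + lc
    return struct.pack("<BIQ", props, dict_size, uncompressed_size)


def decompress_headerless(body: bytes, lc: int, lp: int, pb: int, dict_size: int) -> bytes:
    """Decompress a raw LZMA1 body by prepending a reconstructed standard header.

    This is the analyst's move when a sample uses a nonstandard container: recover
    lc/lp/pb and the dictionary size from the unpacking code, then let liblzma do the rest.
    """
    header = rebuild_alone_header(lc, lp, pb, dict_size)
    return lzma.decompress(header + body, format=lzma.FORMAT_ALONE)


def sample_header() -> dict:
    """Header liblzma writes for the constructed sample (preset 6: lc=3, lp=0, pb=2)."""
    return parse_alone_header(lzma.compress(SAMPLE_PLAINTEXT, format=lzma.FORMAT_ALONE))


def demo() -> bytes:
    """Strip the standard header from the sample, then recover the plaintext via rebuild."""
    hdr = sample_header()
    return decompress_headerless(hdr["body"], hdr["lc"], hdr["lp"], hdr["pb"], hdr["dict_size"])
```

If the malware's custom header only encodes a subset of these fields, the remaining ones (typically lc=3, lp=0, pb=2) are fixed in its decoder, and a larger-than-needed dictionary size in the rebuilt header is harmless for decompression.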

The Supper backdoor encrypts C2 traffic using a custom XOR method, generating a new 4-byte key for every outbound message that is placed in the message header. It communicates with C2 servers over TCP port 443 and supports six commands, including commands for SOCKS5 setup and disconnection, shell command execution and self-deletion.
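Carrying the per-message key in the header means the obfuscation rotates on every message, so there is no static byte pattern to signature, but it also means anyone holding a packet capture can decode the traffic without any secret. The added example below (not Supper's or Huntress's code) shows a codec for that framing plus the complementary network check: the report says the backdoor speaks raw TCP on port 443, so a 443 stream that does not open with a TLS record is the anomaly to hunt. The frame layout `[4-byte key][body XOR key]` and the command strings are assumptions for illustration; the report names six commands but not their wire format.

```python
import os
from typing import List, Optional


def xor_stream(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; encrypt and decrypt are the same call."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def pack_frame(body: bytes, key: Optional[bytes] = None) -> bytes:
    """Sender side (assumed layout): fresh random 4-byte key, then body XOR'd with it."""
    key = os.urandom(4) if key is None else key
    if len(key) != 4:
        raise ValueError("key must be exactly 4 bytes")
    return key + xor_stream(body, key)


def unpack_frame(frame: bytes) -> bytes:
    """Receiver/analyst side: the key is the first four bytes, so decoding needs no secret."""
    if len(frame) < 4:
        raise ValueError("frame shorter than its key header")
    return xor_stream(frame[4:], frame[:4])


def decode_capture(frames: List[bytes]) -> List[bytes]:
    """Decode every frame of a captured session."""
    return [unpack_frame(f) for f in frames]


def looks_like_tls_record(first_bytes: bytes) -> bool:
    """TLS records begin with a content type (0x14..0x17) and a 0x03,0x0X version.

    Supper's first bytes on 443 are a random key, so this heuristic fails for it
    almost always; treat a non-TLS stream on 443 as worth a closer look.
    """
    return (len(first_bytes) >= 3 and 0x14 <= first_bytes[0] <= 0x17
            and first_bytes[1] == 0x03 and first_bytes[2] <= 0x04)


# Constructed "capture": two frames with fixed keys so the example is reproducible.
CAPTURE = [
    pack_frame(b"CMD:SOCKS5_SETUP 0.0.0.0:1080", b"\x11\x22\x33\x44"),
    pack_frame(b"CMD:SHELL whoami", b"\xde\xad\xbe\xef"),
]
```

The TLS check is a first-pass filter only: roughly one random key in 65,000 happens to start with bytes that pass it, so confirm with the decoder before alerting.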

In the observed attacks, the backdoor executed reconnaissance commands including an Active Directory (AD) search for user accounts with Service Principal Names (SPNs), a scan for machines where the current user has local admin access, a Kerberoasting attack command to extract password hashes and an AD search for users with text in their description field, potentially including sensitive information such as temporary passwords.

In one of the attacks, just 16 hours and 54 minutes after the initial intrusion, the threat actors managed to move laterally to the Domain Controller via Windows Remote Management (WinRM), created a user named sccmad and added the new user to the Domain Admins and local Administrators groups, Huntress described.

After this, the attacker used Impacket to execute a command on the Domain Controller that enumerated Volume Shadow Copy snapshots, potentially in preparation for a ransomware attack.
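The reconnaissance, WinRM lateral movement, privileged account creation and shadow copy enumeration described above each leave ordinary Windows log artifacts. The following added example (written for this article, not Huntress's detection content) runs simple rules over constructed events and correlates them into a timeline: Kerberos service ticket requests with RC4 encryption for a user service account (Kerberoasting), processes spawned by the WinRM host process, an account created and added to a privileged group within minutes, and a vssadmin shadow listing. Only the account name sccmad comes from the report; hosts, users, timestamps and command lines are invented, and the WmiPrvSE parent with output redirected to ADMIN$ reflects what Impacket's wmiexec.py produces by default, since the report names Impacket but not the specific tool.

```python
from datetime import datetime, timedelta

PRIVILEGED_GROUPS = {"Domain Admins", "Administrators", "Enterprise Admins"}

# Constructed events. Field names loosely follow the Windows Security log
# (4769, 4720, 4728, 4732) and Sysmon process creation (id 1). Not from the report.
EVENTS = [
    {"t": "2025-11-03T07:00:00", "id": 4769, "host": "DC01", "user": "jdoe",
     "service": "svc_sql", "etype": "0x17"},            # RC4 TGS for a user account with an SPN
    {"t": "2025-11-03T07:00:01", "id": 4769, "host": "DC01", "user": "jdoe",
     "service": "krbtgt", "etype": "0x12"},             # benign AES ticket
    {"t": "2025-11-03T23:54:00", "id": 1, "host": "DC01",
     "parent": "C:\\Windows\\System32\\wsmprovhost.exe",  # WinRM host spawning a shell
     "cmdline": "cmd.exe /c net user sccmad Passw0rd! /add /domain"},
    {"t": "2025-11-03T23:54:05", "id": 4720, "host": "DC01", "target": "sccmad"},
    {"t": "2025-11-03T23:54:20", "id": 4728, "host": "DC01", "target": "sccmad", "group": "Domain Admins"},
    {"t": "2025-11-03T23:54:25", "id": 4732, "host": "DC01", "target": "sccmad", "group": "Administrators"},
    {"t": "2025-11-03T23:58:00", "id": 1, "host": "DC01",
     "parent": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",  # wmiexec-style execution
     "cmdline": "cmd.exe /Q /c vssadmin list shadows 1> \\\\127.0.0.1\\ADMIN$\\__1762213080.1 2>&1"},
]


def ts(e: dict) -> datetime:
    return datetime.fromisoformat(e["t"])


def kerberoast_requests(events: list) -> list:
    """4769 with RC4 (0x17) for a non-machine, non-krbtgt service: the Kerberoasting tell."""
    return [e for e in events if e["id"] == 4769 and e["etype"] == "0x17"
            and e["service"].lower() != "krbtgt" and not e["service"].endswith("$")]


def winrm_spawned_processes(events: list) -> list:
    """Children of wsmprovhost.exe are commands run through WinRM remoting."""
    return [e for e in events if e["id"] == 1
            and e.get("parent", "").lower().endswith("\\wsmprovhost.exe")]


def shadow_copy_enumeration(events: list) -> list:
    """vssadmin listing shadows: common pre-ransomware step before deleting them."""
    return [e for e in events if e["id"] == 1
            and "vssadmin" in e.get("cmdline", "").lower()
            and "shadows" in e["cmdline"].lower()]


def new_privileged_accounts(events: list, window: timedelta = timedelta(minutes=10)) -> list:
    """Account created (4720) then added to a privileged group (4728 domain, 4732 local) within `window`."""
    created = {e["target"]: ts(e) for e in events if e["id"] == 4720}
    hits = []
    for e in events:
        if e["id"] in (4728, 4732) and e.get("group") in PRIVILEGED_GROUPS and e["target"] in created:
            if timedelta(0) <= ts(e) - created[e["target"]] <= window:
                hits.append((e["t"], e["target"], e["group"]))
    return hits


def triage(events: list) -> list:
    """Run every rule and return (timestamp, label, detail) tuples in time order."""
    alerts = [(e["t"], "kerberoast", e["service"]) for e in kerberoast_requests(events)]
    alerts += [(e["t"], "winrm_exec", e["cmdline"]) for e in winrm_spawned_processes(events)]
    alerts += [(e["t"], "vss_enum", e["cmdline"]) for e in shadow_copy_enumeration(events)]
    alerts += [(t, "new_privileged_account", f"{acct} -> {grp}")
               for t, acct, grp in new_privileged_accounts(events)]
    return sorted(alerts)
```

None of these rules depends on seeing Gootloader or Supper themselves; they fire on the follow-on activity, which is the point the researchers make in their conclusion.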

The Huntress report also noted that researchers at The DFIR Report shared observations of another Gootloader attack in which lateral movement to the Domain Controller was achieved in less than one hour, after which the attacker deployed a malicious proxy DLL and dumped the NTDS.dit database for potential exfiltration.

The short time period between initial infection and Domain Controller compromise demonstrated the need for rapid detection and response to threats such as Gootloader and Supper, the Huntress researchers concluded. Despite the multiple layers of obfuscation used in these attacks, Huntress noted that proper monitoring can still likely uncover activities such as the AD enumeration, local admin scanning, WinRM abuse and privileged account creation.

“Monitor for unusual PowerShell execution, AD enumeration patterns, privilege escalation attempts, and lateral movement,” the researchers concluded. “These ‘mundane’ activities are your earliest warning signs. While Gootloader enhances its evasion capabilities, the attack patterns that follow remain consistent.”  
