Gootloader Malware Attacking Users Via Google Search Ads Using Weaponized Documents

The notorious Gootloader malware has reemerged with evolved tactics, now leveraging Google Search advertisements to target users seeking legal document templates.

This sophisticated campaign specifically promotes “free” legal templates, primarily non-disclosure agreements, through sponsored search results that appear legitimate to unsuspecting users.

Upon clicking these advertisements, victims are directed to lawliner[.]com where they are prompted to enter their email address to receive the requested document.

Google Ad (Source – Gootloader.wordpress.com)

The attack chain begins innocuously with users searching for terms like “non disclosure agreement template” and encountering sponsored ads from domains that appear to offer legitimate legal services.

These advertisements are reportedly being delivered through “MED MEDIA GROUP LIMITED,” which security experts believe may have been compromised to facilitate this campaign.

A security analyst identified that after submitting their email address, victims receive a message from lawyer@skhm[.]org containing a download link that purportedly leads to the requested document.

However, instead of receiving a legitimate .docx file, users unwittingly download a compressed JavaScript file disguised as the legal document they requested.

The infection mechanism demonstrates sophisticated social engineering techniques.

When executed, the malicious JavaScript creates a scheduled task pointing to another .JS file in the user’s AppData\Roaming folder.

This persistence mechanism ensures the malware remains active across system reboots.

The script then executes PowerShell commands to establish connections with multiple WordPress blogs, approximately 10 in total, with 1-2 being genuinely compromised servers while others serve as decoys to complicate analysis.

SKHM Secure document delivery (Source – Gootloader.wordpress.com)

Security professionals recommend implementing immediate security measures including blocking web traffic to lawliner[.]com and skhm[.]org, filtering email communications from skhm[.]org, and conducting retrospective threat hunting for any historical interactions with these malicious domains to identify potentially compromised systems within organizational networks.
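The retrospective hunt recommended above can be scripted against existing telemetry. The following Python is an added example, not code from the article or from Gootloader’s analysts: it checks constructed proxy-log lines for contact with the two domains named here (brackets removed for matching, subdomains included) and flags scheduled tasks whose action launches a .js file from AppData\Roaming, the persistence pattern the article describes. The log format, host names and task names are constructed sample data.

```python
"""Retrospective hunt for the Gootloader indicators described in the article."""
import re

# Domains named in the article (defanging brackets removed so they match real logs).
IOC_DOMAINS = {"lawliner.com", "skhm.org"}

# Constructed sample web-proxy lines: "<time> <client> <host> <url>"
SAMPLE_PROXY_LOG = """\
2025-03-03T09:12:44Z 10.0.4.17 www.google.com https://www.google.com/search?q=nda+template
2025-03-03T09:13:01Z 10.0.4.17 lawliner.com https://lawliner.com/nda
2025-03-03T09:20:39Z 10.0.4.17 dl.skhm.org https://dl.skhm.org/doc/NDA_template.zip
2025-03-03T09:21:02Z 10.0.4.22 example.org https://example.org/
"""

# Constructed scheduled-task inventory: (task name, action command line)
SAMPLE_TASKS = [
    ("Adobe Updater", r"C:\Program Files\Adobe\updater.exe /check"),
    ("Non Disclosure Agreement", r"wscript.exe C:\Users\alice\AppData\Roaming\nda_agreement.js"),
    ("OneDrive Sync", r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),
]


def domain_matches(host):
    """True if host is an IOC domain or one of its subdomains (not a look-alike suffix)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def find_ioc_hits(log_lines):
    """Return (time, client, host) for every proxy line that reached an IOC domain."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed or empty line
        time, client, host = parts[0], parts[1], parts[2]
        if domain_matches(host):
            hits.append((time, client, host))
    return hits


# A .js script under %AppData%\Roaming, the persistence task the article describes.
ROAMING_JS = re.compile(r"\\AppData\\Roaming\\[^\s\"]*\.js\b", re.IGNORECASE)


def suspicious_task_actions(tasks):
    """Return names of scheduled tasks whose action runs a .js file from AppData\\Roaming."""
    return [name for name, action in tasks if ROAMING_JS.search(action)]


if __name__ == "__main__":
    for hit in find_ioc_hits(SAMPLE_PROXY_LOG.splitlines()):
        print("IOC contact:", *hit)
    for task in suspicious_task_actions(SAMPLE_TASKS):
        print("Suspicious scheduled task:", task)
```

Any client that appears in the IOC hits, or any host with a flagged task, is a candidate for the follow-up review of mail from skhm[.]org and of the WordPress callback traffic the script initiates.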

The post Gootloader Malware Attacking Users Via Google Search Ads Using Weaponized Documents appeared first on Cyber Security News.

About Author

Chad Barr

Chad Barr is a visionary and executive leader, blending over two decades of expertise with a unique ability to demystify complex technical concepts. As a cybersecurity leader, prolific author, and director at AccessIT Group, Chad has empowered organizations across diverse industries to build resilient security frameworks. His engaging writing, speaking engagements, and thought leadership inspire proactive cybersecurity practices, making him a trusted voice in the ever-evolving digital landscape.
