Gootloader

2.4K posts

@Gootloader

Security researcher dedicated to pissing off the Gootloader Threat Actor.

Everywhere and nowhere. Joined April 2023
370 Following, 1.3K Followers
Gootloader reposted
GhostExodus (@ExodusGhost)
Before I was arrested in 2009, I was at the height of my little cybercriminal "empire". I was standing at a crossroads. Part of me wanted an exit and a chance to redirect my skills toward something constructive. Another part of me feared that if I walked away, all the risks I had taken as a hacker would have meant nothing. 11 years in prison for hacking taught me that the reputation I thought I had built in that world, the ideals I believed in, and the status I thought mattered turned out to be far more futile than I could have imagined at the time. When everything collapsed, I realized that none of that mattered. I learned that most of what passes for loyalty and respect in cybercrime is conditional. Today, there's no reason to turn to cybercrime in order to feel accepted or to enjoy camaraderie and acceptance among peers, or to pursue a sense of justice and vindication. Cybercrime isn't the solution, or the stepping stone. All the hackers in my crew from back in the day have respectable cybersecurity careers today, because sooner or later everyone learns the same lesson. Cybercrime has limits, and it does not put food on the table without tremendous risk. #realtalk #hacking #hacktivism #truecrime
RussianPanda 🐼 🇺🇦 (@RussianPanda9xx)
I hate my life, I just accidentally reverted my VM without taking a snapshot and lost something important :C
Gootloader (@Gootloader)
@hellodotnyc are yall active on here? Got a bunch of domains to report to yall
RussianPanda 🐼 🇺🇦 (@RussianPanda9xx)
4 fillings in one visit at 9 am is not a dental appointment, it’s an ambush… 💀
Gootloader (@Gootloader)
@evernote why do you make it impossible to report malicious posts to yall? It’s giving accomplice vibes
fab0 (@FABO97662188)
#odyssey #macos #amos #malware Some fresh C2 servers used by Odyssey: 38.244.158[.]56 199.217.98[.]33 malext[.]com raytherrien[.]com Depending on the type, the data is sent to one of these servers. The last domain provides the initial payload. The initial vector is ClickFix.
Gootloader (@Gootloader)
Anyone have a good way to monitor new @GoogleAds for a specific domain?
Moonlock Lab (@moonlock_lab)
🧙IOCs: 🔗 claude[.]ai/public/artifacts/434d0114-c787-4af4-bc08-4fb1f9c30d83 🔗 apple-mac-disk-space.medium[.]com 🔗 a2abotnet[.]com 🔗 raxelpak[.]com 🌐 IPs: 172[.]67.187.216, 104[.]21.56.197, 13[.]248.169.48, 76[.]223.54.146 #️⃣ Hashes: 64068d0b7fbef87a7af91834ead9bc0efa21f814b9e6a945b440db75bbcfed76 6292f64c81dbc57d5135c5773547cc6d79afa15efe4c90cfaf27e087c7aba701 c0676ba7726e6b4b836c2a07aacb92e41efd9eea7cbc31bbf1a7f9f9556dd4cb 📎 Staging: /tmp/osalogging.zip (MacSync stealer indicator) 📎 Compromised advertisers: T S Q SA (Colombia), Earth Rangers Foundation (Canada) Stay safe, don't paste random commands into your Terminal 🫡
Moonlock Lab (@moonlock_lab)
🧵 1/ 🚨 What if a Google Sponsored result for a common macOS query led to malware? That's happening right now and 15K+ people have already seen it. We at @MoonlockLab observed 2 variants today abusing legitimate platforms for ClickFix delivery: a @AnthropicAI public artifact on claude.ai and a @Medium article impersonating Apple's "Support Team." Same TA behind both, check for details👇
Tanner (@wbmmfq)
Okay, not Gootloader. Not quite sure what it is tbh.
Quoting Tanner (@wbmmfq): #Gootloader is trying to sell cars now. I think it's Gootloader, at least. And its website reeks of AI slop.
Tanner (@wbmmfq)
#Gootloader is trying to sell cars now. I think it's Gootloader, at least. And its website reeks of AI slop.
Gootloader (@Gootloader)
This was a fun one to dig into. Confirmed exploitation requires:
• User registration enabled
• LA-Studio Element Kit = 1.5.6.3
• At least one published Elementor page
PoC confirmed (details withheld). Nice find by Jitlada. Boeing777 & Waris Damkham!
Quoting Wordfence (@wordfence): x.com/i/article/2014…