New variant of Gootkit malware discovered with updated tools


Gootkit operators adapt to changes in cyberspace and keep updating their software.

Cybersecurity researchers at the security firm Mandiant found that Gootkit operators have made "noticeable changes" to their toolbox, adding new components and obfuscation tools to their infection chains. Mandiant tracks the threat cluster under the alias UNC2565.

Gootkit (Gootloader) is distributed through compromised websites that victims reach while searching for business documents (agreements, contracts, etc.); the operators push these sites into search results through SEO poisoning.

The purported documents are in fact ZIP archives containing malicious JavaScript code that, when run, opens the way for additional payloads: Cobalt Strike Beacon, FONELAUNCH and SNOWCONE.

FONELAUNCH is a .NET-based loader designed to load encoded payloads into memory;

SNOWCONE is a loader that retrieves the next-stage payload (usually IcedID) via HTTP.

While the overall goals of Gootkit have remained unchanged, the attack sequence itself has changed significantly: the JavaScript file in the ZIP archive is now trojanized and contains obfuscated JavaScript code that executes the malware.

A new variant discovered in November 2022 is tracked as GOOTLOADER.POWERSHELL. It is worth noting that the updated infection chain was also documented by Trend Micro earlier this month in a Gootkit attack on the Australian healthcare sector.

Moreover, the malware authors evade detection by hiding their code inside modified versions of legitimate JavaScript libraries: jQuery, Chroma.js and Underscore.js.
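One way a defender can triage downloaded archives for the lure pattern described above (a ZIP posing as a business document that actually holds a JavaScript file, possibly a trojanized copy of jQuery, Chroma.js or Underscore.js), as an added example in Python that is not Mandiant's or Trend Micro's code. The lure keyword list, the library banner patterns and the 200-character string-literal threshold are assumptions; the sample archives are constructed inline.

```python
"""Heuristic triage of ZIP archives for Gootloader-style JavaScript lures."""
import io
import re
import zipfile

# Words from the article's description of the lures (business documents).
# Assumption: a lowercase substring match is good enough for a first pass.
LURE_WORDS = ("agreement", "contract", "invoice", "form", "template")

# Libraries the article names as hosts for hidden code, with the banner text
# a legitimate copy normally starts with (patterns are assumptions).
LIBRARY_BANNERS = {
    "jQuery": r"jQuery v?\d",
    "Chroma.js": r"chroma\.js",
    "Underscore.js": r"Underscore\.js",
}


def triage_zip(data: bytes) -> list[str]:
    """Return findings for one archive; an empty list means nothing suspicious."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = [m for m in zf.infolist() if not m.is_dir()]
        js = [m for m in members if m.filename.lower().endswith(".js")]
        for m in js:
            if any(w in m.filename.lower() for w in LURE_WORDS):
                findings.append(f"{m.filename}: JavaScript named like a business document")
            body = zf.read(m).decode("utf-8", errors="replace")
            # Only the first 2000 characters are checked for a library banner.
            lib = next((k for k, p in LIBRARY_BANNERS.items() if re.search(p, body[:2000])), None)
            if lib:
                # A legitimate library has no single string literal this long;
                # an appended, encoded payload usually does.
                literals = re.findall(r"[\"']([^\"'\n]{200,})[\"']", body)
                longest = max((len(s) for s in literals), default=0)
                if longest:
                    findings.append(f"{m.filename}: claims to be {lib} but holds a {longest}-char string literal")
        if len(members) == 1 and len(js) == 1:
            findings.append("archive contains a single JavaScript file and nothing else")
    return findings


def build_zip(name: str, content: bytes) -> bytes:
    """Build an in-memory archive with one member (used for the constructed samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: one benign text file, one lure imitating the pattern above.
SAMPLE_BENIGN = build_zip("notes.txt", b"meeting notes")
SAMPLE_LURE = build_zip("Service_Agreement_Template.js",
                        b"/*! jQuery v3.6.0 */\nvar q='" + b"A" * 400 + b"';\n")
```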

Three variants of the FONELAUNCH loader (FONELAUNCH.FAX, FONELAUNCH.PHONE and FONELAUNCH.DIALTONE) have been used by UNC2565 since May 2021 to execute DLLs, .NET binaries and PE files, indicating an arsenal of malware that is constantly maintained and updated. These changes point to active development and growing capabilities within UNC2565.

Author: DeepWeb