GootLoader Is Back, Using a New Font Trick to Hide Malware on WordPress Sites


These articles are AI-generated summaries. Please check the original sources for full details.

Huntress has identified three GootLoader infections since October 27, 2025, two of which led to domain controller compromise within 17 hours. The malware now uses custom WOFF2 fonts to obfuscate filenames and evade detection.

Why This Matters

GootLoader’s evolution highlights the gap between idealized malware detection models and real-world evasion tactics. Automated tools that rely on static analysis are defeated by the font-based obfuscation and the ZIP file tampering. The rapid lateral movement to domain controllers underscores the risk of delayed response: an initial infection can escalate to full network access in under a day.

Key Insights

  • “Three GootLoader infections since Oct 27, 2025; two led to domain controller compromise within 17 hours”: Huntress
  • “Custom WOFF2 fonts with glyph substitution to obfuscate filenames”: The Hacker News, 2025
  • “Supper backdoor used by Hive0127 (UNC2565) for remote access and SOCKS5 proxying”: Microsoft, 2024

Practical Applications

  • Use Case: WordPress sites targeted via SEO poisoning with GootLoader payloads delivering XOR-encrypted ZIP archives.
  • Pitfall: Relying on static analysis tools that fail to detect obfuscated filenames and ZIP evasion techniques.
