GootLoader malware propagates via new SEO poisoning attack

GootLoader Malware Propagation SEO Poisoning Cyberattack TAC-011 Threat Group

The GootLoader malware has been spread through a recent Search Engine Optimisation (SEO) poisoning campaign targeting government and private sector employees.

In this campaign, the primary targets are employees who search for keywords related to their jobs. Once they click these links, they would be redirected by it to a malicious JavaScript malware downloader.

The SEO operators created about 200 blog posts for a website based on the reports. The campaign has also been effective since the threat actors gathered genuine content from numerous similar websites.

The adversaries have also utilised blog post titles that an employee would search for when looking for foreign intelligence services. If a user gets baited by these poisoned results, they will be redirected to a site that downloads the GootLoader malware.

Most of the topics referred to by the attackers are commonly related to real estate, government organisations, legal issues, medical information, education, and more.

Several researchers have attributed the latest SEO campaign to the TAC-011 threat group. According to them, the group has targeted WordPress websites to create thousands of blog posts for SEO poisoning.


The GootLoader malware could collect different types of information.


If an unaware visitor access one of the fake results, they will be redirected to the GootLoader malware-operated script that harvests details regarding their operating system, IP address, and last recorded visit.

The attackers use the script to run a chain of reviews before finalising whether to present the users with the blog post or a compromised overlay that spoofs a forum thread. Additionally, users that receive the overlay cannot get it again within the next day. However, users that use Tor or VPN services are not directed to the overlay.

The researcher could not identify additional payloads launched by the baited targets and concluded that the hackers were careful in selecting the targeted entity.

Organisations should adequately train their employees about SEO attacks, especially in the government sector. This training could equip employees with the knowledge to avoid such attacks and linger away from running unknown files.

About the author

Leave a Reply