{"id":47858,"date":"2022-07-27T00:00:00","date_gmt":"2022-07-27T00:00:00","guid":{"rendered":"https:\/\/www.threatshub.org\/blog\/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike-threats-analyst-threats-analyst\/"},"modified":"2022-07-27T00:00:00","modified_gmt":"2022-07-27T00:00:00","slug":"gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike-threats-analyst-threats-analyst","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike-threats-analyst-threats-analyst\/","title":{"rendered":"Gootkit Loader\u2019s Updated Tactics and Fileless Delivery of Cobalt Strike Threats Analyst Threats Analyst"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/g\/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike\/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike.jpg\"><!-- OneTrust Cookies Consent Notice start for trendmicro.com --><!-- OneTrust Cookies Consent Notice end for trendmicro.com --> <!-- Begin mPulse library --> <!-- END mPulse library --> <head> <meta charset=\"UTF-8\"> <meta name=\"viewport\" content=\"width=device-width\"> <meta name=\"description\" content=\"Gootkit has been known to use fileless techniques to drop Cobalt Strike and other malicious payloads. 
Insights from a recent attack reveal updates in its tactics.\"> <meta name=\"robots\" content=\"index,follow\"> <meta name=\"keywords\" content=\"articles, news, reports,research,cyber threats,malware\"> <meta http-equiv=\"X-UA-Compatible\" content=\"IE=edge,chrome=1\"> <meta name=\"template\" content=\"article1withouthero\"> <meta property=\"article:published_time\" content=\"2022-07-27\"> <meta property=\"article:tag\" content=\"cyber threats\"> <meta property=\"article:section\" content=\"research\"> <link rel=\"icon\" type=\"image\/ico\" href=\"\/content\/dam\/trendmicro\/favicon.ico\"> <link rel=\"canonical\" href=\"https:\/\/www.trendmicro.com\/en_us\/research\/22\/g\/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike.html\"> <title>Gootkit Loader\u2019s Updated Tactics and Fileless Delivery of Cobalt Strike<\/title> <link href=\"https:\/\/fonts.googleapis.com\/css?family=Open+Sans:300,300i,400,400i,600\" rel=\"stylesheet\">\n<link href=\"\/\/customer.cludo.com\/css\/296\/1798\/cludo-search.min.css\" type=\"text\/css\" rel=\"stylesheet\"> <link rel=\"stylesheet\" href=\"\/etc.clientlibs\/trendresearch\/clientlibs\/clientlib-trendresearch.min.css\" type=\"text\/css\"> <meta property=\"og:url\" content=\"https:\/\/www.trendmicro.com\/en_us\/research\/22\/g\/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike.html\"><br \/>\n<meta property=\"og:title\" content=\"Gootkit Loader\u2019s Updated Tactics and Fileless Delivery of Cobalt Strike\"><br \/>\n<meta property=\"og:description\" content=\"Gootkit has been known to use fileless techniques to drop Cobalt Strike and other malicious payloads. 
Insights from a recent attack reveal updates in its tactics.\"><br \/>\n<meta property=\"og:site_name\" content=\"Trend Micro\"><br \/>\n<meta property=\"og:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/g\/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike\/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike.jpg\"><br \/>\n<meta property=\"og:locale\" content=\"en_US\"> <meta name=\"twitter:card\" content=\"summary_large_image\"><br \/>\n<meta name=\"twitter:site\" content=\"@TrendMicro\"><br \/>\n<meta name=\"twitter:title\" content=\"Gootkit Loader\u2019s Updated Tactics and Fileless Delivery of Cobalt Strike\"><br \/>\n<meta name=\"twitter:description\" content=\"Gootkit has been known to use fileless techniques to drop Cobalt Strike and other malicious payloads. Insights from a recent attack reveal updates in its tactics.\"><br \/>\n<meta name=\"twitter:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/g\/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike\/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike.jpg\"> <\/head> <body class=\"articlepage page basicpage context-business\" id=\"readabilityBody\" readability=\"51.313481003374\"> <!-- Page Scroll: Back to Top --> <a id=\"page-scroll\" title=\"VerticalPageScroll\" href=\"javascript:jumpScroll($(this).scrollTop());\"> <span class=\"icon-chevron-up\"><\/span> <\/a> <!-- \/* Data Layer *\/ --> <\/p>\n<div class=\"root responsivegrid\">\n<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12 \">\n<div class=\"articleBodyNoHero aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"research-layout article container\" role=\"contentinfo\">\n<article class=\"research-layout--wrapper row\" data-article-pageid=\"1901936439\">\n<div class=\"col-xs-12 col-md-12 one-column\">\n<div class=\"col-xs-12 col-md-12\" 
readability=\"8.2763157894737\">\n<div class=\"article-details\" role=\"heading\" readability=\"36.026315789474\"> <span class=\"article-details__bar\" role=\"img\"><\/span> <\/p>\n<p class=\"article-details__display-tag\">Cyber Threats<\/p>\n<p class=\"article-details__description\">Gootkit has been known to use fileless techniques to drop Cobalt Strike and other malicious payloads. Insights from a recent attack reveal updates in its tactics.<\/p>\n<p class=\"article-details__author-by\">By: Buddy Tancio, Jed Valderama <time class=\"article-details__date\">July 27, 2022<\/time> <span>Read time:&nbsp;<\/span><span class=\"eta\"><\/span> (<span class=\"words\"><\/span> words) <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<hr class=\"research-layout-divider\"> <main class=\"main--content col-xs-12 col-md-8 col-md-push-2\"> <\/p>\n<div class=\"richText\" readability=\"43.0976\">\n<div readability=\"34.0992\">\n<p>Our in-depth analysis of what began as an unusual PowerShell script revealed intrusion sets associated with Gootkit loader. In the past, Gootkit used freeware installers to mask malicious files; now it uses legal documents to trick users into downloading these files. We uncovered this tactic through <a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/security\/definition\/managed-detection-and-response\" target=\"_blank\" rel=\"noopener\">managed extended detection and response (MxDR)<\/a> and by investigating a flag for a PowerShell script that allowed us to stop it from causing any damage and dropping its payload.<\/p>\n<p>Gootkit has been&nbsp; known to use fileless techniques to deliver noteworthy threats such as the SunCrypt, and REvil (Sodinokibi) ransomware, Kronos trojans, and Cobalt Strike. In 2020, we <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/20\/l\/investigating-the-gootkit-loader.html\" target=\"_blank\" rel=\"noopener\">reported on Gootkit capabilities<\/a>. 
While it has kept much the same behavior as that in our previous report, updates reveal its continuing activity and development nearly two years later.<\/p>\n<p><span class=\"body-subhead-title\">Attack overview<\/span><\/p>\n<p>Given its association with a variety of payloads, we can assume that Gootkit runs on an <a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/security\/news\/cybercrime-and-digital-threats\/investigating-the-emerging-access-as-a-service-market\" target=\"_blank\" rel=\"noopener\">access-as-a-service<\/a> model. It can therefore be used by different groups to conduct their attacks, making it worth monitoring to prevent bigger threats from successfully entering a system.&nbsp;<\/p>\n<p>Figure 1 illustrates its infection routine. It begins with a user searching for specific information in a search engine. In this case, the user had searched for the keywords \u201cdisclosure agreement real estate transaction\u201d. A website compromised by Gootkit operators was among the results, meaning that the user did not open this compromised website by chance. Indeed, the operators had tweaked the odds in their favor by using Search Engine Optimization (SEO) poisoning to make this website rank high in the search results, leading the user to visit the compromised website. This also means that the website\u2019s URL will not be available for long and that a full analysis would be difficult to conduct if not done immediately.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a class=\"bs-modal\" id=\"2c31df\" data-modal-title=\"Figure 1. 
The infection chain of GootKit Loader as seen by MxDR\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/g\/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike\/figure%201.jpg\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/g\/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike\/figure%201.jpg\" alt=\"Figure 1. The infection chain of Gootkit Loader as seen by MxDR\"> <\/a><figcaption>Figure 1. The infection chain of Gootkit Loader as seen by MxDR<\/figcaption><\/figure>\n<\/p><\/div>\n<div>\n<div class=\"richText\" readability=\"42.5\">\n<div readability=\"30\">\n<p>Upon opening the website, we found that it presented itself as an online forum directly answering the victim\u2019s query. This forum housed a ZIP archive that contains the malicious .js file. When the user downloaded and opened this file, it spawned an obfuscated script which, through registry stuffing, installed a chunk of encrypted codes in the registry and added scheduled tasks for persistence. The encrypted code in the registry was then reflectively loaded through PowerShell to reconstruct a Cobalt Strike binary that runs directly in the memory filelessly.&nbsp;<\/p>\n<p>Much of what we have just described is still in line with the behavior we reported in 2020, but with a few minor updates. 
This indicates that Gootkit Loader is still actively being developed and has proved successful in compromising unsuspecting victims.<\/p>\n<p>Two noticeable changes stand out:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">The search term now leverages legal document templates instead of freeware installers.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Encrypted registry data now uses a custom text-replacement algorithm instead of base64 encoding.<\/span><\/li>\n<\/ul>\n<p><span class=\"body-subhead-title\">The compromised website<\/span><\/p>\n<p>Following the behavior of users, we can now look at the website visited in the attack. Threat actors have been known to simply compromise a vulnerable or a misconfigured website to plant their malware or tools instead of creating or registering a new one for their malicious operation. In the case of Gootkit, since it compromised a legitimate domain, the website used was likely to pass reputation services. For an unsuspecting user, visiting the site would not arouse suspicion as it appears like a harmless website for a singing and voice coach.&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/g\/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike\/figure%202.jpg\" alt=\"Figure 2. Homepage of the legitimate compromised website\"><figcaption>Figure 2. Homepage of the legitimate compromised website<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33.131868131868\">\n<div readability=\"11.868131868132\">\n<p>Performing a Google search specifically on the downloaded file (\u201cdisclosure agreement real estate transaction\u201d) shows that the site\u2019s content was unrelated to its owner and its purpose. Additionally, none of these search result links can be found by navigating the site\u2019s homepage itself. 
This is evidence that the website has been compromised, as it has allowed adversaries to inject or create new unrelated web content. We also found more evidence of vulnerabilities when we queried the IP address via <a href=\"https:\/\/www.shodan.io\/\" target=\"_blank\" rel=\"noopener\">Shodan<\/a> where the website was hosted.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/g\/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike\/figure%203.jpg\" alt=\"Figure 3. Google searches reveal unwanted contents in the website\"><figcaption>Figure 3. Google searches reveal unwanted contents in the website<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"44\">\n<div readability=\"33\">\n<p>This tactic is nothing new for Gootkit. Coupled with SEO poisoning, Gootkit operators can herd victims into a compromised website and bait them into downloading a file they are looking for. For this incident, we were able to stop Gootkit loader in its tracks before it dropped its payload. However, the user had already visited the website, downloaded the malicious ZIP file, and opened it. The unusual PowerShell script that resulted from these actions alerted us to possible malicious activity. In this investigation, we try to piece together what would have happened if the PowerShell script had not been flagged and had been allowed to run.&nbsp;<\/p>\n<p><span class=\"body-subhead-title\">Investigation and analysis<\/span><\/p>\n<p>As mentioned, the user visited the compromised website and downloaded the ZIP archive using Google Chrome. 
As logged by Trend Micro Vision OneTM, the exact URL they visited is as follows:<\/p>\n<blockquote><p>hxxps:\/\/www[.]{domain name}[.]co[.]uk\/forum[.]php?uktoz=znbrmkp&amp;iepdpjkwxusknzkq=3147417f829ff54ffe9acd67bbf216c217b16d47ac6a2e02c1b42f603121c9ad4b18757818e0bbdd5bab3aa154e5794b<\/p><\/blockquote>\n<p>As of writing, this URL is no longer accessible. However, we were able to analyze the ZIP archive downloaded by the user. As mentioned, it was named <i>disclosure agreement real estate transaction(8321).zip<\/i>. In another instance, the JavaScript file was named <i>tenancy agreement between family members template(98539).zip<\/i>. Both file names strongly suggest that Gootkit leverages keywords that refer to legal document templates, likely to lure users into downloading files. It\u2019s important to note that this chosen search term and topic is one of the notable changes from past campaigns.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/g\/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike\/figure%204.jpg\" alt=\"Figure 4. Vision One interface showing evidence of the user visiting the compromised website and downloading the ZIP archive\"><figcaption>Figure 4. 
Vision One interface showing evidence of the user visiting the compromised website and downloading the ZIP archive<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"31.5\">\n<div readability=\"8\">\n<p>The ZIP archive was successfully saved in the Downloads folder <i>C:\\Users\\{username}\\Downloads\\disclosure agreement real estate transaction (8321).zip.&nbsp;<\/i><\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/g\/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike\/figure%205.jpg\" alt=\"Figure 5. The ZIP archive successfully saved in the user\u2019s Downloads folder\"><figcaption>Figure 5. The ZIP archive successfully saved in the user\u2019s Downloads folder<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33.5\">\n<div readability=\"12\">\n<p>The user then opened the .js file inside the ZIP archive, which spawned an obfuscated PowerShell Script. The detected command line included wscript.exe, the default script interpreter of Windows operating systems. This command line runs the malicious JavaScript file. The folder file path and the file name can be seen here:<\/p>\n<blockquote><p>C:\\Windows\\System32\\WScript.exe&nbsp;<\/p><\/blockquote>\n<blockquote><p>C:\\Users\\{username}AppData\\Local\\Temp\\Temp1_disclosure agreement real estate transaction(8321).zip\\disclosure_agreement_real_estate_transaction 3994.js<\/p><\/blockquote><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/g\/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike\/figure%206.png\" alt=\"Figure 6. Obfuscated PowerShell Script spawned through the .js file\"><figcaption>Figure 6. 
Obfuscated PowerShell Script spawned through the .js file<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33.5\">\n<div readability=\"12\">\n<p>By using Vision One\u2019s AMSI Telemetry, the team was able to view the decoded script at runtime and build the order of events that it generated. In the decoded script, there are three potentially compromised domains listed. The domains themselves are legitimate websites. Gootkit only selects one and constructs the full URL to get the next stage of script execution. The three domains are listed here:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\"><i>learn[.]openschool.ua<\/i> \u2013 Education<\/span><\/li>\n<li><span class=\"rte-red-bullet\"><i>lakeside-fishandchips[.]com<\/i> \u2013 Restaurants and food<\/span><\/li>\n<li><span class=\"rte-red-bullet\"><i>kristinee[.]com<\/i>&nbsp; \u2013 Personal sites<\/span><\/li>\n<\/ul><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/g\/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike\/figure%207.png\" alt=\"Figure 7. Decoded script logged by Vision One\u2019s AMSI telemetry\"><figcaption>Figure 7. Decoded script logged by Vision One\u2019s AMSI telemetry<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"31.5\">\n<div readability=\"8\">\n<p>Decoding the script also led us to discover that two stages of script are used to complete the operation. The first stage script carries out the following:&nbsp;<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">It checks for the registry HKCU\\PJZTLE and creates it if not found. 
This serves as an infection marker as we discussed in our previous blog.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">It then checks whether the current user is logged in to a domain; this check is likely used to evade sandbox tools, since analysis sandboxes are often not domain-joined.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Next, it connects to the constructed URL to fetch the next script to be executed. For this case, it retrieved the second stage script from <i>hxxps:\/\/learn[.]openschool[.]ua\/test.php?mthqpllauigylit=738078785565141<\/i>.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">It then sleeps for 10 seconds before running the fetched code.<\/span><\/li>\n<\/ul><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/g\/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike\/figure%208.png\" alt=\"Figure 8. First stage script execution flow as logged by Vision One\u2019s AMSI telemetry\"><figcaption>Figure 8. First stage script execution flow as logged by Vision One\u2019s AMSI telemetry<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"31.5\">\n<div readability=\"8\">\n<p>The second stage script retrieved from the aforementioned compromised website performs the actions listed here:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">It gets the current username via environment strings.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">It checks the target registry key and creates it if it does not exist. 
It performs registry stuffing for persistence, wherein two sets of registries are created, each containing encrypted binaries to be decoded and executed later:\n<ul>\n<li><span class=\"rte-circle-bullet\">HKEY_CURRENT_USER\\\\SOFTWARE\\\\Microsoft\\\\Phone\\\\{loggedOnUser}\\\\{consecutive numbers}, which contains binary payload encrypted using custom text replacement<\/span><\/li>\n<li><span class=\"rte-circle-bullet\">HKEY_CURRENT_USER\\\\SOFTWARE\\\\Microsoft\\\\Phone\\\\{loggedOnUser}0\\\\{consecutive numbers}, which contains hex-encoded binary used to decode and execute the first registry<\/span><\/li>\n<\/ul>\n<p> <\/span><\/li>\n<\/ul><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/g\/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike\/figure%209.png\" alt=\"Figure 9. Registry stuffing on \\\\Phone\\\\{loggedOnUser}\\\\ as logged by Vision One\u2019s AMSI telemetry\"><figcaption>Figure 9. Registry stuffing on \\\\Phone\\\\{loggedOnUser}\\\\ as logged by Vision One\u2019s AMSI telemetry<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/g\/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike\/figure%2010.png\" alt=\"Figure 10. Registry stuffing on \\\\Phone\\\\{loggedOnUser}0\\\\ as logged by Vision One\u2019s AMSI telemetry\"><figcaption>Figure 10. Registry stuffing on \\\\Phone\\\\{loggedOnUser}0\\\\ as logged by Vision One\u2019s AMSI telemetry<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32.5\">\n<div readability=\"10\">\n<p>After these two stages, it finally executes two encrypted PowerShell scripts also logged by AMSI Telemetry. 
The first one decrypts the binary of the registry<i> \\\\Phone\\\\{loggedOnUser}0\\\\<\/i> and uses&nbsp; to initiate a function named \u201cTest\u201d.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/g\/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike\/figure%2011.png\" alt=\"Figure 11. Decoded first PowerShell script as logged by Vision One\u2019s AMSI telemetry\"><figcaption>Figure 11. Decoded first PowerShell script as logged by Vision One\u2019s AMSI telemetry<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32\">\n<div readability=\"9\">\n<p>The second PowerShell script installs persistence mechanism via Scheduled Task, where it assigns the username as its Task Name.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/g\/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike\/figure%2012.png\" alt=\"Figure 12. Decoded second PowerShell script as logged by Vision One\u2019s AMSI telemetry\"><figcaption>Figure 12. 
Decoded second PowerShell script as logged by Vision One\u2019s AMSI telemetry<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"41.5\">\n<div readability=\"28\">\n<p>The scheduled task loads the binary on <i>\\Phone\\{loggedOnUser}0<\/i> registry, which in turn decrypts and executes the final payload found in <i>\\Phone\\{loggedOnUser}<\/i> registry using the same reflective code loading technique.&nbsp;<\/p>\n<p>The final payload for this instance was found to be a Cobalt Strike binary, which has also been spotted to connect to Cobalt Strike\u2019s command-and-control (C&amp;C) server.<\/p>\n<p><span class=\"body-subhead-title\">The Cobalt Strike payload<\/span><\/p>\n<p>The Cobalt Strike binary reflectively loaded directly to the memory has been seen connecting to the IP address 89[.]238[.]185[.]13. Using internal and external threat intelligence, the team validated that the IP address is a Cobalt Strike C&amp;C. Cobalt Strike, a tool used for post-exploitation activities, uses the beacon component as the main payload that allows the execution of PowerShell scripts, logging keystrokes, taking&nbsp;screenshots, downloading files, and spawning other payloads.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/g\/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike\/figure%2013.png\" alt=\"Figure 13. Cobalt Strike C&amp;C based on the graph from Virus Total\"><figcaption>Figure 13. Cobalt Strike C&amp;C based on the graph from Virus Total<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"49.442755825735\">\n<div readability=\"44.498480243161\">\n<p><span class=\"body-subhead-title\">Security recommendations<\/span><\/p>\n<p>One key takeaway from this case is that Gootkit is still active and improving its techniques. 
This implies that this operation has proven effective, as other threat actors seem to continue using it. Users are likely to encounter Gootkit in other campaigns in the future, and it is likely that it will use new means of trapping victims.&nbsp;<\/p>\n<p>This threat also shows that SEO poisoning remains an effective tactic in luring unsuspecting users. The combination of SEO poisoning and compromised legitimate websites can mask indicators of malicious activity that would usually keep users on their guard. Such tactics highlight the importance of user awareness and the responsibility of website owners in keeping their cyberspaces safe.&nbsp;<\/p>\n<p>Organizations can help by conducting user security awareness training for their employees, which aims to empower people to recognize and protect themselves against the latest threats. In this instance, for example, the threat could have been avoided earlier if the user had been more wary of downloading JavaScript files. On the other hand, website owners must make better web hosting choices by opting for web host providers who emphasize security in their own servers.<\/p>\n<p>This case highlights the importance of 24\/7 monitoring. Notably, cross-platform XDR prevented this attack from escalating, since we were able to isolate the affected machine quickly stopping the threat from inflicting further damage on the network. A Cobalt Strike payload, for example, can result in worse problems, such as the deployment of ransomware, credential dumping for lateral movement, and data exfiltration. Managed XDR service prevented all of this from being realized.<\/p>\n<p>Organizations can consider <a href=\"https:\/\/www.trendmicro.com\/en_us\/business\/products\/detection-response.html\">Trend Micro Vision One<\/a>, which offers the ability to detect and respond to threats across multiple security layers. 
It can isolate endpoints, which are often the source of infection, until they are fully cleaned or the investigation is done.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32\">\n<div class=\"responsive-table-wrap\" readability=\"9\">\n<p><span class=\"body-subhead-title\">Indicators of compromise (IOCs)<\/span><\/p>\n<p>Trojan.BAT.POWLOAD.TIAOELD<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">cbc8733b9079a2efc3ca1813e302b1999e2050951e53f22bc2142a330188f6d4<\/span><\/li>\n<li><span class=\"rte-red-bullet\">f1ece614473c7ccb663fc7133654e8b41751d4209df1a22a94f4640caff2406d<\/span><\/li>\n<\/ul>\n<p>Trojan.PS1.SHELLOAD.BC<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">8536bb3cc96e1188385a0e230cb43d7bdc4f7fe76f87536eda6f58f4c99fe96b<\/span><\/li>\n<\/ul>\n<p>URLs<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">hxxps:\/\/www[.]{domain name}[.]co[.]uk\/forum[.]php?uktoz=znbrmkp&amp;iepdpjkwxusknzkq=3147417f829ff54ffe9acd67bbf216c217b16d47ac6a2e02c1b42f603121c9ad4b18757818e0bbdd5bab3aa154e5794b&amp;pohokt=ifgde = Disease vector<\/span><\/li>\n<li><span class=\"rte-red-bullet\">hxxps:\/\/learn[.]openschool.ua\/test[.]php?mthqpllauigylit=738078785565141 = Disease vector<\/span><\/li>\n<li><span class=\"rte-red-bullet\">89[.]238[.]185[.]13 = C&amp;C server (Cobalt Strike IP address)<\/span><\/li>\n<\/ul><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<section class=\"tag--list\">\n<p>Tags<\/p>\n<\/section>\n<p> <\/main> <\/article>\n<\/div>\n<\/div><\/div>\n<\/div>\n<p> <!-- \/* Core functionality javascripts, absolute URL to leverage Akamai CDN *\/ --> <!--For Modal-start--> <\/p>\n<p> <span>sXpIBdPeKzI9PC2p0SWMpUSM2NSxWzPyXTMLlbXmYa0R20xk<\/span> <\/p>\n<p> <!--For Modal-end--> <!-- Go to www.addthis.com\/dashboard to customize your tools --> <\/body> Read More <a 
href=\"https:\/\/www.trendmicro.com\/en_us\/research\/22\/g\/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Gootkit has been known to use fileless techniques to drop Cobalt Strike and other malicious payloads. Insights from a recent attack reveal updates in its tactics. Read More HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":47859,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[61],"tags":[9510,9511,9509],"class_list":["post-47858","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-trendmicro","tag-trend-micro-research-articles-news-reports","tag-trend-micro-research-cyber-threats","tag-trend-micro-research-research"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.6 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Gootkit Loader\u2019s Updated Tactics and Fileless Delivery of Cobalt Strike Threats Analyst Threats Analyst 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike-threats-analyst-threats-analyst\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Gootkit Loader\u2019s Updated Tactics and Fileless Delivery of Cobalt Strike Threats Analyst Threats Analyst 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike-threats-analyst-threats-analyst\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2022-07-27T00:00:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/g\/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike\/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike.jpg\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"11 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike-threats-analyst-threats-analyst\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike-threats-analyst-threats-analyst\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"Gootkit Loader\u2019s Updated Tactics and Fileless Delivery of Cobalt Strike Threats Analyst Threats Analyst\",\"datePublished\":\"2022-07-27T00:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike-threats-analyst-threats-analyst\\\/\"},\"wordCount\":2144,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike-threats-analyst-threats-analyst\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2022\\\/08\\\/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike-threats-analyst-threats-analyst.jpg\",\"keywords\":[\"Trend Micro Research : Articles, News, Reports\",\"Trend Micro Research : Cyber Threats\",\"Trend Micro Research : 
Research\"],\"articleSection\":[\"TrendMicro\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike-threats-analyst-threats-analyst\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike-threats-analyst-threats-analyst\\\/\",\"name\":\"Gootkit Loader\u2019s Updated Tactics and Fileless Delivery of Cobalt Strike Threats Analyst Threats Analyst 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike-threats-analyst-threats-analyst\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike-threats-analyst-threats-analyst\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2022\\\/08\\\/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike-threats-analyst-threats-analyst.jpg\",\"datePublished\":\"2022-07-27T00:00:00+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike-threats-analyst-threats-analyst\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike-threats-analyst-threats-analyst\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike-threats-analyst-threats-analyst\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2022\\\/08\\\/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike-threats-analyst-threats-analyst.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2022\\\/08\\\/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike-threats-analyst-threats-analyst.jpg\",\"width\":2496,\"height\":1510},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike-threats-analyst-threats-analyst\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Trend Micro Research : Articles, News, Reports\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/trend-micro-research-articles-news-reports\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Gootkit Loader\u2019s Updated Tactics and Fileless Delivery of Cobalt Strike Threats Analyst Threats 
Analyst\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org
\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Gootkit Loader\u2019s Updated Tactics and Fileless Delivery of Cobalt Strike Threats Analyst Threats Analyst 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike-threats-analyst-threats-analyst\/","og_locale":"en_US","og_type":"article","og_title":"Gootkit Loader\u2019s Updated Tactics and Fileless Delivery of Cobalt Strike Threats Analyst Threats Analyst 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike-threats-analyst-threats-analyst\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2022-07-27T00:00:00+00:00","og_image":[{"url":"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/g\/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike\/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike.jpg","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. reading time":"11 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike-threats-analyst-threats-analyst\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike-threats-analyst-threats-analyst\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"Gootkit Loader\u2019s Updated Tactics and Fileless Delivery of Cobalt Strike Threats Analyst Threats 
Analyst","datePublished":"2022-07-27T00:00:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike-threats-analyst-threats-analyst\/"},"wordCount":2144,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike-threats-analyst-threats-analyst\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2022\/08\/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike-threats-analyst-threats-analyst.jpg","keywords":["Trend Micro Research : Articles, News, Reports","Trend Micro Research : Cyber Threats","Trend Micro Research : Research"],"articleSection":["TrendMicro"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike-threats-analyst-threats-analyst\/","url":"https:\/\/www.threatshub.org\/blog\/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike-threats-analyst-threats-analyst\/","name":"Gootkit Loader\u2019s Updated Tactics and Fileless Delivery of Cobalt Strike Threats Analyst Threats Analyst 2026 | ThreatsHub Cybersecurity 
News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike-threats-analyst-threats-analyst\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike-threats-analyst-threats-analyst\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2022\/08\/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike-threats-analyst-threats-analyst.jpg","datePublished":"2022-07-27T00:00:00+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike-threats-analyst-threats-analyst\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike-threats-analyst-threats-analyst\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike-threats-analyst-threats-analyst\/#primaryimage","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2022\/08\/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike-threats-analyst-threats-analyst.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2022\/08\/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike-threats-analyst-threats-analyst.jpg","width":2496,"height":1510},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike-threats-analyst-threats-analyst\/#
breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Trend Micro Research : Articles, News, Reports","item":"https:\/\/www.threatshub.org\/blog\/tag\/trend-micro-research-articles-news-reports\/"},{"@type":"ListItem","position":3,"name":"Gootkit Loader\u2019s Updated Tactics and Fileless Delivery of Cobalt Strike Threats Analyst Threats Analyst"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence 
Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH 
Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/47858","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=47858"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/47858\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media\/47859"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=47858"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=47858"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=47858"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}