In January and February 2023, two separate campaigns distributing the malware strains GootLoader and FakeUpdates (also known as SocGholish) targeted six different law firms. GootLoader, a first-stage downloader active since late 2020, can deliver a variety of secondary payloads, including Cobalt Strike and ransomware.
Notably, it uses search engine optimization (SEO) poisoning to funnel victims searching for business-related documents toward drive-by download sites that serve the JavaScript-based malware. The eSentire disclosure is the latest in a string of attacks that have breached targets using the Gootkit malware loader.