The threat actors behind the Gootkit virus have added new components and obfuscated their infection chains, among other “notable improvements” to their toolkit. The UNC2565 activity cluster is being tracked by Google-owned Mandiant, which notes that this group is the only one using the virus. Using a tactic known as search engine optimization (SEO) poisoning, victims searching for business-related documents such as agreements and contracts are lured to compromised websites, from which Gootkit, also known as Gootloader, is distributed. The supposedly authentic documents are really ZIP archives containing JavaScript malware. Once executed, this malware opens the door to further payloads, including Cobalt Strike Beacon, FONELAUNCH, and SNOWCONE.
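As an added defender-side example (not code from the article or from Mandiant), the script below inspects a downloaded ZIP for the lure shape described above: a Windows script file, often wearing a document-like double extension, inside an archive that was supposed to be a contract or agreement. The extension lists and the sample archive are constructed assumptions for illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Script extensions that Windows Script Host or mshta will run when a user
# double-clicks the entry out of the archive (assumed list for this example).
SCRIPT_EXTENSIONS = {".js", ".jse", ".wsf", ".wsh", ".vbs", ".vbe", ".hta"}

# Document extensions a victim searching for agreements or contracts expects.
DOCUMENT_EXTENSIONS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".rtf", ".txt"}


def inspect_archive(zip_bytes: bytes) -> list:
    """Return (entry_name, reason) findings for the entries of a ZIP archive.

    Any script file is flagged; a script whose name also carries a document
    extension (e.g. 'contract.pdf.js') is flagged as a document-named script,
    the shape a Gootloader-style lure takes.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            suffixes = [s.lower() for s in PurePosixPath(info.filename).suffixes]
            if not suffixes or suffixes[-1] not in SCRIPT_EXTENSIONS:
                continue
            if len(suffixes) > 1 and suffixes[-2] in DOCUMENT_EXTENSIONS:
                findings.append((info.filename, "document-named script"))
            else:
                findings.append((info.filename, "script in archive"))
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample: a ZIP posing as an agreement, with a harmless .js stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        # Constructed lure entry; the content is a placeholder, not malware.
        archive.writestr("service agreement 2023.pdf.js", "// placeholder\n")
        archive.writestr("readme.txt", "constructed benign text\n")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, reason in inspect_archive(build_sample_archive()):
        print(f"{reason}: {entry}")
```

Running it against the constructed archive reports the .js entry and ignores the plain text file; the same function can be pointed at real downloads by reading their bytes from disk.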