The Gootloader malware has resurfaced with a fresh campaign that blends old-school social engineering with modern ad-based delivery. In a newly observed attack chain, the Gootloader operators are now using Google Ads to target individuals searching for legal document templates, such as NDAs or lease agreements.
"The threat actor behind the Gootloader malware has once again changed their tactics, but also reverted to some of their old ways," the researcher notes.
Once infamous for poisoning search engine results with over 5 million legal terms on compromised WordPress blogs, the threat actor appears to have moved to a more controlled infrastructure: standing up their own fake sites and leveraging malicious advertising campaigns.
It all begins with a Google search for something like "non disclosure agreement template." Among the top results appears a sponsored ad linking to a seemingly legitimate legal document provider, lawliner[.]com, hosted under the advertiser name MED MEDIA GROUP LIMITED.

"These are being delivered by the advertiser 'MED MEDIA GROUP LIMITED', which I assume has been compromised."
Upon clicking, the user lands on a professional-looking page offering the document. To access it, they are prompted to enter their email address.
Shortly afterward, they receive an email from lawyer@skhm[.]org containing a link to download their requested file.
Although the email appears to contain a simple .docx file, the actual download is a ZIP archive containing a JavaScript file, often named after the original request (e.g., non_disclosure_agreement_nda.js).
"You cannot tell from the URL if you are going to be passed the malicious zipped .JS or a benign .docx file," the researcher warns.
When executed, the JavaScript file performs classic Gootloader behavior:
- Creates a scheduled task that runs at startup
- Drops another .js file in the user's %AppData%\Roaming directory
- Launches PowerShell scripts that attempt to reach out to a series of compromised WordPress blogs
Out of the 10 blogs contacted, only one or two are truly infected; the rest are likely decoys to mislead investigators and sandboxes.
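The lure above works because the victim expects a .docx and receives a ZIP wrapping a .js. A gateway-side check that looks inside the archive rather than trusting the name is shown below; this is an added example, not code from the report or the researcher, and the sample archives (including the placeholder .js member) are constructed in memory.

```python
"""Gateway-side check for the 'docx that is really a zipped .js' lure.
A real .docx is itself a ZIP, so the magic bytes cannot separate the two;
the archive's member list can. All sample archives are constructed here."""
import io
import zipfile

# Extensions that Windows Script Host or mshta will execute on double-click
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta")
# Members every genuine Word document archive carries
DOCX_MARKERS = {"[Content_Types].xml", "word/document.xml"}

def classify_download(data: bytes) -> dict:
    """Classify a downloaded blob by archive contents, without extracting to disk."""
    if not data.startswith(b"PK\x03\x04"):
        return {"verdict": "not-zip", "reasons": [], "members": []}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return {"verdict": "corrupt-zip", "reasons": [], "members": []}
    reasons = []
    scripts = [n for n in names if n.lower().endswith(SCRIPT_EXTS)]
    if scripts:
        reasons.append(f"contains script member(s): {scripts}")
    if scripts and len(names) == 1:
        reasons.append("single-member archive wrapping a script (Gootloader-style lure)")
    if DOCX_MARKERS.issubset(names):
        verdict = "docx"
    elif scripts:
        verdict = "script-archive"
    else:
        verdict = "zip"
    return {"verdict": verdict, "reasons": reasons, "members": names}

def build_zip(members: dict) -> bytes:
    """Constructed test helper: build an in-memory ZIP from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()

# Constructed samples: a lure named after the requested template, and a minimal .docx layout
LURE = build_zip({"non_disclosure_agreement_nda.js": b"// constructed placeholder, not a payload"})
DOCX = build_zip({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w:document/>"})

if __name__ == "__main__":
    for label, blob in (("lure", LURE), ("docx", DOCX)):
        print(label, classify_download(blob))
```

Because the check keys on archive members rather than the filename or URL, it also flags a lure whose single member uses a double extension such as template.docx.js.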
While the exact identities behind this latest wave remain unknown, the Gootloader gang has consistently shown a focus on legal-themed lures, meticulous campaign planning, and creative abuse of public platforms, from SEO poisoning to advertising supply chains.
The reuse of older infrastructure patterns and gate logic indicates that the core operators remain active, simply shifting techniques to bypass improved search engine protections.