Gootloader Ransomware Loader - Vanilla Tempest Hits Domain Controllers

Gootloader ransomware loader activity has resurged after a period of relative quiet, with new campaigns quickly handing compromised environments to Vanilla Tempest (Rhysida) operators. Gootloader ransomware loader infections tracked by Huntress since late October show three recent compromises, two of which led to hands-on-keyboard intrusions and domain controller takeover in as little as 17 hours. Storm-0494 operators run the Gootloader initial access operation, while Vanilla Tempest manages post-exploitation and ransomware deployment. Gootloader ransomware loader campaigns rely heavily on search engine optimization poisoning and compromised WordPress sites. Victims searching for legal or business templates encounter booby-trapped pages that abuse WordPress comment endpoints to hide encrypted payloads. When users download seemingly harmless ZIP archives, they execute malicious JavaScript that establishes persistence, drops the Supper SOCKS5 backdoor, and sets the stage for lateral movement. Recent campaigns even embed custom WOFF2 fonts that obfuscate filenames, making malicious content appear benign in the browser while remaining unreadable in source code. For enterprise defenders, Gootloader ransomware loader operations represent a fast-moving intrusion chain that can pivot from a single endpoint compromise to domain-wide impact within a business day. Organizations that depend on distributed Windows infrastructure and loosely controlled internet browsing from workstations need layered defenses that detect malicious JavaScript execution, unusual outbound connections, and Supper backdoor indicators long before ransomware binaries appear.