NEWS Hackers Strike via Google Ads: Lawyers Become Prime Targets

ExcalibuR

Legend
LEGEND
PREMIUM
MEMBER
Joined
Jan 17, 2025
Messages
4,031
Reaction score
7,799
Deposit
11,800$
Searching for document templates can easily end in compromise.
The malware campaign involving Gootloader has resurfaced — this time with a more sophisticated tactic, as attackers are distributing malicious ads through Google Ads. The primary targets are legal professionals searching for document templates, which now conceal malicious JavaScript files.
A researcher who runs the blog Gootloader Details and specializes in monitoring Gootloader activity discovered that the malware was being distributed via an ad account linked to the UK-based company Med Media Group Ltd. According to the researcher, the attackers registered a domain, set up hosting, and configured infrastructure through Cloudflare, effectively masking the origin of the threat.
At first glance, the ads appear to offer popular legal templates — such as non-disclosure agreements. Clicking on the ad directs users to lawliner[.]com, a website controlled by the attackers. There, users are prompted to enter their email address to receive the requested document.
The attachment sent is a ZIP archive containing a JavaScript file disguised as the requested template. Once extracted and executed, the file triggers malicious code that creates a scheduled task in the system. This task runs a PowerShell script designed to gather device information — from process names and desktop files to environment variables and disk space.
The data is exfiltrated to a dozen domains, some of which are compromised WordPress blogs used to redirect information to the attackers’ command-and-control server. Others are fake domains mimicking legitimate websites but serving solely to facilitate data transfer.
In the past, the group relied on SEO poisoning, compromising WordPress sites that ranked highly in legal-related search queries. Now, by using paid ads, they’ve increased their reach and can more precisely target victims.
The legal sector remains one of the most attractive targets for such attacks. Law firms store sensitive client data, deal information, signed documents, and contact details of high-profile individuals. A leak of this data can be exploited for blackmail or secondary attacks.
Gootloader originally emerged in 2014 as part of the GootKit malware family. Since 2020, its activity has significantly increased, especially as part of pre-ransomware campaigns. It often deploys an additional module, GootBot, which expands the attacker’s capabilities — such as downloading more malware or executing commands on the compromised system.
In the past, Gootloader actors also targeted unexpected groups, such as Bengal cat enthusiasts in Australia, via SEO poisoning. In the current campaign, key indicators of compromise include the domains lawliner[.]com and skhm[.]org. Security experts recommend blocking these domains, monitoring network traffic for signs of contact, and conducting retrospective analysis of any activity involving these addresses.
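The retrospective sweep recommended above, as an added example that is not part of the original article: it refangs the two indicators the article names, then scans constructed DNS/proxy log lines (invented for this example) for exact or subdomain contact with them, while rejecting look-alike hosts that merely contain the string.

```python
"""Retrospective IoC sweep for the Gootloader campaign described above."""
import re

# Indicators from the article, kept in the defanged form it uses.
DEFANGED_IOCS = ["lawliner[.]com", "skhm[.]org"]

def refang(indicator: str) -> str:
    """Turn 'example[.]com' back into a matchable, lowercased hostname."""
    return indicator.replace("[.]", ".").strip().lower()

IOC_DOMAINS = {refang(d) for d in DEFANGED_IOCS}

def host_matches(host: str, domains: set[str]) -> bool:
    """True only if host equals an IoC domain or is a true subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

# Constructed sample lines (timestamp, client IP, source, detail). The hosts
# lawlinerlegal.example and cdn.skhm.org.evil.test are decoys that a naive
# substring match would wrongly flag.
SAMPLE_LOGS = """\
1743809969.102 10.0.0.14 dns query nda-template.lawliner.com A
1743809971.500 10.0.0.14 dns query www.google.com A
1743809980.000 10.0.0.22 proxy GET http://skhm.org/upload.php 200
1743810001.250 10.0.0.31 dns query lawlinerlegal.example A
1743810010.000 10.0.0.22 proxy GET https://cdn.skhm.org.evil.test/x 200
"""

# Pulls bare hostnames and URL hosts out of a free-form log line.
HOST_RE = re.compile(r"(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})")

def sweep(log_text: str, domains: set[str] = IOC_DOMAINS) -> list[tuple[str, str, str]]:
    """Return (timestamp, client, host) for each line that touched an IoC domain."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # not a record we understand; skip rather than guess
        ts, client = parts[0], parts[1]
        for host in HOST_RE.findall(line):
            if host_matches(host, domains):
                hits.append((ts, client, host.lower()))
                break  # one hit per line is enough for triage
    return hits

if __name__ == "__main__":
    for ts, client, host in sweep(SAMPLE_LOGS):
        print(f"{ts} {client} contacted {host}")
```

Hosts that matched are the ones to feed into the network-traffic review and host triage the article recommends; the decoy lines show why the suffix check, not a substring search, is needed.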
Gootloader continues to demonstrate adaptability and flexibility, making it a highly dangerous threat. Its shift in distribution methods, use of custom infrastructure, and focused targeting of the legal sector reflect a high level of organization. Prompt detection of malicious ads and effective domain filtering remain crucial defense strategies against such attacks.