Gootloader JavaScript malware, commonly used to deliver ransomware, is back in action after a period of reduced activity.

Since October 27, security shop Huntress says it has spotted three Gootloader infections, and two of these led to hands-on-keyboard intrusions with domain controller compromise occurring in as little as 17 hours after the attackers gained initial access.

Huntress senior analyst Anna Pham told The Register that her team has attributed all three intrusions to Gootloader operator Storm-0494 and ransomware gang Vanilla Tempest (aka Rhysida).

"The infection operates through a well-established criminal partnership: Storm-0494 handles Gootloader operations and initial access, then hands off compromised environments to Vanilla Tempest for post-exploitation and ransomware dep