Blog
/
Network
/
February 15, 2024

Detecting & Containing Gootloader Malware

Learn how Darktrace helps detect and contain multi-functional threats like the Gootloader malware. Stay ahead of cyber threats with Darktrace AI solutions.
Written by
Ashiq Shafee
Cyber Security Analyst
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Ashiq Shafee
Cyber Security Analyst
Default blog image
15
Feb 2024

What is multi-functional malware?

While traditional malware variants were designed with one specific objective in mind, the emergence of multi-functional malware, such as loader malware, means that organizations are likely to be confronted with multiple malicious tools and strains of malware at once. These threats often have non-linear attack patterns and kill chains that can quickly adapt and progress quicker than human security teams are able to react. Therefore, it is more important than ever for organizations to adopt an anomaly approach to combat increasingly versatile and fast-moving threats.

Example of Multi-functional malware

One example of a multi-functional malware recently observed by Darktrace can be seen in Gootloader, a multi-payload loader variant that has been observed in the wild since 2020. It is known to primarily target Windows-based systems across multiple industries in the US, Canada, France, Germany, and South Korea [1].  

How does Gootloader malware work?

Once installed on a target network, Gootloader can download additional malicious payloads that allow threat actors to carry out a range of harmful activities, such as stealing sensitive information or encrypting files for ransom.

The Gootloader malware is known to infect networks via search engine optimization (SEO) poisoning, directing users searching for legitimate documents to compromised websites hosting a malicious payload masquerading as the desired file.

If the malware remains undetected, it paves the way for a second stage payload known as Gootkit, which functions as a banking trojan and information-stealer, or other malware tools including Cobalt Strike and Osiris [2].

Darktrace detection of Gootloader malware

In late 2023, Darktrace observed one instance of Gootloader affecting a customer in the US. Thanks to its anomaly-focused approach, Darktrace quickly identified the anomalous activity surrounding this emerging attack and brought it to the immediate attention of the customer’s security team. All the while, Darktrace's Autonomous Response was in place and able to autonomously intervene, containing the suspicious activity and ensuring the Gootloader compromise could not progress any further.

Autonomous Response was in place and able to autonomously intervene, containing the suspicious activity and ensuring the Gootloader compromise could not progress any further.

In September 2023, Darktrace identified an instance of the Gootloader malware attempting to propagate within the network of a customer in the US. Darktrace identified the first indications of the compromise when it detected a device beaconing to an unusual external location and performing network scanning. Following this, the device was observed making additional command-and-control (C2) connections, before finally downloading an executable (.exe) file which likely represented the download of a further malicious payload.

As this customer had subscribed to the Proactive Notification Service (PTN), the suspicious activity was escalated to the Darktrace Security Operations Center (SOC) for further investigation by Darktrace’s expert analysts. The SOC team were able to promptly triage the incident and advise urgent follow-up actions.

Gootloader Attack Overview

Figure 1: Timeline of Anomalous Activities seen on the breach device.

Initial Beaconing and Scanning Activity

On September 21, 2023, Darktrace observed the first indications of compromise on the network when a device began to make regular connections to an external endpoint that was considered extremely rare for the network, namely ‘analyzetest[.]ir’.

Although the endpoint did not overtly seem malicious in nature (it appeared to be related to laboratory testing), Darktrace recognized that it had never previously been seen on the customer’s network and therefore should be treated with caution.  This initial beaconing activity was just the beginning of the malicious C2 communications, with several additional instances of beaconing detected to numerous suspicious endpoints, including funadhoo.gov[.]mv, tdgroup[.]ru’ and ‘army.mil[.]ng.

Figure 2: Initial beaconing activity detected on the breach device.

Soon thereafter, Darktrace detected the device performing internal reconnaissance, with an unusually large number of connections to other internal locations observed. This scanning activity appeared to primarily be targeting the SMB protocol by scanning port 445.

Within seconds of Darktrace's detection of this suspicious SMB scanning activity, Darktrace's Autonomous Response moved to contain the compromise by blocking the device from connecting to port 445 and enforcing its ‘pattern of life’. Darktrace’s Self-Learning AI enables it to learn a device’s normal behavior and recognize if it deviates from this; by enforcing a pattern of life on an affected device, malicious activity is inhibited but the device is allowed to continue its expected activity, minimizing disruption to business operations.

Figure 3: The breach device Model Breach Event Log showing Darktrace identifying suspicious SMB scanning activity and the corresponding respose actions.

Following the initial detection of this anomalous activity, Darktrace’s Cyber AI Analyst launched an autonomous investigation into the beaconing and scanning activity and was able to connect these seemingly separate events into one incident. AI Analyst analyzes thousands of connections to hundreds of different endpoints at machine speed and then summarizes its findings in a single pane of glass, giving customers the necessary information to assess the threat and begin remediation if necessary. This significantly lessens the burden for human security teams, saving them previous time and resources, while ensuring they maintain full visibility over any suspicious activity on their network.

Figure 4: Cyber AI Analyst incident log summarizing the technical details of the device’s beaconing and scanning behavior.

Beaconing Continues

Darktrace continued to observe the device carrying out beaconing activity over the next few days, likely representing threat actors attempting to establish communication with their malicious infrastructure and setting up a foothold within the customer’s environment. In one such example, the device was seen connecting to the suspicious endpoint ‘fysiotherapie-panken[.]nl’. Multiple open-source intelligence (OSINT) vendors reported this endpoint to be a known malware delivery host [3].

Once again, Darktrace Autonomous Response was in place to quickly intervene in response to these suspicious external connection attempts. Over the course of several days, Darktrace blocked the offending device from connecting to suspicious endpoints via port 443 and enforced its pattern of life. These autonomous actions by Darktrace effectively mitigated and contained the attack, preventing it from escalating further along the kill chain and providing the customer’s security team crucial time to take act and employ their own remediation.

Figure 5: A sample of the Autonomous Response actions that was applied on the affected device.

Possible Payload Retrieval

A few days later, on September 26, 2023, Darktrace observed the affected device attempting to download a Windows Portable Executable via file transfer protocol (FTP) from the external location ‘ftp2[.]sim-networks[.]com’, which had never previously been seen on the network. This download likely represented the next step in the Gootloader infection, wherein additional malicious tooling is downloaded to further cement the malicious actors’ control over the device. In response, Darktrace immediately blocked the device from making any external connections, ensuring it could not download any suspicious files that may have rapidly escalated the attackers’ efforts.

Figure 6: DETECT’s identification of the offending device downloading a suspicious executable file via FTP.

The observed combination of beaconing activity and a suspicious file download triggered an Enhanced Monitoring breach, a high-fidelity DETECT model designed to detect activities that are more likely to be indicative of compromise. These models are monitored by the Darktrace SOC round the clock and investigated by Darktrace’s expert team of analysts as soon as suspicious activity emerges.

In this case, Darktrace’s SOC triaged the emerging activity and sent an additional notice directly to the customer’s security team, informing them of the compromise and advising on next steps. As this customer had subscribed to Darktrace’s Ask the Expert (ATE) service, they also had a team of expert analysts available to them at any time to aid their investigations.

Figure 7: Enhanced Monitoring Model investigated by the Darktrace SOC.

Conclusion

Loader malware variants such as Gootloader often lay the groundwork for further, potentially more severe threats to be deployed within compromised networks. As such, it is crucial for organizations and their security teams to identify these threats as soon as they emerge and ensure they are effectively contained before additional payloads, like information-stealing malware or ransomware, can be downloaded.

In this instance, Darktrace demonstrated its value when faced with a multi-payload threat by detecting Gootloader at the earliest stage and responding to it with swift targeted actions, halting any suspicious connections and preventing the download of any additional malicious tooling.

Darktrace DETECT recognized that the beaconing and scanning activity performed by the affected device represented a deviation from its expected behavior and was indicative of a potential network compromise. Meanwhile, Darktrace ensured that any suspicious activity was promptly shut down, buying crucial time for the customer’s security team to work with Darktrace’s SOC to investigate the threat and quarantine the compromised device.

Credit to: Ashiq Shafee, Cyber Security Analyst, Qing Hong Kwa, Senior Cyber Analyst and Deputy Analyst Team Lead, Singapore

Appendices

Darktrace DETECT Model Detections

Anomalous Connection / Rare External SSL Self-Signed

Device / Suspicious SMB Scanning Activity

Anomalous Connection / Young or Invalid Certificate SSL Connections to Rare

Compromise / High Volume of Connections with Beacon Score

Compromise / Beacon to Young Endpoint

Compromise / Beaconing Activity To External Rare

Compromise / Slow Beaconing Activity To External Rare

Compromise / Beacon for 4 Days

Anomalous Connection / Suspicious Expired SSL

Anomalous Connection / Multiple Failed Connections to Rare Endpoint

Compromise / Sustained SSL or HTTP Increase

Compromise / Large Number of Suspicious Successful Connections

Compromise / Large Number of Suspicious Failed Connections

Device / Large Number of Model Breaches

Anomalous File / FTP Executable from Rare External Location

Device / Initial Breach Chain Compromise

RESPOND Models

Antigena / Network / Significant Anomaly / Antigena Breaches Over Time Block

Antigena / Network / Significant Anomaly / Antigena Significant Anomaly from Client Block

Antigena / Network/Insider Threat/Antigena Network Scan Block

Antigena / Network / Significant Anomaly / Antigena Enhanced Monitoring from Client Block

Antigena / Network / External Threat / Antigena Suspicious File Block

Antigena / Network / External Threat / Antigena File then New Outbound Block

Antigena / Network / External Threat / Antigena Suspicious Activity Block

List of Indicators of Compromise (IoCs)

Type

Hostname

IoCs + Description

explorer[.]ee - C2 Endpoint

fysiotherapie-panken[.]nl- C2 Endpoint

devcxp2019.theclearingexperience[.]com- C2 Endpoint

campsite.bplaced[.]net- C2 Endpoint

coup2pompes[.]fr- C2 Endpoint

analyzetest[.]ir- Possible C2 Endpoint

tdgroup[.]ru- C2 Endpoint

ciedespuys[.]com- C2 Endpoint

fi.sexydate[.]world- C2 Endpoint

funadhoo.gov[.]mv- C2 Endpoint

geying.qiwufeng[.]com- C2 Endpoint

goodcomix[.]fun- C2 Endpoint

ftp2[.]sim-networks[.]com- Possible Payload Download Host

MITRE ATT&CK Mapping

Tactic – Technique

Reconnaissance - Scanning IP blocks (T1595.001, T1595)

Command and Control - Web Protocols , Application Layer Protocol, One-Way Communication, External Proxy, Non-Application Layer Protocol, Non-Standard Port (T1071.001/T1071, T1071, T1102.003/T1102, T1090.002/T1090, T1095, T1571)

Collection – Man in the Browser (T1185)

Resource Development - Web Services, Malware (T1583.006/T1583, T1588.001/T1588)

Persistence - Browser Extensions (T1176)

References

1.     https://www.blackberry.com/us/en/solutions/endpoint-security/ransomware-protection/gootloader

2.     https://redcanary.com/threat-detection-report/threats/gootloader/

3.     https://www.virustotal.com/gui/domain/fysiotherapie-panken.nl

Written by
Ashiq Shafee
Cyber Security Analyst
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Ashiq Shafee
Cyber Security Analyst

Chinese APT Campaign Targets Entities with Updated FDMTP Backdoor

Network
May 14, 2026
Tara Gould
Malware Research Lead
Watch the NIS2 Webinar
Trending blogs
1
Darktrace Recognized as the Only Visionary in the 2026 Gartner® Magic Quadrant™ for CPS Protection Platforms
Mar 20, 2026
2
How Empowering End Users can Improve Your Email Security and Decrease the Burden on the SOC
May 8, 2024
3
Elevating Network Security: Confronting Trust, Ransomware, & Novel Attacks
Jun 21, 2024
4
The State of AI in Cybersecurity: Unveiling Global Insights from 1,800 Security Practitioners
Apr 9, 2024
5
The State of AI in Cybersecurity: The Impact of AI on Cybersecurity Solutions
May 13, 2024

More in this series

No items found.
Continue reading
Network
May 21, 2026

Darktrace named a Leader in the 2026 Gartner® Magic Quadrant™ for Network Detection and Response (NDR) For the Second Consecutive Year

Darktrace has been named a Leader in the 2026 Gartner® Magic Quadrant™ for Network Detection and Response (NDR) for the second consecutive year. We believe this reflects continued execution in NDR, ongoing AI innovation, and strong outcomes delivered for customers globally.
Mikey Anderson
Product Marketing Manager, Network Detection & Response
Read more
Network
May 19, 2026

When Open Source Is Weaponized: Analysis of a Trojanized 7 Zip Installer

Attackers abused a trojanized 7‑Zip installer distributed via a typo‑squatted domain to establish proxyware infections worldwide. This blog analyzes how social engineering, trusted open‑source software, and stealthy command‑and‑control activity enabled widespread compromise, highlighting the importance of software validation, user awareness, and proactive network‑level detection.
Justin Torres
Cyber Analyst
Read more
Network
May 14, 2026

Chinese APT Campaign Targets Entities with Updated FDMTP Backdoor

Darktrace researchers identified a Twill Typhoon–linked China‑nexus campaign targeting APJ customers. The activity observed includes CDN impersonation, legitimate binaries, and DLL sideloading to deploy a modular .NET RAT.
Tara Gould
Malware Research Lead
Read more

Blog

/

Proactive Security

/

June 2, 2026

Stopping Stealth Attacks with Precision: How Núclea Prevented a Breach Without Disruption

Default blog imageDefault blog image

Núclea is a Brazilian data and technology company that supports the country’s financial system by delivering digital services exclusively to banks and financial institutions. Operating in an environment where trust, availability, and data integrity are critical, the company faces a threat landscape that has evolved rapidly—particularly with the rise of AI-driven cyberattacks.

Brazil has experienced a wave of successful cyber incidents targeting financial institutions, many of them enabled by insiders or compromised credentials. The result was a noticeable shift in attacker strategy: instead of focusing on end customers, threat actors began targeting the institutions and platforms that underpin the financial ecosystem itself.

“Attacks became far more directed and contextual,” explains Guilherme, who leads incident response within Núclea’s security platform engineering team. “They weren’t noisy or obviously malicious—they were precise, patient, and designed to blend into normal operations.”

That precision was on full display in January 2026, when Núclea faced one of the most convincing phishing attacks the team had seen.

A real attack, built on trust and context

The attack began with a seemingly routine email.

It was sent from a real Brazilian government institution, using legitimate infrastructure and valid credentials that were later confirmed to have been compromised. Núclea had an established, ongoing relationship with this organization, and the email’s language, tone, and subject matter aligned perfectly with the type of communication the recipient team handled every day.

Attached to the email was a PDF document containing content that looked entirely legitimate.

The problem? A single URL embedded inside that PDF.

“The message itself was correct. The sender was real. The context was familiar. Even the document content made sense,” Guilherme explains. “There was just one small element that didn’t belong.”

That small detail was enough to initiate a full attack chain.

What the attackers were trying to do

If clicked, the URL would have downloaded a malicious payload designed to:

  • Collect information about the user and device
  • Identify where the system was located within the financial ecosystem
  • Install remote access tools to maintain control
  • Deploy an infostealer to extract sensitive data
  • Execute anti-forensic scripts to erase traces of the intrusion

In other words, it was a carefully engineered operation designed for persistence and stealth, not immediate disruption.

The attack also employed urgency—a classic social engineering technique. When the link didn’t open as expected, employees requested assistance from the security team, insisting the document was important and needed to be accessed quickly.

This is precisely the kind of scenario where traditional security tools struggle: almost everything about the interaction is legitimate.

Where Darktrace made the difference

Instead of blocking the entire message or relying on known indicators of compromise, Darktrace focused on behavioral context.

Darktrace recognized:

  • That the sending organization was normally trusted
  • That the communication pattern matched historical behavior
  • That the PDF content itself was not suspicious

But it also identified that the URL embedded within the document deviated from established behavioral patterns.

Rather than disrupting business operations, Darktrace took precise action: it rewrote the URL, preventing the malicious download while leaving the rest of the email untouched.

“When we analyzed it afterward, it became clear how dangerous the attack would have been,” says Guilherme. “But it never progressed—because Darktrace acted at exactly the right point.”

Subsequent forensic analysis confirmed the payload’s malicious intent. The attack never succeeded.

Precision over disruption

For Núclea, this incident reinforced a critical lesson: modern attacks don’t always look malicious—they hide within normal activity.

“What stands out to me is the precision,” Guilherme says. “Darktrace doesn’t rely on big, obvious signals. It’s effective in situations that fall outside the standard patterns we all know.”

Building resilience in a high trust ecosystem

For Núclea, cybersecurity is not just a defensive measure—it’s a business enabler.

Availability failures or successful breaches in the financial ecosystem can have immediate, large-scale consequences, from financial loss to reputational damage. Preventing those outcomes protects not just Núclea, but its partners and customers as well.

“Cyber resilience means keeping the business running—even under attack,” Guilherme explains. “And that requires people, processes, and technology working together.”

As AI continues to accelerate both attacks and defenses, the role of security is evolving. Precision, behavioral understanding, and intelligent automation are no longer optional—they’re essential.

“The easy days were yesterday,” Guilherme says. “The challenges ahead are bigger. We need to be prepared—internally and with partners that help us build resilience.”

Continue reading
About the author

Blog

/

Proactive Security

/

June 1, 2026

Defend What You Trust: Stories from the Front Lines of Modern Cyber Defense

Default blog imageDefault blog image

Modern attacks don’t always announce themselves, follow obvious patterns, or rely on known malware. Often, they move quietly inside trusted systems, authenticated sessions, and everyday behavior.

They don’t break in. They blend in.

That’s why an AI-powered defense is essential. It turns invisible signals into actionable insights at a scale neither analysts nor traditional tools can achieve alone.

Confidence is creating risk

One of the most dangerous assumptions in cybersecurity today is that strong controls equal strong protection.

Multi-factor authentication (MFA), for example, is widely viewed as a foundational safeguard. But as the CISO for a professional sports organization explains, that confidence can be misplaced. “A lot of organizations assume that once you have MFA, those accounts are safe. That’s not true.”

In one instance, his team identified a sophisticated attack where a threat actor bypassed MFA entirely, not by breaking it, but by going around it. A user’s authenticated session was hijacked and re-used, allowing the attacker to impersonate them without triggering traditional controls.

“Darktrace picked up that a session had been re-injected by the hacker, and we were able to block it right away,” he explains.

Attackers anticipate what we miss

Even well-trained users can become entry points.

“An email bypassed our existing security tools,” shares the VP of IT at a U.S.-based risk management services provider.  “The user missed one signal and entered their credentials into a malicious site. That’s what the bad guys count on.”

The organization responded quickly, but not before damage was done. Crucially, this occurred while Darktrace was in “watch mode,” before autonomous response was fully enabled. “Darktrace would have seen that and shut it down immediately,” he notes.

Mistakes and oversights like misconfigurations, forgotten machines, and missed patches can create serious vulnerabilities.

The CIO of a utility services organization shares an instance when Darktrace detected a breach to a client’s network via their ZTNA VPN due to misconfigured MFA. “Darktrace alerted us and autonomously blocked the scanning, preventing what could have been a ransomware-type incident.”  

The most dangerous threats are already inside

The Head of Security at a global business services provider knows firsthand how blind spots can persist inside environments. His team uncovered evidence of dormant ransomware artifacts sitting unnoticed within a company’s environment ¬¬– long before modern detection was in place.

“During a routine file transfer, Darktrace flagged the suspicious activity, identified the ransomware, and immediately quarantined the server,” he recalls.  While the attack was never executed, the implication was significant: the risk existed long before it was finally detected.

Cyber threats are also successful because they take advantage of normal human behavior, exploiting moments of cognitive overload, urgency, and trust.

The Executive Director of IT and Business Applications at a pharmaceutical lab describes the time Darktrace flagged an employee logging into Microsoft 365 from Singapore, despite him being physically located in the U.S. Darktrace immediately cut off his access and within minutes revealed that the employee’s son was using a VPN to play a video game.

While the threat was benign, it demonstrated the strength of AI to use contextual information to detect threats other tools miss. The information also saved security analysts hours of investigation and minimized downtime for the employee. “That level of precision and speed isn’t just convenient, it’s game changing.”

“Unusual” behavior is the new red flag

Detecting modern threats requires an understanding of what “normal” looks like and recognizing when something subtly deviates.

One security leader  at an AI technology enterprise described a scenario in which an employee connected to a proxy service in China. The service itself was legitimate, and although traditional tools didn’t flag it, the behavior was unusual for that user specifically.

“That’s what Darktrace picked up on. The activity turned out to be benign, but without visibility into behavioral deviations, it could just as easily have been something more serious.”

AI shifts defense from reaction to anticipation

These stories point to a fundamental shift by cyber attackers, both tactically and strategically. Because traditional security tools were built to detect what’s already known, modern attacks are often:

  • Credential-based, not malware-based
  • Behavioral, not signature-based
  • Subtle, not overt

They may operate within the boundaries of what appears normal, exploiting what organizations trust, not what they block:

  • Trusted sessions
  • Legitimate services
  • Human error

This is where AI is changing the equation. Rather than relying on predefined rules or known threat signatures, AI can:

  • Establish a baseline of normal behavior
  • Detect subtle anomalies in real time
  • Act autonomously to contain potential threats

Resilience, not perfection, is the new security standard

As these frontline experiences show, the organizations that lead are those that move beyond reactive defense and embrace AI as a core part of their strategy.

It eliminates the blind spots and uncertainty, says the CISO of a professional sports organization. “If you lack visibility, you’re not managing risk, you’re assuming it. AI gives you the actionable insights needed to turn uncertainty into control.”

And it provides the speed and agility that are vital when seconds matter, says the Executive Director of IT and Business Applications. “When Darktrace alerted us at 3:00 am to a ransomware attack, it had already quarantined the affected systems, blocked the attacker’s access, and provided us with the critical details and time needed to investigate. That action likely saved us hundreds of thousands, if not millions, of dollars.”

The modern SOC has become a cornerstone of enterprise resilience, responsible for protecting data and operational continuity while enabling digital growth and innovation. For today’s security professional, that means success is no longer measured by what they keep out, but by what they protect: revenue, reputation, and trust.

Continue reading
About the author
Your data. Our AI.
Elevate your network security with Darktrace AI