A new Gootloader malware campaign is making the rounds, this time using a deceptive malvertising strategy to compromise unsuspecting users searching for legal document templates on Google. In a fresh twist on an old playbook, the attackers are embedding their malicious payloads in Google Ads that appear legitimate to anyone looking for common legal forms such as nondisclosure agreements.
This recent activity was uncovered by a dedicated security researcher operating under the alias “Gootloader” on X (formerly Twitter), who also publishes detailed findings on a blog titled Gootloader Details. The researcher, who chooses to remain anonymous to avoid detection by threat actors, has been tracking the malware strain for years. They report that attackers are now leveraging a UK-based advertiser’s compromised site, Med Media Group Ltd., to deploy these misleading ads. According to the researcher, the attackers registered the domain, set up hosting, and connected it through Cloudflare to help mask their identity and add legitimacy.
One of the key tactics involves users encountering seemingly helpful search results when querying phrases like “nondisclosure agreement template.” Among the top results, a malicious ad from lawliner[.]com can appear. Clicking on this ad takes the victim to a spoofed legal document portal where they are prompted to enter their email address to receive a downloadable document. Shortly after, an email arrives from “lawyer@skhm[.]org” with a download link for what is presented as a Word document. What is actually delivered is a ZIP file containing a JavaScript file labeled as a legal agreement.
When the victim opens the ZIP and executes the disguised .JS file, Gootloader activates silently in the background. The malware creates a scheduled task pointing to a second JavaScript file stashed inside the user’s appdata\roaming folder. It then launches a PowerShell script designed to collect basic system intelligence, such as running processes, desktop file names, environment variables, and available drive space. This data is continuously exfiltrated to a network of 10 domains, most of which are compromised WordPress blogs acting as proxies to a command-and-control server located in Russia. A few of these domains are decoys, adding a layer of obfuscation to the communication chain.
The return to targeting legal professionals is no surprise. Law firms have long been high-value targets due to the sensitive data they hold and their often-underfunded cybersecurity postures. According to the researcher, the goal is to acquire data that can be leveraged for ransomware operations, espionage, or sold for profit. This marks an evolution from earlier Gootloader campaigns that used SEO poisoning to lure victims to compromised legal blogs. In those efforts, attackers seeded millions of legal-related keywords into hacked WordPress sites, a technique they appear to have now replaced with more direct Google Ad exploitation and attacker-controlled infrastructure.
The researcher believes this shift signals a maturing operation, noting that Gootloader operators have “stood up their own infrastructure” rather than relying solely on compromised third-party websites. This change gives attackers more control over delivery, payload deployment, and evasion.
Gootloader itself has been around for nearly a decade, first surfacing in 2014 alongside the GootKit banking Trojan. While its techniques have shifted, the core purpose remains consistent: to steal information, execute commands, drop additional malware, and in many cases act as a precursor to ransomware attacks. More recently, operators have been observed using a post-compromise tool called GootBot, which enables further lateral movement or data extraction from within an infected system.
The Gootloader group is also known for its sometimes bizarre targeting choices. One campaign notably focused on fans of Bengal cats in Australia, using SEO poisoning to serve malware via fake pet care websites. But the legal sector remains its most consistently pursued victim group, likely because of its combination of high-value data and variable defenses.
To help defenders take immediate action, the researcher published two key indicators of compromise for this latest campaign: lawliner[.]com and skhm[.]org. They advise organizations to block these domains, monitor for historical connections to them, and set alerts for any future contact attempts. Additionally, security teams should implement behavior-based detection rules to flag unexpected file types, such as ZIP archives containing JavaScript files arriving via email, especially when disguised as standard legal documents.
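The attachment rule the researcher recommends, as an added example (not code from the article or the researcher): it inspects a ZIP attachment in memory, flags any script-type member, and raises the severity when the member's name mimics a legal template, as in this campaign's lure. The extension list, the lure keywords, the severity-to-action policy and the sample archives are all assumptions constructed for the example.

```python
import io
import re
import zipfile

# Script extensions that should never arrive disguised as a legal document (assumed list).
SCRIPT_EXTS = {".js", ".jse", ".wsf", ".vbs", ".hta"}
# Words that make a script member look like the legal-template lure described above (assumed).
LEGAL_LURE = re.compile(r"agreement|contract|nda|nondisclosure|template", re.I)


def build_zip(member_name: str, content: bytes) -> bytes:
    """Build a single-member ZIP in memory; used only to construct the samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, content)
    return buf.getvalue()


def inspect_zip_attachment(data: bytes) -> list:
    """Return one finding per script-type member of the archive.

    Severity is 'high' when the file name mimics a legal document and
    'medium' for any other script, without executing or parsing the member.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
            if ext in SCRIPT_EXTS:
                severity = "high" if LEGAL_LURE.search(name) else "medium"
                findings.append({"member": name, "ext": ext, "severity": severity})
    return findings


def verdict(data: bytes) -> str:
    """Map findings to a gateway action (assumed policy: quarantine lures, flag other scripts)."""
    findings = inspect_zip_attachment(data)
    if any(f["severity"] == "high" for f in findings):
        return "quarantine"
    return "flag" if findings else "allow"


# Constructed samples: a lure modelled on the campaign's ZIP, and a benign archive.
LURE = build_zip("Nondisclosure_Agreement_Template.js", b"// constructed placeholder\n")
BENIGN = build_zip("Nondisclosure_Agreement_Template.docx", b"constructed placeholder")

if __name__ == "__main__":
    for label, sample in (("lure", LURE), ("benign", BENIGN)):
        print(label, verdict(sample), inspect_zip_attachment(sample))
```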
The Gootloader malware continues to adapt, blending old methods with new delivery tactics. Its use of malvertising targeting legal templates shows how attackers are evolving their tradecraft to appear legitimate while staying one step ahead of detection systems. With its combination of stealth, social engineering, and system-level infiltration, this latest campaign underscores the importance of vigilance — not just in email security, but also in search ad integrity and web-based threat detection.