GOLD ZODIAC
SUMMARY
GOLD ZODIAC is a financially motivated cybercriminal threat group that operates the Gootkit malware and the associated GootLoader malware distribution network. GootLoader is a network of thousands of infected WordPress sites hosting content intended to influence each site's search engine result rankings for various phrases. This malicious search engine optimization (SEO) drives traffic to the infected sites, which then present a malware download link to potential victims. The download link is presented on a page masquerading as a forum post related to the search phrase the victim entered. Since 2021, these phrases have largely concentrated on themes of contractual agreements, forms, and templates, resulting in victimology that disproportionately represents people in legal and human resources roles. The downloaded malware archive requires a victim to explicitly open and execute an embedded Microsoft JScript script, also known as GootLoader, to cause infection. GootLoader may remain active on an infected system for days before retrieving a final malware payload, such as Cobalt Strike. GootLoader has been used as the initial access vector for threat actors that ultimately deployed the REvil ransomware.
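As an added detection example, not part of this profile or the group's tooling, the following Python flags process-creation events that match the execution step described above: a user launching a .js/.jse file from a downloaded archive through a Windows script host. The event field names, the Explorer-parent heuristic and the sample records are constructed assumptions, not data from a real incident.

```python
import re
from dataclasses import dataclass

# Windows script hosts that run .js/.jse files when a user double-clicks them.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Where an archive extracted from a browser download typically lands.
USER_DROP_DIR = re.compile(r"\\Users\\[^\\]+\\(Downloads|AppData\\Local\\Temp)\\", re.IGNORECASE)
# First .js/.jse argument on the command line, quoted or unquoted.
SCRIPT_ARG = re.compile(r'"([^"]+\.jse?)"|(\S+\.jse?)(?=\s|$)', re.IGNORECASE)

@dataclass
class ProcEvent:            # minimal process-creation record (field names assumed)
    parent_image: str
    image: str
    command_line: str

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def script_path(command_line: str):
    m = SCRIPT_ARG.search(command_line)
    return (m.group(1) or m.group(2)) if m else None

def is_user_launched_dropped_script(ev: ProcEvent) -> bool:
    """True when a script host started from the shell runs a .js/.jse
    that sits under the user's Downloads or Temp directory."""
    if basename(ev.image) not in SCRIPT_HOSTS:
        return False
    if basename(ev.parent_image) != "explorer.exe":   # interactive launch heuristic
        return False
    path = script_path(ev.command_line)
    return bool(path and USER_DROP_DIR.search(path))

def triage(events):
    return [ev.command_line for ev in events if is_user_launched_dropped_script(ev)]

# Constructed sample events; only the first matches the archive-dropped-script pattern.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\wscript.exe",
              r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\agreement_template_12345\agreement_template_12345.js"'),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\wscript.exe",
              r"wscript.exe C:\ProgramData\IT\logon_banner.js"),          # not a download location
    ProcEvent(r"C:\Windows\System32\services.exe", r"C:\Windows\System32\cscript.exe",
              r"cscript.exe //B C:\Users\alice\AppData\Local\Temp\inventory.js"),  # service, not user
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Program Files\Notepad++\notepad++.exe",
              r'"C:\Program Files\Notepad++\notepad++.exe" "C:\Users\alice\Downloads\notes.js"'),  # editor
]

if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print("suspicious:", line)
```

Tune the parent-process and path heuristics to the environment; archive tools that extract and launch directly will show a different parent than Explorer.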