ATLA WIRE

GootLoader Is Back, Using a New Font Trick to Hide Malware on WordPress Sites

13.11.2025
Huntress finds three GootLoader infections since Oct 27, 2025; two led to domain controller compromise within 17 hours.

GootLoader is back in action, and this time it's using a slick new font obfuscation trick to hide malware on compromised WordPress sites. Huntress has spotted three fresh infections since October 27, 2025—and two of them escalated to full domain controller compromise in under 17 hours. Yeah, that fast.
The malware crew is still using their classic SEO poisoning playbook—boosting fake forums in search results to lure victims into downloading malicious JavaScript files. But now they've leveled up: the payloads are hidden inside font files on hacked WordPress sites, making detection way harder for basic security scans.
Once inside, GootLoader deploys a multi-stage attack chain that drops secondary payloads like Cobalt Strike beacons, leading to ransomware, data theft, or full network takeover. In the two worst cases Huntress tracked, the attackers went from initial infection to domain controller access in less than a day—showing how brutally efficient this loader has become.
WordPress admins, listen up: check your sites for suspicious font files and unexpected code injections. This isn't just another script kiddie attack—it's a coordinated, evolving threat that's already proving it can wreck networks fast.
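One concrete way to act on that advice is to audit a WordPress tree for files that carry a font extension but are not actually fonts. The script below is an added example written for this article; it is not Huntress's detection logic and not code from the GootLoader research. It assumes that a legitimate web font starts with the signature of its container format (TrueType, OpenType, WOFF, WOFF2) and that a font body is binary rather than mostly printable text, so a script parked under a font name fails one of those two checks. The sample site it scans is constructed in a temporary directory, so it runs offline.

```python
"""Flag files under a web root that have a font extension but do not look like
a font.  Constructed example for illustration only; not the article's or
Huntress's own tooling."""
import os
import string
import tempfile

# Leading bytes of the common web-font container formats.  Assumption: only
# these four are checked; EOT has no fixed signature at offset 0 and is skipped.
FONT_MAGIC = {
    ".ttf": (b"\x00\x01\x00\x00", b"true"),
    ".otf": (b"OTTO",),
    ".woff": (b"wOFF",),
    ".woff2": (b"wOF2",),
}
PRINTABLE = set(string.printable.encode())


def header_matches(ext, head):
    """True if the leading bytes carry one of the signatures expected for ext."""
    return any(head.startswith(magic) for magic in FONT_MAGIC[ext])


def printable_ratio(data):
    """Fraction of bytes that are printable ASCII; real font tables score low."""
    if not data:
        return 0.0
    return sum(b in PRINTABLE for b in data) / len(data)


def scan_font_files(root, sample_size=4096):
    """Walk root and return sorted (path, reason) pairs for font-named files
    whose header contradicts the extension, or whose leading bytes read as
    text (for example script source) rather than a binary font container."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            ext = os.path.splitext(name)[1].lower()
            if ext not in FONT_MAGIC:
                continue  # only font-named files are in scope here
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(sample_size)
            if not header_matches(ext, head):
                findings.append((path, "header does not match %s signature" % ext))
            elif printable_ratio(head) > 0.9:
                findings.append((path, "font body is mostly printable text"))
    return sorted(findings)


def build_sample_site():
    """Create a constructed WordPress-like tree: two genuine-looking fonts,
    one text file wearing a .woff name, one text file with a forged WOFF2
    header, and a CSS file that should be ignored.  Returns the root path."""
    root = tempfile.mkdtemp(prefix="wp-font-audit-")
    binary_body = bytes(range(256)) * 8  # stand-in for real font tables
    files = {
        "wp-content/themes/demo/fonts/real.woff2": b"wOF2" + binary_body,
        "wp-content/uploads/2025/11/real.ttf": b"\x00\x01\x00\x00" + binary_body,
        "wp-content/uploads/2025/11/glyphs.woff":
            b"/* constructed stand-in for script text under a font name */\n"
            b"var marker = 1;\n",
        "wp-content/uploads/2025/11/masked.woff2":
            b"wOF2" + b"function marker() { return 1; }\n" * 50,
        "wp-content/themes/demo/style.css": b"body { font-family: demo; }\n",
    }
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for path, reason in scan_font_files(build_sample_site()):
        print("%s: %s" % (path, reason))
```

Run against a real install with `scan_font_files("/var/www/html")`; any hit under `wp-content/uploads` deserves a look at the file's modification time and at whichever template or plugin references it, since genuine theme fonts rarely live in the uploads tree.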
Tags: SEO poisoning, WordPress security, malware, ransomware, obfuscation