S1138: Gootloader
Gootloader is a Javascript-based infection framework that has been used since at least 2020 as a delivery method for the Gootkit banking trojan, Cobalt Strike, REvil, and others. Gootloader operates on an "Initial Access as a Service" model and has leveraged SEO Poisoning to provide access to entities in multiple sectors worldwide including financial, military, automotive, pharmaceutical, and energy.[1][2]
Analyst context for executives and security teams
Gootloader matters because it is described by ATT&CK as a JavaScript-based infection framework and “Initial Access as a Service” delivery method that has used SEO poisoning and has delivered higher-impact follow-on tools such as Gootkit, Cobalt Strike, REvil, and others. For leaders, the decision point is not just “detect this malware,” but whether the organization can recognize a web-driven initial access chain on Windows before it turns into credential theft, hands-on-keyboard activity, or ransomware-enabling access.
Executive priority
Prioritize Gootloader as an initial-access and resilience validation scenario for Windows environments. Ask whether web security, endpoint logging, PowerShell visibility, script controls, identity discovery monitoring, and incident-response playbooks can connect the full chain: user link interaction, JavaScript execution, obfuscation/decoding, payload transfer, discovery, persistence, and possible process injection. This is especially relevant for audit evidence around endpoint monitoring, least privilege, security awareness, and response readiness.
Technical view
ATT&CK provides no official detection text for S1138, so coverage should be validated through the related behaviors. SOC teams should test whether they can correlate Windows JavaScript/JScript execution, PowerShell activity, obfuscated or decoded content, ingress tool transfer, system and network discovery, domain group discovery, time/location/language checks, registry run key or startup-folder persistence, and process injection indicators. Detection should focus on behavior chains rather than a single indicator, because the object is explicitly associated with obfuscation, standard encoding, and analysis-evasion-style checks.
Likely telemetry
- Windows process creation events with command line and parent/child process context
- PowerShell execution telemetry, including script block or equivalent command visibility where available
- Windows Script Host, JScript, or JavaScript execution evidence on endpoints
- Browser, proxy, DNS, and web gateway logs related to user link clicks, search-result-driven access, downloads, and unusual external connections
- Endpoint file telemetry for downloaded, obfuscated, encoded, decoded, or newly created script and payload artifacts
Detection direction
- Validate correlation from malicious-link or SEO-poisoning-style web access into JavaScript execution and PowerShell follow-on activity on Windows hosts.
- Tune for suspicious script interpreters spawning PowerShell, discovery commands, download activity, or persistence changes, while accounting for legitimate administration scripts and software deployment tooling.
- Review whether endpoint controls expose process hollowing and PE injection signals; process-only alerting may miss activity when code runs inside another process.
- Treat obfuscation, standard encoding, and later deobfuscation as detection pivots, not just static signatures.
- Monitor for domain group discovery and system/network discovery shortly after script execution, because these behaviors may indicate triage of the victim environment before follow-on payloads.
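As an added illustration of the chain-based correlation described above (example code, not from the page, ATT&CK, or the cited reports), the following Python walks constructed Sysmon-style process-creation events, decodes a `-EncodedCommand` stager, and alerts only when a script-host process tree accumulates more than one Gootloader-relevant behaviour. Image paths, PIDs, the tag names and the stager text are assumptions.

```python
import base64
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
ENC_RE = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{8,})", re.I)
PS, WS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\Windows\System32\wscript.exe"

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def decode_encoded_command(cmdline):
    # -enc payloads are Base64 of UTF-16LE text; None when absent or malformed.
    m = ENC_RE.search(cmdline)
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le") if m else None
    except (ValueError, UnicodeDecodeError):
        return None

def tag_event(ev):
    # Behavioural tags for one process-creation event; no hashes or domains needed.
    tags, img, parent = set(), basename(ev["image"]), basename(ev["parent"])
    if img == "powershell.exe" and parent in SCRIPT_HOSTS:
        tags.add("script_host_spawns_powershell")  # T1059.007 handing off to T1059.001
    script = decode_encoded_command(ev["cmdline"])
    if script is not None:
        tags.add("encoded_powershell")
        if re.search(r"currentversion\\run", script, re.I):
            tags.add("run_key_persistence")  # T1547.001 written from the stager
        if "USERDNSDOMAIN" in script.upper():
            tags.add("domain_discovery")  # T1069.002 via %USERDNSDOMAIN%
    return tags

def detect_chains(events):
    # One alert per script-host root whose process subtree accumulates 2+ tags.
    tags = {e["pid"]: tag_event(e) for e in events}
    kids = {}
    for e in events:
        kids.setdefault(e["ppid"], []).append(e["pid"])
    def subtree(pid):
        return tags[pid].union(*(subtree(c) for c in kids.get(pid, [])))
    return {e["pid"]: subtree(e["pid"]) for e in events
            if basename(e["image"]) in SCRIPT_HOSTS and len(subtree(e["pid"])) >= 2}

# Constructed sample events in a Sysmon EventID 1 shape; the stager text is invented.
STAGER = "$d=$env:USERDNSDOMAIN; Set-ItemProperty HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run u 'powershell -w hidden'"
ENC = base64.b64encode(STAGER.encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"pid": 4312, "ppid": 2200, "image": WS, "parent": r"C:\Windows\explorer.exe", "cmdline": r'wscript.exe "C:\Users\jdoe\Downloads\agreement_template.js"'},
    {"pid": 4400, "ppid": 4312, "image": PS, "parent": WS, "cmdline": f"powershell.exe -w hidden -enc {ENC}"},
]
```

A lone PowerShell process started by explorer.exe with `-File` produces no tags, so administrative scripting does not trip the alert; the threshold of two tags under one script-host root is what turns single indicators into a chain.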
Mitigation priorities
- Reduce exposure to web-driven initial access with user training, safe browsing controls, download controls, and processes for reporting suspicious search-result or link-driven downloads.
- Harden Windows script execution and PowerShell usage according to business need, including limiting unnecessary scripting paths and improving logging before enforcement where operational risk is high.
- Apply application control or allowlisting strategies where feasible to reduce unapproved script and payload execution.
- Strengthen least privilege and identity hygiene so domain group discovery does not quickly reveal broadly privileged accounts or excessive access paths.
- Monitor and control persistence locations such as Registry Run Keys and Startup folders, and ensure changes are reviewable during incident response.
Analyst notes and limits
This take is based on ATT&CK S1138, its official description, external references, and listed technique relationships. The strongest supported framing is Gootloader as a Windows-focused JavaScript infection framework used for initial-access delivery, with relationships spanning execution, stealth, discovery, command and control, persistence, and resource development.
ATT&CK provides no official detection guidance, no aliases, no object-level tactics, and no indicators in the supplied fields. Local conclusions require environment-specific telemetry, asset context, web/proxy data, endpoint visibility, and incident evidence. Related technique platforms may include non-Windows platforms, but the Gootloader object itself is supplied with Windows as its platform.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1614 | System Location Discovery | Gootloader can use IP geolocation to determine if the person browsing to a compromised site is within a targeted territory such as the US, Canada, Germany, and South Korea. [2] |
| Enterprise | T1584.001 | Domains (sub-technique) | Gootloader has used compromised legitimate domains as a delivery network for malicious payloads. [2] |
| Enterprise | T1069.002 | Domain Groups (sub-technique) | Gootloader can determine if a targeted system is part of an Active Directory domain by expanding the %USERDNSDOMAIN% environment variable. [2] |
| Enterprise | T1584.006 | Web Services (sub-technique) | Gootloader can insert malicious scripts to compromise vulnerable content management systems (CMS). [2] |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder (sub-technique) | Gootloader can create an autorun entry for a PowerShell script to run at reboot. [1] |
| Enterprise | T1059.001 | PowerShell (sub-technique) | Gootloader can use an encoded PowerShell stager to write to the Registry for persistence. [1][2] |
| Enterprise | T1497.003 | Time Based Checks (sub-technique) | Gootloader can designate a sleep period of more than 22 seconds between stages of infection. [1] |
| Enterprise | T1614.001 | System Language Discovery (sub-technique) | Gootloader can determine if a victim's computer is running an operating system with specific language preferences. [1] |
| Enterprise | T1204.001 | Malicious Link (sub-technique) | Gootloader has been executed through malicious links presented to users as internet search results. [1][2] |
| Enterprise | T1082 | System Information Discovery | Gootloader can inspect the User-Agent string in GET request header information to determine the operating system of targeted systems. [1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Gootloader has the ability to decode and decrypt malicious payloads prior to execution. [1][2] |
| Enterprise | T1059.007 | JavaScript (sub-technique) | Gootloader can execute a JavaScript file for initial infection. [1][2] |
| Enterprise | T1055.002 | Portable Executable Injection (sub-technique) | Gootloader can use its own PE loader to execute payloads in memory. [1] |
| Enterprise | T1055.012 | Process Hollowing (sub-technique) | Gootloader can inject its Delphi executable into ImagingDevices.exe using a process hollowing technique. [1][2] |
| Enterprise | T1016 | System Network Configuration Discovery | Gootloader can use an embedded script to check the IP address of potential victims visiting compromised websites. [2] |
| Enterprise | T1132.001 | Standard Encoding (sub-technique) | Gootloader can retrieve a Base64 encoded stager from C2. [2] |
| Enterprise | T1105 | Ingress Tool Transfer | Gootloader can fetch second stage code from hardcoded web domains. [1][2] |
| Enterprise | T1027 | Obfuscated Files or Information | The Gootloader first stage script is obfuscated using random alphanumeric strings. [1][2] |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 667c46923223… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Sophos Gootloader: Szappanos, G. & Brandt, A. (2021, March 1). “Gootloader” expands its payload delivery options. Retrieved September 30, 2022.
- [2] SentinelOne Gootloader June 2021: Pirozzi, A. (2021, June 16). Gootloader: ‘Initial Access as a Service’ Platform Expands Its Search for High Value Targets. Retrieved May 28, 2024.
- [3] mitre-attack S1138.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.