The delivery system for the Gootkit information stealer has evolved into a complex and stealthy framework, which earned it the name Gootloader, and is now pushing a wider variety of malware via hacked WordPress sites and malicious SEO techniques for Google results.
Apart from increasing the number of payloads, Gootloader has been seen distributing them across multiple regions from hundreds of hacked servers that are active at all times.
Malware campaigns relying on Gootloader’s mechanism have been spotted last delivering REvil ransomware to targets in Germany. The activity marked a restart of Gootkit operations that took a long break after a data leak towards the end of 2019.
Source: Bleeping Computer