CYBERCROOKS ARE TARGETING BENGAL CAT LOVERS IN AUSTRALIA FOR SOME REASON
Source: The Register (Extract)
Posted: November 6, 2024
After a series of reports detailing its ongoing battle with Chinese cyberattackers, Sophos has revealed a peculiar new finding about a well-known malware strain, Gootloader, which seems to be targeting an unexpected group of victims.
Descended from the Gootkit banking trojan, which was first seen in 2014, Gootloader has been a staple of the malware-loader world, often acting as the precursor to more damaging attacks, including ransomware. Financially motivated cybercriminals traditionally either cast a wide net or go after high-value targets like banks and cryptocurrency investors. But Sophos’ latest discovery has a surprising twist: Gootloader is now being used to target Australian enthusiasts of Bengal cats.
The malware is typically deployed using SEO poisoning, where attackers manipulate search engine rankings so that a page they control appears near the top of results for a chosen query, luring unsuspecting victims into downloading malicious files. Sophos launched an investigation after a new variant of Gootloader surfaced in March, discovering that the malware was targeting users who searched for queries such as “Are Bengal cats legal in Australia?”
In one case, the researchers showed how an SEO-poisoned forum appeared as the top search result. The forum contained posts with hyperlinked text that, when clicked, immediately triggered the download of a suspicious ZIP archive, which delivered the first stage of the malware. The user’s browser was also redirected to a different website that dropped a large JavaScript file, and running it caused multiple processes to spin up on the victim’s machine.
Among these processes, the researchers found signs of the attackers establishing persistence and using PowerShell commands to deploy Gootkit, the third stage of the chain. Gootkit then serves as a gateway for more dangerous tools, such as Cobalt Strike and ransomware.
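The chain described above (a downloaded script that launches PowerShell, which then fetches later stages) is the kind of parent-child relationship an endpoint detection rule can key on. The following is an added example, not code from The Register or from Sophos’ report: a small detector run over constructed process-creation events. It assumes that the JavaScript extracted from the ZIP is executed by the Windows Script Host (wscript.exe or cscript.exe), which is how Windows runs a double-clicked .js file; the article itself does not name the script host, the download folder, or the PowerShell switches, so those details in the sample data are assumptions.

```python
# Added example: flag a Windows Script Host process that runs a script from a
# user-writable folder and then spawns PowerShell. Event shape and sample
# events are constructed for illustration; nothing here is a real indicator.
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (a subset of Sysmon Event ID 1 fields)."""
    pid: int
    ppid: int
    image: str      # full path of the new process
    cmdline: str    # its command line


# Assumption: the .js dropped from the ZIP runs under one of these hosts.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
SCRIPT_EXT = re.compile(r"\.(?:js|jse|wsf|vbs)\b", re.IGNORECASE)
# Folders a browser download or ZIP extraction typically lands in.
USER_WRITABLE = re.compile(r"\\(?:Downloads|Desktop|Temp|AppData\\Local\\Temp)\\", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_user_script_host(ev: ProcEvent) -> bool:
    """True when a script host is running a script that lives in a user-writable folder."""
    return (
        basename(ev.image) in SCRIPT_HOSTS
        and SCRIPT_EXT.search(ev.cmdline) is not None
        and USER_WRITABLE.search(ev.cmdline) is not None
    )


def find_loader_chains(events):
    """Return (script_host_pid, powershell_pid, script_cmdline) for every
    PowerShell process whose parent is a user-launched script host."""
    by_pid = {ev.pid: ev for ev in events}
    hits = []
    for ev in events:
        if basename(ev.image) not in POWERSHELL:
            continue
        parent = by_pid.get(ev.ppid)
        if parent is not None and is_user_script_host(parent):
            hits.append((parent.pid, ev.pid, parent.cmdline))
    return hits


# Constructed sample telemetry: one suspicious chain, one legitimate admin
# script (system path, so not flagged), one PowerShell started from Explorer.
SAMPLE_EVENTS = [
    ProcEvent(1000, 500, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(2000, 1000, r"C:\Windows\System32\wscript.exe",
              r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\question_reply\question_reply.js"'),
    ProcEvent(2001, 2000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell.exe -WindowStyle Hidden -NoProfile -Command "..."'),
    ProcEvent(3000, 700, r"C:\Windows\System32\cscript.exe",
              r'cscript.exe C:\Windows\System32\slmgr.vbs /dlv'),
    ProcEvent(3001, 3000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -Command Get-Date"),
    ProcEvent(4000, 1000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe"),
]


if __name__ == "__main__":
    for host_pid, ps_pid, cmd in find_loader_chains(SAMPLE_EVENTS):
        print(f"script host {host_pid} -> powershell {ps_pid}: {cmd}")
```

Only the wscript.exe process launched from the Downloads folder is reported; the cscript.exe run of a script under System32 is ignored even though it also spawns PowerShell, which keeps routine administration out of the alert queue. In production the same rule would be fed from Sysmon or EDR process events rather than the inline list.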
According to Sophos, Gootloader is part of a broader trend of malware-as-a-service operations that rely heavily on search engine manipulation to distribute malicious payloads. “SEO manipulation and abusing search engine advertising to trick victims into downloading malware loaders have been tactics of Gootloader since at least 2020,” the researchers explained. “We’ve also seen similar tactics used by other malware-as-a-service operations, such as Raccoon Stealer.”
“But we’ve seen continued growth in this method of initial compromise, with several large-scale campaigns utilizing this technique over the past year.”
This discovery highlights the ongoing use of search engine manipulation as a powerful tool for cybercriminals to deploy malware, with Gootloader continuing to evolve and target ever more niche groups.
SEO poisoning and malvertising often go hand-in-hand, but the latter has recently garnered particular attention from researchers and national security agencies alike.
NCC Group highlighted earlier this year that malvertising remains a popular tactic within the cybercrime ecosystem, benefiting both initial access brokers (IABs) and ransomware operators.
Malvertising typically involves buying search or display ads that promote websites hosting trojanized versions of legitimate apps. These apps often function as infostealers, harvesting credentials that are then sent back to IABs, who in turn sell the stolen data. Their main clientele? Ransomware affiliates looking for ways to launch attacks on high-value targets.
Last year, researchers discussed how ALPHV/BlackCat, once a prominent figure in the ransomware world, used malvertising tactics as part of its affiliates’ initial access process.
As recently as today, the day of publication, national cybersecurity agencies like the UK’s NCSC are collaborating with advertisers to combat the growing threat of malvertising, given its strong link to ransomware attacks.
Naturally, Google has faced criticism for “allowing” this activity to proliferate through its search engine results. However, the company consistently defends its position, stressing that malvertising violates its policies and that reported sites are often delisted from search results.