Don’t Drink from That! Gootloader Watering Hole Leads to REvil Attack

Arete Analysis

Threat Actors

REvil, more commonly referred to as Sodinokibi, is one of the most prolific ransomware threat groups currently active in the cyber extortion space. In the past year alone, Arete has responded to countless incidents where REvil has facilitated cyberattacks against client sites.

From our investigations, we have curated and documented threat intelligence to better understand the group’s tactics, techniques, and procedures (TTPs). Based on incident analysis, the threat group primarily leverages three main vectors to gain initial access to targeted environments:

  • Exploiting externally facing, unsecured Remote Desktop Protocol (RDP).

  • Using access to a compromised remote management platform, such as ScreenConnect/ConnectWise or NinjaRMM.

  • Using compromised VPN appliances.

Other entry and deployment methodologies have been employed previously by the REvil group, such as the WinRAR Italia distributor supply chain attack in June 2019. However, based on the numerous REvil attacks we have responded to since the group’s inception, the methodologies above are those most commonly leveraged by the REvil threat group.

During a recent incident, however, we noted an interesting change in the group’s initial access tactics: they leveraged a successful Cobalt Strike compromise that had been introduced into the victim environment through the execution of Gootloader, which was downloaded from a fraudulent messaging forum.

Arete Analysis

During our investigation, we identified the root cause of this incident as a successful watering hole attack that had impacted an employee workstation.

While conducting an online search for legal contract agreements specific to septic systems, the employee selected a site that a Google search had returned. Unbeknownst to the employee, threat actors had compromised the site, configuring it to display a malicious web page designed to look like an active messaging forum.

As shown below, the forum’s first post appeared to come from a user — display name “Emma Hill” — who had requested the same type of legal contract agreement that the employee had been searching for. The web page also made it seem that another user — display name “Admin” — had replied to the initial post, providing a direct download link to the requested document.


Figure 1: Malicious web page that appears to show a legitimate messaging forum

In this case, the hyperlinked text pointed to an external domain hosting a PHP script named down.php. When clicked, the link issued a request to that script, which automatically served a ZIP archive containing a highly obfuscated JavaScript file. The JavaScript file had the same name as the ZIP archive. The content of this JavaScript file is shown below:

Figure 2: JavaScript file

Based on our analysis, and on the fact that Cobalt Strike indicators appeared on the endpoint less than an hour later, we attributed this JavaScript file to the Gootkit Remote Access Trojan (RAT), which was then used to introduce a secondary payload, Cobalt Strike, into the victim environment. A REvil threat actor leveraged this initial compromise to gain access to the organization’s environment and, approximately eight (8) days later, deployed the REvil ransomware.
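As an added example, not part of Arete's report, the delivery pattern described above (a ZIP whose only member is a script file carrying the archive's own name) can be checked mechanically before an archive reaches a user. The archive names, payload bytes and the two-reason threshold are constructed for illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Script extensions the Windows Script Host or mshta runs when double-clicked.
SCRIPT_EXTS = {".js", ".jse", ".wsf", ".vbs", ".vbe", ".hta"}

def inspect_script_archive(archive_name: str, data: bytes) -> dict:
    """Flag a ZIP that matches the lure pattern: a script member, especially one
    whose name mirrors the archive, shipped as the only content."""
    stem = PurePosixPath(archive_name).stem.lower()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = [m.filename for m in zf.infolist() if not m.is_dir()]
    scripts = [m for m in members if PurePosixPath(m).suffix.lower() in SCRIPT_EXTS]
    reasons = []
    if scripts:
        reasons.append("script_member")
    if any(PurePosixPath(m).stem.lower() == stem for m in scripts):
        reasons.append("script_named_like_archive")
    if len(members) == 1 and scripts:
        reasons.append("single_member_script")
    # Constructed threshold: two independent signals before raising an alert.
    return {"members": members, "reasons": reasons, "suspicious": len(reasons) >= 2}

def build_zip(member_name: str, payload: bytes) -> bytes:
    """Build an in-memory single-member ZIP (used here only to construct samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()

# Constructed samples: a lure-style archive and a benign one with the same archive name.
LURE_ZIP = build_zip("septic_contract_agreement.js", b"var a=[];/* obfuscated placeholder */")
BENIGN_ZIP = build_zip("septic_contract_agreement.pdf", b"%PDF-1.4 placeholder")

if __name__ == "__main__":
    print(inspect_script_archive("septic_contract_agreement.zip", LURE_ZIP))
    print(inspect_script_archive("septic_contract_agreement.zip", BENIGN_ZIP))
```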

Another interesting observation from the analysis of this web page was that, when the site was visited again from the same IP address within a short period, the page redirected the user to a different web page, one whose title was indicative of the legal contract the user had been searching for. This second page was simply a veil designed to shroud the site’s compromise and suppress any user suspicions.

Figure 3: Web page after initial site visitation

Indicators

Based on analysis performed during this engagement, Arete has compiled a list of indicators for public use and incorporation into security infrastructure.


Watering Hole Communication Strings

  • Hi, I am looking to*A friend of mine told me he had seen it on your forum. I will appreciate any help here.

  • Here is a direct download link,

  • Thank you so much for your response! This is exactly what Ive been looking for

  • Thank you, Admin

  • Issue resolved. The ticket can be closed.
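As an added example, not from the original report, the communication strings above can be turned into a scanner for fetched page content: the "*" in the first string is treated as a wildcard, and anchor links pointing at a down.php script (the delivery pattern described earlier) are collected alongside the text matches. The HTML sample and the forum-download.example hostname are constructed, not captured.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Lure strings listed in the report; "*" stands for arbitrary text in between.
FORUM_STRINGS = [
    "Hi, I am looking to*A friend of mine told me he had seen it on your forum. I will appreciate any help here.",
    "Here is a direct download link,",
    "Thank you so much for your response! This is exactly what Ive been looking for",
    "Thank you, Admin",
    "Issue resolved. The ticket can be closed.",
]

def wildcard_to_regex(pattern: str) -> re.Pattern:
    """Turn a '*'-wildcard indicator into a case-insensitive regex that spans line breaks."""
    return re.compile(".*?".join(re.escape(p) for p in pattern.split("*")), re.IGNORECASE | re.DOTALL)

class _PageScanner(HTMLParser):
    """Collect visible text and anchor hrefs from an HTML document."""
    def __init__(self):
        super().__init__()
        self.text, self.hrefs = [], []
    def handle_starttag(self, tag, attrs):
        self.hrefs.extend(v for k, v in attrs if tag == "a" and k == "href" and v)
    def handle_data(self, data):
        self.text.append(data)

def scan_forum_page(html: str) -> dict:
    """Score a fetched page against the lure strings and the down.php delivery pattern."""
    scanner = _PageScanner()
    scanner.feed(html)
    text = re.sub(r"\s+", " ", " ".join(scanner.text))  # collapse whitespace across tags
    matched = [s for s in FORUM_STRINGS if wildcard_to_regex(s).search(text)]
    php_links = [h for h in scanner.hrefs if urlparse(h).path.lower().endswith("/down.php")]
    verdict = "watering_hole_lure" if len(matched) >= 2 or (matched and php_links) else "no_match"
    return {"matched_strings": matched, "download_php_links": php_links, "verdict": verdict}

# Constructed sample page (not a capture) reproducing the thread layout described in the report.
SAMPLE_HTML = """<html><body>
<div class="post"><b>Emma Hill</b> Hi, I am looking to find a septic system contract agreement template.
A friend of mine told me he had seen it on your forum. I will appreciate any help here.</div>
<div class="post"><b>Admin</b> Here is a direct download link,
<a href="https://forum-download.example/down.php?id=1234">septic_contract_agreement.zip</a></div>
<div class="post"><b>Emma Hill</b> Thank you so much for your response! This is exactly what Ive been looking for</div>
<div class="post"><b>Emma Hill</b> Thank you, Admin</div>
<div class="post"><b>Admin</b> Issue resolved. The ticket can be closed.</div>
</body></html>"""

if __name__ == "__main__":
    print(scan_forum_page(SAMPLE_HTML))
```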

Fraudulent Forum – Full
