
SEO Poisoning to Domain Control: The Gootloader Saga Continues

ID: 8c794dea-9a7b-5f76-b402-d1bf430509a6

STIX ID: report--8c794dea-9a7b-5f76-b402-d1bf430509a6

Feed Name: The DFIR Report

Threat Score: 78/100

Date Published: 2024-02-26

Date Updated: 2026-04-19

Author: editor

...
...

In February 2023 a user downloaded an SEO-poisoned “Implied Employment Agreement” document, which initiated a Gootloader multistage infection. Gootloader staged a Cobalt Strike beacon that ran in memory from a payload stored in the registry, and the attacker deployed a PowerShell variant of SystemBC to establish a SOCKS proxy that tunneled RDP into the environment. The operator used Cobalt Strike and SMB/remote service techniques to move laterally, attempted to disable Windows Defender, accessed LSASS memory to harvest credentials, and interactively browsed sensitive shares on domain controllers and backup servers. The report includes payload hashes, C2 IPs, beacon configurations, network indicators, and detection rules; data exfiltration was not confirmed.
