RST TI Report Digest: 10 Nov 2025
ID: 5850d7ab-cd13-5f76-9ae1-6ac6bc88b45f
STIX ID: report--5850d7ab-cd13-5f76-9ae1-6ac6bc88b45f
Feed Name: RST Cloud Blog
GootLoader, attributed to UNC2565 (Storm-0494), has re-emerged using SEO poisoning and a dual-personality ZIP evasion technique to distribute malicious JScript that leads to further payloads. The campaign targets users searching for business document templates and does not rely on CVE exploitation; instead it uses compromised legitimate WordPress sites for delivery and the Startup folder for persistence. The report provides numerous IOCs (IPs, domains, URLs, SHA-256 hashes) and warns that the loader supports ransomware affiliates as part of an Access-as-a-Service ecosystem.
