I am Goot (Loader)
ID: cd95b7fd-d758-5c72-8902-fe5232d16c2a
STIX ID: report--cd95b7fd-d758-5c72-8902-fe5232d16c2a
Feed Name: Cybereason Blog
This Cybereason Threat Analysis examines active GootLoader operations (including GootLoader 3.0) attributed to UNC2565, describing SEO-poisoned drive-by distribution of obfuscated JavaScript leading to a three-stage execution chain (JavaScript → scheduled task → PowerShell) that performs discovery, C2 communication, and delivers post-exploitation tools such as Cobalt Strike and ransomware; the report provides technical code-level analysis, version comparisons, MITRE ATT&CK mappings, and detection/evasion details.
