
Gootkit

Also known as: Waldek, Xswkit, talalpek

Gootkit is a banking trojan consisting of an x86 loader and a payload that embeds Node.js together with a set of JavaScript scripts. The loader downloads the payload, stores it in the registry and injects it into a copy of the loader process. The loader also contains two encrypted DLLs intended to be injected into every browser process that is launched, placing the payload in a man-in-the-browser position so it can apply the webinjects received from the command-and-control server to HTTP(S) exchanges. This allows Gootkit to intercept HTTP(S) requests and responses and to steal or modify their content according to the webinjects.

C2 Infrastructure

Hosting type: Hosting/VPS 100%

Last 7 days (as of Jun 2, 2026): 11 C2 hosts

Further Reading

blog.cert.societegenerale.com
blog.trendmicro.com
vkremez.com
5556002.fs1.hubspotusercontent-na1.net
blog.malwarebytes.com
blogs.blackberry.com
connect.ed-diamond.com
dannyquist.github.io
dissectingmalwa.re
forums.juniper.net
github.com
labs.sentinelone.com
news.drweb.com
news.sophos.com
resource.redcanary.com
securelist.com
securityintelligence.com
thedfirreport.com
twitter.com
unit42.paloaltonetworks.com
certego.net
cronup.com
f5.com
s21sec.com
sentinelone.com
trendmicro.com
us-cert.gov
youtube.com