Also known as: Waldek, Xswkit, talalpek, Trojan-Downloader.Win32.Injecter, Trojan.Win32.Generic, Trojan-Downloader.Win32.Gootkit, Trojan-Banker.Win32.Gootkit
Category: Malware
Type: Remote access trojan (RAT), banking trojan, backdoor, keylogger, loader
Platform: Windows
Variants: Multiple (new variants created daily)
Damage potential: Stolen financial information, camera hijacking, taking unauthorized screenshots, web injection, keylogging, opening backdoors for other malware (like ransomware)
Overview
Gootkit is an advanced banking trojan first discovered in 2014 and operated by a Russian-speaking hacker group. Gootkit targets Windows devices in the financial, legal, healthcare, and other critical sectors. Once on a system, it can log keystrokes, take screenshots, hijack the camera, perform man-in-the-browser attacks, and even download other malware. All Gootkit variants consist of two modules — an x86 loader and the core DLL component.
Possible symptoms
Gootkit is renowned for its ability to evade detection and operate beneath suspicion, surpassing even other trojans in stealth. It can bypass standard antivirus checks and send data in a way that may not trigger network detection mechanisms.
Possible indicators of a Gootkit infection include:
- Your device frequently freezes or stutters.
- You realize you’ve been redirected to a fake website after clicking a legitimate link.
- Other malware appears on your device without a known cause.
- Your device’s fan seems to be constantly on, even when the device is idle.
- Your device periodically sends data to unknown remote servers (Gootkit is contacting its control servers).
Sources of the infection
Initially, Gootkit was spread through infected email attachments (either .zip archives or Microsoft Word documents). More recently, Gootkit has spread through files downloaded from compromised websites that have been deliberately moved to the front of search engine rankings through SEO poisoning. These websites target specific demographics (like legal or financial sector workers) and disguise the Gootkit loader as desirable files (such as .pdf guides).
Your device may also get infected with Gootkit from:
- Infected files shared through messaging platforms.
- Infected files downloaded from cloud storage or online repositories.
- Other viruses that drop Gootkit as part of their operations.
- Exploit kits (like Spelovo or RIG.)
- Drive-by downloading (malicious scripts on compromised websites that force your device to automatically download malware when the page loads).
- Peer-to-peer (P2P) sharing of infected files.
- Infected external devices, such as hard drives or USB sticks.
Protection
Traditional cybersecurity measures may not be enough to protect you from Gootkit once it has found its way into your system — in this case, the best defense is practicing good cyber hygiene. Learn to recognize spam emails, avoid opening suspicious attachments, always check if the page you’re on is legitimate, and scan any file you download for malware before running it.
Other protective measures include:
- Use email scanning tools to identify and automatically block messages with suspicious attachments.
- Use multi-factor authentication to protect your accounts in the event that someone steals your password using Gootkit.
- Avoid potentially dangerous websites like dark web pages or torrent repositories. In certain situations, these websites may attempt to download malware (including Gootkit) to your device by exploiting vulnerabilities.
- Use NordVPN’s Threat Protection Pro™. This feature includes tools such as scam and fraud alert or a malware blocker to enhance protection against malicious websites and prevent drive-by download attacks.
Removal
Gootkit is notoriously difficult to remove, deploying several sophisticated persistence mechanisms to continue operations. Do not attempt to remove Gootkit manually — use a reliable antivirus instead. In some cases, the Gootkit infection is so severe that the only way to get rid of it is by performing a factory reset.