In the intricate realm of cyber threats, GootLoader emerges as a formidable challenge. This article delves deep into the intricacies of decoding its payloads and obfuscations.

Equipped with hands-on scripts and tools, we aim to guide cybersecurity enthusiasts and professionals through the maze of GootLoader. Get ready for an informative journey.

  • – automatically decodes .js files using static analysis (recommended)
  • – automatically decodes .js files using dynamic analysis
  • – used to manually decode .js files using dynamic analysis
  • – automatically decodes reg payload exports
  • GootloaderWindowsRegDecode.ps1 – Directly decodes a payload from the registry.


JavaScript Decoding

Automated Decoding

Run the script against the .js file.

python "evil.js"

The script will output the files below:

  • FileAndTaskData.txt – Contains the names of the scheduled task and dropped files.
  • DecodedJsPayload.js_ – The decoded payload that runs a PowerShell command. You can use CyberChef's Generic Code Beautify operation to make the content easier to read.

If the static script stops working, you can attempt to use the dynamic version of the script. Be aware that the dynamic script executes part of the GootLoader code, so it should only be run in an isolated environment.
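The static decoder described above never executes the sample: it reads the string fragments out of the script, puts them back in the order the concatenation expression dictates, and reverses the character shuffle. The following Python is an added example written for this article, not the project's own decoder. It assumes a constructed obfuscation pattern (fragments assigned to variables in shuffled order, joined with `+`, then passed through an odd/even character descrambler `k()`); the descrambling rule, the sample script, and the function names are assumptions for illustration and are not taken from a real GootLoader file.

```python
import random
import re

# Assumed descrambling rule for this example: odd-index characters are appended,
# even-index characters are prepended. Not a claim about a specific GootLoader build.
def unscramble(s: str) -> str:
    out = ""
    for i, ch in enumerate(s):
        out = out + ch if i % 2 == 1 else ch + out
    return out

def scramble(plain: str) -> str:
    """Inverse of unscramble(); used only to build constructed test samples."""
    e = (len(plain) + 1) // 2            # number of even-index slots in the scrambled text
    evens = plain[:e][::-1]              # prepended chars come out reversed, so reverse them back
    odds = plain[e:]
    return "".join(evens[i // 2] if i % 2 == 0 else odds[i // 2] for i in range(len(plain)))

# Static extraction: string assignments and variable concatenation chains.
STR_ASSIGN = re.compile(r'\b(?:var\s+)?(\w+)\s*=\s*"((?:\\.|[^"\\])*)"\s*;')
CONCAT = re.compile(r'\b(?:var\s+)?(\w+)\s*=\s*((?:\w+\s*\+\s*)+\w+)\s*;')
ESCAPES = {"n": "\n", "t": "\t", "r": "\r"}

def js_unescape(lit: str) -> str:
    """Resolve simple JS string escapes (\\", \\\\, \\n ...) without evaluating anything."""
    return re.sub(r'\\(.)', lambda m: ESCAPES.get(m.group(1), m.group(1)), lit)

def decode_js(js: str) -> str:
    """Recover the plaintext stage from the obfuscated script using only text analysis."""
    strings = {name: js_unescape(val) for name, val in STR_ASSIGN.findall(js)}
    concats = CONCAT.findall(js)
    if not concats:
        raise ValueError("no concatenation expression found; obfuscation may have changed")
    # The chain with the most operands is the one that reassembles the payload.
    _, expr = max(concats, key=lambda t: t[1].count("+"))
    parts = [p.strip() for p in expr.split("+")]
    missing = [p for p in parts if p not in strings]
    if missing:
        raise ValueError(f"unresolved fragments: {missing}")
    return unscramble("".join(strings[p] for p in parts))

# Constructed obfuscated sample (hypothetical; not from a real GootLoader file).
# Declarations are out of order; only the concatenation order matters.
SAMPLE_JS = r'''
function k(s) { var r = ""; for (var i = 0; i < s.length; i++) { if (i % 2 == 1) { r = r + s[i]; } else { r = s[i] + r; } } return r; }
var c2 = "x;";
var c0 = ";y1";
var c1 = "==2";
var all = c0 + c1 + c2;
eval(k(all));
'''

def build_sample(plain: str, n_chunks: int = 5, seed: int = 1) -> str:
    """Build a constructed obfuscated script from a plaintext stage, for testing the decoder."""
    rnd = random.Random(seed)
    s = scramble(plain)
    cuts = sorted(rnd.sample(range(1, len(s)), n_chunks - 1))
    chunks = [s[a:b] for a, b in zip([0] + cuts, cuts + [len(s)])]
    names = [f"v{i}" for i in range(len(chunks))]
    decls = []
    for n, c in zip(names, chunks):
        c = c.replace("\\", "\\\\").replace('"', '\\"')
        decls.append(f'var {n} = "{c}";')
    rnd.shuffle(decls)                   # declaration order carries no information
    return "\n".join(decls) + f"\nvar joined = {' + '.join(names)};\neval(k(joined));\n"

if __name__ == "__main__":
    print(decode_js(SAMPLE_JS))          # prints the recovered stage: x=1;y=2;
```

Because the decoder only pattern-matches the source text, a sample that changes its variable naming or fragment layout makes `decode_js` raise instead of silently producing garbage; that is the point at which the article suggests falling back to the dynamic script in an isolated environment.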

Manual Decoding

Sometimes the GootLoader JS obfuscation changes and the script stops working. In those instances, follow the instructions found at

Sample MD5s:

Gootloader Obfuscation Variant 2:

Gootloader Obfuscation Variant 3:

Registry Payload Decoding


  1. On the left menu go to Agent Events\Registry Key Events
  2. Filter on the following:
    • Change Type: value change
      • The specific path might change, but you should end up with two sets of keys, one called ...\Phone\UserName\... and one called ...\Phone\UserName0\....
  3. Select all the rows that have something in the Text Data field.
  4. Right click and select “Copy with Headers”.
  5. Paste the text into a text document and save it as a CSV.

Decoding The CSV File

  1. Transfer the CSV and Python scripts to the same machine
  2. Run the command below:
python "regExport.csv"

  3. The script should generate two files, payload1.dll_ and payload2.exe_.
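The registry export step above produces rows of value-change events whose Text Data fields are the payload chunks. The Python below is an added example written for this article, not the project's script. It shows the reassembly logic a defender needs: keep only value-change rows with data, keep the last write per value name (an EDR export often records several writes to the same value), group by the ...\Phone\UserName\ and ...\Phone\UserName0\ key paths, order the chunks by their numeric value names, and refuse to emit a file when a chunk is missing. The column names, the sample rows, the plain-hex chunk encoding and the mapping of UserName to payload1.dll_ and UserName0 to payload2.exe_ are assumptions of this example; the page does not describe the real chunk transformation.

```python
import csv
import io
import os
from collections import defaultdict

# Constructed EDR export (hypothetical column names and values). Chunks are plain hex
# here, which is an assumption of this example only. The second write to value 1
# supersedes the first, and the key-create row carries no data.
SAMPLE_CSV = r"""Timestamp,Change Type,Key Path,Value Name,Text Data
2024-01-01T10:00:00Z,key create,HKCU\Software\Microsoft\Phone\UserName,,
2024-01-01T10:00:01Z,value change,HKCU\Software\Microsoft\Phone\UserName,0,4d5a9000
2024-01-01T10:00:02Z,value change,HKCU\Software\Microsoft\Phone\UserName,1,deadbeef
2024-01-01T10:00:03Z,value change,HKCU\Software\Microsoft\Phone\UserName,1,0300000004000000
2024-01-01T10:00:04Z,value change,HKCU\Software\Microsoft\Phone\UserName,2,ffff0000
2024-01-01T10:00:05Z,value change,HKCU\Software\Microsoft\Phone\UserName0,0,4d5a0000
2024-01-01T10:00:06Z,value change,HKCU\Software\Microsoft\Phone\UserName0,1,50450000
"""

# Assumed output naming, following the file names the article says the script produces.
# The trailing underscore keeps the files from being double-clicked into execution.
OUTPUT_NAMES = {"UserName": "payload1.dll_", "UserName0": "payload2.exe_"}

def collect_chunks(csv_text: str) -> dict:
    """Return {key_path: {value_index: hex_text}}, keeping the last write per value."""
    chains = defaultdict(dict)
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    rows.sort(key=lambda r: r["Timestamp"])      # process events in order so later writes win
    for r in rows:
        if r["Change Type"].strip().lower() != "value change" or not r["Text Data"].strip():
            continue
        if "\\Phone\\" not in r["Key Path"]:
            continue
        try:
            idx = int(r["Value Name"])
        except ValueError:
            continue                             # non-numeric value names are not chunks
        chains[r["Key Path"].rstrip("\\")][idx] = r["Text Data"].strip()
    return chains

def reassemble(chain: dict) -> bytes:
    """Join chunks 0..n-1 in order; refuse to produce a file with a hole in it."""
    expected = list(range(len(chain)))
    if sorted(chain) != expected:
        raise ValueError(f"missing chunks: have {sorted(chain)}")
    return bytes.fromhex("".join(chain[i] for i in expected))

def decode_export(csv_text: str) -> dict:
    """Map the leaf key name (UserName / UserName0) to the reassembled bytes."""
    out = {}
    for key, chain in sorted(collect_chunks(csv_text).items()):
        blob = reassemble(chain)
        if blob[:2] != b"MZ":
            raise ValueError(f"{key}: reassembled data does not start with a PE header")
        out[key.rsplit("\\", 1)[-1]] = blob
    return out

def write_payloads(decoded: dict, outdir: str = ".") -> list:
    """Write each blob under its assumed output name and return the paths written."""
    paths = []
    for leaf, blob in decoded.items():
        path = os.path.join(outdir, OUTPUT_NAMES.get(leaf, f"{leaf}.bin_"))
        with open(path, "wb") as fh:
            fh.write(blob)
        paths.append(path)
    return paths

if __name__ == "__main__":
    for leaf, blob in decode_export(SAMPLE_CSV).items():
        print(leaf, len(blob), "bytes, header", blob[:4].hex())
```

Run it against a real export by reading the CSV into `decode_export` and then calling `write_payloads`; if the product's column headers differ, adjust the four field names used in `collect_chunks`. The PE-header check is a cheap sanity test that the ordering and decoding were right before the output is handed to further analysis.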

Published by Tamil S

Tamil has a great interest in the fields of Cyber Security, OSINT, and CTF projects. Currently, he is deeply involved in researching and publishing various security tools with Kali Linux Tutorials, which is quite fascinating.
