Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Several Law Firms Targeted in Malware Attacks

In January and February 2023, six law firms were targeted with the GootLoader and SocGholish malware in two separate campaigns.

In January and February 2023, six law firms were targeted with the GootLoader and SocGholish malware in two separate campaigns, cybersecurity firm eSentire reports.

Targeting law firm employees, the first campaign aimed to infect victims’ devices with GootLoader, a malware family known for downloading the GootKit remote access trojan (RAT), REvil ransomware, or the Cobalt Strike implant.

According to eSentire, the attacks appear focused on espionage and exfiltration activities, given that none of the observed GootLoader infections in 2022 deployed ransomware.

For initial access, the attackers relied on search engine optimization (SEO) poisoning, adding blog posts to a compromised legitimate WordPress website.

The GootLoader-infected blogs featured legal keywords to attract law firm employees and to increase their rankings in search results.

Visitors were directed to a fake forum page encouraging them to download an alleged agreement template or contract template, but were served the GootLoader malware instead.

“The increased absence of ransomware being deployed in these attacks, while maintaining success in infecting legal firms, and a willingness to engage in hands-on intrusions, suggests the possibility that the GootLoader operations have shifted to not only supporting financially-motivated attacks but also supporting politically-motivated and cyber espionage operations,” eSentire researcher Keegan Keplinger says.

As part of the second campaign, the attackers targeted law firm employees and other business professionals with the SocGholish malware, which is also known as FakeUpdates.

Typically used by initial access brokers, SocGholish allows attackers to perform reconnaissance and deploy additional payloads, including Cobalt Strike. Recently, the malware was also seen deploying the LockBit ransomware.

The observed attacks relied on poisoned domains, including the hijacked website of a business offering notary public services in Miami. The compromised website displayed a pop-up notification informing visitors they should update the Chrome browser, but serving the SocGholish malware instead.

“By infecting a large number of lower traffic sites, SocGholish operators capture the occasional high-value victim website from their infections. For example, the Notary Public website was frequented by legal firms. These visitors are considered high value,” eSentire notes.

Related: Recent GootLoader Campaign Targets Law, Accounting Firms

Related: A Deep Dive Into the Growing GootLoader Threat

Related: Over 250 US News Websites Deliver Malware via Supply Chain Attack

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


More than 3,800 servers around the world have been compromised in recent ESXiArgs ransomware attacks, which also include an improved process.

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.