Detection of a new GootLoader variant actively being used by adversaries earlier this year led to a broad threat hunting campaign by Sophos X-Ops MDR for GootLoader instances across customer environments. As is typical of GootLoader, the new variant was found to be using SEO poisoning—the use of search engine optimization tactics to put malicious websites controlled by GootLoader’s operators high in the results for specific search terms—to deliver the new, JavaScript-based GootLoader package. In this case, we found the GootLoader actors using search results for information about a particular cat and a particular geography to deliver the payload: “Are Bengal Cats legal in Australia?”