During the threat hunt campaign, MDR discovered a .zip archive used to deliver GootLoader’s first-stage payload while reviewing an impacted user’s browser history. This allowed MDR to identify the compromised website that was hosting the malicious payload. This report highlights the MDR investigation process and the technical details of the uncovered GootLoader campaign.