How Website Fonts Can Spread Malware

By Archetype SC
ASC Staff

Most business owners think of their website as a digital brochure. It’s there to tell your story, show your locations, and maybe collect a few leads. What it’s not supposed to do is quietly help attackers drop malware onto someone’s computer.

Unfortunately, that’s exactly what’s happening in a new wave of attacks involving the Gootloader malware family.

Recent research shows Gootloader is back after a quiet period, and this time it’s using a clever trick: hiding malicious code inside custom web fonts on compromised WordPress sites. (TechRadar)

Let’s break down what that means in plain language and what you can do about it.

What Is Gootloader, in Non-Technical Terms?

Gootloader is a type of malware whose main job is to open the door for more serious attacks.

On the surface, it looks like a harmless download—often a document, ZIP file, or script a user grabs when searching for legal forms, templates, or technical documents. Behind the scenes, once a user runs that file, Gootloader:

  • Gives attackers remote access to the system

  • Lets them move deeper into the network

  • Is often used as a stepping stone to deploy ransomware or other backdoors

Security teams have been tracking Gootloader for years, and it’s known for using SEO poisoning—manipulating search results so malicious pages rank highly for specific searches. (Avast Blog)

The new twist is how it’s hiding itself.

The New Trick: Hiding Malware in Web Fonts on WordPress Sites

In the latest campaign, attackers are:

  • Breaking into legitimate WordPress sites. These might belong to businesses that did nothing wrong other than having weak passwords, outdated plugins, or vulnerable themes.

  • Injecting malicious JavaScript into the site. Instead of putting obvious code directly in the page, they hide it in a custom web font file (WOFF2) that the page loads to display its text.

  • Using the font to mask download links and filenames. The malicious code and filenames only reveal themselves correctly when the browser renders the font. To a casual reviewer—or even some security tools—the HTML and text look harmless or unreadable. (Huntress)

  • Triggering a download that leads to compromise. Visitors who click fake “download” or “agreement” links on those pages may end up running Gootloader, which can lead to full network compromise in a matter of hours. In recent cases, attackers have reached a company’s domain controller in about 17 hours. (SC Media / Huntress)

So from the outside, a user might just see:

“Click here to download the template.”

Behind the scenes, the page is using a font file to hide the real, malicious content.
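One way a site owner or developer can check a page for this pattern, as an added example that is not part of the original post and not code from any of the cited research: a small Python audit that lists every inline `@font-face` rule in a page, labels each font source as embedded inline (a `data:` URI), served from another host, or stored outside the theme directory, and notes whether such a font is applied to a link. The sample HTML, the site host name, and the trusted path prefix are constructed assumptions; a real review would run the same checks against the site's actual HTML and external stylesheets.

```python
import re
from urllib.parse import urlparse

# Constructed sample page (not taken from any real site). It contains a
# normal theme font, a font embedded inline as a data: URI that styles a
# download link, and a font served from a different host.
SAMPLE_HTML = """<html><head>
<style>
@font-face { font-family: "bodyfont"; src: url(/wp-content/themes/site/fonts/open-sans.woff2) format("woff2"); }
@font-face { font-family: "xq1"; src: url(data:font/woff2;base64,AAAA) format("woff2"); }
@font-face { font-family: "hidden2"; src: url(https://static.example.net/f/a.woff2); }
</style>
</head><body>
<p style="font-family: bodyfont">Free subcontractor agreement template</p>
<a href="/wp-content/uploads/2024/agreement.zip" style="font-family: xq1">xkqwe rtyu</a>
</body></html>"""

FONT_FACE_RE = re.compile(r"@font-face\s*\{([^}]*)\}", re.I | re.S)
FAMILY_RE = re.compile(r"font-family\s*:\s*[\"']?([^\"';]+)", re.I)
URL_RE = re.compile(r"url\(\s*[\"']?([^\"')]+)", re.I)


def extract_font_faces(html):
    """Return a list of (family, [source urls]) from inline @font-face rules."""
    faces = []
    for body in FONT_FACE_RE.findall(html):
        fam = FAMILY_RE.search(body)
        if fam:
            faces.append((fam.group(1).strip(), URL_RE.findall(body)))
    return faces


def classify_src(src, site_host, trusted_prefixes):
    """Label one font source.

    'inline'          -> data: URI embedded directly in the page
    'external'        -> loaded from a host other than the site itself
    'unexpected-path' -> same-site path outside the trusted theme directories
    'ok'              -> same-site path under a trusted prefix
    """
    if src.lower().startswith("data:"):
        return "inline"
    parsed = urlparse(src)
    if parsed.netloc and parsed.netloc.lower() != site_host.lower():
        return "external"
    if any(parsed.path.startswith(p) for p in trusted_prefixes):
        return "ok"
    return "unexpected-path"


def audit_fonts(html, site_host, trusted_prefixes=("/wp-content/themes/",)):
    """Report custom fonts with a non-'ok' source and whether a link uses them."""
    findings = []
    for family, urls in extract_font_faces(html):
        labels = [classify_src(u, site_host, trusted_prefixes) for u in urls]
        if all(label == "ok" for label in labels):
            continue
        # Anchor tags whose inline style applies this font family.
        anchor_re = re.compile(
            r"<a[^>]*style=[\"'][^\"']*font-family\s*:\s*[\"']?"
            + re.escape(family) + r"\b[^>]*>", re.I)
        findings.append({
            "family": family,
            "sources": labels,
            "applied_to_links": bool(anchor_re.search(html)),
        })
    return findings


if __name__ == "__main__":
    for finding in audit_fonts(SAMPLE_HTML, "example.com"):
        print(finding)
```

A font that is embedded inline and applied only to a download link, while every other font comes from the theme directory, is the kind of oddity worth a closer look; the script only surfaces it for a human to judge and does not decode or execute anything.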

“But Our Site Doesn’t Store Anything Sensitive” – Why This Still Matters

A lot of owners think:

“Our site doesn’t store anything sensitive. It’s just marketing. Why would attackers care?”

In this kind of campaign, attackers don’t care about your data at all. They care about your reputation, your traffic, and your visitors.

If your site gets compromised and used in a Gootloader campaign:

  • Your customers and partners could be infected. A client trying to download a form, spec, or menu could end up running malware.

  • Your brand takes the hit. Even if the underlying vulnerability was in a plugin, the story your customer tells is “we went to your site and got malware.”

  • Search engines may penalize or block your site. Being flagged as dangerous can tank your SEO and lead to warning pages in browsers.

  • Incident response costs time and money. Cleaning up the website, investigating logs, responding to upset customers, and dealing with any regulatory obligations can be a painful distraction.

For industries like restaurants, retail, insulation/construction, and healthcare clinics, the website is often the first touchpoint a customer has with your brand. Turning that into a malware delivery mechanism is not the first impression you want.

How Do Victims End Up on These Pages?

Gootloader leans heavily on SEO poisoning. That means:

  • Attackers compromise many WordPress sites.

  • They fill them with pages targeted at very specific search phrases—things like legal agreements, business forms, contracts, or technical “how-to” content.

  • They tune those pages so they rank highly in Google or Bing for those searches.

Then, when someone Googles:

  • “free subcontractor agreement template”

  • “example safety meeting minutes”

  • “sample termination letter with cause”

They may land on a compromised site that looks legitimate, with a “Download” button that actually leads to Gootloader. (Avast Blog)

That’s why this campaign is so effective: people are asking for exactly the kind of document the attackers are pretending to offer.

Practical Steps for Website Owners and Marketing Teams

You don’t need to be a security engineer to reduce the risk. Here are concrete, non-technical steps that make a big difference:

1. Keep WordPress, Themes, and Plugins Updated

  • Turn on automatic updates where possible (or schedule regular maintenance windows).

  • Remove plugins and themes you’re no longer using—if it’s installed, it’s a potential entry point.

  • Replace abandoned plugins (no updates in 1–2 years) with actively maintained alternatives.

2. Lock Down Admin Access

  • Use strong, unique passwords for all WordPress admin accounts.

  • Turn on MFA (multi-factor authentication) for logins if your platform/host supports it.

  • Limit who has admin rights. Give editors and contributors only the permissions they actually need.

3. Use Security Tools Built for WordPress

  • Enable a web application firewall (WAF) through your host or a reputable security plugin.

  • Use malware scanning tools that regularly check your files for changes.

  • Monitor for unexpected new admin accounts, strange scheduled tasks, or unknown plugins.
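Malware scanners that "check your files for changes" are, at their core, comparing the site's files against a known-good baseline. As an added example that is not part of the original post and not the code of any particular scanning product, the Python below builds a SHA-256 baseline of a web root, saves and reloads it, diffs it against a later scan, and singles out newly added font or script files that appeared outside the theme directory. The sample site tree, the watched file types, and the trusted prefix are constructed assumptions for illustration.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# File types that, when they appear unexpectedly on a WordPress site, merit a
# look; this list is an assumption for illustration, not an exhaustive rule.
WATCHED_SUFFIXES = {".php", ".js", ".woff2", ".woff", ".ttf"}


def sha256_file(path):
    """Hash one file in chunks so large uploads do not sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map each file under root (relative, POSIX-style path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def save_baseline(baseline, out_path):
    Path(out_path).write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(in_path):
    return json.loads(Path(in_path).read_text())


def diff_baseline(old, new):
    """Added, removed and modified paths between two baselines."""
    old_keys, new_keys = set(old), set(new)
    return {
        "added": sorted(new_keys - old_keys),
        "removed": sorted(old_keys - new_keys),
        "modified": sorted(k for k in old_keys & new_keys if old[k] != new[k]),
    }


def suspicious_additions(diff, trusted_prefix="wp-content/themes/"):
    """Added files of a watched type that landed outside the trusted prefix."""
    return [p for p in diff["added"]
            if Path(p).suffix.lower() in WATCHED_SUFFIXES
            and not p.startswith(trusted_prefix)]


def demo():
    """Constructed walk-through: baseline a throwaway tree, change it, diff."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp)
        (site / "wp-content/themes/site/fonts").mkdir(parents=True)
        (site / "wp-content/uploads/2024").mkdir(parents=True)
        (site / "index.php").write_text("<?php // constructed sample\n")
        (site / "wp-content/themes/site/fonts/open-sans.woff2").write_bytes(b"constructed font bytes")

        save_baseline(build_baseline(site), site / "baseline.json")
        before = load_baseline(site / "baseline.json")

        # Simulated later state: a new font file under uploads and an altered
        # core file. Both are constructed for the demo.
        (site / "wp-content/uploads/2024/xq1.woff2").write_bytes(b"constructed font bytes 2")
        (site / "index.php").write_text("<?php // constructed sample, altered\n")
        (site / "baseline.json").unlink()

        diff = diff_baseline(before, build_baseline(site))
        return diff, suspicious_additions(diff)


if __name__ == "__main__":
    changes, flagged = demo()
    print(json.dumps(changes, indent=1))
    print("flagged additions:", flagged)
```

Run the baseline build right after a clean install or a verified restore, keep the JSON somewhere the web server cannot write to, and re-run the diff on a schedule; a modified core file or a new font or script file under uploads is exactly the kind of change a person should review rather than the site quietly serving it.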

4. Choose Managed Hosting, Not Just “Cheap Hosting”

For a lot of organizations, moving to a managed WordPress hosting provider is one of the easiest security wins. Good providers:

  • Handle patching at the infrastructure level

  • Provide built-in WAF and malware scanning

  • Offer daily backups and one-click restores

  • Often help with cleanup if something goes wrong

That doesn’t remove all risk, but it shrinks the attack surface and gives you more options if your site is compromised.

5. Protect Your Internal Users Too

Remember, your own employees and contractors are also browsing the internet and downloading templates.

  • Use endpoint protection that can detect suspicious scripts and downloads related to Gootloader. (Cybereason and others)

  • Include SEO poisoning and “too-good-to-be-true downloads” in your security awareness training.

  • Encourage staff to get forms and templates from trusted sources (internal SharePoint/Teams sites, reputable legal vendors, etc.), not random search results.

6. Have a “What If Our Site Is Hacked?” Plan

If your website is ever flagged or you suspect compromise:

  • Take the site into maintenance mode or offline temporarily.

  • Notify your web and security partners so they can investigate.

  • Restore from a known-good backup after removing the malicious code.

  • Communicate clearly and honestly with affected users if there is reasonable risk they downloaded something dangerous.

You don’t need to publish a 20-page incident report—but a short, direct message builds more trust than silence.

Bridging Digital Experience and Cybersecurity

For a lot of Archetype SC clients, the website sits at the intersection of branding, marketing, and security:

  • Marketing wants a fast, attractive site with forms, downloads, and integrations.

  • IT wants a site that doesn’t introduce new risk.

  • Leadership wants the site to drive business, not cause headaches.

The new Gootloader campaign using web fonts on WordPress sites is a reminder that these aren’t separate conversations. Good digital experience and good security go hand in hand.

If you’d like help reviewing your website’s security posture—or aligning your marketing sites with your broader cybersecurity program—Archetype SC can help you bridge that gap in a practical, non-technical way.

Take control of your security today!

The cybersecurity experts at Archetype SC specialize in helping businesses understand and manage the risks associated with modern technology. Help lock down your most precious assets today with a variety of cybersecurity solutions including multi-factor authentication, identity governance and more! Contact us today for a free consultation.
