Posts

Showing posts from July, 2022

Gootkit... analysing malicious JavaScript

Gootkit continues to target Australian companies, with sites still live as of the time of this post. Searching for an Australian company name together with the words "enterprise agreement" will often return a first-page result linking to a malicious site, which in turn often hosts a fake forum with a post containing the link to the malicious download. I managed to get a hit after trying a few different random company names. The redirect to the forum site with the malicious link only happens on the first visit; otherwise the user is redirected to a normal-looking blog post. Clicking the link downloads a zip file containing a JavaScript file. At first glance the file appears to be benign jQuery. Compared with the official library it is almost identical, except that some additional lines have been added at a few locations. After extracting and prettifying the code we can see a number of variables and what looks like a de-obfuscator function. Using S...