In this blog post, I will describe how I wrote a config extractor for an obfuscated JavaScript-based GootLoader component. The hard part of automating the config extraction is the obfuscation: the C2 servers are just plain text in the last stage. All <a href="https://github.com/larsborn/gootloader-babel-deobfuscator">code is on GitHub</a> if you are only interested in that.
# Intro
A fellow Cyberian, struppigel, recently released <a href="https://samplepedia.cc/">Samplepedia</a>, a platform where people can drop SHA256 hashes of files together with a description, an analysis goal and some other metadata. My understanding is that the goal is to finally have a place to find interesting malware to analyze, something I get asked about a lot when teaching reverse engineering.
Naturally I picked a task myself and decided to do one involving JavaScript, something I don't have a lot of exposure to as a reverse engineer (I do have some exposure to it as a forward engineer, but that's a different story). The sample in question is ``1bc77b013c83b5b075c3d3c403da330178477843fc2d8326d90e495a61fbb01f`` and the task is:
> Create a static C2 extractor that uses abstract syntax tree transformations with Babel. You can use astexplorer.net as helper tool.
I was particularly intrigued because I have recently seen other people be extremely successful at leveraging "normal dev tooling" from the JavaScript ecosystem to tackle JavaScript-based malware.
<a href="https://blag.nullteilerfrei.de/2026/01/18/use-babel-to-deobfuscate-javascript-malware/#more-6162" class="more-link">Would you like to know more?</a>