From securityaffairs.co
Gootkit runs on an access-a-as-a-service model, it is used by different groups to drop additional malicious payloads on the compromised systems. Gootkit has been known to use fileless techniques to deliver threats such as the SunCrypt, and REvil (Sodinokibi) ransomware, Kronos trojans, and Cobalt Strike.
In the past, Gootkit distributed malware masquerading as freeware installers, now it uses legal documents to trick users into downloading these files.