Gootloader now uses 1,000-part ZIP archives for stealthy delivery
by Bill Toulas · BleepingComputerThe Gootloader malware, typically used for initial access, is now using a malformed ZIP archive designed to evade detection by concatenating up to 1,000 archives.
In doing so, the malware, which is an archived JScript file, causes many tools to crash when trying to analyze it.
According to researchers, the malicious file is successfully unpacked using the default utility in Windows, but tools relying on 7-Zip and WinRAR fail.
To achieve this, the threat actor behind the malware concatenates between 500 and 1,000 ZIP archives, but also uses other tricks to make parsing from analysis tools more difficult.
The Gootloader malware loader has been active since 2020 and is used by various cybercriminal operations, including ransomware deployments.
After a seven-month break, the operation returned last November, as reported by security researchers at Huntress Labs and the DFIR Report.
While malformed ZIP archives were present back then, they came with minimal modifications, and there were filename mismatches when trying to extract the data.
To further strengthen the anti-analysis of this stage, Gootloader operators have now implemented far more extensive obfuscation mechanisms, according to Expel researchers analyzing more recent samples.
Specifically, the following mechanisms are now used to evade detection and analysis:
- Concatenate up to a thousand ZIP archives, exploiting the fact that parsers read from the end of the file.
- Use a truncated End of Central Directory (EOCD) that misses two mandatory bytes, breaking the parsing by most tools.
- Randomize disk number fields, causing tools to expect non-existent multi-disk archives.
- Add metadata mismatches between the Local File Headers and Central Directory entries.
- Generate unique ZIP and JScript samples for each download to evade static detection.
- Deliver the ZIP as an XOR-encoded blob, which is decoded and repeatedly appended client-side until it reaches the desired size, evading network-based detection.
Source: Expel
Once executed on the host, the malware’s JScript activates via Windows Script Host (WScript) from a temporary directory and establishes persistence by adding shortcut (.LNK) files to the Startup folder that point to a second JScript file.
This payload is executed upon first launch, and with every system boot, triggering CScript with NTFS shortnames, followed by PowerShell spawning PowerShell.
While Gootloader’s authors added multiple corruption techniques to evade detection without breaking functionality, Expel researchers used the structural anomalies that allow defenders to spot the threat. The team also shared a YARA rule that "can consistently identify the current ZIP archives."
The detection relies on spotting a specific combination of ZIP header features, hundreds of repeating Local File Headers, and EOCD records.
The researchers recommend that defenders change the default application for opening JScript files to Notepad instead of Windows Script Host, to prevent their execution.
To reduce the attack surface, Expel advises blocking wscript.exe and cscript.exe from executing downloaded content if JScript files are not needed.
7 Security Best Practices for MCP
As MCP (Model Context Protocol) becomes the standard for connecting LLMs to tools and data, security teams are moving fast to keep these new services safe.
This free cheat sheet outlines 7 best practices you can start using today.