Cyber Web Spider Blog – News
GootLoader Malware Uses 500–1,000 Concatenated ZIP Archives to Evade Detection

Posted on January 16, 2026 By CWS

Jan 16, 2026Ravie LakshmananMalvertising / Risk Intelligence
The JavaScript (aka JScript) malware loader referred to as GootLoader has been noticed utilizing a malformed ZIP archive that is designed to sidestep detection efforts by concatenating anyplace from 500 to 1,000 archives.
“The actor creates a malformed archive as an anti-analysis method,” Expel safety researcher Aaron Walton stated in a report shared with The Hacker Information. “That’s, many unarchiving instruments should not in a position to constantly extract it, however one vital unarchiving device appears to work constantly and reliably: the default device constructed into Home windows techniques.”
This results in a situation the place the archive can’t be processed by instruments like WinRAR or 7-Zip, and, subsequently, prevents many automated workflows from analyzing the contents of the file. On the similar time, it may be opened by the default Home windows unarchiver, thereby guaranteeing that victims who fall sufferer to the social engineering scheme can extract and run the JavaScript malware.
GootLoader is often distributed by way of search engine marketing (search engine marketing) poisoning techniques or malvertising, concentrating on customers searching for authorized templates to take them to compromised WordPress websites internet hosting malicious ZIP archives. Like different loaders, it is designed to ship secondary payloads, together with ransomware. The malware has been detected within the wild since not less than 2020.

In late October 2025, campaigns propagating the malware resurfaced with new techniques: leveraging custom WOFF2 fonts with glyph substitution to obfuscate filenames, and abusing the WordPress comment endpoint (“/wp-comments-post.php”) to deliver the ZIP payloads when a user clicks a “Download” button on the site.
The latest findings from Expel highlight the continued evolution of the delivery methods, with the threat actors employing more sophisticated obfuscation mechanisms to evade detection:

  • Concatenate 500-1,000 archives together to craft the malicious ZIP file
  • Truncate the archive’s end of central directory (EOCD) record so that it is missing two critical bytes from the expected structure, triggering parsing errors
  • Randomize values in non-critical fields, such as the disk number and Number of Disks, causing unarchiving tools to expect a sequence of ZIP archives that does not exist

“The random number of files concatenated together, and the randomized values in specific fields are a defense-evasion technique known as ‘hashbusting,’” Walton explained.
“In practice, every user who downloads a ZIP file from GootLoader’s infrastructure will receive a unique ZIP file, so searching for that hash in other environments is futile. The GootLoader developer uses hashbusting for the ZIP archive and for the JScript file contained within the archive.”
The attack chain essentially involves delivery of the ZIP archive as an XOR-encoded blob, which is decoded and repeatedly appended to itself on the client side (i.e., in the victim’s browser) until it reaches a set size, effectively bypassing security controls designed to detect the transmission of a ZIP file.
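As an added illustration, not code from the article or from Expel's report, the following Python checks a raw ZIP byte string for the three malformations listed above (multiple EOCD records from concatenation, an EOCD record cut short, and non-zero disk fields) and records whether Python's standard-library reader still accepts the file. The sample archives it builds are constructed test input; the file name and content are placeholders.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # end-of-central-directory signature
EOCD_LEN = 22              # fixed-size part of the EOCD record


def scan_zip_anomalies(data: bytes) -> dict:
    """Flag the malformations described above on a raw ZIP byte string."""
    offsets, pos = [], 0
    while (pos := data.find(EOCD_SIG, pos)) >= 0:   # count every EOCD signature
        offsets.append(pos)
        pos += 1
    findings = {"eocd_count": len(offsets), "truncated_eocd": False,
                "nonzero_disk_fields": False, "stdlib_parses": True}
    if offsets:
        tail = data[offsets[-1]:]               # the record a reader uses last
        if len(tail) < EOCD_LEN:
            findings["truncated_eocd"] = True    # record cut short, e.g. by two bytes
        else:
            # layout: sig(4) this_disk(2) cd_start_disk(2) ... comment_len(2)
            this_disk, cd_disk = struct.unpack("<HH", tail[4:8])
            findings["nonzero_disk_fields"] = this_disk != 0 or cd_disk != 0
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            zf.testzip()
    except Exception:                            # any parser failure is itself a signal
        findings["stdlib_parses"] = False
    return findings


def is_suspicious(findings: dict) -> bool:
    """A single archive should have exactly one intact EOCD record on disk 0."""
    return (findings["eocd_count"] != 1 or findings["truncated_eocd"]
            or findings["nonzero_disk_fields"] or not findings["stdlib_parses"])


def build_samples() -> tuple:
    """Constructed inputs: a clean archive and a copy shaped like the description above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes.txt", "constructed placeholder content\n")
    clean = buf.getvalue()
    # three concatenated copies with the final EOCD record cut short by two bytes
    suspect = (clean * 3)[:-2]
    return clean, suspect
```

Run `scan_zip_anomalies` over files written to a quarantine or download directory; a blob with more than one EOCD record, a short final record, or a reader failure is worth routing to manual analysis rather than being dropped as "not a ZIP".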

As soon as the victim double-clicks the downloaded ZIP archive, Windows’ default unarchiver opens the ZIP folder containing the JavaScript payload in File Explorer. Launching the JavaScript file, in turn, triggers its execution via “wscript.exe” from a temporary folder, as the file contents were never explicitly extracted.
The JavaScript malware then creates a Windows shortcut (LNK) file in the Startup folder to establish persistence, ultimately executing a second JavaScript file using cscript, which spawns PowerShell commands to take the infection to the next stage. In previous GootLoader attacks, the PowerShell script was used to gather system information and receive commands from a remote server.
To counter the threat posed by GootLoader, organizations are advised to consider blocking “wscript.exe” and “cscript.exe” from executing downloaded content if not required, and to use a Group Policy Object (GPO) to ensure that JavaScript files are opened in Notepad by default instead of being executed via “wscript.exe.”

The Hacker News | Tags: Archives, Concatenated, Detection, Evade, GootLoader, Malware, ZIP
