The JavaScript (aka JScript) malware loader referred to as GootLoader has been noticed utilizing a malformed ZIP archive that is designed to sidestep detection efforts by concatenating wherever from 500 to 1,000 archives.
“The actor creates a malformed archive as an anti-analysis method,” Expel safety researcher Aaron Walton stated in a report shared with The Hacker Information. “That’s, many unarchiving instruments will not be capable of persistently extract it, however one important unarchiving software appears to work persistently and reliably: the default software constructed into Home windows techniques.”
This results in a situation the place the archive can’t be processed by instruments like WinRAR or 7-Zip, and, subsequently, prevents many automated workflows from analyzing the contents of the file. On the identical time, it may be opened by the default Home windows unarchiver, thereby guaranteeing that victims who fall sufferer to the social engineering scheme can extract and run the JavaScript malware.
GootLoader is often distributed through SEO (search engine optimization) poisoning ways or malvertising, concentrating on customers in search of authorized templates to take them to compromised WordPress websites internet hosting malicious ZIP archives. Like different loaders, it is designed to ship secondary payloads, together with ransomware. The malware has been detected within the wild since a minimum of 2020.
In late October 2025, malware campaigns propagating the malware resurfaced with new methods: leveraging customized WOFF2 fonts with glyph substitution to obfuscate filenames and exploiting the WordPress remark endpoint (“/wp-comments-post.php”) to ship the ZIP payloads when a person clicks a “Obtain” button on the positioning.
The most recent findings from Expel spotlight continued evolution of the supply strategies, with the menace actors using extra subtle obfuscation mechanisms to evade detection –
- Concatenate collectively 500-1,000 archives to craft the malicious ZIP file
- Truncate the archive’s finish of central listing (EOCD) report such that it misses two important bytes from the anticipated construction, triggering parsing errors
- Randomize values in non-critical fields, reminiscent of disk quantity and Variety of Disks, inflicting unarchiving instruments to count on a sequence of ZIP archives which are non-existent
“The random variety of recordsdata concatenated collectively, and the randomized values in particular fields are a defense-evasion method referred to as ‘hashbusting,'” Walton defined.
“In observe, each person who downloads a ZIP file from GootLoader’s infrastructure will obtain a singular ZIP file, so in search of that hash in different environments is futile. The GootLoader developer makes use of hashbusting for the ZIP archive and for the JScript file contained within the archive.”
The assault chain basically includes the supply of the ZIP archive as an XOR-encoded blob, which is decoded and repeatedly appended to itself on the client-side (i.e., on the sufferer’s browser) till it meets a set dimension, successfully bypassing safety controls designed to detect the transmission of a ZIP file.
As quickly because the downloaded ZIP archive is double-clicked by the sufferer, it can trigger Home windows’ default unarchiver to open the ZIP folder containing the JavaScript payload in File Explorer. Launching the JavaScript file, in flip, triggers its execution through “wscript.exe” from a brief folder, for the reason that file contents weren’t explicitly extracted.
The JavaScript malware then creates a Home windows shortcut (LNK) file within the Startup folder to determine persistence, finally executing a second JavaScript file utilizing cscript, spawning PowerShell instructions to take the an infection to the subsequent stage. In earlier GootLoader assaults, the PowerShell script is used to gather system info and obtain instructions from a distant server.
To counter the menace posed by GootLoader, organizations are suggested to think about blocking “wscript.exe” and “cscript.exe” from executing downloaded content material if not required and use a Group Coverage Object (GPO) to make sure that JavaScript recordsdata are opened in Notepad by default, as an alternative of executing them through “wscript.exe.”
