GootLoader Malware Uses Hundreds Of Concatenated ZIP Archives To Evade Detection

Cybersecurity researchers have observed new evasive techniques being used by the JavaScript-based malware loader known as GootLoader, highlighting its continued evolution and persistence in the threat landscape. The malware has been found distributing malicious payloads through highly malformed ZIP archives that are deliberately crafted to bypass traditional security analysis tools. According to findings shared by Expel security researcher Aaron Walton, the threat actor behind GootLoader now concatenates between 500 and 1,000 ZIP archives into a single file, which most unarchiving tools cannot process correctly. While tools such as WinRAR and 7-Zip often fail to extract these files, the default archive utility built into Windows opens them without issue, increasing the likelihood that victims can access and execute the malicious content.

This technique creates a unique challenge for automated detection systems and sandbox environments, which rely on standard extraction tools to inspect archived files. Because the malformed ZIP files cannot be reliably unpacked by many security solutions, they often evade deeper inspection altogether. At the same time, the compatibility with Windows default extraction ensures the social engineering aspect of the attack remains effective. Victims who are lured into downloading the archive are able to open it and interact with its contents, unknowingly triggering the malware. GootLoader is most commonly distributed through search engine optimization poisoning and malvertising campaigns, where users searching for legal templates are redirected to compromised WordPress websites hosting the malicious archives. Active since at least 2020, the malware functions as a loader designed to deliver secondary payloads, including ransomware, after initial infection.

Researchers noted that the campaign resurfaced in late October 2025 with additional obfuscation tactics layered onto its delivery chain. These included the use of custom WOFF2 fonts with glyph substitution to disguise file names, and the abuse of the WordPress comment endpoint to deliver ZIP payloads when users clicked fake download buttons. The latest iteration builds on this with further archive-level manipulation. The ZIP files are created by concatenating hundreds of archives and deliberately truncating the end-of-central-directory (EOCD) record so that critical structural bytes are missing, which causes parsing errors in many tools. Non-essential fields such as disk-number values are randomized, forcing extraction software to search for archive segments that do not exist. Walton explained that this approach is a defense-evasion method known as hashbusting, where every downloaded ZIP file is unique, so relying on file hashes for detection becomes ineffective across different environments.
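The archive-level traits just described (many EOCD records glued together, a final EOCD cut short, non-zero disk-number fields) are cheap to check structurally without ever extracting anything. The following triage script is an added example, not Expel's tooling or a GootLoader sample; the archive it inspects is constructed in memory from a benign file and then deliberately concatenated and mangled the same way.

```python
import io
import struct
import zipfile

LOCAL_HEADER_SIG = b"PK\x03\x04"   # start of each local file header
EOCD_SIG = b"PK\x05\x06"           # end-of-central-directory record
EOCD_LEN = 22                      # fixed-size part of the EOCD record


def _find_all(data: bytes, sig: bytes) -> list:
    """Offsets of every occurrence of sig in data."""
    hits, pos = [], data.find(sig)
    while pos != -1:
        hits.append(pos)
        pos = data.find(sig, pos + 1)
    return hits


def analyze_zip(data: bytes) -> dict:
    """Structural triage of a ZIP blob: how many archives are glued together,
    whether the final EOCD is cut short, and whether any EOCD claims a
    non-zero disk number (a single-part archive should always say disk 0)."""
    eocds = _find_all(data, EOCD_SIG)
    result = {
        "archives": len(eocds),
        "local_headers": len(_find_all(data, LOCAL_HEADER_SIG)),
        "eocd_truncated": bool(eocds) and len(data) - eocds[-1] < EOCD_LEN,
        "odd_disk_numbers": False,
    }
    for off in eocds:
        if len(data) - off >= 8:  # disk-number fields sit at +4 and +6
            disk_no, cd_disk = struct.unpack_from("<HH", data, off + 4)
            if disk_no or cd_disk:
                result["odd_disk_numbers"] = True
    result["suspicious"] = (result["archives"] > 1 or result["eocd_truncated"]
                            or result["odd_disk_numbers"])
    return result


def build_sample(copies: int, truncate: int) -> bytes:
    """Constructed sample, not a real malware file: a benign one-file ZIP
    concatenated `copies` times, with `truncate` bytes cut off the final EOCD
    and a bogus disk number written into it (only when copies > 1)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("readme.txt", "constructed benign content\n")
    blob = bytearray(buf.getvalue() * copies)
    if copies > 1:
        struct.pack_into("<H", blob, blob.rfind(EOCD_SIG) + 4, 7)
    return bytes(blob[:len(blob) - truncate] if truncate else blob)


if __name__ == "__main__":
    print(analyze_zip(build_sample(1, 0)))
    print(analyze_zip(build_sample(600, 5)))
```

Because the check reads signatures rather than trusting the last EOCD, it still works on files that standard extractors refuse to open; a real sample would also be hashbusted, so the structural verdict, not the hash, is what to alert on.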

The delivery process involves sending the ZIP archive as an XOR-encoded data blob, which is decoded in the victim's browser and repeatedly appended to itself on the client side until it reaches a predefined size. This technique helps bypass security controls designed to detect ZIP file transfers over the network. Once the victim double-clicks the downloaded archive, Windows File Explorer opens the folder containing the JavaScript payload. When the file is launched, it executes through wscript.exe directly from a temporary directory, since the contents were never manually extracted. The malware then establishes persistence by creating a Windows shortcut file in the Startup folder, executes a second JavaScript file via cscript.exe, and launches PowerShell commands to advance the infection. Previous campaigns show these scripts gathering system information and communicating with remote command servers to receive further instructions.

To reduce exposure to GootLoader infections, security teams are advised to restrict the execution of wscript.exe and cscript.exe for downloaded content where possible. Additional protections include configuring Group Policy settings so that JavaScript files open in a text editor by default instead of executing automatically. These measures can significantly limit the effectiveness of the malware delivery chain and reduce the risk posed by increasingly sophisticated archive-based evasion techniques.
