Gootloader Malware Uses Corrupted ZIP Archives to Evade Detection

CyberSecureFox 🦊

Operators of the Gootloader malware family have adopted an unusual evasion technique that significantly complicates the work of antivirus engines, sandboxes, and automated analysis tools. The loader is now delivered inside an intentionally corrupted ZIP archive assembled from hundreds of other ZIP files, causing many popular utilities to fail when attempting to unpack it.

How Gootloader Exploits Intentionally Damaged ZIP Archives

According to researchers at Expel, recent Gootloader campaigns distribute an archived JScript file packaged in a deliberately malformed ZIP archive. The built‑in Windows ZIP handler processes this archive without visible errors, while third‑party tools such as 7‑Zip and WinRAR frequently fail to extract the file correctly or return parsing errors.

The core idea is to manipulate the internal structure of the ZIP format. Attackers concatenate approximately 500 to 1000 individual ZIP archives into a single file and introduce additional anomalies in the headers. This results in a file that contains hundreds of repeated Local File Header records and multiple End Of Central Directory (EOCD) structures. For many libraries and forensic tools, this appears as a corrupt or inconsistent archive, which breaks automated unpacking and static analysis workflows.

Windows, however, implements a more tolerant ZIP parsing logic. It effectively locks onto the first usable central directory it can interpret and ignores surplus or conflicting structures. Gootloader’s operators exploit this discrepancy: for the victim, the archive opens “normally” and the embedded script executes, while for analysis systems and sandboxes that rely on stricter ZIP parsers, the sample may remain unreadable or partially parsed.

Gootloader Malware: Threat Profile and Evolution

Gootloader is a modular malware loader that has been actively used since at least 2020 by multiple cybercriminal groups, including ransomware operators. Its purpose is to establish initial access and then download and execute additional payloads such as backdoors, information stealers, or ransomware.

After an operational pause of roughly seven months, Gootloader activity reportedly resumed in November 2025, as documented by Huntress Labs and The DFIR Report. Earlier waves already made use of “broken” ZIP archives, but the inconsistencies were relatively limited, typically involving mismatched file names and header values. In the newer variants, the archive architecture is substantially more complex, turning ZIP‑level manipulation into a primary evasion and anti‑analysis mechanism.

Infection Chain: From JScript Loader to PowerShell Execution

Once the malformed ZIP archive is successfully extracted by Windows, the embedded JScript file is executed via Windows Script Host (WScript) from the user’s temporary directory. At this stage, Gootloader establishes persistence by creating LNK shortcut files in the Startup folder that point to a second JScript script. This ensures the malware runs both at initial compromise and on every subsequent reboot.

The payload then employs additional obfuscation tricks. It invokes CScript using non‑standard NTFS file names, for example by abusing unusual characters or naming conventions to complicate detection and forensic investigation. Following this, the attack chain transitions into PowerShell: one PowerShell process spawns another, a pattern widely seen in modern intrusions and often used to bypass simple behavior‑based rules that only monitor initial script execution.

From a defensive perspective, this chain — archive → script engine (WScript/CScript) → PowerShell → secondary payload — is a critical behavioral indicator that should trigger closer inspection in endpoint detection and response (EDR) and SIEM solutions.

Detecting Gootloader with ZIP Structure Anomalies and YARA Rules

Ironically, the same structural anomalies that hinder analysis can be turned into robust detection signals. Expel’s researchers developed a YARA rule that focuses not on the payload content, but on the ZIP archive’s structural properties.

This detection logic examines the sequence and combination of headers within the file: unusually high counts of repeated Local File Header entries and multiple EOCD records characteristic of Gootloader’s “stitched” archives. Because the rule targets the archive’s layout rather than specific script code or file names, it remains effective even when attackers modify the JScript content, change the archive name, or slightly alter the infection script.
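To make the header discrepancy from the previous section concrete and show the kind of layout-based check Expel's rule relies on, here is an added Python example (not Expel's YARA rule and not code from the article): it counts raw ZIP record signatures in a blob, compares them with what Python's zipfile recovers, and flags the stitched pattern on a constructed sample of eight small archives glued back-to-back. The signature-counting heuristic, the flagging rule and the sample archives are assumptions for illustration.

```python
import io
import zipfile

# Raw ZIP record signatures (PKZIP APPNOTE); a well-formed archive has exactly one EOCD.
LFH_SIG = b"PK\x03\x04"   # Local File Header
CDH_SIG = b"PK\x01\x02"   # Central Directory File Header
EOCD_SIG = b"PK\x05\x06"  # End Of Central Directory record


def zip_structure_stats(data: bytes) -> dict:
    """Count raw structure signatures and record what a strict parser recovers."""
    stats = {
        "local_headers": data.count(LFH_SIG),
        "central_headers": data.count(CDH_SIG),
        "eocd_records": data.count(EOCD_SIG),
        "parser_entries": 0,
        "parser_error": None,
    }
    # Python's zipfile locates the final EOCD and follows its central directory,
    # so in a stitched archive it accounts for only the last glued-on member.
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            stats["parser_entries"] = len(zf.infolist())
    except zipfile.BadZipFile as exc:
        stats["parser_error"] = str(exc)
    return stats


def is_stitched_archive(stats: dict) -> bool:
    """Flag the layout, not the content: more than one EOCD, or local headers that
    the central directory the parser followed cannot account for."""
    return stats["eocd_records"] > 1 or stats["local_headers"] != stats["parser_entries"]


def make_member_zip(name: str, payload: bytes) -> bytes:
    """Build one small valid ZIP in memory (stored, so no signatures appear in the data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_STORED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


# Constructed samples: one clean single-member archive, and eight archives concatenated.
CLEAN_ZIP = make_member_zip("readme.txt", b"benign text")
STITCHED_ZIP = b"".join(make_member_zip(f"part{i}.txt", b"benign") for i in range(8))

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_ZIP), ("stitched", STITCHED_ZIP)):
        s = zip_structure_stats(blob)
        print(label, s, "FLAGGED" if is_stitched_archive(s) else "ok")
```

Counting raw signatures can false-match inside compressed data; a production check walks the headers and compares the parsed central directory with the physical record layout, but the anomaly it keys on is the same.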

Hardening Windows Script Host, JScript, and PowerShell

Experts advise organizations not to rely solely on traditional antivirus but to include file structure analysis in email gateways, web proxies, and sandbox solutions, especially for ZIP archives from untrusted sources. At the same time, limiting abuse of Windows Script Host is essential.

One simple but effective control is to change the default application for .js and .jse files from Windows Script Host to a text editor such as Notepad. In this configuration, double‑clicking a JScript file opens it as text instead of executing it, significantly reducing the risk of accidental malware execution by users.

If JScript is not required for business processes, organizations should block wscript.exe and cscript.exe entirely for downloaded content and unprivileged users. This can be enforced via Group Policy, AppLocker, Windows Defender Application Control, or other application control solutions. In parallel, PowerShell should be hardened with comprehensive logging, restricted execution where feasible, and alerting on suspicious chains such as “archive → script host → PowerShell” originating from user profiles or temporary directories.

As Gootloader demonstrates, modern malware increasingly exploits subtle differences in file format implementations and default operating system behavior. Organizations that combine signature‑based and behavior‑based detection, pay attention to anomalous archive structures, and minimize unnecessary use of scripting engines like JScript, Windows Script Host, and unrestricted PowerShell can substantially improve their resilience and reduce the risk of follow‑on ransomware and data theft.
