【CyCraft Monthly Intelligence】Highly Sophisticated Evasion Techniques: Gootloader Malware Exploits Malformed ZIP Files

Threat and Impact

The Gootloader malware achieves initial access through a uniquely engineered delivery mechanism. Unlike typical malware that relies on standard archives or executables, Gootloader deliberately utilizes malformed (incomplete) ZIP archives during the initial infection. These archives are specifically designed to bypass detection by many common decompression tools and autonomous security workflows. However, they remain compatible with the default Windows extraction tools, ensuring that victims can successfully decompress and execute the malicious content.

This campaign has far-reaching implications across all industries. As an Initial Access threat, Gootloader often serves as a precursor to more severe attacks, such as ransomware deployment or large-scale data exfiltration. Once a foothold is established, attackers can maintain persistent access to the victim’s network, enabling lateral movement and further compromise. The high complexity of Gootloader’s evasion techniques necessitates that defenders adopt more dynamic and behavior-oriented detection strategies.

Analyst Perspective

The primary challenge in defending against Gootloader lies in its randomized, reassembled archives. Because the Hash values never repeat, low-level IoCs are ineffective for protection. This represents a highly sophisticated Defense Evasion mechanism. To effectively counter these attacks, enterprises must shift their focus toward the behavior of the malware itself, employing methods such as YARA rules to identify malicious patterns.

Incident Description

The Gootloader campaign demonstrates highly sophisticated malware delivery and execution techniques, specifically utilizing malformed ZIP archives to evade detection and analysis. These ZIP files exhibit anomalous structural characteristics: they are composed of hundreds of concatenated ZIP segments, feature a deliberately truncated End of Central Directory (EOCD) record, and contain randomized non-critical metadata. Together, these traits form a "Hashbusting" anti-analysis and evasion technique. By tailoring a unique archive for every victim, the attackers render traditional Hash-based signatures ineffective, successfully bypassing antivirus and Endpoint Detection and Response (EDR) systems that rely on static indicators.

The infection chain is triggered once the user executes the JScript contained within the ZIP. To achieve persistence, the JScript drops a shortcut file (.LNK) into the Startup folder, pointing to a secondary script located in a randomized directory. The multi-stage execution process alternates between Windows Script Host (WScript and CScript) and PowerShell processes, combined with obfuscated code and NTFS short file paths to maximize stealth and complicate forensic analysis.

Technical Details

This section explores the technical foundations of this attack, deconstructing how threat actors craft and deploy their malware, maintain persistence, and evade defenses. By mapping these activities to the MITRE ATT&CK framework, readers will gain a comprehensive understanding of the malware's lifecycle and its technical mechanism.

Initial Access

Gootloader primarily gains initial access through social engineering and user interaction with malicious ZIP archives, typically delivered via phishing emails or compromised websites. Unlike standard archives, these files are "malformed" to evade automated detection:

  • The archive contains 500–1,000 concatenated ZIP structures. This inflates the file size to tens of megabytes, even though it only contains a single small payload (a JScript file).
  • The End of Central Directory (EOCD) record is truncated, missing critical bytes such as "Comment Length." This causes many extraction tools (e.g., 7-Zip, WinRAR) to fail during parsing.
  • Non-critical fields in the ZIP header (e.g., "Disk Number," "Number of Disks") are randomized. This generates a unique Hash for every victim, a technique known as Hashbusting.

Despite these anomalies, the archive remains compatible with the Windows default ZIP utility, ensuring the victim can successfully open it.

Execution

Once the victim downloads and opens the ZIP archive:

  • The victim typically double-clicks the JScript (.js) file, which is executed directly from a temporary folder (created by the Windows extraction tool) via Windows Script Host (WScript.exe).
  • The JScript file contains a mix of benign and malicious code, often exceeding 10,000 lines. Only about 100 lines contain the obfuscated malicious logic, making both manual and automated analysis extremely difficult.
  • Execution triggers a two-step PowerShell launch: the first PowerShell instance spawns a second instance, which then executes highly obfuscated commands.

Analysts can detect these suspicious execution patterns by monitoring the process chain:

  • wscript.exe executing a .js file from a temp directory (e.g., AppData\Local\Temp).
  • cscript.exe spawning a powershell.exe process.

Persistence

To maintain access across system reboots and user sessions, Gootloader employs the following mechanism:

1. The initial JScript creates a .LNK shortcut in the user's Startup folder (C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup).

2. This .LNK points to a second .LNK file located in a randomly selected directory.

3. The second .LNK calls a second JScript file within that same random directory.

4. The second JScript is executed via CScript.exe using NTFS short filenames (the legacy 8.3 format, e.g., FILENA~1.js). This rare usage provides a strong telemetry signal for detection.

This multi-layered shortcut chain secures a foothold, ensuring malicious code executes automatically upon system startup.

Defense Evasion

Gootloader utilizes several Defense Evasion techniques:

  • Malformed ZIP Archives: Intentional corruption and concatenation prevent standard extraction and automated analysis tools from retrieving the payload.
  • Hashbusting: Randomizing non-critical header fields ensures a unique Hash for every download, neutralizing signature-based detection.
  • JScript Obfuscation: Hiding the malicious logic within massive amounts of benign code lets it "blend in" and evade scanners.
  • Execution from Temp Folders: Running scripts directly from temporary directories is uncommon for standard applications, which makes it a red flag for defenders.
  • NTFS Short Filenames (8.3): Using legacy naming conventions bypasses behavioral detections calibrated for modern naming standards.
  • Multi-stage PowerShell Obfuscation: Using nested execution chains hides the final malicious command from endpoint protection tools.

In-Depth Analysis of the Malformed ZIP Archive

1. Structure and Anti-Analysis Techniques

Generally, a standard ZIP consists of the following components:

  • Local File Headers: Metadata preceding each compressed file's data.
  • Central Directory: An index of all files and their locations.
  • EOCD: A record pointing to the Central Directory.

Gootloader’s version differs significantly:

  • It contains hundreds (around 500–1,000) of concatenated ZIP segments rather than a single contiguous archive.
  • The EOCD records of each archive are truncated, missing mandatory bytes such as the “Comment Length” field.
  • Randomized values in non-critical fields trick some tools into looking for subsequent ZIP sequences that do not exist, leading to parsing errors.
  • Inconsistencies between the Local File Header and the Central Directory (e.g., modified time, CRC32 checksums) cause many ZIP utilities to reject the file as "corrupted."
  • The Windows default utility reads the EOCD from the end of the file in a unique way that allows it to bypass these errors and extract the JScript successfully.
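The two structural traits listed above (hundreds of Local File Headers for a single payload, and a final EOCD record cut short before its Comment Length field) can be checked without fully parsing the archive. The following Python triage script is an added example, not CyCraft's code: it counts Local File Header signatures, classifies the last EOCD record as complete, truncated or missing, and records whether Python's standard-library zipfile accepts the blob, which stands in for the third-party tools that reject it. The 100-header threshold mirrors the page's YARA rule; the concatenated sample blob is constructed inside the script purely as a test fixture and is not a Gootloader artifact.

```python
import io
import struct
import zipfile

LFH_SIG = b"PK\x03\x04"   # Local File Header signature
EOCD_SIG = b"PK\x05\x06"  # End of Central Directory signature
EOCD_MIN_LEN = 22         # signature + fixed fields + 2-byte Comment Length
HEADER_THRESHOLD = 100    # same bound the page's YARA rule applies


def count_local_headers(data: bytes) -> int:
    """Count Local File Header signatures anywhere in the blob; a single
    small payload should need one, not hundreds."""
    return data.count(LFH_SIG)


def eocd_status(data: bytes) -> str:
    """Classify the last EOCD record as 'complete', 'truncated' or 'missing'."""
    pos = data.rfind(EOCD_SIG)
    if pos == -1:
        return "missing"
    tail = len(data) - pos
    if tail < EOCD_MIN_LEN:
        return "truncated"  # fixed fields cut short (e.g. no Comment Length)
    comment_len = struct.unpack_from("<H", data, pos + 20)[0]
    if tail < EOCD_MIN_LEN + comment_len:
        return "truncated"  # Comment Length promises bytes that are absent
    return "complete"


def zipfile_accepts(data: bytes) -> bool:
    """True if Python's standard-library parser can open and list the blob."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            zf.namelist()
        return True
    except zipfile.BadZipFile:
        return False


def assess(data: bytes) -> dict:
    """Combine the checks into one triage verdict."""
    headers = count_local_headers(data)
    status = eocd_status(data)
    return {
        "local_headers": headers,
        "eocd": status,
        "zipfile_accepts": zipfile_accepts(data),
        "suspicious": headers > HEADER_THRESHOLD and status == "truncated",
    }


def build_benign_zip() -> bytes:
    """Constructed sample: an ordinary one-entry archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("notes.txt", "constructed sample payload\n")
    return buf.getvalue()


def build_concatenated_sample(copies: int = 120) -> bytes:
    """Constructed test fixture (not a Gootloader artifact): the benign
    archive repeated `copies` times with the final Comment Length field
    dropped, reproducing the two structural traits the checks look for."""
    return (build_benign_zip() * copies)[:-2]


if __name__ == "__main__":
    for label, blob in (("benign", build_benign_zip()),
                        ("concatenated", build_concatenated_sample())):
        print(label, assess(blob))
```

Run on the constructed fixture, the benign archive reports one header, a complete EOCD and `zipfile_accepts: True`, while the concatenated blob reports 120 headers, a truncated EOCD and `zipfile_accepts: False`, the same split between strict parsers and lenient ones the article describes. Because the checks only scan for signatures, they also work on blobs that no ZIP library will open.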

2. Delivery and Dynamic Construction

  • The archive is not transmitted as a simple static ZIP on the Internet.
  • The victim’s browser receives an XOR-encoded data blob containing a single ZIP archive.
  • This blob is decoded on the client side and recursively appended to itself until it reaches the desired size, creating the concatenated structure.
  • This process effectively obfuscates the ZIP during transit, preventing detection by network-level security appliances.

Summary

The Gootloader campaign is a textbook example of how attackers combine file format manipulation, code obfuscation, and multi-stage scripting to bypass static and dynamic defenses. By exploiting the discrepancy between how Windows and third-party tools handle malformed ZIPs, the attackers deliver a payload that is invisible to many scanners but functional for the end-user. The subsequent use of shortcut chains for persistence and obfuscated PowerShell for execution demonstrates a high level of operational maturity in evading modern security ecosystems.

Mitigation

The Gootloader campaign poses a significant challenge to organizations due to its highly sophisticated techniques designed to bypass traditional security mechanisms. To effectively mitigate the risks associated with this activity, organizations should adopt a multi-layered defense strategy covering both technical and operational levels. Below are detailed steps and recommendations to help organizations prevent and respond to similar attacks:

1. Reassociate JScript File Extensions

We strongly recommend reassociating the JScript (.js) file extension to Notepad via Group Policy Objects (GPO). By doing so, when a user double-clicks a .js file, it will open as a text file for viewing rather than executing as a script. This significantly reduces the risk of malicious scripts being executed and provides a safer environment for end-users.

2. Attack Surface Reduction

Organizations should consider blocking wscript.exe and cscript.exe from executing downloaded content. This can be achieved through GPO or other administrative control measures. Restricting the use of these built-in Windows Script Host executables helps shrink the attack surface and lowers the probability of exploitation.

3. Monitoring and Detection

To detect and respond to Gootloader, organizations should focus on monitoring anomalous behavior related to ZIP archives and the subsequent process execution chain. Key detection points include:

  • Execution of .js files by wscript.exe in the AppData\Local\Temp directory: Monitor this specific behavior, as it represents the execution of a JScript file via the Windows Script Host from a temporary location.
  • Creation of unknown .LNK files in the Startup Folder: Monitor for the creation of new shortcut files in the user’s startup directory, as these are frequently used to establish persistence.
  • Execution of .js files by cscript.exe using legacy NTFS short filenames (8.3 format): Flag these events immediately; this behavior is extremely rare in modern environments and serves as a high-confidence indicator of malicious activity.
  • Suspicious Process Genealogy: Alert on specific process spawning sequences, particularly cscript.exe spawning powershell.exe.
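The process-chain signals from the Execution section and the four detection points above translate directly into telemetry rules. The following Python script is an added example, not CyCraft's code: it evaluates constructed endpoint records in a Sysmon-like shape (the field names event, image, parent_image, command_line and target_path are assumptions, not a real product schema) and returns which detection fires for each record. The sample records, including the path and file names, are constructed for the example.

```python
import re

# NTFS 8.3 short name in the script path, e.g. FILENA~1.js
SHORT_NAME_JS = re.compile(r"[A-Z0-9_]{1,6}~\d+\.js\b", re.IGNORECASE)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased final path component, e.g. 'cscript.exe'."""
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev: dict) -> list:
    """Return the detection names that fire for one telemetry record."""
    hits = []
    if ev["event"] == "process_create":
        image = basename(ev["image"])
        parent = basename(ev["parent_image"])
        cmd = ev["command_line"]
        # .js executed by Windows Script Host straight from the temp folder
        if image == "wscript.exe" and ".js" in cmd.lower() and TEMP_DIR.search(cmd):
            hits.append("wscript_js_from_temp")
        # cscript.exe handed a legacy 8.3 short-name .js path
        if image == "cscript.exe" and SHORT_NAME_JS.search(cmd):
            hits.append("cscript_js_short_name")
        # process genealogy: cscript.exe -> powershell.exe
        if image == "powershell.exe" and parent == "cscript.exe":
            hits.append("cscript_spawned_powershell")
    elif ev["event"] == "file_create":
        path = ev["target_path"]
        # new shortcut dropped into the user's Startup folder
        if path.lower().endswith(".lnk") and STARTUP_DIR.search(path):
            hits.append("lnk_written_to_startup")
    return hits


def triage(events: list) -> list:
    """(record index, detection name) for every alert across the stream."""
    return [(i, name) for i, ev in enumerate(events) for name in check_event(ev)]


# Constructed sample telemetry (assumed schema); records 1 and 3 are benign noise.
SAMPLE_EVENTS = [
    {"event": "process_create", "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\AppData\Local\Temp\Temp1_invoice.zip\invoice.js"'},
    {"event": "process_create", "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'"C:\Windows\System32\wscript.exe" "C:\Program Files\Vendor\logon.js"'},
    {"event": "file_create",
     "target_path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updater.lnk"},
    {"event": "file_create", "target_path": r"C:\Users\alice\Documents\report.docx"},
    {"event": "process_create", "image": r"C:\Windows\System32\cscript.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"cscript.exe C:\Users\alice\AppData\Roaming\RANDOM~1\UPDATE~1.js"},
    {"event": "process_create",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\cscript.exe",
     "command_line": "powershell.exe <obfuscated command placeholder>"},
]


if __name__ == "__main__":
    for index, name in triage(SAMPLE_EVENTS):
        print(index, name)
```

The short-name rule matches only the script file itself (`UPDATE~1.js`), not short-name directory components such as `RANDOM~1`, because user-profile paths are occasionally logged in 8.3 form by legitimate software; the other three rules key on the exact combinations the article calls out, so a vendor script run from Program Files or a document saved to Documents produces no alert.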

4. Dynamic Detection

Implement dynamic detection methods capable of adapting to the evolving nature of Gootloader, including:

  • File Integrity Monitoring (FIM): Monitor for changes in critical files and directories to detect unauthorized modifications.
  • Behavioral Analysis: Utilize behavioral analysis tools to detect suspicious activities, such as abnormal file access patterns or unexpected outbound network traffic.
  • Endpoint Detection and Response (EDR): Deploy EDR solutions to provide real-time monitoring, deep visibility, and automated response capabilities.

Reference

IoCs (Indicators of Compromise)

Yara Rule

rule gootloader_zip_archive_2025_11_17 : malware {
  meta:
    name = "gootloader_zip_archive"
    description = "Detects unique ZIP archive format used by Gootloader"
    created = "2025-11-17"
    reliability = 100
    tlp = "TLP:CLEAR"
    sample = "b05eb7a367b5b86f8527af7b14e97b311580a8ff73f27eaa1fb793abb902dc6e"
  strings:
    // Local File Header: signature, version (low byte wildcarded), flags 0, method 8
    $zip_record_and_attacker_zip_parameters_hex = { 50 4B 03 04 ?? 00 00 00 08 00 }
    // 20-byte End of Central Directory record with no Comment Length field
    $end_of_central_directory = { 50 4B 05 06 0? 00 0? 00 00 00 01 00 ?? ?? 00 00 ?? ?? ?? 00 }
  condition:
    $zip_record_and_attacker_zip_parameters_hex at 0
    and #zip_record_and_attacker_zip_parameters_hex > 100
    and #end_of_central_directory > 100
}

About CyCraft

CyCraft is a cybersecurity company founded in 2017, focusing on autonomous AI technology. Headquartered in Taiwan, it has subsidiaries in Japan and Singapore. CyCraft provides professional cybersecurity services to government agencies, police and defense forces, banks, and high-tech manufacturers throughout the Asia-Pacific region. It has received strong backing from the CID Group and Pavilion Capital, a Temasek Holdings Private Limited subsidiary.
