Full Report
The JavaScript (aka JScript) malware loader called GootLoader has been observed using a malformed ZIP archive that's designed to sidestep detection efforts by concatenating anywhere from 500 to 1,000 archives. "The actor creates a malformed archive as an anti-analysis technique," Expel security researcher Aaron Walton said in a report shared with The Hacker News. "That is, many unarchiving tools
Analysis Summary
# Tool/Technique: Malformed Concatenated ZIP Archive (GootLoader Technique)
## Overview
A highly evasive delivery technique employed by the GootLoader malware loader: a malformed ZIP archive built by concatenating 500 to 1,000 individual ZIP archives. The construction is tuned so that third-party unarchivers (such as 7-Zip and WinRAR) and the automated analysis tools built on them fail to parse the file, while the native Windows unarchiver (File Explorer's compressed-folder support) still opens it and lets the victim extract and run the JScript payload.
## Technical Details
- Type: Technique (Delivery/Evasion)
- Platform: Windows (the technique depends on the native Windows unarchiver accepting what other tools reject)
- Capabilities: Bypasses automated analysis sandboxes and third-party unarchivers; ensures the payload still extracts and runs on victim machines; "hashbusting" so every delivered sample has a unique file hash.
- First Seen: Not precisely dated in the source; described as recently observed in reporting from the October 2025 / January 2026 timeframe.
## MITRE ATT&CK Mapping
- **TA0042 - Resource Development**
- T1608.006 - Stage Capabilities: SEO Poisoning (compromised WordPress sites surfaced to victims via search results/malvertising)
- **TA0001 - Initial Access**
- T1189 - Drive-by Compromise (the archive is downloaded from a compromised site, not delivered as a mail attachment)
- **TA0002 - Execution**
- T1204.002 - User Execution: Malicious File (victim opens the extracted `.js`)
- T1059.007 - Command and Scripting Interpreter: JavaScript (JScript run by `wscript.exe`/`cscript.exe`)
- T1059.001 - Command and Scripting Interpreter: PowerShell (used in later stages to execute the second payload)
- **TA0003 - Persistence**
- T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (`.LNK` dropped in the Startup folder)
- **TA0005 - Defense Evasion**
- T1027 - Obfuscated Files or Information (malformed/concatenated archive, hashbusting)
- T1140 - Deobfuscate/Decode Files or Information (XOR-encoded blob decoded in the victim's browser)
## Functionality
### Core Capabilities
- **Archive Manipulation:** Concatenating 500 to 1,000 individual ZIP archives into a single file, so the result carries many local-header/central-directory/EOCD sequences back to back instead of one.
- **Evasion via Truncation:** The End of Central Directory (EOCD) record is cut short by two bytes (its trailing comment-length field is missing), so parsers that validate the EOCD before reading the central directory reject the archive as corrupt.
- **Hashbusting:** Non-critical ZIP header fields (for example the EOCD disk-number fields) are filled with random values, so every delivered archive has a different hash and hash-based signatures or sample tracking never match twice.
- **Selective Execution:** Exploits the divergence between third-party unarchivers, which fail on the malformed structure, and the built-in Windows unarchiver, which opens it (normally when the victim double-clicks the archive in File Explorer), so the payload extracts only where it is meant to run.
- **Client-Side Construction:** The initial download is an XOR-encoded blob that script running in the victim's browser decodes and repeatedly appends to itself until the intended size is reached. No complete ZIP ever crosses the network, so network controls that inspect or block ZIP transfers never see one.
### Advanced Features
- **Persistence Mechanism:** Creating a Windows Shortcut (.LNK) file in the Startup folder.
- **Staged Execution:** Using the first JavaScript payload to launch a second JavaScript file via `cscript.exe`, which then spawns PowerShell commands for the next stage of infection.
## Indicators of Compromise
- File Hashes: Unique per delivery due to hashbusting; hash-based blocking is not useful.
- File Names: Not specified in the source; the archives are served from compromised WordPress sites, with lures potentially themed around legal templates.
- Registry Keys: None reported; persistence is file-based (a `.LNK` in the Startup folder), not a Run key.
- Network Indicators: Not detailed in the provided context, which focuses on the archive mechanism.
- Behavioral Indicators:
- A ZIP that third-party unarchivers or sandboxes reject as corrupt but that File Explorer opens (multiple EOCD records from the concatenation, a truncated final EOCD, non-zero disk-number fields).
- `wscript.exe` or `cscript.exe` executing a `.js` file from a temporary directory (File Explorer extracts a double-clicked archive member to a `Temp1_<archive name>` folder under `%TEMP%` before launching it).
- Creation of shortcuts in the Windows Startup folder.
- `cscript.exe` subsequently spawning PowerShell processes.
## Associated Threat Actors
- GootLoader operations (Threat actor identity not explicitly named in the context, but the technique is attributed to the GootLoader operator).
## Detection Methods
- **Signature-based detection:** Ineffective against unique hashes generated by hashbusting.
- **Behavioral detection:** Monitoring for:
- Archives that fail structural validation in a standards-conforming ZIP parser (truncated EOCD, more than one EOCD record, non-zero disk-number fields) yet are opened by File Explorer; treat "corrupt but still opens" as a signal rather than noise.
- `wscript.exe` or `cscript.exe` launching `.js`/`.jse` files that originate from a downloaded archive, particularly from `%TEMP%`.
- Creation of `.LNK` files in the Startup directory, followed by `cscript.exe` spawning PowerShell.
- **YARA rules if available:** (Not provided in the context.)
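The archive-level traits described above (concatenation, the two-byte EOCD truncation, randomised disk-number fields) and the "fails in a strict parser, opens in a lenient one" behaviour can all be checked offline. The following Python is an added example, not Expel's analysis code and not GootLoader's own tooling: it builds a constructed look-alike archive (a handful of STORED placeholder members instead of 500 to 1,000, seeded pseudo-random values instead of true randomness), shows CPython's central-directory-driven `zipfile` rejecting the truncated file and seeing only the last member of an untruncated concatenation, and walks local file headers the way a lenient extractor would to recover every member. All function names are mine.

```python
import hashlib
import io
import random
import struct
import zipfile

LFH_SIG = b"PK\x03\x04"   # local file header signature
EOCD_SIG = b"PK\x05\x06"  # end of central directory (EOCD) signature
LFH_LEN = 30              # fixed part of a local file header
EOCD_LEN = 22             # fixed part of the EOCD; an optional comment may follow


def build_member_zip(name, data, disk_number=0):
    """One-member STORED archive with a fixed timestamp, so its bytes change only
    with `disk_number`, which is stamped into the EOCD 'number of this disk' field
    (a non-critical field of the kind the report says GootLoader randomises)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(zipfile.ZipInfo(name, date_time=(2025, 1, 1, 0, 0, 0)), data)
    raw = bytearray(buf.getvalue())
    struct.pack_into("<H", raw, raw.rfind(EOCD_SIG) + 4, disk_number)
    return bytes(raw)


def sample_members(n):
    # Constructed placeholder members standing in for the real JScript payload.
    return [(f"part{i}.txt", f"placeholder member {i}\n".encode()) for i in range(n)]


def build_gootloader_style_zip(members, truncate=True, hashbust_seed=None):
    """Concatenate one archive per member (the report describes 500 to 1,000), give
    each a seeded random disk number when asked, and drop the final two bytes:
    the comment-length field that closes the last EOCD."""
    rng = random.Random(hashbust_seed) if hashbust_seed is not None else None
    blob = b"".join(
        build_member_zip(name, data, rng.randrange(1, 0x10000) if rng else 0)
        for name, data in members
    )
    return blob[:-2] if truncate else blob


def strict_namelist(blob):
    """Member names as seen by a central-directory parser (CPython's zipfile);
    None when it rejects the file outright."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return None


def lenient_walk(blob):
    """Walk local file headers from offset 0 and ignore the central directory, as a
    streaming extractor does; members with a data descriptor (flag bit 3) carry no
    size in the header, so the walk simply resynchronises on the next signature."""
    names, pos = [], 0
    while (pos := blob.find(LFH_SIG, pos)) >= 0 and pos + LFH_LEN <= len(blob):
        flags = struct.unpack_from("<H", blob, pos + 6)[0]
        csize = struct.unpack_from("<I", blob, pos + 18)[0]
        nlen, elen = struct.unpack_from("<HH", blob, pos + 26)
        names.append(blob[pos + LFH_LEN:pos + LFH_LEN + nlen].decode("utf-8", "replace"))
        pos += LFH_LEN + nlen + elen + (0 if flags & 0x08 else csize)
    return names


def scan_for_gootloader_traits(blob):
    """Structural indicators a detection rule can key on, next to the strict and
    lenient member views so the parser divergence is visible in one place."""
    eocd_offsets, pos = [], 0
    while (pos := blob.find(EOCD_SIG, pos)) >= 0:
        eocd_offsets.append(pos)
        pos += len(EOCD_SIG)
    truncated, disk_numbers = False, set()
    for off in eocd_offsets:
        if off + EOCD_LEN > len(blob):  # fixed part of the record is cut short
            truncated = True
            continue
        disk, cd_disk, _, _, _, _, comment_len = struct.unpack_from("<HHHHIIH", blob, off + 4)
        if disk or cd_disk:  # spanned (multi-disk) archives are effectively extinct
            disk_numbers.add(disk)
        if off + EOCD_LEN + comment_len > len(blob):  # claims a comment it lacks
            truncated = True
    traits = {
        "eocd_records": len(eocd_offsets),
        "concatenated": len(eocd_offsets) > 1,
        "eocd_truncated": truncated,
        "nonzero_disk_numbers": disk_numbers,
        "strict_members": strict_namelist(blob),
        "lenient_members": lenient_walk(blob),
    }
    traits["suspicious"] = traits["concatenated"] or truncated or bool(disk_numbers)
    return traits


def hashbust_digests(members, seeds):
    """SHA-256 of the same logical payload built once per seed: a new digest every
    time, which is why hash-based signatures never match a second delivery."""
    return {hashlib.sha256(build_gootloader_style_zip(members, True, s)).hexdigest()
            for s in seeds}
```

Running `scan_for_gootloader_traits(build_gootloader_style_zip(sample_members(5), hashbust_seed=7))` reports five EOCD records, `eocd_truncated` True, `strict_members` None (CPython's `zipfile` raises `BadZipFile` because the last EOCD is two bytes short) and five `lenient_members`. Building with `truncate=False` makes the file acceptable to `zipfile` again, but it then reports only `part4.txt`: a central-directory parser locates the last EOCD and never looks at the earlier archives, which is the other half of the divergence the loader relies on. Two caveats for production use: signature scanning can hit the same four bytes inside compressed data by chance, so treat the counts as a triage heuristic and confirm by parsing, and real samples use hundreds of members and genuinely random field values rather than the seeded stand-ins here.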
## Mitigation Strategies
- **Prevention Measures:** Block execution of Windows Script Host files (`.js`, `.jse`) by default, especially when launched from File Explorer's context menu or by a double-click on a downloaded archive member.
- **Hardening Recommendations:**
1. Use Group Policy (or a scripted file-association change) to make `.js` and `.jse` open in a plain text editor such as Notepad, so a double-click displays the script instead of handing it to `wscript.exe`.
2. Block `wscript.exe` and `cscript.exe` (for example with AppLocker or Windows Defender Application Control) where they are not strictly required for business operations, or at least deny them scripts located in user-writable paths such as `%TEMP%` and Downloads.
3. Tune endpoint detection and response (EDR) to monitor and block the post-extraction chain: `.js` execution from `%TEMP%` -> `.LNK` creation in the Startup folder -> `cscript.exe` -> PowerShell.
## Related Tools/Techniques
- GootLoader (Malware family)
- SEO Poisoning/Malvertising (initial distribution vector; the archives are served from compromised WordPress sites)
- WOFF2 glyph substitution (A related, contemporary obfuscation technique used by the same actor).