
Gootloader adopts massive multi-part ZIP files to evade analysis


Researchers say the malware now relies on extreme archive manipulation to bypass common security tools.


What happened

Researchers have identified a new way that Gootloader, a type of malicious software, is being delivered to victims. The technique relies on specially crafted ZIP files containing hundreds or even thousands of smaller ZIP archives joined together. When a file is opened using Windows’ built-in ZIP tool, the hidden malicious JavaScript file is extracted and runs as expected. Many security analysis tools, however, struggle to inspect these files and may fail or crash before detecting the threat. According to The Hacker News, the approach allows the malware to bypass defenses designed to block suspicious attachments before they reach users.

Gootloader is part of the broader GootKit malware family, which has been active since at least 2014. The malware is typically used as an initial access tool rather than a standalone threat. Its primary purpose is to quietly gain a foothold inside a system, allowing attackers to deploy follow-on payloads such as ransomware or data-stealing malware at a later stage. The delivery method has been observed in active campaigns since 2020 and remains effective because it exploits familiar file formats and built-in tools that many organizations and users trust.


Going deeper

A ZIP file is a compressed archive commonly used to bundle files together, and Windows can open these archives natively through File Explorer. The updated samples take advantage of how Windows parses ZIP files by reading the archive data from the end of the file, which allows malformed archives to extract successfully even when analysis tools struggle to process them.

Analysts observed archives containing between five hundred and one thousand repeated ZIP segments, along with truncated end-of-directory records, randomized disk number fields, and mismatches between file headers and directory metadata. Each download is uniquely generated, with the ZIP content delivered as an XOR-encoded blob that is rebuilt on the client side, reducing the effectiveness of static signatures and network inspection.
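As an added illustration (not code from the researchers or from the article), the Python scanner below reads a ZIP blob from the end of the file, the way Windows does, and flags the anomalies described above: concatenated segments (more than one end-of-central-directory record), truncated EOCD records, nonzero disk-number fields, and local file headers that disagree with the central directory. The sample it builds is constructed from benign segments only; field offsets follow the published ZIP format.

```python
import io, struct, zipfile

EOCD_SIG, CENTRAL_SIG, LOCAL_SIG = b"PK\x05\x06", b"PK\x01\x02", b"PK\x03\x04"

def scan_zip_bytes(data: bytes) -> list:
    # Returns anomaly flags for one ZIP blob; an empty list means nothing odd.
    flags = []
    eocd_count = data.count(EOCD_SIG)  # a well-formed archive has exactly one
    if eocd_count > 1:
        flags.append(f"multiple_eocd:{eocd_count}")  # concatenated segments
    pos = data.rfind(EOCD_SIG)  # parse from the end of the file, as Windows does
    if pos < 0:
        return flags + ["no_eocd"]
    if len(data) - pos < 22:  # the fixed part of the EOCD record is 22 bytes
        return flags + ["truncated_eocd"]
    disk_no, cd_disk, n_disk, n_total, cd_size, cd_off = struct.unpack(
        "<HHHHII", data[pos + 4:pos + 20])
    if disk_no or cd_disk:
        flags.append("nonzero_disk_numbers")
    if n_disk != n_total:
        flags.append("entry_count_mismatch")
    shift = pos - (cd_off + cd_size)  # prepended segments shift every stored offset
    p = cd_off + shift
    for _ in range(n_total):
        if data[p:p + 4] != CENTRAL_SIG:
            return flags + ["central_directory_corrupt"]
        name_len, extra_len, cmt_len = struct.unpack("<HHH", data[p + 28:p + 34])
        local = struct.unpack("<I", data[p + 42:p + 46])[0] + shift
        name = data[p + 46:p + 46 + name_len]
        if data[local:local + 4] != LOCAL_SIG:
            flags.append("local_header_missing:" + name.decode(errors="replace"))
        else:  # local header and central directory must agree on the file name
            lname_len = struct.unpack("<H", data[local + 26:local + 28])[0]
            if data[local + 30:local + 30 + lname_len] != name:
                flags.append("name_mismatch:" + name.decode(errors="replace"))
        p += 46 + name_len + extra_len + cmt_len
    return flags

def make_zip(name: str, payload: bytes) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()

def build_concatenated_sample(segments: int) -> bytes:
    # Constructed input: benign segments glued together, last EOCD disk number patched to 7.
    data = b"".join(make_zip(f"note{i}.txt", b"harmless") for i in range(segments))
    pos = data.rfind(EOCD_SIG)
    return data[:pos + 4] + struct.pack("<H", 7) + data[pos + 6:]
```

Counting EOCD records and checking the disk-number fields is cheap enough to run on mail-gateway attachments before handing the file to a full archive parser that might fail on it.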

Once extracted, the JavaScript executes through Windows Script Host, establishes persistence using startup shortcut files, and repeatedly launches additional scripts through PowerShell during system startup.


In the know

Researchers said the archive changes were designed to interfere with automated analysis without stopping the malware from running on victim systems. BleepingComputer reported that the file can be unpacked using Windows’ built-in ZIP utility, while common tools like 7-Zip and WinRAR fail.

They also said the corruption creates repeatable patterns defenders can key on, and noted a detection rule was published that “can consistently identify the current ZIP archives.” Researchers recommended reducing exposure by limiting scripting engines where they aren’t required and changing default file associations for JScript to reduce accidental execution.


The big picture

According to Security Affairs, Gootloader operates as an access-as-a-service model, with one group focused on breaking into systems and others taking over afterward. The malware itself is not tied to a single ransomware crew or end goal, which explains why it keeps resurfacing across different campaigns.

Links to malware such as REvil, SunCrypt, Kronos, and Cobalt Strike, as well as more recent ties to the Rhysida ransomware group, suggest Gootloader is being reused rather than rebuilt. Groups that already have access do not need to invest in their own delivery methods when a working loader is available.

Changes to archive structures and delivery techniques appear driven by practicality rather than experimentation. As long as Gootloader can reliably gain early access on Windows systems, it remains useful to a wide range of attackers, even as individual payloads and ransomware brands change.


FAQs

Why does Windows extract these files when other tools fail?

The built-in Windows ZIP handler is more tolerant of malformed archive structures and ignores some inconsistencies that cause third-party tools to stop processing.


Why is Gootloader often linked to ransomware incidents?

It is frequently used to establish early access, after which attackers deploy additional tooling for lateral movement, data theft, or ransomware execution.


What makes multi-part ZIP abuse effective against detection?

Large numbers of repeated headers and corrupted directory records overwhelm or crash analysis engines, delaying or preventing inspection.


How can organizations reduce exposure to this technique?

They can restrict the execution of WScript and CScript, block script-based files from user-writable directories, and review default file-handling policies.


Are malformed archives a new tactic?

No, but the scale and combination of corruption techniques used here show a continued shift toward delivery methods that exploit parser limitations rather than software vulnerabilities.
