The GootLoader malware loader has evolved its evasion techniques and now delivers concatenated ZIP archives: 500 to 1,000 individual ZIP files appended into a single download. Which file comes out depends on the parser that opens it. Most security tools extract a harmless decoy, while Windows Explorer extracts the actual malicious payload. The technique blinds much of the analysis tooling while remaining fully functional for victims.
Technique overview
| Attribute | Details |
|---|---|
| Malware family | GootLoader |
| Evasion method | Concatenated ZIP archives |
| Archives per file | 500 to 1,000 |
| Discovery | Expel Security Research |
| Ransomware links | Rhysida, REvil, BlackCat, INC |
| First observed | November 2025 (return from hiatus) |
How it works
| Aspect | Details |
|---|---|
| ZIP parsing | Readers locate the End of Central Directory (EOCD) record at the end of the file |
| Concatenation | Hundreds of complete ZIPs appended back to back |
| Last archive | Owns the final EOCD; contains the malicious payload |
| Previous archives | Leading junk to an EOCD-driven reader; contain decoy/harmless files |
The ZIP format is read from the end: a conforming extractor scans backwards for the End of Central Directory (EOCD) record and follows it to the central directory, which is the authoritative list of entries. In a concatenated file the last appended archive owns the final EOCD, so its entries are the ones a conforming extractor sees; every earlier archive is, to that extractor, opaque leading junk that does not affect extraction. A tool that instead walks local file headers forward from offset 0 reaches the first archive's central directory and stops, so it sees only the decoy. The same bytes thus have two valid readings, and that is what confuses security tools.
| Tool | Extraction result |
|---|---|
| Windows Explorer | Malicious .JS file |
| 7-Zip | Harmless .TXT file |
| WinRAR | Varies |
| Security scanners | Often extract decoy |
The same archive therefore produces completely different results depending on which tool opens it. Windows' built-in extraction reliably produces the malicious JavaScript, while third-party extractors and security scanners often produce only the harmless decoy. A sandbox that unpacks with a forward-scanning library, scores the decoy as benign, and releases the sample never sees the payload at all.
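The divergence above, reproduced on a constructed file. This is an added example written for this page, not GootLoader code or Expel's tooling: it builds a small concatenation (a handful of decoy archives plus one archive whose member is named like a lure, with placeholder text rather than a real payload), then lists the members three ways: by following the final EOCD record as a conforming reader does, via Python's own zipfile module, and by walking local file headers forward from offset 0 as a streaming reader does. It also measures the junk-prefix length, which is non-zero only for concatenated input.

```python
import io
import struct
import zipfile

LOCAL_HEADER_SIG = b"PK\x03\x04"    # local file header, precedes each member's data
CENTRAL_HEADER_SIG = b"PK\x01\x02"  # central directory file header
EOCD_SIG = b"PK\x05\x06"            # end of central directory record


def build_concatenated_zip(n_decoys: int = 5) -> bytes:
    """Constructed sample (not a real GootLoader file): n_decoys harmless
    single-member archives followed by one archive whose member name mimics
    the lure. Its content is a text placeholder, not malware."""
    def one_archive(name: str, content: str) -> bytes:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, content)
        return buf.getvalue()

    parts = [one_archive(f"decoy_{i}.txt", "nothing to see here\n")
             for i in range(n_decoys)]
    parts.append(one_archive("invoice.js", "// placeholder standing in for the payload\n"))
    return b"".join(parts)


def _locate_central_directory(data: bytes) -> tuple[int, int, int]:
    """Find the last EOCD record the way a conforming reader does (scan
    backwards from EOF) and return (cd_start, n_entries, declared_cd_offset)."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no EOCD record: not a ZIP file")
    # EOCD body: disk(2) cd_disk(2) entries_this_disk(2) entries_total(2)
    #            cd_size(4) cd_offset(4) comment_len(2)
    _, _, _, n_entries, cd_size, cd_offset, _ = struct.unpack_from("<HHHHIIH", data, eocd + 4)
    # The central directory sits immediately before the EOCD record. Derive its
    # position from where EOCD was found rather than trusting cd_offset, which
    # is relative to the start of the *last* appended archive, not the file.
    return eocd - cd_size, n_entries, cd_offset


def members_via_eocd(data: bytes) -> list[str]:
    """Entries an EOCD-driven extractor sees (the reading the page attributes
    to Windows Explorer)."""
    pos, n_entries, _ = _locate_central_directory(data)
    names = []
    for _ in range(n_entries):
        if data[pos:pos + 4] != CENTRAL_HEADER_SIG:
            raise ValueError(f"bad central directory header at offset {pos}")
        # name_len(2) extra_len(2) comment_len(2) start at offset 28; name at 46
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        names.append(data[pos + 46:pos + 46 + name_len].decode("utf-8"))
        pos += 46 + name_len + extra_len + comment_len
    return names


def members_via_forward_scan(data: bytes) -> list[str]:
    """Entries a streaming reader sees when it walks local file headers from
    offset 0 and stops at the first central directory it meets: only the
    first concatenated archive is ever visited. Assumes no data descriptors
    (general-purpose flag bit 3), which holds for archives zipfile writes to
    a seekable buffer."""
    pos, names = 0, []
    while data[pos:pos + 4] == LOCAL_HEADER_SIG:
        # local header: csize(4) at offset 18, name_len(2)/extra_len(2) at 26, name at 30
        csize = struct.unpack_from("<I", data, pos + 18)[0]
        name_len, extra_len = struct.unpack_from("<HH", data, pos + 26)
        names.append(data[pos + 30:pos + 30 + name_len].decode("utf-8"))
        pos += 30 + name_len + extra_len + csize
    return names


def members_via_stdlib(data: bytes) -> list[str]:
    """Python's zipfile follows the EOCD and corrects for leading junk, so it
    lands on the last archive too."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


def junk_prefix_length(data: bytes) -> int:
    """Bytes in front of the archive the EOCD describes: 0 for a well-formed
    single ZIP, the combined size of all earlier archives for a concatenation.
    A non-zero value is itself a cheap triage signal."""
    cd_start, _, cd_offset = _locate_central_directory(data)
    return cd_start - cd_offset


if __name__ == "__main__":
    sample = build_concatenated_zip(5)
    print("EOCD reader   :", members_via_eocd(sample))          # ['invoice.js']
    print("stdlib zipfile:", members_via_stdlib(sample))        # ['invoice.js']
    print("forward scan  :", members_via_forward_scan(sample))  # ['decoy_0.txt']
    print("junk prefix   :", junk_prefix_length(sample), "bytes")
```

Five decoys keep the run instant; the real samples carry hundreds, but the parsing outcome is the same. Note that the standard-library reader also lands on the payload, so a Python-based sandbox is not automatically fooled: which member a given tool returns depends on the extraction library it uses, which is why the sandbox behaviour has to be tested rather than assumed.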
Anti-analysis features
Per-victim generation
| Feature | Purpose |
|---|---|
| On-the-fly generation | Each victim gets a unique archive |
| Randomized metadata | Defeats static signatures |
| Hashbusting | No two files share hashes |
| Dynamic structure | Archive count varies |
Detection challenges
| Challenge | Impact |
|---|---|
| Tool inconsistency | Sandboxes may not see the payload |
| Static analysis failure | Signatures don't match |
| Dynamic variation | Behavioral patterns change |
| Legitimate format | Uses valid ZIP structures |
Ransomware connections
GootLoader serves as initial access for multiple ransomware operations:
| Ransomware | Relationship |
|---|---|
| Rhysida | Current active partnership |
| REvil | Historical |
| BlackCat/ALPHV | Historical |
| INC Ransomware | Recent |
| Zeppelin | Historical |
| Quantum Locker | Historical |
According to Huntress, GootLoader’s developer is currently working with Vanilla Tempest, a threat actor leveraging Rhysida ransomware.
Detection and mitigation
YARA rule indicators
Expel created detection rules looking for:
| Indicator | Threshold |
|---|---|
| Local file header signatures (PK\x03\x04) | >100 occurrences |
| End of Central Directory records (PK\x05\x06) | >100 occurrences |
| Archive structure anomalies | Multiple EOCD markers in one file |
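The two thresholds in the table, as an added example written for this page (not Expel's published rule): a YARA rendering of the condition, a Python check that implements the same logic, and two constructed inputs to exercise it, a legitimate archive with 150 members and a concatenation of 120 decoy archives plus one lure-named archive with placeholder content. The sample builder, thresholds and rule name are this example's own choices.

```python
import io
import zipfile

LOCAL_HEADER_SIG = b"PK\x03\x04"
EOCD_SIG = b"PK\x05\x06"
THRESHOLD = 100  # ">100 occurrences" from the indicator table

# The same thresholds rendered as a YARA rule. Illustrative rule written for
# this page, not Expel's published rule.
YARA_RULE = r"""
rule suspicious_concatenated_zip
{
    strings:
        $lfh  = { 50 4B 03 04 }  // local file header
        $eocd = { 50 4B 05 06 }  // end of central directory record
    condition:
        uint32(0) == 0x04034B50 and #lfh > 100 and #eocd > 100
}
"""


def count_zip_markers(data: bytes) -> dict:
    """Count the two structural signatures the rule keys on. A normal archive
    has exactly one EOCD record however many members it holds; every
    appended archive adds another."""
    return {
        "local_file_headers": data.count(LOCAL_HEADER_SIG),
        "eocd_records": data.count(EOCD_SIG),
    }


def is_suspicious_concatenation(data: bytes, threshold: int = THRESHOLD) -> bool:
    """Python equivalent of the YARA condition above."""
    if not data.startswith(LOCAL_HEADER_SIG):
        return False
    counts = count_zip_markers(data)
    return counts["local_file_headers"] > threshold and counts["eocd_records"] > threshold


def _single_member_zip(name: str, content: bytes) -> bytes:
    # Fixed timestamp keeps the header bytes deterministic across runs.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(zipfile.ZipInfo(name, date_time=(2025, 1, 1, 0, 0, 0)), content)
    return buf.getvalue()


def make_samples() -> dict:
    """Constructed inputs, not real malware: a legitimate 150-member archive
    (many local headers, one EOCD) and 120 decoy archives concatenated with
    one archive whose member mimics the lure (placeholder text)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for i in range(150):
            zf.writestr(zipfile.ZipInfo(f"doc_{i}.txt", date_time=(2025, 1, 1, 0, 0, 0)),
                        b"legitimate content\n")
    legit = buf.getvalue()

    concat = b"".join(_single_member_zip(f"decoy_{i}.txt", b"harmless\n") for i in range(120))
    concat += _single_member_zip("invoice.js", b"// placeholder standing in for the payload\n")
    return {"legit_many_members": legit, "concatenated": concat}


if __name__ == "__main__":
    for label, blob in make_samples().items():
        verdict = "suspicious" if is_suspicious_concatenation(blob) else "clean"
        print(label, count_zip_markers(blob), verdict)
```

The EOCD count is the discriminating term: a large legitimate archive crosses the local-header threshold on its own but still has a single EOCD record. Stored (uncompressed) .zip members inside an archive, or self-extracting bundles, can contribute extra EOCD signatures, so treat a hit as a triage flag rather than a conviction, and pair it with the junk-prefix measurement from the extraction example and with the wscript.exe/cscript.exe controls listed below.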
Recommended mitigations
| Priority | Action |
|---|---|
| High | Block wscript.exe from executing downloaded scripts |
| High | Block cscript.exe from executing downloaded scripts |
| High | Set JavaScript (.js) to open in Notepad by default (GPO) |
| Medium | Monitor for anomalous ZIP structures |
| Medium | Implement download file inspection |
Group Policy configuration
| Setting | Value |
|---|---|
| Default handler for .js | notepad.exe |
| Script host restrictions | Block downloaded scripts |
| Execution policy | Limit to signed scripts |
Timeline
| Date | Event |
|---|---|
| 2014 | Gootkit, the banking trojan from which GootLoader descends, first observed |
| 2020-2024 | Active campaigns delivering multiple ransomware families |
| Mid-2025 | Operational hiatus |
| November 2025 | Returns with the concatenated ZIP evasion technique |
| January 2026 | Expel publishes analysis |
Indicators of compromise
Behavioral indicators
| Indicator | Detection |
|---|---|
| wscript.exe spawning child processes | Process monitoring |
| Large ZIP with many headers | File analysis |
| JavaScript execution from download locations | Execution logging |
| Outbound C2 connections | Network monitoring |
File characteristics
| Characteristic | Description |
|---|---|
| File size | Unusually large for the content extracted |
| Structure | Multiple ZIP headers and EOCD records |
| Extraction variance | Different tools, different results |
Recommendations
For security teams
| Priority | Action |
|---|---|
| Critical | Update detection rules for concatenated/malformed ZIPs |
| High | Test sandbox extraction behavior against concatenated archives |
| High | Monitor for GootLoader IoCs |
| Medium | Review script execution policies |
For organizations
| Priority | Action |
|---|---|
| High | Implement script blocking policies |
| High | Use application allowlisting |
| Medium | Deploy behavioral detection |
| Medium | Train users on ZIP file risks |
Context
GootLoader's concatenated ZIP technique is a clever exploitation of how different tools implement the ZIP specification. By creating archives that extract differently depending on the tool used, attackers ensure their payload reaches victims while evading security inspection.
The technique's effectiveness stems from a fundamental inconsistency: security tools often rely on third-party libraries that handle this edge case differently from Windows' native implementation. When a sandbox extracts a harmless text file and marks the archive as safe, the victim's Windows Explorer extracts the malicious JavaScript from the very same file.
GootLoader's return from hiatus with enhanced evasion capabilities, combined with its partnership with Rhysida ransomware operations, signals continued investment in the malware's development. Organizations should expect this technique to spread to other malware families as its effectiveness becomes apparent.
The recommended mitigation, changing the default .js handler via Group Policy, is simple and effective against this delivery chain: if a double-clicked .js file opens in Notepad instead of running under wscript.exe, the chain breaks regardless of what the ZIP contains. One caveat: the file-association change only governs what happens when a user opens the file from the shell; a script launched explicitly as wscript.exe or cscript.exe with a path argument still runs, which is why the script-host restrictions above belong alongside it.