
GootLoader's Evasion Tactics: Exploiting Malformed ZIP Files

  • Jan 18
  • 1 min read

Key Findings


  • GootLoader malware uses malformed ZIP files made of hundreds of concatenated archives to evade detection.

  • GootLoader provides the initial access: its operators establish a foothold on the victim and then hand that access off to other actors, including ransomware crews.

  • GootLoader runs on an access-as-a-service model and has been known to deliver threats like SunCrypt, REvil, Kronos, and Cobalt Strike.

  • The ZIP file is deliberately malformed so that many security and analysis tools cannot open it, while Windows itself still can; the payload therefore slips past inspection but still reaches the user.


Background


  • GootLoader is part of the GootKit malware family, which has been active since 2014.

  • Mandiant tracks the threat actors behind GootKit as UNC2565.

  • After resurfacing in November 2025, GootLoader is now linked to Vanilla Tempest and Rhysida ransomware.


Malformed ZIP Technique


  • The file is 500 to 1,000 ZIP archives concatenated end to end. It still opens because ZIP readers locate an archive by scanning backward from the end of the file for the End of Central Directory record, so a reader that trusts the last such record sees only the final archive and ignores everything in front of it.

  • Each download is unique, so hash-based detection (file fingerprints) does not work against it.

  • The archive metadata is also deliberately corrupted and randomized, which breaks the parsers of many analysis tools while Windows still opens the file.


Infection Chain


  • The chain starts with the victim's browser receiving an encoded blob that looks harmless while it is in transit.

  • Script running in the browser decodes that data and assembles it, through repeated copying, into the ZIP file locally, so network-level security checks never see a ZIP being downloaded.

  • When the victim opens the archive, Windows shows a single JavaScript (.js) file. Running it launches the loader.


Detection and Prevention


  • To detect GootLoader, look for ZIP files with anomalous structure (many concatenated archives, corrupted metadata), script execution from temp folders, creation of shortcuts in the Startup folder, and suspicious parent-child process chains starting from the script host.

  • To prevent infection, stop .js files from executing on double-click, restrict or block wscript.exe and cscript.exe where they are not needed, and use Group Policy to change the .js file association so that those files open in Notepad instead.
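As an added example, not code from this page or from the GootLoader operators, the following Python script builds a constructed stand-in for the concatenated-archive technique described under Malformed ZIP Technique and then applies the "unusual ZIP structure" check from the detection list above. It shows both halves of the point: a standard ZIP reader that follows the trailing End of Central Directory record lists only the last archive, while a count over the raw bytes exposes the hundreds of archives that reader never reports. The decoy file names, the payload string and the archive count are invented for the demo; the corrupted-metadata aspect is not reproduced because the page gives no detail on it.

```python
"""Constructed demo: concatenated ZIP archives and a structural triage check.

All sample data is built in-process. Nothing here is GootLoader's own code.
"""
import io
import zipfile

LOCAL_FILE_HEADER = b"PK\x03\x04"   # signature that starts every stored entry
EOCD_SIGNATURE = b"PK\x05\x06"      # End of Central Directory record signature


def make_single_zip(name: str, data: bytes) -> bytes:
    """Return one well-formed, single-entry ZIP archive as bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, data)
    return buf.getvalue()


def build_concatenated_sample(archive_count: int) -> bytes:
    """Glue `archive_count` archives end to end, with the payload archive last.

    Constructed stand-in for the technique: many decoy archives followed by the
    one archive whose EOCD record sits at the very end of the file. The decoy
    names and the payload string are invented for this demo.
    """
    decoys = [
        make_single_zip(f"decoy_{i}.txt", b"filler " * 8)
        for i in range(archive_count - 1)
    ]
    payload = make_single_zip("document.js", b"WScript.Echo('stand-in payload');")
    return b"".join(decoys + [payload])


def entries_seen_by_parser(blob: bytes) -> list[str]:
    """Names listed by a reader that trusts the trailing EOCD record.

    Python's zipfile scans backward from the end of the file for the EOCD
    record, as the ZIP format prescribes, and corrects the central directory
    offsets for any bytes in front of that archive. It therefore reports only
    the final archive's entries and never inspects the archives before it.
    """
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return zf.namelist()


def payload_seen_by_parser(blob: bytes, name: str) -> bytes:
    """Extract one entry the same way a trailing-EOCD reader would."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return zf.read(name)


def triage(blob: bytes) -> dict:
    """Compare the parser's view with raw structure counts over the bytes.

    A single well-formed archive has exactly one EOCD record and as many local
    file headers as central directory entries. More EOCD records, or more local
    headers than the parser lists, means extra archives or entries are sitting
    in front of the trailing EOCD. A parse failure is itself a flag, since the
    page notes the metadata is corrupted on purpose to break analysis tools.
    """
    eocd_records = blob.count(EOCD_SIGNATURE)
    local_headers = blob.count(LOCAL_FILE_HEADER)
    try:
        listed = entries_seen_by_parser(blob)
        parse_error = None
    except zipfile.BadZipFile as exc:
        listed, parse_error = [], str(exc)
    hidden = local_headers - len(listed)
    return {
        "eocd_records": eocd_records,
        "local_headers": local_headers,
        "listed_entries": listed,
        "hidden_local_headers": hidden,
        "parse_error": parse_error,
        "suspicious": eocd_records != 1 or hidden > 0 or parse_error is not None,
    }


if __name__ == "__main__":
    sample = build_concatenated_sample(500)
    print(entries_seen_by_parser(sample))                                 # ['document.js']
    print(triage(sample)["eocd_records"])                                 # 500
    print(triage(make_single_zip("readme.txt", b"hello"))["suspicious"])  # False
```

The raw signature counts are a triage heuristic, not a parser: compressed or random file contents can contain those four-byte sequences by chance, so a production scanner should walk each local file header using its length fields and confirm that every header is accounted for by the central directory the reader actually used. The heuristic is still enough to separate a single well-formed archive from a file carrying hundreds of hidden ones.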


Sources


  • https://securityaffairs.com/187037/cyber-crime/gootloader-uses-malformed-zip-files-to-bypass-security-controls.html

  • https://www.scworld.com/news/how-gootloader-uses-malformed-zip-archives-to-evade-detection

  • https://www.facebook.com/groups/2600net/posts/4436889649867459/

  • https://www.threads.com/@thehackernews/post/DTlMXyCEwQi/goot-loader-now-uses-zip-files-glued-together-the-broken-zip-wont-open-in-win

© 2025 by Explain IT Again. Powered and secured by Wix
