Gootloader's Evasion Tactics: Exploiting Malformed ZIP Files

  • Jan 18
  • 1 min read

Key Findings


  • GootLoader malware uses malformed ZIP files made of hundreds of concatenated archives to evade detection.

  • GootLoader is used by ransomware actors for initial access, then handed off to others.

  • GootLoader runs on an access-as-a-service model and has been known to deliver threats like SunCrypt, REvil, Kronos, and Cobalt Strike.

  • The ZIP file is intentionally broken so many security and analysis tools can't open it, but Windows can, helping the malware avoid detection.


Background


  • GootLoader is part of the GootKit malware family, which has been active since 2014.

  • Mandiant tracks the threat actors behind GootKit as UNC2565.

  • After resurfacing in November 2025, GootLoader is now linked to Vanilla Tempest and Rhysida ransomware.


Malformed ZIP Technique


  • The ZIP file is 500-1,000 ZIP archives glued together. This still works because ZIP readers locate the central directory from the end-of-central-directory record at the tail of the file, so only the last archive is parsed and the rest is ignored.

  • Each download is unique, so security tools can't rely on file fingerprints.

  • The ZIP also has damaged and random metadata that confuses many analysis tools, while Windows can still open it.
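The structural mismatch described above is something a defender can check for directly: a file with many end-of-central-directory records and many local file headers, but a central directory that lists only a handful of entries, is not a normal archive. The following is an added illustration written for this summary, not code from the post or from the cited analyses; it builds a constructed sample of concatenated ZIPs in memory and then shows that Python's tail-parsing reader sees only the last archive while a signature count exposes the rest.

```python
import io
import zipfile

EOCD_SIG = b"PK\x05\x06"  # end of central directory record signature
LFH_SIG = b"PK\x03\x04"   # local file header signature


def build_concatenated_zip(n_archives: int) -> bytes:
    """Constructed sample: n small, independent ZIP archives glued end to end.
    Stored (uncompressed) members keep the byte layout predictable."""
    parts = []
    for i in range(n_archives):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
            zf.writestr(f"part{i}.txt", f"constructed archive {i}\n")
        parts.append(buf.getvalue())
    return b"".join(parts)


def analyze_zip(data: bytes) -> dict:
    """Compare raw structural signatures with what the trailing central
    directory claims. A single well-formed archive has exactly one EOCD
    record and as many local headers as listed entries."""
    eocd_count = data.count(EOCD_SIG)
    lfh_count = data.count(LFH_SIG)
    try:
        # zipfile, like Windows, trusts the EOCD nearest the end of the file
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        names = None
    listed = len(names) if names is not None else 0
    return {
        "eocd_records": eocd_count,
        "local_headers": lfh_count,
        "listed_entries": listed,
        "readable": names is not None,
        "visible_names": names or [],
        # more than one EOCD, or headers the directory never lists, is the tell
        "suspicious": eocd_count > 1 or lfh_count > listed,
    }


if __name__ == "__main__":
    for n in (1, 5):
        print(n, "archive(s):", analyze_zip(build_concatenated_zip(n)))
```

Real samples also carry deliberately corrupted metadata, so a production check should treat a `BadZipFile` on an otherwise signature-rich file as equally suspicious rather than as a reason to skip it.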


Infection Chain


  • The attack starts by sending victims an encoded file that looks harmless during download.

  • In the user's browser, this data is decoded and repeatedly copied until it becomes a ZIP file, bypassing security checks.

  • When the victim opens the archive, Windows Explorer shows the JavaScript file inside it. Running that file launches the malware.


Detection and Prevention


  • To detect GootLoader, focus on unusual ZIP behavior, script execution from temp folders, startup shortcut creation, and suspicious process chains.

  • Prevent JavaScript files from running by default, restrict or block wscript and cscript if not needed, and use GPO to open .js files in Notepad.


Sources


  • https://securityaffairs.com/187037/cyber-crime/gootloader-uses-malformed-zip-files-to-bypass-security-controls.html

  • https://www.scworld.com/news/how-gootloader-uses-malformed-zip-archives-to-evade-detection

  • https://www.facebook.com/groups/2600net/posts/4436889649867459/

  • https://www.threads.com/@thehackernews/post/DTlMXyCEwQi/goot-loader-now-uses-zip-files-glued-together-the-broken-zip-wont-open-in-win

© 2025 by Explain IT Again. Powered and secured by Wix