The JavaScript (aka JScript) malware loader called GootLoader has been observed using a malformed ZIP archive that’s designed to sidestep detection efforts by concatenating anywhere from 500 to 1,000 archives.
“The actor creates a malformed archive as an anti-analysis technique,” Expel security researcher Aaron Walton said in a report shared with The Hacker News. “That is, many unarchiving tools are not able to consistently extract it, but one critical unarchiving tool seems to work consistently and reliably: the default tool built into Windows systems.”
This leads to a scenario where the archive cannot be processed by tools like WinRAR or 7-Zip, and, therefore, prevents many automated workflows from analyzing the contents of the file. At the same time, it can be opened by the default Windows unarchiver, thereby ensuring that victims who fall victim to the social engineering scheme can extract and run the JavaScript malware.
GootLoader is typically distributed via search engine optimization (SEO) poisoning tactics or malvertising, targeting users looking for legal templates to take them to compromised WordPress sites hosting malicious ZIP archives. Like other loaders, it’s designed to deliver secondary payloads, including ransomware. The malware has been detected in the wild since at least 2020.
In late October 2025, malware campaigns propagating the malware resurfaced with new tricks: leveraging custom WOFF2 fonts with glyph substitution to obfuscate filenames and exploiting the WordPress comment endpoint (“/wp-comments-post.php”) to deliver the ZIP payloads when a user clicks a “Download” button on the site.
The latest findings from Expel highlight continued evolution of the delivery methods, with the threat actors employing more sophisticated obfuscation mechanisms to evade detection –
- Concatenate together 500-1,000 archives to craft the malicious ZIP file
- Truncate the archive’s end of central directory (EOCD) record such that it misses two critical bytes from the expected structure, triggering parsing errors
- Randomize values in non-critical fields, such as disk number and Number of Disks, causing unarchiving tools to expect a sequence of ZIP archives that are non-existent
“The random number of files concatenated together, and the randomized values in specific fields are a defense-evasion technique called ‘hashbusting,'” Walton explained.
“In practice, every user who downloads a ZIP file from GootLoader’s infrastructure will receive a unique ZIP file, so looking for that hash in other environments is futile. The GootLoader developer uses hashbusting for the ZIP archive and for the JScript file contained in the archive.”
The attack chain essentially involves the delivery of the ZIP archive as an XOR-encoded blob, which is decoded and repeatedly appended to itself on the client-side (i.e., on the victim’s browser) until it meets a set size, effectively bypassing security controls designed to detect the transmission of a ZIP file.
As soon as the downloaded ZIP archive is double-clicked by the victim, it will cause Windows’ default unarchiver to open the ZIP folder containing the JavaScript payload in File Explorer. Launching the JavaScript file, in turn, triggers its execution via “wscript.exe” from a temporary folder, since the file contents were not explicitly extracted.
The JavaScript malware then creates a Windows shortcut (LNK) file in the Startup folder to establish persistence, ultimately executing a second JavaScript file using cscript, spawning PowerShell commands to take the infection to the next stage. In previous GootLoader attacks, the PowerShell script is used to collect system information and receive commands from a remote server.
To counter the threat posed by GootLoader, organizations are advised to consider blocking “wscript.exe” and “cscript.exe” from executing downloaded content if not required and use a Group Policy Object (GPO) to ensure that JavaScript files are opened in Notepad by default, instead of executing them via “wscript.exe.”
