The Gootloader malware campaign has adopted a sophisticated evasion technique using malformed ZIP archives composed of up to 1,000 concatenated parts. These complex archives are designed to crash standard analysis tools like 7-Zip and WinRAR while still being successfully unpacked by the default Windows extraction utility. This allows the malicious JScript payload to be delivered and executed while bypassing many automated security scanners.
To further hinder analysis, the threat actors implement multiple obfuscation methods, including truncating critical directory records, randomizing disk number fields, and introducing mismatches between file headers. Each sample is uniquely generated, and the ZIP file is delivered as an XOR-encoded blob that is reassembled on the victim's machine, evading network-based detection. Once executed via Windows Script Host, the malware establishes persistence by placing shortcut files in the Startup folder.
Security researchers recommend changing the default application for JScript files to Notepad, so that opening one no longer executes it, and, where possible, blocking wscript.exe and cscript.exe from running downloaded content. They have also developed YARA rules that can identify these malformed archives based on structural anomalies, such as repeated file headers and corrupted end-of-directory records. This evolution highlights the ongoing arms race between malware authors and defensive security tools.
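As an added example (not code from the article or from the researchers' YARA rules), the checker below parses a ZIP's end-of-central-directory record and central directory and reports the structural inconsistencies the article lists: multiple concatenated parts, non-zero disk numbers, a truncated directory, local headers that disagree with their directory entries, and repeated file headers. The two archives it inspects are constructed inline; nothing here is taken from a real sample.

```python
import io
import struct
import zipfile

LFH_SIG, CDH_SIG, EOCD_SIG = b"PK\x03\x04", b"PK\x01\x02", b"PK\x05\x06"

def analyze_zip(data: bytes) -> list[str]:
    """Return structural anomalies found; [] means the layout is self-consistent."""
    findings = []
    eocds = [i for i in range(len(data) - 21) if data[i:i + 4] == EOCD_SIG]  # 22-byte record
    if not eocds:
        return ["no end-of-central-directory (EOCD) record"]
    if len(eocds) > 1:
        findings.append(f"{len(eocds)} EOCD records: concatenated archive parts")
    eocd = eocds[-1]  # lenient extractors honour the last EOCD
    this_disk, cd_disk, _, n_total, cd_size, cd_off = struct.unpack(
        "<HHHHII", data[eocd + 4:eocd + 20])
    if this_disk or cd_disk:
        findings.append(f"non-zero disk numbers {this_disk}/{cd_disk} in a one-part archive")
    if cd_off + cd_size > eocd:
        return findings + ["central directory extends past EOCD (truncated directory)"]
    pos, cd_entries = cd_off, 0  # walk the central directory entry by entry
    while pos + 46 <= len(data) and data[pos:pos + 4] == CDH_SIG:
        (_, _, _, comp, _, _, _, _, _, nlen, elen, clen,
         _, _, _, lho) = struct.unpack("<6H3I5H2I", data[pos + 4:pos + 46])
        name = data[pos + 46:pos + 46 + nlen]
        lh = data[lho:lho + 30 + nlen]  # the local file header this entry points at
        if (len(lh) < 30 + nlen or lh[:4] != LFH_SIG
                or struct.unpack_from("<H", lh, 8)[0] != comp or lh[30:] != name):
            findings.append(f"{name!r}: local header missing or disagrees with directory entry")
        pos, cd_entries = pos + 46 + nlen + elen + clen, cd_entries + 1
    if cd_entries == 0:
        return findings + ["no central directory header at the recorded offset"]
    if not cd_entries == n_total == data.count(LFH_SIG):
        findings.append(f"EOCD claims {n_total} entries, directory holds {cd_entries}, "
                        f"{data.count(LFH_SIG)} local file headers found")
    return findings

def build_zip(files: dict[str, bytes]) -> bytes:
    buf = io.BytesIO()  # well-formed archive built in memory (constructed test input)
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()

# Constructed samples: a clean archive, and two concatenated parts whose final EOCD has randomised disk numbers.
CLEAN = build_zip({"readme.txt": b"nothing to see"})
PARTS = build_zip({"decoy.txt": b"decoy"}) + build_zip({"note.js": b"stand-in text"})
LAST = PARTS.rfind(EOCD_SIG)
MALFORMED = PARTS[:LAST + 4] + struct.pack("<HH", 7, 3) + PARTS[LAST + 8:]
```

Run against a directory of downloads, any non-empty result is a candidate for closer inspection; a clean result only says the container is well formed, not that its contents are safe.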

