GootLoader uses malformed ZIP files to bypass security controls

Pierluigi Paganini January 18, 2026

GootLoader malware uses malformed ZIP files made of hundreds of concatenated archives to evade detection.

GootLoader is used by ransomware actors for initial access, after which the foothold is handed off to other operators. Built to evade detection, it accounted for 11% of the malware observed bypassing security controls in recent years.

GootLoader runs on an access-as-a-service model: different groups use it to drop additional malicious payloads on compromised systems. GootLoader has been known to use fileless techniques to deliver threats such as the SunCrypt and REvil (Sodinokibi) ransomware, the Kronos trojan, and Cobalt Strike. In the past, GootLoader distributed malware masquerading as freeware installers and used legal documents as lures to trick users into downloading these files.

GootLoader is part of the GootKit malware family, which has been active since 2014. Mandiant tracks the threat actors behind GootKit as UNC2565.

After resurfacing in November 2025, GootLoader is now linked to Vanilla Tempest and Rhysida ransomware operations, and it uses malformed ZIP files in its first-stage loader to evade analysis.

GootLoader spreads as a ZIP file that contains a malicious JScript (.js) file. When the script is opened on Windows, it runs and starts the infection. The ZIP file is deliberately malformed so that many security and analysis tools cannot open it, while the extractor built into Windows can. The malware thus avoids automated analysis while still working for its victims.

“The actor creates a malformed archive as an anti-analysis technique. That is, many unarchiving tools are not able to consistently extract it, but one critical unarchiving tool seems to work consistently and reliably: the default tool built into Windows systems.” reads the report published by Expel. “By being inaccessible to many specialized tools (such as 7zip and WinRAR) it prevents many automated workflows from analyzing the contents of the file, but by being accessible to the default Windows unarchiver, it ensures that the actor’s target audience (potential victims) can open and run the JScript.”

The ZIP actually consists of hundreds of ZIP archives (500–1,000 in the observed samples) concatenated back to back. This still works because ZIP readers locate the archive from the End of Central Directory record at the end of the file, so an extractor that trusts the trailing record sees only the last archive and ignores everything in front of it. The number of concatenated archives is random and the file is generated at download time, so every download is unique and defenders cannot rely on file hashes or signatures.

The ZIP's directory structure is also partially broken and key metadata fields are randomized, which confuses many archive tools while the Windows extractor still opens the file. The archive itself is assembled on the victim's system from encoded data, so no complete ZIP crosses the network where it could be inspected. Together these tricks let the malware slip past file-based defenses and force security teams to rely on behavior-based detection instead of file signatures.

“The file consists of 500–1,000 ZIP archives concatenated together. Because ZIP archives are read from the end of the file, the ZIP archive can still function properly.” continues the report. “The number of ZIP archives concatenated together is random, and the ZIP archive itself is generated at the time of download.”
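To make the "read from the end" behavior concrete, the following is an added example (not code from the Expel report or from any GootLoader sample). It builds a blob of several small archives glued together, shows that a reader which trusts the trailing End of Central Directory (EOCD) record, Python's zipfile here, sees and extracts only the last archive, and then walks the blob front to back to enumerate every embedded archive. The archive count, file names and payload string are constructed for the demo; the splitter assumes well-formed (non-ZIP64) archives, so a sample whose directory fields have been deliberately corrupted, as the report describes, may fail the strict check and is then caught only by the looser EOCD count.

```python
"""Concatenated-ZIP demonstration and splitter (added example, constructed data)."""
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # End of Central Directory record signature
CDIR_SIG = b"PK\x01\x02"   # central directory file header signature
EOCD_LEN = 22              # fixed EOCD size, excluding the trailing comment
CDIR_LEN = 46              # fixed central directory header size

# Constructed stand-in for the .js payload; not a real GootLoader script.
PAYLOAD = b"WScript.Echo('constructed sample, not a real payload');"


def make_zip(name: str, data: bytes) -> bytes:
    """Build one small, well-formed ZIP archive in memory holding a single file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, data)
    return buf.getvalue()


def concat_zips(count: int) -> bytes:
    """Glue `count` archives back to back; only the last one carries the .js entry."""
    parts = [make_zip(f"filler{i}.txt", b"x" * (i + 1)) for i in range(count - 1)]
    parts.append(make_zip("payload.js", PAYLOAD))
    return b"".join(parts)


def names_seen_by_zipfile(blob: bytes) -> list:
    """What a reader that trusts the trailing EOCD sees: the last archive only.
    zipfile treats everything before that archive as prepended junk."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return zf.namelist()


def payload_seen_by_zipfile(blob: bytes) -> bytes:
    """The last archive's entry also extracts cleanly despite the junk in front."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return zf.read("payload.js")


def count_eocd_signatures(blob: bytes) -> int:
    """Cheap red flag: a well-formed single archive has exactly one EOCD record.
    Compressed data can contain these four bytes by chance, so a high count is
    a hint to investigate, not proof."""
    return blob.count(EOCD_SIG)


def _central_directory_names(blob: bytes, cd_start: int, n_entries: int) -> list:
    """Parse n_entries central directory headers beginning at cd_start."""
    names, off = [], cd_start
    for _ in range(n_entries):
        if blob[off:off + 4] != CDIR_SIG:
            break
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", blob, off + 28)
        names.append(blob[off + CDIR_LEN:off + CDIR_LEN + name_len].decode("utf-8", "replace"))
        off += CDIR_LEN + name_len + extra_len + comment_len
    return names


def split_concatenated_zip(blob: bytes) -> list:
    """Enumerate every embedded archive, front to back.

    Each archive's central directory offset is relative to that archive's own
    start, so the current start is tracked and a candidate EOCD is accepted
    only when the offset and size it declares line up exactly with where it
    was found. That rejects stray PK\\x05\\x06 bytes inside file data.
    ZIP64 records are not handled.
    """
    archives, start = [], 0
    pos = blob.find(EOCD_SIG, start)
    while pos != -1 and pos + EOCD_LEN <= len(blob):
        # EOCD: sig(4) disk(2) cd_disk(2) n_disk(2) n_total(2) cd_size(4) cd_off(4) comment_len(2)
        _, _, _, n_total, cd_size, cd_off, comment_len = struct.unpack_from("<HHHHIIH", blob, pos + 4)
        cd_start = start + cd_off
        if cd_start + cd_size == pos and blob[cd_start:cd_start + 4] == CDIR_SIG:
            archives.append(_central_directory_names(blob, cd_start, n_total))
            start = pos + EOCD_LEN + comment_len   # the next archive begins right after
            pos = blob.find(EOCD_SIG, start)
        else:
            pos = blob.find(EOCD_SIG, pos + 1)      # false positive inside data; keep scanning
    return archives


def is_concatenated(blob: bytes) -> bool:
    """Triage verdict: more than one consistent embedded archive."""
    return len(split_concatenated_zip(blob)) > 1


if __name__ == "__main__":
    sample = concat_zips(7)
    print("zipfile sees:", names_seen_by_zipfile(sample))
    print("EOCD records:", count_eocd_signatures(sample))
    print("embedded archives:", split_concatenated_zip(sample))
```

A sandbox or mail gateway that only opens the archive with a stock library will report a single harmless-looking .js entry and miss the hundreds of archives in front of it; counting EOCD records, or splitting the blob as above, turns the trick into a detection signal rather than an evasion.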

The attack starts by delivering an encoded blob that looks harmless while it is downloaded. In the user's browser, this data is decoded and repeatedly copied until the result is the ZIP file, so no complete archive crosses the network where security checks could inspect it. When the victim opens the ZIP, Windows shows the JScript (.js) file; running it launches the malware, creates a shortcut in the Startup folder for persistence, and hands off to PowerShell to continue the attack.

To defend against GootLoader, organizations should prevent .js files from running on double-click (for example, by using Group Policy Objects (GPO) to make Notepad the default handler for .js files) and restrict or block wscript.exe and cscript.exe where they are not needed. Detection should focus on unusual ZIP behavior, script execution from temp folders, startup shortcut creation, and suspicious process chains such as cscript.exe launching PowerShell.

“Detection should focus on the abnormal behavior of the ZIP archives and the subsequent process execution chain.” concludes the report.

  • “Monitor for wscript.exe executing a .js file located within the AppData\Local\Temp directory.
  • Monitor for the creation of .LNK files in the user’s Startup folder pointing to scripts in non-standard directories.
  • Flag instances where cscript.exe executes a .js file using legacy NTFS shortnames (e.g., FILENA~1.js).
  • Alert on the specific process tree: cscript.exe → powershell.exe”
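The four detections above, run over constructed endpoint telemetry, as an added example (not code from the Expel report). The event field names (type, image, parent_image, cmdline, target_file, lnk_target) are assumptions that would be mapped onto Sysmon or EDR fields in practice, and the .lnk target is assumed to have been resolved by the collector. The sample events are constructed: four from the chain described in the article, followed by two benign look-alikes that must not fire.

```python
"""Detection rules for the GootLoader execution chain (added example, constructed events)."""
import re

# Explorer extracts a double-clicked ZIP entry under AppData\Local\Temp\Temp1_<zipname>\.
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
JS_FILE_RE = re.compile(r"\.js\b", re.IGNORECASE)
# Legacy 8.3 short names: up to six characters, a tilde and a digit, e.g. FILENA~1.js
SHORTNAME_JS_RE = re.compile(r"[^\\\s\"]{1,6}~\d+\.js\b", re.IGNORECASE)
# Per-user Startup folder, and where a legitimate shortcut there normally points.
STARTUP_DIR_RE = re.compile(r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
STANDARD_TARGET_RE = re.compile(r"^[A-Z]:\\(Program Files( \(x86\))?|Windows)\\", re.IGNORECASE)


def image_name(path: str) -> str:
    """Last path component, lower-cased, e.g. 'wscript.exe'."""
    return path.rsplit("\\", 1)[-1].lower()


def rule_wscript_temp_js(ev: dict) -> bool:
    """wscript.exe executing a .js file located under AppData\\Local\\Temp."""
    return (ev["type"] == "process" and image_name(ev["image"]) == "wscript.exe"
            and bool(TEMP_DIR_RE.search(ev["cmdline"])) and bool(JS_FILE_RE.search(ev["cmdline"])))


def rule_startup_lnk_nonstandard(ev: dict) -> bool:
    """.lnk created in the Startup folder that points outside Program Files / Windows."""
    return (ev["type"] == "file" and ev["target_file"].lower().endswith(".lnk")
            and bool(STARTUP_DIR_RE.search(ev["target_file"]))
            and not STANDARD_TARGET_RE.match(ev.get("lnk_target", "")))


def rule_cscript_shortname_js(ev: dict) -> bool:
    """cscript.exe running a .js referenced by an 8.3 short name (FILENA~1.js)."""
    return (ev["type"] == "process" and image_name(ev["image"]) == "cscript.exe"
            and bool(SHORTNAME_JS_RE.search(ev["cmdline"])))


def rule_cscript_to_powershell(ev: dict) -> bool:
    """Process tree cscript.exe -> powershell.exe."""
    return (ev["type"] == "process" and image_name(ev["image"]) == "powershell.exe"
            and image_name(ev["parent_image"]) == "cscript.exe")


RULES = {
    "wscript_temp_js": rule_wscript_temp_js,
    "startup_lnk_nonstandard": rule_startup_lnk_nonstandard,
    "cscript_shortname_js": rule_cscript_shortname_js,
    "cscript_to_powershell": rule_cscript_to_powershell,
}


def evaluate(events: list) -> list:
    """Return (event index, rule name) for every rule that fires."""
    return [(i, name) for i, ev in enumerate(events) for name, rule in RULES.items() if rule(ev)]


# Constructed telemetry (assumed field names), not real logs.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\AppData\Local\Temp\Temp1_contract.zip\contract_agreement.js"'},
    {"type": "file", "image": r"C:\Windows\System32\wscript.exe",
     "target_file": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\contract.lnk",
     "lnk_target": r"C:\Users\alice\AppData\Roaming\Contract\contract agreement.js"},
    {"type": "process", "image": r"C:\Windows\System32\cscript.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"cscript.exe C:\Users\alice\AppData\Roaming\Contract\CONTRA~1.js"},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r'powershell.exe -NoProfile -WindowStyle Hidden -Command "Get-Date"'},
    # Benign look-alikes: a vendor logon script and a normal application shortcut.
    {"type": "process", "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'wscript.exe "C:\Program Files\Vendor\logon.vbs"'},
    {"type": "file", "image": r"C:\Windows\explorer.exe",
     "target_file": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Slack.lnk",
     "lnk_target": r"C:\Program Files\Slack\slack.exe"},
]


if __name__ == "__main__":
    for index, rule_name in evaluate(SAMPLE_EVENTS):
        print(f"event {index}: {rule_name}")
```

Each rule is deliberately narrow; the value comes from correlating them on one host within a short window, since a wscript.exe launch from Temp alone is noisy in environments that still rely on logon scripts, while the full chain from Temp to a Startup .lnk to cscript.exe spawning PowerShell is rarely legitimate.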

(SecurityAffairs – hacking, malware)
