
After a long period of silence, the Gootloader downloader malware has returned to the forefront.
Last November, the Huntress team detected a new campaign signaling the return of a developer previously associated with the Vanilla Tempest group. At the time, this group was using the Rhysida ransomware.
Expel's analysis of new Gootloader samples revealed that the author has returned to its previous role as an initial access provider, but now relies on improved camouflage techniques. The malware's return has been accompanied by updated tactics that make it more difficult to detect.

The main feature of the new approach is the use of an unusual ZIP archive, which at first glance appears corrupted. This technique allows attackers to bypass automatic analysis and hide from antivirus solutions, while still getting the malware to execute on victim systems.
Gootloader's distribution mechanism remains the same: the infection begins with a JScript file compressed in a ZIP archive. Opening the file launches PowerShell, establishing a malicious presence on the system. But it is the ZIP archive format that makes this campaign particularly noteworthy. The archives contain hundreds of ZIP files chained together, which works because unzipping begins at the end of the file. The number of these fragments varies, and each downloaded archive is unique, eliminating the possibility of detection via hashes.
The archive also violates the ZIP specification: its structure lacks the required bytes at the end of the central directory, and some fields, such as the disk number or modification date, are filled with random values. This prevents tools like 7-Zip or WinRAR from working properly, but does not affect the built-in Windows unzip tool. Therefore, the malicious file remains executable by the user, but is inaccessible to most automatic analysis systems.
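The two structural tricks described above (archives chained back to back, and an end-of-central-directory record with bogus disk numbers) can both be spotted by reading the ZIP trailer the same way an unzipper does. The following Python script is an added example, not code from the article or from any of the vendors it cites; it builds three constructed in-memory archives (a clean one, a chained one, and one whose EOCD disk fields have been overwritten with a fixed constructed value instead of random ones) and reports the anomalies a triage pipeline could flag before a sample is dropped as "corrupted".

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # end of central directory record
LFH_SIG = b"PK\x03\x04"    # local file header (one per stored member)
EOCD_FMT = "<4sHHHHIIH"    # signature, disk no, CD disk, entries here, entries total, CD size, CD offset, comment len
EOCD_LEN = struct.calcsize(EOCD_FMT)  # 22 bytes


def build_zip(members):
    """Build a well-formed ZIP in memory from {name: bytes}. Members are stored
    uncompressed so signature counting below is not fooled by compressed data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def find_eocd(blob):
    """Locate the EOCD record the way unzippers do: scan backwards from the end."""
    pos = blob.rfind(EOCD_SIG)
    if pos < 0 or pos + EOCD_LEN > len(blob):
        return None
    return pos, struct.unpack(EOCD_FMT, blob[pos:pos + EOCD_LEN])


def inspect_zip(blob):
    """Return structural findings for a ZIP blob, including a list of anomalies."""
    findings = {}
    eocd = find_eocd(blob)
    if eocd is None:
        findings["no_eocd"] = True
        return findings
    pos, (_sig, disk_no, cd_disk, _here, entries_total, _cd_size, _cd_off, comment_len) = eocd
    findings["eocd_count"] = blob.count(EOCD_SIG)        # >1 means archives were concatenated
    findings["lfh_count"] = blob.count(LFH_SIG)          # members physically present in the file
    findings["cd_entries"] = entries_total               # members the last central directory admits to
    findings["disk_numbers"] = (disk_no, cd_disk)        # must both be 0 for a single-file archive
    findings["trailing_bytes"] = len(blob) - (pos + EOCD_LEN + comment_len)

    anomalies = []
    if findings["eocd_count"] > 1:
        anomalies.append("multiple EOCD records (chained archives)")
    if findings["lfh_count"] > entries_total:
        anomalies.append("more local headers than central-directory entries")
    if disk_no != 0 or cd_disk != 0:
        anomalies.append("non-zero disk number in EOCD")
    if findings["trailing_bytes"] != 0:
        anomalies.append("EOCD is not the last structure in the file")
    findings["anomalies"] = anomalies
    return findings


# Constructed samples (not real Gootloader artifacts).
def sample_clean():
    return build_zip({"readme.txt": b"hello"})


def sample_chained():
    # Two complete archives glued together; an unzipper that starts from the
    # end only ever sees the second one.
    return build_zip({"a.txt": b"first archive"}) + build_zip({"b.txt": b"second archive"})


def sample_bad_disk():
    # Overwrite both EOCD disk-number fields with a fixed bogus value (0x2A17 is
    # just a constructed constant standing in for the random values the article describes).
    patched = bytearray(sample_clean())
    pos = patched.rfind(EOCD_SIG)
    struct.pack_into("<HH", patched, pos + 4, 0x2A17, 0x2A17)
    return bytes(patched)


if __name__ == "__main__":
    for label, blob in (("clean", sample_clean()), ("chained", sample_chained()), ("bad_disk", sample_bad_disk())):
        print(label, inspect_zip(blob))
```

The chained sample produces two findings at once (two EOCD records, and more local headers than the last central directory lists), while the patched sample trips only the disk-number check; a clean archive produces none. Counting signatures with `bytes.count` is deliberately crude and can mis-count if compressed member data happens to contain a signature, which is why the samples are stored rather than deflated.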
The Gootloader developer's methodology is focused on stealth. Thanks to the "fake" ZIP file and its unique content, the malicious code is difficult to detect with standard tools. Even the JScript file is disguised as harmless: it contains thousands of lines of benign code, with the malicious instructions hidden among them.
The program launches directly from the Windows temporary folder, because the user opens the file from inside the archive rather than extracting it manually. This creates an opportunity for detection: for example, the launch of wscript.exe can be traced from the AppData\Local\Temp directory. Another indicator is the presence of LNK files in the startup folder that reference scripts in non-standard locations.
It is also worth noting the method used to carry out the second stage of infection. The malware uses the old NTFS short filename format, which is rare on modern systems and can serve as an additional indicator. Furthermore, upon startup, a chain of processes is observed, from CScript to PowerShell and beyond, which can also be used for detection.
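The four indicators listed above (a script host started against a file under AppData\Local\Temp, a startup-folder LNK pointing at a script in an unusual place, a short 8.3-style path component, and CScript spawning PowerShell) translate directly into detection rules over process-creation telemetry. The Python below is an added example, not the article's or any vendor's detection content; the event records and LNK entries are constructed samples, the field names are a simplified stand-in for whatever your EDR or Sysmon pipeline emits, and "non-standard location" is taken here to mean anything outside Program Files and the Windows directory, which is an assumption you should tune for your environment.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    image: str          # full path of the created process
    parent_image: str   # full path of the parent process
    command_line: str


SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
POWERSHELL = ("powershell.exe", "pwsh.exe")
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
# An 8.3 short-name component: up to six characters, a tilde, and a digit sequence (e.g. PROGRA~1).
SHORT_NAME = re.compile(r"\\[A-Z0-9_]{1,6}~\d{1,3}(?=[\\.\s]|$)", re.IGNORECASE)
# Assumption: script targets under these roots are considered "standard" locations.
STANDARD_ROOTS = ("c:\\program files", "c:\\program files (x86)", "c:\\windows")
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".wsf")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def script_host_from_temp(ev):
    """wscript/cscript launched with a script that lives under AppData\\Local\\Temp."""
    return basename(ev.image) in SCRIPT_HOSTS and bool(TEMP_DIR.search(ev.command_line))


def cscript_spawns_powershell(ev):
    """The CScript -> PowerShell hop the article describes for the second stage."""
    return basename(ev.parent_image) in SCRIPT_HOSTS and basename(ev.image) in POWERSHELL


def uses_short_name(ev):
    """Command line contains a DOS-style 8.3 path component."""
    return bool(SHORT_NAME.search(ev.command_line))


def startup_lnk_unusual_script(lnk_path, target):
    """A shortcut in the Startup folder whose target is a script outside standard roots."""
    t = target.lower()
    return (bool(STARTUP_DIR.search(lnk_path))
            and t.endswith(SCRIPT_EXTS)
            and not t.startswith(STANDARD_ROOTS))


def evaluate(events, lnks):
    """Run every rule and return a list of {rule, subject} hits."""
    hits = []
    for ev in events:
        for rule in (script_host_from_temp, cscript_spawns_powershell, uses_short_name):
            if rule(ev):
                name = {"uses_short_name": "short_name_path"}.get(rule.__name__, rule.__name__)
                hits.append({"rule": name, "subject": ev.command_line})
    for lnk_path, target in lnks:
        if startup_lnk_unusual_script(lnk_path, target):
            hits.append({"rule": "startup_lnk_unusual_script", "subject": lnk_path})
    return hits


# Constructed sample telemetry (not real captured events).
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\wscript.exe", r"C:\Windows\explorer.exe",
                 r'"C:\Windows\System32\wscript.exe" "C:\Users\jdoe\AppData\Local\Temp\Invoice.js"'),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\Windows\System32\cscript.exe",
                 r"powershell.exe -NoProfile -File C:\Users\JDOE~1\AppData\Local\Temp\stage2.ps1"),
    ProcessEvent(r"C:\Windows\System32\wscript.exe", r"C:\Windows\explorer.exe",
                 r'wscript.exe "C:\Program Files\Vendor\tool.js"'),  # benign: vendor script, normal path
]
SAMPLE_LNKS = [
    (r"C:\Users\jdoe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk",
     r"C:\Users\jdoe\AppData\Roaming\Update\update.js"),
    (r"C:\Users\jdoe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vendor.lnk",
     r"C:\Program Files\Vendor\tool.js"),  # benign
]


def run_demo():
    return evaluate(SAMPLE_EVENTS, SAMPLE_LNKS)


if __name__ == "__main__":
    for hit in run_demo():
        print(hit["rule"], "->", hit["subject"])
```

Against the constructed sample the first event fires the Temp rule, the second fires both the CScript-to-PowerShell chain and the short-name rule, the vendor events fire nothing, and only the first LNK is flagged. Each rule is weak on its own (short names and Temp-hosted scripts both have legitimate uses), so in practice they are better combined or scored than alerted on individually.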
