Malware | January 16, 2026 | 4 min read

Gootloader Malware Uses 1,000 Stacked ZIPs to Dodge Detection

The initial access malware now delivers payloads through deliberately malformed archives that crash security tools while executing normally on Windows.

James Rivera

Gootloader is back with a clever new trick. The initial access malware, frequently used to deploy ransomware, now packages its payloads inside deliberately malformed ZIP archives containing up to 1,000 concatenated files. The technique crashes most security analysis tools while executing perfectly on Windows targets.

Security researchers at Expel published details this week after analyzing samples from recent campaigns. They found that the unusual archive structure defeats forensic workflows while remaining functional through Windows' native archive handling.

How the Technique Works

Standard ZIP files contain a directory structure at the end of the file that indexes compressed contents. Windows reads this structure from the end, which means the operating system processes whichever data appears last in the file.

Gootloader's new archives concatenate between 500 and 1,000 individual ZIP files together. Each component is technically valid, but when tools attempt to parse the combined structure, they encounter conflicting metadata and fail. Most analysis tools—including those based on 7-Zip and WinRAR libraries—crash or refuse to extract contents.

But Windows' built-in archive utility reads from the end and finds a valid ZIP structure. It extracts the contents without complaint, delivering the malicious JScript payload that initiates Gootloader's infection chain.

From Expel's analysis: "The ZIP archive is not a single compressed file but a massive concatenation of hundreds of ZIP files. This tactic works because the ZIP file format is read from the end, so the last ZIP structure remains valid despite all previous junk data."

Hashbusting at Scale

The technique also defeats hash-based detection. Gootloader randomizes values in non-critical ZIP header fields—things like "Disk Number" and "Number of Disks"—for each archive generated. These changes don't affect functionality but produce unique file hashes for every download.

Traditional signature-based detection relies on matching known malicious file hashes. When every victim receives a unique file, hash lookups become useless. Defenders can't search their environments for specific indicators because each infection uses different ones.

The randomized fields also cause some archive utilities to expect multi-part ZIP sequences that don't exist, adding another layer of confusion for analysis tools.
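The end-first parsing described under "How the Technique Works" and the disk-number randomization above can both be checked for with a small triage script. This is an added example, not Expel's YARA rule or any code from the campaign: it counts end-of-central-directory (EOCD) records and local file headers in a blob, flags non-zero disk-number fields, and shows that an end-first reader such as Python's zipfile (which, like Windows, honours only the last EOCD) sees just the final stacked archive. The sample archives are constructed in the script; the function names are mine.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"  # end-of-central-directory record, 22 bytes without comment
LFH_SIG = b"PK\x03\x04"   # local file header

def analyze_zip_bytes(data: bytes) -> dict:
    """Count ZIP structures in a blob. A normal archive has exactly one EOCD; stacked
    archives have one each. A stored nested ZIP also adds signatures, so treat as a triage hint."""
    eocd_offsets = []
    pos = data.find(EOCD_SIG)
    while pos != -1:
        eocd_offsets.append(pos)
        pos = data.find(EOCD_SIG, pos + 4)
    nonzero_disk = 0
    for off in eocd_offsets:
        if off + 22 <= len(data):
            # EOCD bytes 4-5: number of this disk; 6-7: disk where the central directory starts
            disk_no, cd_disk = struct.unpack_from("<HH", data, off + 4)
            if disk_no or cd_disk:
                nonzero_disk += 1
    return {
        "eocd_records": len(eocd_offsets),
        "local_headers": data.count(LFH_SIG),
        "nonzero_disk_fields": nonzero_disk,
        "suspicious": len(eocd_offsets) > 1,
    }

def last_archive_names(data: bytes) -> list:
    """What an end-first reader sees: only the archive owning the final EOCD is honoured,
    everything before it is treated as leading junk."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()

def build_sample(n: int, disk_number: int = 0) -> bytes:
    """Constructed sample, not a real Gootloader file: n tiny valid ZIPs stacked back to
    back, optionally with both EOCD disk-number fields set to a bogus non-zero value."""
    parts = []
    for i in range(n):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
            zf.writestr(f"member{i}.txt", "filler " * 8)  # stored: no accidental PK bytes
        part = bytearray(buf.getvalue())
        if disk_number:
            # with no archive comment the EOCD occupies the final 22 bytes of each part
            struct.pack_into("<HH", part, len(part) - 22 + 4, disk_number, disk_number)
        parts.append(bytes(part))
    return b"".join(parts)
```

Running `analyze_zip_bytes(build_sample(1000, disk_number=3))` reproduces the reported scale: 1,000 EOCD records, all with bogus disk fields, while `last_archive_names` on the same stack returns only `member999.txt`.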

The Infection Chain

Once extracted, Gootloader follows a familiar pattern. The JScript payload executes via Windows Script Host from a temporary directory. It establishes persistence by dropping shortcut files into the Startup folder that point to a second JScript file.

This second-stage payload runs at first launch and every subsequent boot, spawning CScript processes that eventually invoke PowerShell. The chain provides multiple persistence mechanisms and execution paths, complicating removal and analysis.

Gootloader has historically served as initial access for ransomware operations. Huntress and other researchers link current campaigns to Vanilla Tempest, a threat actor associated with Rhysida ransomware. Organizations compromised by Gootloader should assume ransomware deployment is the end goal.

Detection and Defense

Despite the evasion techniques, Expel's researchers identified structural anomalies that enable detection. They developed a YARA rule that "can consistently identify the current ZIP archives" based on the distinctive concatenation patterns.

The more practical mitigation is preventing JScript execution entirely. Researchers recommend changing the default application for .js files from Windows Script Host to Notepad. This breaks the infection chain by opening the script in a text editor instead of executing it.

Organizations can also block wscript.exe and cscript.exe from executing downloaded content if JScript isn't needed for legitimate business operations. Most enterprises have no reason to allow script execution from user-writable directories.

Why This Matters

Gootloader demonstrates the ongoing arms race between malware developers and security tools. When defenders rely on specific analysis techniques—parsing archives with particular libraries, matching file hashes, executing samples in sandboxes—attackers develop countermeasures.

The ZIP concatenation technique isn't new in concept, but Gootloader's implementation pushes it to extremes. Stacking 1,000 archives together creates files that simply break tools designed to analyze them. Combined with per-victim hash randomization, the technique defeats both automated and manual analysis workflows.

For security teams, this serves as a reminder that defense in depth matters. Relying solely on archive scanning or hash matching leaves gaps that attackers will find. Behavioral detection, execution prevention, and endpoint monitoring provide layers that survive when individual controls fail.

Gootloader's return after a brief hiatus suggests the operators refined their techniques during the pause. Expect continued evolution as they probe defenses and adapt to detection capabilities.
