Gootloader Makes a Comeback With Advanced ZIP-Based Payload Delivery

After a brief lull, the notorious Gootloader malware has resurfaced with new techniques to evade both analysts and automated detection tools.

The campaign, uncovered by RussianPanda and the Huntress research team, shows that this longstanding threat actor continues to innovate with precision, this time adding a unique ZIP archive evasion mechanism and an evolved persistence chain.

Gootloader’s operation remains anchored in its refined social engineering strategy. The group continues to exploit legal-related keywords such as “contract,” “form,” and “agreement” to attract victims via search engine results.

Over 100 compromised websites are currently hosting thousands of these poisoned pages, each leading unsuspecting users to download a ZIP file masquerading as legitimate documentation.

The downloaded archive contains a malicious JScript (.JS) payload that grants initial access to the infected device. Once executed, the script establishes the groundwork for follow-on activity, often culminating in ransomware deployment.

This approach underscores Gootloader’s role as an access broker enabling other threats to move laterally within compromised environments.

ZIP Archive Trickery to Evade Analysis

A key feature of this wave is the actor’s manipulation of ZIP archives. When extracted in Windows Explorer, the archive displays a valid JS payload, the core malware dropper.

However, when analyzed with non-Windows tools such as 7-Zip, VirusTotal, or Python-based utilities, it appears to be a harmless .TXT file.

This variability effectively defeats many sandbox environments and antivirus scanners that rely on cross-platform analysis, giving attackers valuable undetected dwell time.
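The article does not say which structural quirk makes the archive list differently in different tools. One common cause of such divergence is a disagreement between a ZIP's central directory (which most listing tools read) and its per-entry local file headers (which an extractor walks), so a practical triage check is to parse both and report any mismatch. The script below is an added example written for this page, not code from Huntress or the researchers; it assumes the header-divergence mechanism for illustration and builds its own constructed fixture, so it runs offline.

```python
import io
import struct
import zipfile

# Fixed 30-byte part of a ZIP local file header (APPNOTE section 4.3.7), little-endian.
LOCAL_HEADER = struct.Struct("<4sHHHHHIIIHH")
LOCAL_SIG = b"PK\x03\x04"
FLAG_DATA_DESCRIPTOR = 0x0008   # CRC/sizes are written after the data; skip that comparison
FLAG_UTF8_NAMES = 0x0800        # bit 11: filename is UTF-8 rather than CP437


def read_local_header(data, offset):
    """Parse the local file header at `offset` directly, without trusting the central directory."""
    (sig, _version, flags, method, _time, _date,
     crc, csize, usize, name_len, extra_len) = LOCAL_HEADER.unpack_from(data, offset)
    if sig != LOCAL_SIG:
        raise ValueError(f"no local file header at offset {offset}")
    name_start = offset + LOCAL_HEADER.size
    raw_name = data[name_start:name_start + name_len]
    # Same decoding rule Python's zipfile applies to central-directory names.
    name = raw_name.decode("utf-8" if flags & FLAG_UTF8_NAMES else "cp437", "replace")
    return {"name": name, "flags": flags, "method": method,
            "crc": crc, "csize": csize, "usize": usize}


def find_header_mismatches(data):
    """Return one finding per disagreement between the central directory and a local header."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:   # zipfile's listing comes from the central directory
        for info in zf.infolist():
            local = read_local_header(data, info.header_offset)
            if local["name"] != info.filename:
                findings.append(f"name: central directory says {info.filename!r}, "
                                f"local header says {local['name']!r}")
            if local["method"] != info.compress_type:
                findings.append(f"{info.filename!r}: compression method differs "
                                f"({info.compress_type} vs {local['method']})")
            if not local["flags"] & FLAG_DATA_DESCRIPTOR:
                for label, central, loc in (("crc", info.CRC, local["crc"]),
                                            ("compressed size", info.compress_size, local["csize"]),
                                            ("uncompressed size", info.file_size, local["usize"])):
                    if central != loc:
                        findings.append(f"{info.filename!r}: {label} differs ({central} vs {loc})")
    return findings


def build_sample(mismatch):
    """Constructed test fixture: a one-entry archive, optionally with a divergent local header name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("agreement.txt", "constructed placeholder text, not a real document\n")
    data = bytearray(buf.getvalue())
    if mismatch:
        # The only entry's local header sits at offset 0, so its name starts at byte 30.
        assert data[30:43] == b"agreement.txt"
        data[30:43] = b"agreement1.js"   # same length, so no offsets in the archive move
    return bytes(data)


if __name__ == "__main__":
    for label, sample in (("clean", build_sample(False)), ("divergent", build_sample(True))):
        print(label, find_header_mismatches(sample) or "no header mismatches")
```

Run it over a quarantined archive with `find_header_mismatches(open(path, "rb").read())`; an empty list means both views of the archive agree. Any non-empty result is worth a closer look, since legitimate archivers write matching headers, and Python's own `zipfile` refuses to extract a member whose local-header name differs from the directory entry.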

Further complicating detection, the campaign employs carefully filtered content to disguise its delivery infrastructure.

Visitors are screened based on geography, operating system, traffic source, and time of day. Users who fail these criteria see a benign AI-generated blog post, while eligible targets receive convincing imitations of legitimate sites, such as “Tһе Υаle Law Jοurnаl,” that download the infected ZIP file when users interact with them.

The domains use subtle obfuscation, such as replacing Latin characters with Cyrillic ones, to avoid easy identification.

Reinvented Persistence and Payload Execution

Unlike previous iterations that relied solely on scheduled tasks, Gootloader now uses chained shortcut (.LNK) files to maintain persistence.

One shortcut is dropped into the Startup folder, pointing to another .LNK in the AppData directory, which then executes a secondary JScript on system startup.

Intriguingly, the malware also creates custom hotkey bindings (Ctrl + Alt + letter) to trigger execution manually. During initial infection, it automatically simulates these key presses to activate the payload.
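A shortcut in the Startup folder with a hotkey bound to it is unusual for legitimate software, and the hotkey lives in a fixed field of the shell link header, so it can be checked without a full .LNK parser. The script below is an added example for this page, not code from Huntress or the researchers: it parses only the 76-byte ShellLinkHeader (MS-SHLLINK 2.1), reports any Ctrl/Alt/Shift hotkey binding and whether the link carries command-line arguments, and scans a Startup folder; the path and the constructed header fixture are assumptions for illustration. Resolving the link target, to see that one shortcut points at another .LNK under AppData, needs the LinkInfo and string-data sections and is left to a complete parser.

```python
import struct
from pathlib import Path

# ShellLinkHeader: fixed 76-byte layout; LinkFlags at offset 20, HotKey (2 bytes) at offset 64.
HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")   # {00021401-0000-0000-C000-000000000046}
HOTKEY_OFFSET = 64
MODIFIERS = {0x01: "Shift", 0x02: "Ctrl", 0x04: "Alt"}   # high byte of HotKey
FLAG_HAS_ARGUMENTS = 0x20                                # LinkFlags bit: a command line follows


def parse_lnk_header(data):
    """Validate the header and return the two fields needed for triage."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short to be a shell link")
    size, clsid = struct.unpack_from("<I16s", data, 0)
    if size != HEADER_SIZE or clsid != LINK_CLSID:
        raise ValueError("not a shell link (bad header size or CLSID)")
    (link_flags,) = struct.unpack_from("<I", data, 20)
    (hotkey,) = struct.unpack_from("<H", data, HOTKEY_OFFSET)
    return {"link_flags": link_flags, "hotkey": hotkey}


def describe_hotkey(hotkey):
    """Render the HotKey field as e.g. 'Ctrl+Alt+G'; None when no hotkey is set."""
    if hotkey == 0:
        return None
    vk, mods = hotkey & 0xFF, hotkey >> 8
    parts = [name for bit, name in MODIFIERS.items() if mods & bit]
    if 0x30 <= vk <= 0x39 or 0x41 <= vk <= 0x5A:   # digits and letters use their ASCII codes
        key = chr(vk)
    elif 0x70 <= vk <= 0x87:                        # VK_F1..VK_F24
        key = f"F{vk - 0x6F}"
    else:
        key = f"VK_0x{vk:02X}"
    return "+".join(parts + [key])


def triage_lnk(data):
    """Return the indicators found in one shortcut's header (empty list = nothing notable)."""
    hdr = parse_lnk_header(data)
    findings = []
    hotkey = describe_hotkey(hdr["hotkey"])
    if hotkey:
        findings.append(f"hotkey bound: {hotkey}")
    if hdr["link_flags"] & FLAG_HAS_ARGUMENTS:
        findings.append("has command-line arguments")
    return findings


def scan_startup_folder(folder):
    """Map each .lnk in `folder` to its findings; shortcuts with nothing notable are omitted."""
    results = {}
    for lnk in Path(folder).glob("*.lnk"):
        try:
            findings = triage_lnk(lnk.read_bytes())
        except ValueError as exc:
            findings = [f"unparseable: {exc}"]
        if findings:
            results[lnk.name] = findings
    return results


def build_sample_header(hotkey, link_flags=0):
    """Constructed fixture: a bare 76-byte header with no target, enough to exercise the parser."""
    return struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LINK_CLSID, link_flags,
                       0, 0, 0, 0, 0, 0, 1, hotkey, 0, 0, 0)


if __name__ == "__main__":
    # Assumed default per-user Startup location on Windows.
    startup = Path.home() / "AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup"
    print(scan_startup_folder(startup) or "no notable shortcuts")
```

A hotkey value of 0x0647 decodes as Ctrl+Alt+G (modifier bits 0x02 and 0x04 in the high byte, virtual-key 0x47 in the low byte), which matches the Ctrl + Alt + letter pattern the article describes. Legitimate Startup shortcuts almost never set this field, so any hit is a cheap first filter before pulling the file for full analysis.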

Gootloader’s latest evolution demonstrates its adaptability in an increasingly defended landscape. Security teams are urged to inspect ZIP archives that unpack differently across platforms, a new and highly indicative sign of compromise.


Priya
Priya is a Security Reporter who tracks malware campaigns, exploit kits, and ransomware operations. Her reporting highlights technical indicators and attack patterns that matter to defenders.
