Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
Apple iOS 17 Scam Alerts Protect iPhone Users From Phishing
July 3, 2026
Former MEP Investigating Spyware Abuses Hacked With Pegasus
July 3, 2026
Critical WatchGuard Firebox OS Flaws Let Attackers Execute Code
July 3, 2026
Home/Threats/Gootloader with Low Detection Rate Bypasses Most Security Tools
Threats

Gootloader with Low Detection Rate Bypasses Most Security Tools

After a period of dormancy, Gootloader has reemerged as a serious threat, returning in November 2025 with renewed capabilities specifically engineered to bypass modern security systems. This malware...

Marcus Rodriguez
Marcus Rodriguez
January 20, 2026 3 Min Read
30 0

After a period of dormancy, Gootloader has reemerged as a serious threat, returning in November 2025 with renewed capabilities specifically engineered to bypass modern security systems.

This malware serves as an initial access broker, meaning its developers create the entry point for ransomware attacks and then hand over control to other threat actors who deploy the actual encryption tools.

The malware’s effectiveness lies in its ability to evade detection while maintaining functionality on compromised systems.

Organizations worldwide are racing to defend against this growing menace as the threat actor group known as Vanilla Tempest continues leveraging it in conjunction with Rhysida ransomware campaigns.

The malware travels through compromised websites embedded within deceptive ZIP archives that are deliberately malformed to confuse security tools.

When users download what appears to be a legitimate document, they receive a file packed with hundreds of concatenated ZIP archives designed to bypass both automated analysis and specialized extraction software.

A visual breakdown of a ZIP archive file’s structure (Source - Expel)
A visual breakdown of a ZIP archive file’s structure (Source – Expel)

The outer packaging is crafted so that most unarchiving tools like 7zip and WinRAR cannot extract the contents, yet the default Windows unarchiver opens it reliably, ensuring victims can execute the payload while defenders struggle to analyze it.

Expel analysts noted that Gootloader’s ZIP archives contain multiple sophisticated evasion features working in concert.

The structure includes hundreds of copies concatenated together, randomly generated values in critical fields, and deliberately truncated sections that cause parsing errors in traditional security scanners.

In previous years, this malware represented eleven percent of all malware detected bypassing security solutions, demonstrating its proven track record.

The Infection Mechanism and Persistence Strategy

Once the malicious ZIP file is opened, a JScript file embedded within executes automatically when double-clicked.

The script runs through Windows Script Host and immediately establishes persistence by creating link files in the user’s Startup folder. These links point to a second JScript file stored in a random directory, ensuring the malware reactivates with every system restart.

The JScript then spawns PowerShell with heavily obfuscated commands that communicate with attacker infrastructure to download secondary payloads.

The well-formed ZIP archive loaded and parsed by a pattern in ImHex (Source - Expel)
The well-formed ZIP archive loaded and parsed by a pattern in ImHex (Source – Expel)

The evasion strategy extends further through a technique called hashbusting, where every downloaded file contains unique characteristics.

Each victim receives a completely different archive structure with randomized field values, making signature-based detection virtually impossible. Organizations cannot rely on file hashes or static patterns to identify these samples across their networks.

Security teams should prioritize preventing JScript execution through Group Policy Objects by reassociating .js files to Notepad instead of Windows Script Host.

Additional protections include monitoring for suspicious PowerShell process chains, detecting NTFS shortname usage during script execution, and scanning for malformed ZIP structures using specialized YARA rules.

Early detection at the ZIP delivery stage offers the best opportunity to prevent ransomware deployment before attackers gain deeper system access.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackMalwareransomwareSecurityThreat

Share Article

Marcus Rodriguez

Marcus Rodriguez

Marcus is a security researcher and investigative journalist with expertise in vulnerability research, bug bounties, and cloud security. Since 2017, Marcus has been breaking stories on critical vulnerabilities affecting major platforms. His investigative work has led to the disclosure of numerous security flaws and improved defenses across the industry. Marcus is an active participant in bug bounty programs and has been recognized for responsible disclosure practices. He holds multiple security certifications and regularly speaks at industry events.

Previous Post

WPair – Scanner Tool to Detect WhisperPair Flaw in Google’s Fast Pair Protocol

Next Post

Most SOCs Are Seeing Attacks Too Late. Here’s How to Fix It 

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
AI Used in Ticketmaster Attack to Score Free Tickets
July 3, 2026
Anthropic Details Claude 3.5 Sonnet Safeguards and Jailbreak Framework
July 3, 2026
Google Disrupts NetNut Residential Proxy Botnet Exploiting 2 Million Devices
July 3, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
Emy Elsamnoudy
Emy Elsamnoudy
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us