Gootloader Makes a Comeback With Advanced ZIP-Based Payload Delivery

After a brief lull, the notorious Gootloader malware has resurfaced with new techniques aimed at evading both analysts and automated detection tools.

The campaign, uncovered by RussianPanda and the Huntress research team, shows that this longstanding threat actor continues to innovate with precision, this time adding a unique ZIP archive evasion mechanism and an evolved persistence chain.

Gootloader’s operation remains anchored in its refined social engineering strategy. The group continues to exploit legal-related keywords such as “contract,” “form,” and “agreement” to attract victims via search engine results.

Over 100 compromised websites are currently hosting thousands of these poisoned pages, each leading unsuspecting users to download a ZIP file masquerading as legitimate documentation.

The downloaded archive hides a malicious JScript (.JS) payload designed to grant initial access to the infected device. Once executed, the script establishes the groundwork for follow-on activity, often culminating in ransomware deployment.

This approach underscores Gootloader’s role as an access broker enabling other threats to move laterally within compromised environments.

ZIP Archive Trickery to Evade Analysis

A key feature of this wave is the actor’s manipulation of ZIP archives. When extracted in Windows Explorer, the archive displays a valid JS payload, the core malware dropper.

However, when analyzed using non-Windows tools such as 7-Zip, VirusTotal, or Python-based utilities, it deceptively appears as a harmless .TXT file.

This variability effectively defeats many sandbox environments and antivirus scanners that rely on cross-platform analysis, giving attackers valuable undetected dwell time.
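One practical way for defenders to act on this, added here as an example and not code from the article or from the Huntress researchers: compare the two descriptions a ZIP file carries of each member, the central directory at the end of the file and the local file header in front of the member's data, since tools that trust different ones can show different names or sizes. The article does not say which ZIP feature Gootloader abuses, so this is a generic consistency check rather than a campaign signature; the archive and the mismatching fixture are constructed in the block.

```python
"""Generic ZIP consistency check: does each member's local file header agree
with its central directory entry? Added example with a constructed fixture;
not Gootloader's actual method (the article does not detail it) and not the
researchers' tooling."""
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"
FLAG_DATA_DESCRIPTOR = 0x0008  # sizes/CRC follow the data, local header holds 0
FLAG_UTF8 = 0x0800             # filename is UTF-8 rather than CP437


def zip_header_mismatches(data: bytes) -> list:
    """Return (member_name, issue) pairs; an empty list means both views agree."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            off = info.header_offset
            if data[off:off + 4] != LOCAL_SIG:
                findings.append((info.filename, "no local header at recorded offset"))
                continue
            # After signature+version: flags, method, time/date (skipped), CRC-32,
            # compressed size, uncompressed size, name length, extra length.
            flags, method, crc, csize, usize, name_len, _extra = struct.unpack(
                "<HHxxxxIIIHH", data[off + 6:off + 30])
            raw_name = data[off + 30:off + 30 + name_len]
            local_name = raw_name.decode("utf-8" if flags & FLAG_UTF8 else "cp437")
            if local_name != info.filename:
                findings.append((info.filename, f"local header names it {local_name!r}"))
            if method != info.compress_type:
                findings.append((info.filename, "compression method differs"))
            if not flags & FLAG_DATA_DESCRIPTOR and \
                    (crc, csize, usize) != (info.CRC, info.compress_size, info.file_size):
                findings.append((info.filename, "CRC or sizes differ"))
    return findings


def build_sample_archive() -> bytes:
    """Constructed benign archive with one member, contract-1.js, DEFLATE-compressed."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("contract-1.js", "// harmless placeholder content\n")
    return buf.getvalue()


def build_inconsistent_fixture() -> bytes:
    """Constructed fixture: same archive, first local header's name field (bytes 30..43) rewritten."""
    good = build_sample_archive()
    return good[:30] + b"contract1.txt" + good[43:]
```

Run `zip_header_mismatches()` over the bytes of any archive; a non-empty result is worth a manual look, while an empty one only says the two views agree, not that the content is safe.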

Further complicating detection, the campaign employs carefully filtered content to disguise its delivery infrastructure.

Visitors are screened based on geography, operating system, traffic source, and time of day. Users who fail these criteria see a benign AI-generated blog post, while eligible targets receive convincing imitation sites such as “Tһе Υаle Law Jοurnаl” that download the infected ZIP upon user interaction.

The domains use subtle obfuscation, such as Cyrillic characters replacing Latin ones, to avoid easy identification.

Reinvented Persistence and Payload Execution

Unlike previous iterations that relied solely on scheduled tasks, Gootloader now uses chained shortcut (.LNK) files to maintain persistence.

One shortcut is dropped into the Startup folder, pointing to another .LNK in the AppData directory, which then executes a secondary JScript on system startup.

Intriguingly, the malware also creates custom hotkey bindings (Ctrl + Alt + letter) to manually trigger execution. During initial infection, it automatically simulates these key presses to activate the payload.

Gootloader’s latest evolution demonstrates its adaptability in an increasingly defended landscape. Security teams are urged to inspect ZIP archives that unpack differently across platforms, a new and highly indicative sign of compromise.


The post Gootloader Makes a Comeback With Advanced ZIP-Based Payload Delivery appeared first on Cyber Security News.
