The campaign, uncovered by RussianPanda and the Huntress research team, shows that this longstanding threat actor continues to innovate with precision, this time adding a unique ZIP archive evasion mechanism and an evolved persistence chain.
Gootloader’s operation remains anchored in its refined social engineering strategy. The group continues to exploit legal-related keywords such as “contract,” “form,” and “agreement” to attract victims via search engine results.
Over 100 compromised websites are currently hosting thousands of these poisoned pages, each leading unsuspecting users to download a ZIP file masquerading as legitimate documentation.
The downloaded archive hides a malicious JScript (.JS) payload designed to grant initial access to the infected device. Once executed, the script establishes the groundwork for follow-on activity, often culminating in ransomware deployment.
This approach underscores Gootloader’s role as an access broker enabling other threats to move laterally within compromised environments.
A key feature of this wave is the actor’s manipulation of ZIP archives. When extracted in Windows Explorer, the archive displays a valid .JS payload, the core malware dropper.
However, when analyzed using non-Windows tools such as 7-Zip, VirusTotal, or Python-based utilities, it deceptively appears as a harmless .TXT file.
This variability effectively defeats many sandbox environments and antivirus scanners that rely on cross-platform analysis, giving attackers valuable undetected dwell time.
Further complicating detection, the campaign employs carefully filtered content to disguise its delivery infrastructure.
Visitors are screened based on geography, operating system, traffic source, and time of day. Users who fail these criteria see a benign AI-generated blog post, while eligible targets receive convincing imitation sites such as “Tһе Υаle Law Jοurnаl” that download the infected ZIP upon user interaction.
The domains use subtle obfuscation, such as Cyrillic characters replacing Latin ones, to avoid easy identification.
Unlike previous iterations that relied solely on scheduled tasks, Gootloader now uses chained shortcut (.LNK) files to maintain persistence.
One shortcut is dropped into the Startup folder, pointing to another .LNK in the AppData directory, which then executes a secondary JScript on system startup.
Intriguingly, the malware also creates custom hotkey bindings (Ctrl + Alt + letter) to manually trigger execution. During initial infection, it automatically simulates these key presses to activate the payload.
Gootloader’s latest evolution demonstrates its adaptability in an increasingly defended landscape. Security teams are urged to inspect ZIP archives that unpack differently across platforms, a new and highly indicative sign of compromise.
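To act on that recommendation, here is an added example (not code from the researchers or the article) that inspects a ZIP for one common cause of parser disagreement: a local file header whose stored name differs from the central directory entry that points at it, since different tools trust different structures. The article does not state which construction Gootloader uses, so that mechanism is an assumption; the fixture builder and the `contract.js`/`invoice.txt` names are constructed for the demo.

```python
import io
import struct
import zipfile

# Local file header layout: sig(4) ver(2) flags(2) method(2) mtime(2) mdate(2)
# crc32(4) csize(4) usize(4) name_len(2) extra_len(2), then the name itself.
LOCAL_HEADER = struct.Struct("<4sHHHHHIIIHH")


def local_header_name(data: bytes, offset: int) -> str:
    """Return the entry name stored in the local file header at `offset`."""
    fields = LOCAL_HEADER.unpack_from(data, offset)
    if fields[0] != b"PK\x03\x04":
        raise zipfile.BadZipFile(f"no local file header at offset {offset}")
    name_len = fields[9]
    start = offset + LOCAL_HEADER.size
    return data[start:start + name_len].decode("cp437")


def find_name_mismatches(data: bytes) -> list[tuple[str, str]]:
    """Compare each central-directory entry with the local header it points at.
    Returns (central_name, local_name) pairs that disagree; an empty list means
    both views of the archive name the same files."""
    mismatches = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            local = local_header_name(data, info.header_offset)
            if local != info.filename:
                mismatches.append((info.filename, local))
    return mismatches


def build_sample(local_name: bytes, central_name: bytes) -> bytes:
    """Constructed test fixture, not a real sample: a one-entry archive whose
    local header and central directory may disagree on the entry name.
    Both names must be the same length so that no offset changes."""
    assert len(local_name) == len(central_name)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(central_name.decode(), "// constructed placeholder\n")
    data = buf.getvalue()
    # The local header precedes the central directory, so the first
    # occurrence of the name in the byte stream is the local one.
    return data.replace(central_name, local_name, 1)


if __name__ == "__main__":
    for fixture in (build_sample(b"contract.js", b"contract.js"),
                    build_sample(b"invoice.txt", b"contract.js")):
        print(find_name_mismatches(fixture))
```

Any non-empty result is worth a closer look regardless of which name an extractor ends up showing, because a well-formed archive produced by a normal tool keeps both structures in agreement.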
The post Gootloader Makes a Comeback With Advanced ZIP-Based Payload Delivery appeared first on Cyber Security News.