GootLoader Malware Uses 500–1,000 Concatenated ZIP Archives to Evade Detection

GootLoader delivers its JavaScript loader inside malformed ZIP files built from hundreds of concatenated ZIP archives, so that different ZIP parsers disagree about what the file contains. Windows' built-in unarchiver extracts the JavaScript payload, while most other unarchivers and automated analysis tools never recover it. Victims reach the archives through SEO poisoning and malicious WordPress sites.

Keypoints

  • GootLoader packs its loader into malformed ZIP files made of 500 to 1,000 concatenated archives, so that ZIP parsers disagree on the file's contents and most analysis tools never see the payload.
  • The archive manipulations include truncated end-of-central-directory (EOCD) records and randomized header fields; the randomization, known as 'hashbusting', gives every download a unique file hash so that hash-based blocklists and signatures do not match.
  • Windows' built-in unarchiver still extracts the JavaScript payload, which then runs under Windows Script Host, whereas other unarchiving tools (and the sandboxes that rely on them) fail to extract it.
  • Recent campaigns use custom WOFF2 fonts and WordPress comment endpoints in the delivery chain for the malicious ZIP files.
  • Organizations are advised to block 'wscript.exe' and 'cscript.exe' (the Windows Script Host interpreters that run the .js loader) and to enforce policies that prevent such script payloads from executing.
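The parser disagreement behind the first three keypoints can be reproduced with a two-archive file. The script below is an added example, not code from the article or from GootLoader: it builds a constructed sample (a benign archive followed by a second, complete archive whose .js entry is an inert stub), then reads it two ways. One view trusts the trailing EOCD record, as Python's zipfile and the ZIP specification do, and sees only the second archive; the other walks local file headers from offset 0, as a simple streaming extractor would, and sees only the first. Which real tool behaves like which view is not claimed here. The last two functions are the static check a practitioner would run before extraction: more than one EOCD signature, or bytes before the archive that the trailing EOCD does not account for, flags the file as concatenated.

```python
"""Concatenated ZIP demo: two parsers, two views of the same bytes (added example)."""
import io
import struct
import zipfile

LFH_SIG = b"PK\x03\x04"   # local file header signature
EOCD_SIG = b"PK\x05\x06"  # end-of-central-directory signature


def make_zip(name: str, content: bytes) -> bytes:
    """Build a one-entry, stored (uncompressed) ZIP archive in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, content)
    return buf.getvalue()


def build_concatenated_sample() -> bytes:
    """Constructed sample: a benign archive followed by a second complete archive.
    The .js entry stands in for a loader script; it is an inert placeholder."""
    benign = make_zip("readme.txt", b"nothing to see here\n")
    second = make_zip("invoice.js", b"// placeholder, not a real payload\n")
    return benign + second


def entries_trailing_eocd(data: bytes) -> list[str]:
    """View 1: locate the central directory via the LAST EOCD record (spec-conformant).
    Only the second archive's directory is reachable from the tail of the file."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


def entries_forward_scan(data: bytes) -> list[str]:
    """View 2: walk local file headers from offset 0 and stop at the first
    non-LFH signature (the first archive's central directory)."""
    names, off = [], 0
    while data[off:off + 4] == LFH_SIG:
        # LFH fixed part is 30 bytes; compressed size at +18, then uncompressed
        # size, filename length and extra-field length.
        csize, _usize, nlen, xlen = struct.unpack_from("<IIHH", data, off + 18)
        names.append(data[off + 30:off + 30 + nlen].decode())
        off += 30 + nlen + xlen + csize  # skip header, name, extra and file data
    return names


def count_eocd_records(data: bytes) -> int:
    """A well-formed archive carries exactly one EOCD; one per member otherwise."""
    return data.count(EOCD_SIG)


def unaccounted_prefix(data: bytes) -> int:
    """Bytes before the archive that the trailing EOCD does not explain.
    The EOCD stores the central directory's size (+12) and offset (+16) relative
    to the archive's own start, so for a clean file this is zero."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0 or eocd + 22 > len(data):
        raise ValueError("no complete EOCD record found")
    size_cd, off_cd = struct.unpack_from("<II", data, eocd + 12)
    return eocd - size_cd - off_cd


def analyze(data: bytes) -> dict:
    """Summarise both parser views plus the two static concatenation indicators."""
    eocds = count_eocd_records(data)
    prefix = unaccounted_prefix(data)
    return {
        "trailing_eocd_view": entries_trailing_eocd(data),
        "forward_scan_view": entries_forward_scan(data),
        "eocd_count": eocds,
        "unaccounted_prefix": prefix,
        "suspect": eocds > 1 or prefix != 0,
    }


if __name__ == "__main__":
    for label, blob in (("clean", make_zip("readme.txt", b"hi\n")),
                        ("concatenated", build_concatenated_sample())):
        print(label, analyze(blob))
```

The two indicators are deliberately cheap and work without decompressing anything, which matters when the archive is also malformed in ways (such as a truncated EOCD) that make a full parse fail; treat a parse failure on a user-supplied ZIP as a finding in its own right rather than as a reason to skip the file.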

Read More: https://thehackernews.com/2026/01/gootloader-malware-uses-5001000.html