
Gootloader is Back with New ZIP File Trickery that Deceives the Malicious Payload


The Gootloader malware campaign has resurfaced with sophisticated evasion techniques that allow it to bypass automated security analysis.

This persistent threat has been targeting victims for over five years using legal-themed search engine optimization poisoning tactics.

The malware operators deploy thousands of unique keywords across more than 100 compromised websites to lure unsuspecting users into downloading malicious ZIP archives containing JScript payloads that establish initial access for ransomware deployment.

The threat actor continues to refine their social engineering approach by using legal terminology such as “contract,” “form,” and “agreement” as bait to attract potential victims through search engines.

Once a user discovers what appears to be legitimate legal resources through search results, they are directed to compromised websites that host the malicious downloads.

The campaign’s ultimate objective remains unchanged: convincing victims to execute malicious JScript files that open the door for subsequent attacks.

Security researchers at Huntress identified this new variant during active threat hunting operations in early November 2025. The discovery revealed significant technical modifications to the malware’s delivery mechanism and persistence strategy.

The research team, led by analyst RussianPanda, documented the evolution of Gootloader’s tactics and published their findings to warn the security community about the emerging threat.

The malware’s gated content system creates a split reality where different users see entirely different web pages based on various conditions.

Users who do not meet specific criteria, such as geographic location, operating system, referrer source, or browsing time, only see harmless blog content generated through language models.

However, victims who pass these filters encounter convincing reproductions of legitimate websites featuring spoofed domain names using Cyrillic characters that visually resemble Latin letters.
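The spoofed domains described above rely on Cyrillic letters that render like Latin ones. As an added example (not code from the article or from Huntress), the following Python script shows two checks a proxy-log review or URL triage job can apply to a hostname: whether a single DNS label mixes Latin and Cyrillic letters, and whether the hostname's "skeleton" (lookalike letters folded to Latin) matches a domain on a watchlist. The confusables table, the function names and the sample hostnames are all constructed for this illustration; the table is a small hand-picked subset of Unicode TR39, not the full list.

```python
"""Flag hostnames that look like a trusted domain but are spelled with Cyrillic letters.

Added example, not from the article or from Huntress. Two checks:
(1) a single DNS label mixing Latin and Cyrillic letters, and
(2) a hostname whose skeleton (lookalike letters folded to Latin) equals
    a domain on a watchlist.
"""
import unicodedata

# Cyrillic letters that render almost identically to the Latin letter on the
# right in common fonts (constructed subset; extend from Unicode TR39 as needed).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s",
}


def to_unicode(hostname: str) -> str:
    """Decode punycode ("xn--") labels so the script checks see the real letters."""
    if hostname.isascii():
        return hostname.encode("ascii").decode("idna")
    return hostname


def scripts_in(label: str) -> set:
    """Unicode script names (LATIN, CYRILLIC, ...) of the letters in one label."""
    return {unicodedata.name(ch).split()[0] for ch in label if ch.isalpha()}


def skeleton(text: str) -> str:
    """Fold lookalike letters to their Latin counterparts for comparison."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in text)


def check_hostname(hostname: str, watchlist) -> list:
    """Return human-readable findings for `hostname`; empty means nothing suspicious."""
    findings = []
    host = to_unicode(hostname).lower()
    for label in host.split("."):
        found = scripts_in(label)
        if len(found) > 1:
            findings.append(f"label {label!r} mixes scripts {sorted(found)}")
    for trusted in watchlist:
        trusted = trusted.lower()
        if host != trusted and skeleton(host) == skeleton(trusted):
            findings.append(f"{host!r} is visually confusable with {trusted!r}")
    return findings


if __name__ == "__main__":
    # Constructed sample hostnames: one genuine, one mixed-script, one all-Cyrillic.
    watch = ["example.com", "apps.com"]
    for h in ["example.com", "\u0435xample.com", "\u0430\u0440\u0440\u0455.com"]:
        print(h, check_hostname(h, watch) or "OK")
```

The second check matters because an all-Cyrillic label never trips the mixed-script test; comparing skeletons against a watchlist of the domains your users actually visit catches that case too.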

ZIP Archive Manipulation Technique

The most significant innovation in this campaign involves manipulating ZIP archives to produce different extraction results depending on the tool used.

When opened with Windows Explorer, the archive extracts a valid .JS file containing the malicious payload.

However, automated analysis platforms like VirusTotal, Python’s built-in zip utilities, or 7-Zip unpack the same archive as a harmless .TXT file instead.

This clever evasion technique exploits inconsistencies in how different decompression engines interpret ZIP file structures, allowing the malware to hide from automated scanning systems while remaining functional for intended victims on Windows systems.
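A ZIP archive stores every entry's name twice: once in the central directory at the end of the file, which Python's zipfile module and most scanners trust, and once in the local file header that precedes the entry's data, which unpackers that walk the file sequentially read. Disagreement between those two views is the kind of structural inconsistency that different decompression engines resolve differently. As an added example (not code from the article or from Huntress), the following Python script cross-checks the two views and also reports local headers that no central-directory entry points to, so a triage pipeline can hold such archives for manual review instead of trusting a single parser's opinion. The function names and the sample archives are constructed for this illustration; the exact layout Gootloader uses is not described on the page and is not assumed here.

```python
"""Cross-check a ZIP archive's central directory against its local file headers.

Added example, not from the article or from Huntress. Nothing is extracted:
only the archive's own metadata is compared.
"""
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"   # local file header signature
EOCD_SIG = b"PK\x05\x06"    # end-of-central-directory signature
# Fixed 30-byte local file header: sig, version, flags, method, time, date,
# crc32, compressed size, uncompressed size, name length, extra length.
LOCAL_HEADER = struct.Struct("<4sHHHHHIIIHH")


def local_header_name(data: bytes, offset: int) -> bytes:
    """Return the raw file name stored in the local file header at `offset`."""
    fields = LOCAL_HEADER.unpack_from(data, offset)
    if fields[0] != LOCAL_SIG:
        raise ValueError(f"no local file header at offset {offset}")
    name_len = fields[9]
    start = offset + LOCAL_HEADER.size
    return data[start:start + name_len]


def audit_zip(data: bytes) -> list:
    """Return human-readable findings; an empty list means both views agree."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        entries = zf.infolist()   # central-directory view only; no entry is opened
    for info in entries:
        local = local_header_name(data, info.header_offset)
        encoding = "utf-8" if info.flag_bits & 0x800 else "cp437"
        central = info.filename.encode(encoding)
        if local != central:
            findings.append(
                f"name mismatch: central directory says {central!r}, "
                f"local header at offset {info.header_offset} says {local!r}")
    # Local headers that no central-directory entry references; a sequential
    # unpacker could still surface them. Signature scanning is a heuristic,
    # since compressed data may legitimately contain these four bytes.
    referenced = {info.header_offset for info in entries}
    pos = data.find(LOCAL_SIG)
    while pos != -1:
        if pos not in referenced:
            findings.append(f"orphan local file header at offset {pos}")
        pos = data.find(LOCAL_SIG, pos + 1)
    if data.count(EOCD_SIG) > 1:
        findings.append("more than one end-of-central-directory record")
    return findings


def make_zip(name: str, content: bytes) -> bytes:
    """Build a small, well-formed archive in memory (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, content)
    return buf.getvalue()


def make_inconsistent_sample() -> bytes:
    """Constructed fixture: the local header name differs from the central directory."""
    data = bytearray(make_zip("file-a.txt", b"hello\n"))
    with zipfile.ZipFile(io.BytesIO(bytes(data))) as zf:
        offset = zf.infolist()[0].header_offset
    start = offset + LOCAL_HEADER.size
    data[start:start + 10] = b"file-b.txt"   # same length, so no offsets shift
    return bytes(data)


if __name__ == "__main__":
    samples = [
        ("clean", make_zip("file-a.txt", b"hello\n")),
        ("inconsistent names", make_inconsistent_sample()),
        ("two archives glued together",
         make_zip("first.txt", b"one\n") + make_zip("second.txt", b"two\n")),
    ]
    for label, sample in samples:
        print(label, audit_zip(sample) or "OK")
```

Run it against a quarantined download and treat any finding as a reason to unpack the file with more than one tool in a sandbox before deciding what it contains; a consistent archive produces no findings at all.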

The persistence mechanism also evolved from scheduled tasks to a chain of .LNK shortcuts, with one placed in the user’s Startup folder pointing to another in AppData that executes a secondary JScript payload.

The post Gootloader is Back with New ZIP File Trickery that Deceives the Malicious Payload appeared first on Cyber Security News.

Source: cybersecuritynews.com
