GootLoader Malware Uses 500-1,000 Concatenated ZIP Archives to Evade Detection
Briefly

"This leads to a scenario where the archive cannot be processed by tools like WinRAR or 7-Zip, and, therefore, prevents many automated workflows from analyzing the contents of the file. At the same time, it can be opened by the default Windows unarchiver, thereby ensuring that victims who fall victim to the social engineering scheme can extract and run the JavaScript malware."
"Like other loaders, it's designed to deliver secondary payloads, including ransomware. The malware has been detected in the wild since at least 2020. In late October 2025, malware campaigns propagating the malware resurfaced with new tricks: leveraging custom WOFF2 fonts with glyph substitution to obfuscate filenames and exploiting the WordPress comment endpoint ("/wp-comments-post.php") to deliver the ZIP payloads when a user clicks a "Download" button on the site."
GootLoader employs malformed ZIP archives formed by concatenating 500–1,000 individual archives and truncating the end of central directory (EOCD) record to bypass many unarchiving tools and automated analysis workflows. Many third-party extractors such as WinRAR and 7-Zip fail to consistently extract these files, while the default Windows unarchiver reliably processes them, allowing users to extract and execute the JavaScript loader. Distribution relies on SEO poisoning and malvertising that direct victims to compromised WordPress sites hosting malicious ZIPs. The loader stages secondary payloads including ransomware and has persisted since at least 2020, with recent campaigns adding WOFF2 glyph obfuscation and WordPress comment-endpoint delivery.
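The evasion described above works because most extractors locate exactly one end of central directory (EOCD) record and trust it, so a file stitched from many archives looks like a single small archive to one tool and like garbage to another. The following triage script is an added example for defenders, not code from The Hacker News or from any GootLoader analysis: it counts the ZIP structural signatures in a byte blob, checks whether the trailing EOCD is complete, and compares the number of local file headers with the number of entries a standard parser (Python's zipfile) reports. The three sample archives are constructed inline (five concatenated parts rather than the 500-1,000 the campaign uses, and a four-byte truncation of the final EOCD) purely as fixtures; the signature counting is a heuristic, since the four-byte patterns can in principle occur inside compressed data, so treat the flags as triage signals, not verdicts.

```python
import io
import struct
import zipfile

# ZIP structural signatures (PKZIP APPNOTE section 4.3)
LOCAL_SIG = b"PK\x03\x04"    # local file header
CENTRAL_SIG = b"PK\x01\x02"  # central directory file header
EOCD_SIG = b"PK\x05\x06"     # end of central directory record
EOCD_FIXED_LEN = 22          # fixed part of the EOCD; a variable-length comment may follow


def find_all(data: bytes, sig: bytes) -> list:
    """Return every offset at which `sig` occurs in `data` (heuristic scan)."""
    positions, start = [], 0
    while True:
        idx = data.find(sig, start)
        if idx < 0:
            return positions
        positions.append(idx)
        start = idx + 1


def eocd_is_intact(data: bytes, pos: int) -> bool:
    """True if the EOCD at `pos` is complete and its comment length runs exactly to EOF."""
    if pos + EOCD_FIXED_LEN > len(data):
        return False
    comment_len = struct.unpack_from("<H", data, pos + 20)[0]
    return pos + EOCD_FIXED_LEN + comment_len == len(data)


def analyze_zip(data: bytes) -> dict:
    """Count signatures, check the trailing EOCD and record what a standard parser sees.

    Python's zipfile, like most extractors, honours only the last EOCD, so for a
    concatenated blob `visible_entries` covers the final archive alone.
    """
    eocds = find_all(data, EOCD_SIG)
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            visible = len(zf.namelist())
    except zipfile.BadZipFile:
        visible = None
    return {
        "local_headers": len(find_all(data, LOCAL_SIG)),
        "central_headers": len(find_all(data, CENTRAL_SIG)),
        "eocd_records": len(eocds),
        "eocd_intact": bool(eocds) and eocd_is_intact(data, eocds[-1]),
        "visible_entries": visible,
    }


def triage_flags(data: bytes) -> list:
    """Turn the raw counts into named triage flags for a detection pipeline."""
    s = analyze_zip(data)
    flags = []
    if s["eocd_records"] > 1:
        flags.append("multiple_eocd")       # several archives glued together
    if not s["eocd_intact"]:
        flags.append("truncated_eocd")      # final record cut short or missing
    if s["visible_entries"] is not None and s["local_headers"] > s["visible_entries"]:
        flags.append("hidden_entries")      # parser sees fewer files than the bytes contain
    return flags


def make_zip(name: str, payload: bytes) -> bytes:
    """Build one small, well-formed ZIP in memory (constructed test fixture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


# Constructed fixtures: a normal archive, five archives concatenated, and the
# same concatenation with the tail of the final EOCD record chopped off.
CLEAN = make_zip("readme.txt", b"ordinary archive with one entry\n")
CONCATENATED = b"".join(make_zip(f"part{i}.txt", f"entry {i}\n".encode()) for i in range(5))
TRUNCATED = CONCATENATED[:-4]

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN), ("concatenated", CONCATENATED), ("truncated", TRUNCATED)):
        print(label, analyze_zip(blob), triage_flags(blob))
```

In a mail or download gateway, `multiple_eocd` together with `hidden_entries` is the signal that one extractor's view of the file is incomplete, and `truncated_eocd` is the signal that a strict parser will reject what a lenient one (such as the built-in Windows unarchiver the article mentions) will happily open; either condition is worth routing the file to a sandbox that extracts every embedded archive rather than only the last one.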
Read at The Hacker News