Gootloader Malspam Chain Uses Malformed ZIPs to Evade Detection and Enable Ransomware


What happened

The Gootloader infection chain uses malformed ZIP archives to bypass security tools and deliver initial access that is later used for ransomware activity. The report says Gootloader resurfaced in November 2025 and is being leveraged by the threat actor Vanilla Tempest alongside Rhysida ransomware campaigns. Delivery begins via compromised websites that serve deceptive ZIP files containing hundreds of concatenated archives designed to break common unpackers while still opening in the default Microsoft Windows extractor. Expel analysts described evasion features including randomized fields and truncated sections that trigger parsing errors in scanners. When opened, an embedded JScript executes via Windows Script Host, establishes persistence by placing link files in the Startup folder pointing to a second JScript, then spawns obfuscated PowerShell to fetch follow-on payloads using “hashbusting” to make each sample structurally unique.

Who is affected

Organizations whose users download files from compromised websites are directly exposed to Gootloader’s initial-access stage. The impact is often indirect at first—endpoint compromise and persistence—followed by potential escalation when additional payloads are delivered, including ransomware deployment tied to Rhysida operations.

Why CISOs should care

Initial-access brokers compress the time between a single user execution event and enterprise-wide ransomware impact. Evasion through archive structure and per-victim “hashbusting” reduce the effectiveness of signature-based controls, increasing dwell-time risk and making consistent detection and triage harder across fleets and SOC workflows.

3 practical actions

  • Disable high-risk script execution paths: Reassociate .js files away from Windows Script Host via policy controls and restrict JScript execution on endpoints where it is not required.

  • Hunt for the specific execution chain: Alert on JScript → PowerShell parent/child patterns and Startup-folder link creation that points to randomly located script files.

  • Add content-based detections for malformed ZIPs: Implement scanning that flags concatenated or structurally abnormal ZIP files and deploy YARA-based checks where supported.
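As an added example (not code from the Expel report or any Gootloader tooling), the Python heuristic below flags the structural anomalies the article describes: more than one end-of-central-directory record, a truncated record, or a central-directory offset that no longer lines up. It also shows what a lenient unpacker reports for the same bytes; all sample archives are constructed in memory.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # end of central directory record
CDIR_SIG = b"PK\x01\x02"   # central directory file header
LOCAL_SIG = b"PK\x03\x04"  # local file header

def zip_anomalies(data: bytes) -> list[str]:
    """Heuristic structural checks for concatenated or malformed ZIPs.
    Returns a list of findings; a well-formed single archive returns []."""
    findings = []
    eocd_at = [i for i in range(len(data) - 3) if data.startswith(EOCD_SIG, i)]
    if not eocd_at:
        return ["no end-of-central-directory record"]
    if len(eocd_at) > 1:
        findings.append(f"{len(eocd_at)} EOCD records: concatenated archives")
    last = eocd_at[-1]
    if last + 22 > len(data):  # fixed part of the EOCD record is 22 bytes
        return findings + ["truncated EOCD record"]
    entries, cd_size, cd_offset, comment_len = struct.unpack(
        "<HIIH", data[last + 10:last + 22])
    if last + 22 + comment_len != len(data):
        findings.append("trailing bytes after EOCD record")
    if cd_offset + cd_size > len(data) or not data.startswith(CDIR_SIG, cd_offset):
        findings.append("central directory offset does not point at a directory header")
    # Signature counting is approximate (compressed data may contain it by chance),
    # but more local headers than directory entries is a strong signal.
    if data.count(LOCAL_SIG) > entries:
        findings.append(f"{data.count(LOCAL_SIG)} local headers but only {entries} listed")
    return findings

def visible_names(data: bytes) -> list[str]:
    """What a lenient unpacker (Python's zipfile) reports for the same bytes."""
    return zipfile.ZipFile(io.BytesIO(data)).namelist()

def make_zip(name: str, content: bytes) -> bytes:
    """Build a minimal single-file archive in memory (constructed sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, content)
    return buf.getvalue()

# Constructed samples: one clean archive, two archives concatenated, one truncated.
CLEAN = make_zip("a.txt", b"hello")
CONCAT = CLEAN + make_zip("b.txt", b"world!!")
TRUNCATED = CLEAN[:-5]
```

Note that the lenient unpacker silently reports only the last archive's entry for the concatenated sample, which is why the structural check belongs in front of, not after, content scanning.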