RCZC A.I CyberSecurity Scoring
Company Information
Website: https://redcanary.com/
Employees: 404
Followers: 77,986
NAICS: 541514
Industry Type: Computer and Network Security
RCZC Risk Score (AI oriented): 668/1000, grade B (Weak), in the 650 to 699 band
Updated: 04/04/2026
RCZC Global Score (TPRM): score locked
Current Score: 668 B (WEAK) on a 0 to 1000 scale
2 incidents, -21 average impact per incident
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026: 672
MAY 2026: 670
APRIL 2026: 669
MARCH 2026: 666
FEBRUARY 2026: 664
JANUARY 2026: 662
DECEMBER 2025: 661
NOVEMBER 2025: 678
Cyber Attack, 01 Nov 2025, RCZC
Huntress, Rhysida and Expel: Gootloader Malware Maintains Low Detection Rate While Bypassing Most Security Tools
Score after incident: 657 (severity Low, impact -21)
Incident ID: HUNREDEXP1768977371
Gootloader’s Sophisticated Anti-Detection Tactics Exposed in Latest Campaign
A recent analysis by Huntress and Expel reveals how the Gootloader malware leverages deliberately malformed ZIP archives to evade security tools while maintaining functionality for targeted victims. The threat actor, known for its role as an initial access broker in ransomware operations, has partnered with Vanilla Tempest, a group deploying Rhysida ransomware, in an ongoing campaign active since November 2025.
### Evasion Through Malformed ZIP Archives
Gootloader’s infection chain begins with weaponized ZIP files containing malicious JScript payloads, such as "Indiana_Animal_Protection_Laws_Guide.js." The archives are engineered so that analysis tools such as 7-Zip and WinRAR fail to open them, while Windows’ native unarchiving utility still extracts the payload for the victim.
Key evasion techniques include:
- Concatenated ZIP structures: each archive is 500–1,000 separate ZIP archives joined back to back (concatenated, not nested), with the End of Central Directory (EOCD) record placed so that extraction is directed to the one valid payload.
- Truncated EOCD records: bytes required by the ZIP specification are missing, so spec-strict parsers fail while a more lenient extractor proceeds.
- Randomized metadata: version numbers, timestamps, CRC32 checksums and file sizes in the local file headers disagree with the corresponding central directory records, defeating tools that cross-check the two.
- Client-side generation: the lure page serves XOR-encoded data blobs that the victim’s browser decodes and assembles, repeating the identical ZIP structure until the archive reaches 70–80 MB, even though the extracted JScript payload is only ~287 KB.
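Every malformation in the list above is visible in the raw ZIP structure, so an analyst can triage a suspect archive without trusting any single unarchiver. The Python below is an added example, not code from the Huntress or Expel research: it counts `PK\x03\x04` and `PK\x05\x06` signatures (the >100 heuristic the detection section further down also lists), locates the final EOCD record, applies the Info-ZIP style offset correction that tolerates archives concatenated in front, and cross-checks each local file header against its central directory entry. The sample it builds is a constructed stand-in (150 decoy archives, a spoofed CRC32, two bytes cut from the EOCD), not a Gootloader sample.

```python
"""Raw-byte triage for the Gootloader-style ZIP malformations described above.
Added example, not code from the Huntress or Expel write-ups: struct parsing
keeps working on files strict parsers refuse, and the samples are constructed."""
import io
import struct
import zipfile

LFH_SIG, CDH_SIG, EOCD_SIG = b"PK\x03\x04", b"PK\x01\x02", b"PK\x05\x06"
EOCD_MIN = 22              # mandatory fixed part of an EOCD record (APPNOTE 4.3.16)
SIGNATURE_THRESHOLD = 100  # the ">100 PK\x03\x04 or PK\x05\x06" heuristic from the text


def count_signatures(data: bytes) -> dict:
    return {"lfh": data.count(LFH_SIG), "cdh": data.count(CDH_SIG), "eocd": data.count(EOCD_SIG)}


def parse_eocd(data: bytes):
    """Final EOCD record, the one a lenient extractor honours.  Needs the first 20
    bytes (through cd_offset); 'truncated' is set when fewer than 22 remain."""
    pos = data.rfind(EOCD_SIG)
    if pos < 0 or len(data) - pos < 20:
        return None
    _, _, _, _, n_total, cd_size, cd_offset = struct.unpack_from("<4sHHHHII", data, pos)
    return {"pos": pos, "entries": n_total, "cd_size": cd_size,
            "cd_offset": cd_offset, "truncated": len(data) - pos < EOCD_MIN}


def central_directory(data: bytes) -> list:
    """Walk the central directory the final EOCD describes.  Info-ZIP style
    tolerance: the directory ends where the EOCD starts, so `shift` (real position
    minus recorded cd_offset) is the size of whatever was concatenated in front."""
    eocd = parse_eocd(data)
    if eocd is None:
        return []
    cur = eocd["pos"] - eocd["cd_size"]
    shift = cur - eocd["cd_offset"]
    entries = []
    for _ in range(eocd["entries"]):
        if data[cur:cur + 4] != CDH_SIG:
            break
        (_, _, ver, _, _, mtime, mdate, crc, csize, usize, nlen, xlen, clen,
         _, _, _, lfh_off) = struct.unpack_from("<4sHHHHHHIIIHHHHHII", data, cur)
        entries.append({"name": data[cur + 46:cur + 46 + nlen].decode("cp437", "replace"),
                        "ver": ver, "time": (mdate << 16) | mtime, "crc": crc,
                        "csize": csize, "usize": usize, "lfh": lfh_off + shift})
        cur += 46 + nlen + xlen + clen
    return entries


def header_mismatches(data: bytes) -> list:
    """Cross-check each central-directory entry against its local file header."""
    issues = []
    for e in central_directory(data):
        off = e["lfh"]
        if data[off:off + 4] != LFH_SIG:
            issues.append(f"{e['name']}: no local header at offset {off}")
            continue
        _, ver, flags, _, mtime, mdate, crc, csize, usize, _, _ = struct.unpack_from("<4sHHHHHIIIHH", data, off)
        pairs = [("version", e["ver"], ver), ("time", e["time"], (mdate << 16) | mtime)]
        if not flags & 0x08:  # bit 3 (data descriptor) legitimately zeroes these three locally
            pairs += [("crc32", e["crc"], crc), ("csize", e["csize"], csize), ("usize", e["usize"], usize)]
        issues += [f"{e['name']}: {f} differs (central {a:#x} vs local {b:#x})" for f, a, b in pairs if a != b]
    return issues


def strict_parser_opens(data: bytes) -> bool:
    """What a spec-strict consumer sees; zipfile stands in for 7-Zip and WinRAR here."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.testzip() is None
    except (zipfile.BadZipFile, OSError, struct.error, ValueError):
        return False


def triage(data: bytes) -> dict:
    counts, eocd = count_signatures(data), parse_eocd(data)
    return {"counts": counts,
            "many_headers": max(counts["lfh"], counts["eocd"]) > SIGNATURE_THRESHOLD,
            "concatenated": counts["eocd"] > 1,
            "truncated_eocd": eocd is None or eocd["truncated"],
            "mismatches": header_mismatches(data),
            "strict_parser_ok": strict_parser_opens(data),
            "lenient_view": [e["name"] for e in central_directory(data)]}


def make_zip(name: str, payload: bytes) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


def build_malformed_sample(decoys: int = 150) -> bytes:
    """Constructed stand-in, not a real Gootloader archive: `decoys` concatenated decoy
    archives, then one holding the script with a spoofed local-header CRC32 and two
    bytes cut from its EOCD."""
    decoy = make_zip("decoy.txt", b"x" * 64)
    final = bytearray(make_zip("Indiana_Animal_Protection_Laws_Guide.js", b"WScript.Echo('constructed');"))
    struct.pack_into("<I", final, 14, 0xDEADBEEF)  # CRC32 sits 14 bytes into the local header
    return decoy * decoys + bytes(final[:-2])
```

Calling `triage()` on a clean archive and on `build_malformed_sample()` shows the asymmetry the text describes: Python's `zipfile`, standing in for the strict parsers, refuses the constructed file outright, while the raw walk still names the script the final EOCD points at and reports the CRC32 disagreement. Bit 3 of the general-purpose flags is respected on purpose, because a data descriptor legitimately leaves the CRC and sizes zeroed in the local header and would otherwise produce false mismatches on ordinary streamed archives.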
### Execution & Persistence
When victims extract and run the JScript file, Windows Script Host (WScript) processes it from `AppData\Local\Temp`, initiating a multi-stage attack:
1. Persistence: Creates LNK shortcuts in the Startup folder, referencing secondary scripts via NTFS short filenames (e.g., `FILENA~1.js`).
2. Obfuscated PowerShell execution: CScript launches the script, which spawns PowerShell processes with heavily obfuscated commands to establish command-and-control (C2) communications.
### Detection & Indicators of Compromise
Security teams can identify Gootloader activity by monitoring:
- Process patterns: `wscript.exe` executing JScript from temp directories, followed by `cscript.exe` invoking scripts via NTFS shortnames and spawning PowerShell.
- File characteristics: ZIP archives with >100 instances of `PK\x03\x04` (local file headers) or `PK\x05\x06` (EOCD records).
- Persistence artifacts: LNK files in `\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\`.
Known IOCs:
- File hash (SHA-256): `b05eb7a367b5b86f8527af7b14e97b311580a8ff73f27eaa1fb793abb902dc6e`
- Malicious extensions: `.js`, `.jse`
- Execution paths: Temp directories, NTFS shortname scripts
Gootloader remains a persistent threat, historically accounting for 11% of malware bypassing enterprise security solutions. Its collaboration with Vanilla Tempest underscores its role in facilitating Rhysida ransomware attacks.
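The process and file indicators listed under Detection & Indicators of Compromise translate directly into a small correlation over endpoint telemetry. The script below is an added example, not Red Canary, Huntress or Expel detection content: it encodes the script-host-from-temp, NTFS short-name, Startup-folder LNK and script-host-to-PowerShell patterns described above and runs them over constructed Sysmon-style process-creation and file-creation events. The event schema, PIDs, user name, paths and command lines (including the encoded PowerShell fragment) are invented for illustration.

```python
"""Detection logic for the Gootloader execution chain described above.
Added example (not Red Canary, Huntress or Expel detection content).  The event
schema, PIDs, paths and command lines below are constructed for illustration."""
import re

TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")
STARTUP_DIR = "\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\"
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
SCRIPT_EXT = re.compile(r"\.jse?\b", re.I)
SHORTNAME_SCRIPT = re.compile(r"\b[A-Z0-9_]{1,6}~\d+\.JSE?\b", re.I)  # 8.3 name such as FILENA~1.js
PS_OBFUSCATION = re.compile(r"-(?:e|ec|enc|encodedcommand|nop|noni|w(?:indowstyle)?\s+hidden)\b", re.I)


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def script_host_from_temp(ev: dict) -> bool:
    """wscript.exe or cscript.exe running a .js/.jse out of a temp directory."""
    cmd = ev.get("cmdline", "").lower()
    return (ev["event"] == "process_create" and image_name(ev["image"]) in SCRIPT_HOSTS
            and SCRIPT_EXT.search(cmd) is not None and any(d in cmd for d in TEMP_DIRS))


def shortname_script(ev: dict) -> bool:
    """cscript.exe invoking a script through an NTFS short (8.3) filename."""
    return (ev["event"] == "process_create" and image_name(ev["image"]) == "cscript.exe"
            and SHORTNAME_SCRIPT.search(ev.get("cmdline", "")) is not None)


def startup_lnk(ev: dict) -> bool:
    """A .lnk written into the per-user Startup folder."""
    target = ev.get("target", "").lower()
    return ev["event"] == "file_create" and target.endswith(".lnk") and STARTUP_DIR in target


def ancestry(ev: dict, by_pid: dict) -> list:
    """Image names from the process up through its parents (loop-safe)."""
    chain, cur, seen = [], ev, set()
    while cur is not None and cur["pid"] not in seen:
        seen.add(cur["pid"])
        chain.append(image_name(cur["image"]))
        cur = by_pid.get(cur["ppid"])
    return chain


def script_host_to_powershell(ev: dict, by_pid: dict):
    """PowerShell with a script host somewhere in its ancestry; returns the chain or None."""
    if ev["event"] != "process_create" or image_name(ev["image"]) not in ("powershell.exe", "pwsh.exe"):
        return None
    chain = ancestry(ev, by_pid)
    return chain if any(p in SCRIPT_HOSTS for p in chain[1:]) else None


def detect(events: list) -> list:
    """Run every rule over the batch and return findings as (rule, detail) tuples."""
    by_pid = {e["pid"]: e for e in events if e["event"] == "process_create"}
    findings = []
    for ev in events:
        if script_host_from_temp(ev):
            findings.append(("script_host_from_temp", ev["cmdline"]))
        if shortname_script(ev):
            findings.append(("shortname_script", SHORTNAME_SCRIPT.search(ev["cmdline"]).group(0)))
        if startup_lnk(ev):
            findings.append(("startup_lnk", ev["target"]))
        chain = script_host_to_powershell(ev, by_pid)
        if chain:
            flag = "obfuscated" if PS_OBFUSCATION.search(ev["cmdline"]) else "plain"
            findings.append(("script_host_to_powershell", f"{flag}: " + " <- ".join(chain)))
    return findings


SAMPLE_EVENTS = [  # constructed telemetry, not captured from a real host
    {"event": "process_create", "pid": 4100, "ppid": 3200,
     "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"event": "process_create", "pid": 5120, "ppid": 4100, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Users\jdoe\AppData\Local\Temp\Indiana_Animal_Protection_Laws_Guide.js"'},
    {"event": "file_create", "pid": 5120,
     "target": r"C:\Users\jdoe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Indiana_Animal_Protection_Laws_Guide.lnk"},
    {"event": "process_create", "pid": 5300, "ppid": 4100, "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r'"C:\Windows\System32\cscript.exe" C:\Users\jdoe\AppData\Roaming\FILENA~1.js'},
    {"event": "process_create", "pid": 5388, "ppid": 5300,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -nop -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"event": "process_create", "pid": 6000, "ppid": 4100, "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r'cscript.exe "C:\Program Files\Vendor\inventory.vbs"'},  # benign admin script, must not fire
]

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:28} {detail}")
```

The parent walk matters more than any single rule: a PowerShell launch alone is noise on most fleets, but PowerShell whose ancestry includes cscript.exe or wscript.exe, arriving shortly after a script host ran from Temp and a LNK landed in Startup, is the chain the text describes. The benign cscript.exe event in the sample shows the rules staying quiet on an administrator's `.vbs` run from Program Files.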
OCTOBER 2025: 678
SEPTEMBER 2025: 676
AUGUST 2025: 674
JULY 2025: 673
JUNE 2024: 755
Ransomware, 01 Jun 2024, RCZC
Rhysida and Vidar: OysterLoader Multi‑Stage Evasion Loader Uncovered with Advanced Obfuscation and Rhysida Ransomware Links
Score after incident: 646 (severity Critical, impact -109)
Incident ID: VIDRED1770978271
OysterLoader: A Sophisticated Malware Threat Delivering Ransomware and Infostealers
A newly identified malware loader, OysterLoader, has emerged as a major cybersecurity threat, leveraging advanced obfuscation techniques to evade detection and deploy malicious payloads. First detected in June 2024 by Rapid7, this C++-based malware spreads through fake websites impersonating trusted software like PuTTY, WinSCP, Google Authenticator, and AI tools, often disguised as digitally signed Microsoft Installer (MSI) files to appear legitimate.
OysterLoader operates through a four-stage infection chain, beginning with a TextShell packer and progressing to custom shellcode execution before delivering its final payload. While primarily linked to Rhysida ransomware, a group tied to the WIZARD SPIDER threat actor, it has also been observed distributing Vidar, a prevalent infostealer, as of January 2026.
Security researchers, including Sekoia analysts, have identified a two-tiered command-and-control (C2) infrastructure, with delivery servers handling initial connections and final C2 servers managing victim interactions. The malware employs anti-analysis techniques, such as API hammering, dynamic API resolution via custom hashing, and timing-based sandbox detection, to evade security measures.
### Advanced Evasion and Persistence Mechanisms
OysterLoader’s infection process demonstrates high technical sophistication, including:
- Environment checks to ensure the target system has at least 60 running processes before proceeding.
- Steganography to conceal payloads within icon image files, using RC4 encryption with a hardcoded key.
- Custom JSON encoding with a non-standard Base64 alphabet and random shift values, complicating network traffic analysis.
- Persistence via scheduled tasks that execute a malicious DLL in the AppData directory every 13 minutes.
The malware’s developers have continuously updated its code, refining communication protocols and obfuscation to maintain effectiveness against security solutions. Its connection to Rhysida ransomware and commodity malware underscores its role in high-impact cyberattacks, making it a critical concern for organizations.
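Two of the obfuscation layers listed above, the Base64 variant with a non-standard alphabet and shift, and RC4 under a hardcoded key, are routine to unwind once the parameters are recovered from a sample. The Python below is an added example, not code from Sekoia, Rapid7 or the loader itself. The page does not give the real alphabet, how the shift is chosen or transmitted, or the key, so the scheme here is an assumption: the alphabet is a permutation of the standard table, each 6-bit symbol index is rotated by a per-message shift, and the shift rides as the first character of the message. The beacon JSON and the RC4 key are constructed for illustration.

```python
"""Decoders for two OysterLoader obfuscation layers named above: Base64 with a
non-standard alphabet plus a shift, and RC4 under a hardcoded key.
Added example, not code from Sekoia, Rapid7 or the loader.  The real alphabet,
shift handling and key are not given on this page, so the scheme is assumed:
permuted alphabet, per-message rotation of every symbol index, shift carried
as the first character.  Substitute the parameters recovered from a sample."""
import base64
import json
import random
import string

STD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"


def make_alphabet(seed: int) -> str:
    """Deterministic permutation standing in for the loader's table (assumed)."""
    chars = list(STD_ALPHABET)
    random.Random(seed).shuffle(chars)
    return "".join(chars)


def custom_b64_encode(raw: bytes, alphabet: str, shift: int) -> str:
    """Standard Base64, then remap each symbol index by +shift into the custom table."""
    std = base64.b64encode(raw).decode().rstrip("=")
    body = "".join(alphabet[(STD_ALPHABET.index(c) + shift) % 64] for c in std)
    return alphabet[shift % 64] + body  # shift travels as the first symbol (assumed convention)


def custom_b64_decode(text: str, alphabet: str) -> bytes:
    shift = alphabet.index(text[0])
    std = "".join(STD_ALPHABET[(alphabet.index(c) - shift) % 64] for c in text[1:])
    return base64.b64decode(std + "=" * (-len(std) % 4))  # restore the padding the sender dropped


def encode_beacon(msg: dict, alphabet: str, shift: int) -> str:
    return custom_b64_encode(json.dumps(msg, separators=(",", ":")).encode(), alphabet, shift)


def decode_beacon(text: str, alphabet: str) -> dict:
    return json.loads(custom_b64_decode(text, alphabet))


def standard_decode_fails(text: str) -> bool:
    """Why a plain Base64 decoder in a proxy or sandbox sees only noise."""
    try:
        json.loads(base64.b64decode(text + "=" * (-len(text) % 4)))
        return False
    except ValueError:  # binascii.Error, UnicodeDecodeError and JSONDecodeError are all ValueErrors
        return True


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA then PRGA).  Symmetric: the same call decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


if __name__ == "__main__":
    alphabet = make_alphabet(1337)
    wire = encode_beacon({"id": "c0ffee", "cmd": "ping"}, alphabet, shift=19)  # constructed beacon
    print(wire, decode_beacon(wire, alphabet), standard_decode_fails(wire))
    print(rc4(b"Key", b"Plaintext").hex())  # bbf316e8d940af0ad3, the public RC4 test vector
```

The two routines are independent: the alphabet table and shift convention recovered from a sample go into `custom_b64_decode` to read C2 traffic, and the key pulled from the binary goes into `rc4` to unwrap the blob staged in the icon resource. Because every character of the obfuscated message is still a legal Base64 character, a standard decoder does not error out; it simply yields bytes that are not the JSON the loader exchanged, which is what `standard_decode_fails` demonstrates.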