
GootLoader Resurfaces with New Font Obfuscation and ZIP Evasion Tactics

2 unique sources, 3 articles

Summary


GootLoader, a JavaScript-based malware loader, has resurfaced with advanced tactics to evade detection. The malware now uses custom WOFF2 fonts to obfuscate filenames, modifies ZIP files so they appear harmless in analysis tools, and employs concatenated ZIP archives of up to 1,000 parts. Since October 27, 2025, three infections have been observed, two of which led to domain controller compromises within 17 hours. GootLoader, linked to the Hive0127 threat actor, exploits WordPress comment endpoints to deliver XOR-encrypted ZIP payloads. The latest campaign targets users searching for legal templates, redirecting them to compromised WordPress sites hosting malicious ZIP archives. The ZIP files evade static analysis by showing a harmless text file in analysis tools while extracting a malicious JavaScript file on Windows. The payload deploys the Supper backdoor, which provides remote control and SOCKS5 proxying; threat actors have used it to move laterally to domain controllers and create admin-level user accounts. The malformed ZIP archives cannot be read by tools such as WinRAR or 7-Zip but still extract with the default Windows unarchiver. GootLoader also uses hashbusting techniques, randomizing values in non-critical fields and concatenating a unique number of files, to defeat hash-based detection. The ZIP archive is delivered as an XOR-encoded blob that is decoded and repeatedly appended to itself client-side to evade network-based detection. The JavaScript malware creates a Windows shortcut (LNK) file in the Startup folder for persistence and executes a second JavaScript file using cscript.

Timeline

  1. 16.01.2026 00:54 2 articles · 1d ago

    GootLoader Implements Advanced Evasion Techniques with Concatenated ZIP Archives

    GootLoader now uses concatenated ZIP archives of up to 1,000 parts to evade detection. The malware truncates the End of Central Directory (EOCD) record so that most tools fail to parse the archive, randomizes the disk number fields so that tools expect a non-existent multi-disk archive, and introduces metadata mismatches between Local File Headers and Central Directory entries. The ZIP files are delivered as XOR-encoded blobs that are decoded and repeatedly appended client-side to evade network-based detection. The payload establishes persistence by adding shortcut (.LNK) files to the Startup folder and is executed via Windows Script Host (WScript) and PowerShell. The malformed archive cannot be opened by tools such as WinRAR or 7-Zip but still extracts with the default Windows unarchiver. GootLoader also uses hashbusting techniques, randomizing values in non-critical fields and concatenating a unique number of files, to defeat hash-based detection.

  2. 11.11.2025 17:44 3 articles · 2mo ago

    GootLoader Resurfaces with New Font Obfuscation and ZIP Evasion Tactics

    GootLoader has resurfaced with new tactics, including custom WOFF2 fonts to obfuscate filenames and modified ZIP files that evade detection. The malware exploits WordPress comment endpoints to deliver XOR-encrypted ZIP payloads. The latest campaign targets users searching for legal templates, redirecting them to compromised WordPress sites hosting malicious ZIP archives. The ZIP files evade static analysis by showing a harmless text file in analysis tools while extracting a malicious JavaScript file on Windows. The payload deploys the Supper backdoor, which provides remote control and SOCKS5 proxying; threat actors have used it to move laterally to domain controllers and create admin-level user accounts. GootLoader additionally uses concatenated ZIP archives of up to 1,000 parts, a truncated End of Central Directory (EOCD) record, randomized disk number fields, and metadata mismatches to evade detection. The malformed archive cannot be opened by tools such as WinRAR or 7-Zip but still extracts with the default Windows unarchiver. GootLoader also uses hashbusting techniques, randomizing values in non-critical fields and concatenating a unique number of files, to defeat hash-based detection. The ZIP archive is delivered as an XOR-encoded blob that is decoded and repeatedly appended to itself client-side to evade network-based detection. The JavaScript malware creates a Windows shortcut (LNK) file in the Startup folder for persistence and executes a second JavaScript file using cscript.

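As an added defender-side example (not code from the page's sources), the Python routine below parses the ZIP structures named in the timeline entries and flags the four malformations described: a truncated EOCD record, non-zero disk-number fields, concatenated archives, and Local File Header / Central Directory mismatches. The sample archives are constructed inside the block; the member name and body are placeholders, and the mismatch sample shows why a central-directory-driven lister reports a harmless name while the local header carries a different one.

```python
import io, struct, zipfile
EOCD_SIG, CD_SIG, LFH_SIG = b"PK\x05\x06", b"PK\x01\x02", b"PK\x03\x04"

def triage_zip(data: bytes) -> list[str]:
    """Return anomaly labels for a ZIP blob; an empty list means nothing suspicious."""
    findings = []
    eocd = data.rfind(EOCD_SIG)                     # last End of Central Directory record
    if eocd < 0:
        return ["no_eocd"]
    if len(data) - eocd < 22:                       # fixed part of the EOCD is 22 bytes
        return ["truncated_eocd"]                   # the remaining fields cannot be trusted
    this_disk, cd_disk, n_here, n_total, _, cd_off = struct.unpack_from("<HHHHII", data, eocd + 4)
    if this_disk or cd_disk or n_here != n_total:   # single blob claiming to be a multi-disk set
        findings.append("multidisk_fields")
    if data.count(EOCD_SIG) > 1 or data.count(LFH_SIG) > n_total:
        findings.append("concatenated_archives")    # more archives/headers than the CD admits
    pos = cd_off
    for _ in range(n_total):                        # compare every CD entry with its local header
        if data[pos:pos + 4] != CD_SIG:
            return findings + ["bad_cd_entry"]
        crc, csize, _, nlen, xlen, clen = struct.unpack_from("<IIIHHH", data, pos + 16)
        lfh = struct.unpack_from("<I", data, pos + 42)[0]
        cd_name = data[pos + 46:pos + 46 + nlen]
        if data[lfh:lfh + 4] != LFH_SIG:
            return findings + ["bad_lfh_offset"]
        l_crc, l_csize, _, l_nlen, _ = struct.unpack_from("<IIIHH", data, lfh + 14)
        l_name = data[lfh + 30:lfh + 30 + l_nlen]
        if (cd_name, crc, csize) != (l_name, l_crc, l_csize):
            findings.append(f"lfh_cd_mismatch:{cd_name.decode()}!={l_name.decode()}")
        pos += 46 + nlen + xlen + clen
    return findings

def make_zip(name: str, body: bytes) -> bytes:      # constructed benign baseline archive
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, body)
    return buf.getvalue()
def listed_names(data: bytes) -> list[str]:        # what a CD-driven lister reports
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()

CLEAN = make_zip("invoice_.js", b"constructed sample body, not malware")
EOCD_AT = CLEAN.rfind(EOCD_SIG)
CD_AT = struct.unpack_from("<I", CLEAN, EOCD_AT + 16)[0]
SAMPLES = {                                         # the four malformations, hand-patched in
    "truncated": CLEAN[:-6],
    "multidisk": CLEAN[:EOCD_AT + 4] + struct.pack("<H", 1) + CLEAN[EOCD_AT + 6:],
    "concatenated": CLEAN * 3,
    "mismatch": CLEAN[:CD_AT + 46] + b"invoice.txt" + CLEAN[CD_AT + 57:],
}
```

Run `triage_zip` over each entry of `SAMPLES` to see one label per malformation; `listed_names(SAMPLES["mismatch"])` returns the harmless `.txt` name even though the local header names a `.js` member.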

Similar Happenings

TigerJack Campaign Targets Developers with Malicious VSCode Extensions

The TigerJack campaign continues to target developers with malicious Visual Studio Code (VSCode) extensions, which have now been found to leak access tokens, posing a critical software supply chain risk. The campaign has distributed at least 11 malicious VSCode extensions since the beginning of the year, with two extensions, C++ Playground and HTTP Format, removed from VSCode but remaining on OpenVSX. These extensions steal cryptocurrency, plant backdoors, and exfiltrate source code. The threat actor republishes the same malicious code under new names, making detection and removal challenging. Developers are advised to be cautious when downloading extensions from these platforms. Over 100 VSCode extensions were found to leak access tokens, allowing attackers to distribute malicious updates. The leaked tokens include AI provider secrets, cloud service provider secrets, and database secrets. Microsoft has revoked the leaked PATs and is adding secret scanning capabilities to enhance security. Organizations are recommended to develop an extension inventory and consider a centralized allowlist for extensions.

A new malicious extension named susvsex with basic ransomware capabilities was published on Microsoft's official VS Code marketplace. The extension was published by 'suspublisher18' and its malicious functionality was openly advertised in its description. The extension's malicious functionality includes file theft to a remote server and encryption of all files with AES-256-CBC. The extension activates on any event, including on installation or when launching VS Code, initializing the 'extension.js' file that contains its hardcoded variables (IP, encryption keys, command-and-control address). The extension calls a function named zipUploadAndEncrypt which checks the presence of a marker text file, and starts the encryption routine. The extension creates a .ZIP archive of the files in the defined target directory and exfiltrates them to the hardcoded C2 address. All the files are then replaced with their encrypted versions. The extension polls a private GitHub repository for commands, periodically checking an 'index.html' file that uses a PAT token for authentication, and tries to execute any commands there. The owner of the repository is likely based in Azerbaijan. The extension is an overt threat and may be the result of an experiment to test Microsoft's vetting process. Secure Annex labels susvsex an 'AI slop' with its malicious actions exposed in the README file, but notes that a few tweaks would make it far more dangerous. Microsoft ignored the report about the extension and did not remove it from the VS Code registry initially, but it was no longer available by the time the article was published.

Two new malicious extensions, Bitcoin Black and Codo AI, were found on Microsoft's Visual Studio Code Marketplace. Bitcoin Black masquerades as a color theme and Codo AI as an AI assistant, both published under the developer name 'BigBlack'. Bitcoin Black features a '*' activation event that executes on every VSCode action and can run PowerShell code. Bitcoin Black uses a batch script to download a DLL file and an executable, with the activity occurring with the window hidden. Codo AI includes code assistance functionality via ChatGPT or DeepSeek but also has a malicious section. Both extensions deliver a legitimate executable of the Lightshot screenshot tool and a malicious DLL file that deploys the infostealer under the name runtime.exe. The malware creates a directory in '%APPDATA%\Local\' and stores stolen data including screenshots, WiFi credentials, system information, and cryptocurrency wallets. The malware steals cookies and hijacks user sessions by launching Chrome and Edge browsers in headless mode. The malware steals cryptocurrency wallets like Phantom, Metamask, Exodus, and looks for passwords and credentials. The malicious DLL is flagged as a threat by 29 out of the 72 antivirus engines on VirusTotal. Microsoft has removed the extensions BigBlack.bitcoin-black, BigBlack.codo-ai, and BigBlack.mrbigblacktheme from the Marketplace. The extensions activate on every VS Code action and embed malicious functionality within a working tool to bypass detection. Earlier versions of the extensions executed a PowerShell script to download a password-protected ZIP archive from an external server. Subsequent versions of the extensions used a batch script to download the executable and DLL, hiding the PowerShell window. The legitimate Lightshot binary is used to load the rogue DLL via DLL hijacking. The rogue DLL gathers clipboard contents, installed apps, running processes, desktop screenshots, Wi-Fi credentials, and detailed system information. The malware launches Google Chrome and Microsoft Edge in headless mode to grab stored cookies and hijack user sessions.

A campaign involving 19 Visual Studio (VS) Code extensions that embed malware inside their dependency folders has been uncovered by cybersecurity researchers. Active since February 2025 but identified on December 2, the operation used a legitimate npm package to disguise harmful files and bundled malicious binaries inside an archive masquerading as a PNG image. This approach, observed by ReversingLabs (RL), enabled attackers to bypass conventional checks and target developers directly. Some extensions imitate popular tools, while others advertise new features but secretly execute unwanted code. In this new campaign, attackers embedded a modified version of the npm package path-is-absolute inside the extensions’ node_modules folders. The original package is widely used, with more than 9 billion downloads since 2021, but the altered version included a class designed to trigger malware when VS Code starts. The attackers also included a file named banner.png, which appeared harmless but opened as an archive containing two binaries. The dropper launched these files via cmstp.exe, a common living-off-the-land binary (LOLBIN). One executable closed the process by simulating a keypress, while the other was a Rust-based Trojan still being analyzed at the time of this report. Although the techniques differed, the goal remained the same: covertly execute malware through trusted components. Detecting malicious VS Code extensions has become increasingly urgent, ReversingLabs warned. The firm said detections grew from 27 in 2024 to 105 in the first 10 months of 2025. To reduce risk, teams are encouraged to inspect extensions before installation, audit all bundled dependencies, and use security tools capable of evaluating package behavior. All the mentioned extensions have been reported to Microsoft.

Credential-themed ZIP Archives Deliver DLL Implants via Windows Shortcuts

A campaign delivers DLL implants using Windows shortcut (.lnk) files embedded in ZIP archives. The ZIP files contain credential-themed lures, such as passport scans and payment records. When a user clicks on the shortcut, it triggers a minimized and obfuscated PowerShell script that downloads a malicious payload. The attack targets users in the management vertical, focusing on executive workflows like identity verification and payment approval. The campaign uses several evasion tactics to avoid detection, including obfuscation, byte array commands, and antivirus process checks. The PowerShell script runs quietly, suppressing visible windows and progress messages. It downloads DLLs disguised as .ppt files and invokes them using rundll32.exe, blending the malicious activity with normal system behavior. This approach helps the implant remain undetected and provides a quiet foothold on the machine.

Command injection flaw in Libraesva ESG exploited by state actors

Libraesva has released an emergency update for its Email Security Gateway (ESG) solution to address a command injection vulnerability (CVE-2025-59689). This flaw, exploited by a state-sponsored actor, allows arbitrary shell command execution via a crafted email attachment. The vulnerability affects all versions from 4.5 onwards and has been patched in versions 5.0.31, 5.1.20, 5.2.31, 5.3.16, 5.4.8, and 5.5.7. The exploit was discovered and patched within 17 hours of detection. The vulnerability is triggered by improper sanitization of compressed archive formats, enabling non-privileged users to execute arbitrary commands. The patch includes a sanitization fix, automated scans for indicators of compromise, and a self-assessment module to verify the update's application. The vulnerability has a CVSS score of 6.1, indicating medium severity. Libraesva has identified one confirmed incident of abuse by a foreign hostile state entity. Customers using versions below 5.0 must upgrade manually to a supported release, as they have reached end-of-life and will not receive a patch for CVE-2025-59689.

Malicious npm package 'fezbox' uses QR codes to deliver cookie-stealing malware

A malicious npm package named 'fezbox' was discovered using QR codes to fetch and execute cookie-stealing malware. The package, disguised as a utility library, was downloaded at least 327 times before being removed from the npm registry. The malware targets user credentials and employs steganographic techniques to evade detection. The package was found to fetch a JPG image containing a QR code, which then executes a second-stage payload. The QR code is designed to be unusually dense and difficult to read with standard phone cameras, making it harder to detect. The package was published by a Chinese-speaking attacker using the alias 'janedu' and included multiple layers of obfuscation to evade detection. The malware specifically targets cookies to steal usernames and passwords, sending the stolen information via an HTTPS POST request to a command-and-control server. The package was removed and flagged as malware posing a supply-chain risk. The attacker's activity status on the npm registry remains unclear. The package's README mentioned a QR Code Module, making its existence seem legitimate. The package used reversed strings as an anti-analysis technique. The payload could read a web cookie and extract the username and password if both were present.

Vidar Infostealer Campaigns Employ New Obfuscation Techniques

Vidar infostealer, active since late 2018, has resurfaced with enhanced stealth and persistence mechanisms. This malware-as-a-service targets a wide range of sensitive data, including credentials, OS details, cookies, financial data, and authentication tokens. It spreads through phishing, compromised websites, and malvertising. New techniques include encrypted C2 channels, abuse of LOLBins, and covert exfiltration methods. The malware employs PowerShell scripts for initial infection, uses obfuscation at every stage, and evades defenses by disguising traffic, suppressing errors, and randomizing filenames. It also creates scheduled tasks for persistence and hooks the CryptProtectMemory API to access encrypted data. The C2 server uses TLS encryption for data exfiltration. Vidar 2.0, released in October 2025, has been rewritten in C, supports multi-threading for data theft, and includes extensive anti-analysis checks. It bypasses Chrome's App-Bound encryption and captures screenshots, sending data to delivery points including Telegram bots and URLs stored on Steam profiles.