
Gootloader adopts malformed ZIP archives for stealthier delivery

Malware Activity
Happening score: 12
2 unique sources, 2 articles

Summary


Gootloader has adopted malformed ZIP archives that concatenate up to 1,000 archives, making delivery stealthier and frustrating analysis tools. The payload still unpacks with the default Windows utility, but 7-Zip and WinRAR fail on the samples. The loader then runs JScript through Windows Script Host (WScript) and establishes persistence with .LNK files in the Startup folder.

Related Happenings

Microsoft silently patches in Windows LNK files remote code execution flaw (CVE-2025-9491)

Vulnerability
First: 12.02.2026 23:01 Last: 12.02.2026 23:01 Sources 1

About this happening: **Windows LNK shortcut files** remain the focus of this vulnerability thread: **CVE-2025-9491** / **ZDI-CAN-25373** is being used in **September-October 2025** spear-phishing atta...

Phorpiex MaaS botnet ransomware-delivery activity

Malware Activity
First: 10.02.2026 18:00 Last: 10.02.2026 18:00 Sources 1

About this happening: The **Phorpiex** botnet is being delivered through a **high-volume phishing** chain that can hand off to **ransomware**, increasing the risk of secondary payload delivery. The lur...

WinRAR path traversal via Alternate Data Streams (CVE-2025-8088)

Vulnerability
First: 27.01.2026 21:38 Last: 27.01.2026 21:38 Sources 1

About this happening: The **CVE-2025-8088** **WinRAR** path traversal flaw is being **actively exploited**, enabling arbitrary file writes and malicious payload placement for persistence. Attackers abu...

WinRAR path-traversal exploitation wave (CVE-2025-8088)

Exploitation Wave
First: 27.01.2026 21:38 Last: 27.01.2026 21:38 Sources 1

About this happening: **CVE-2025-8088** in **WinRAR** remains part of an **ongoing exploitation wave**, with **multiple threat groups** using the flaw for **initial access** and payload delivery. The a...

AI-generated PowerShell backdoor with LNK/CAB loader chain and C2 polling

Malware Activity
First: 24.01.2026 17:23 Last: 24.01.2026 17:23 Sources 1

About this happening: The **AI-generated PowerShell malware** is targeting **blockchain developers and engineers** in the **Asia-Pacific region**, raising the risk of credential and wallet theft on inf...

Timeline

  1. 16.01.2026 00:54 3 articles · 4mo ago

    Gootloader uses malformed ZIP archives for stealthy delivery

    Initial Disclosure

    Gootloader now delivers JScript through malformed ZIP archives that concatenate 500 to 1,000 ZIP archives, use a truncated End of Central Directory record, randomize disk-number fields, and create metadata mismatches to frustrate parsers. The payload still unpacks with the default Windows utility but breaks tools that rely on 7-Zip and WinRAR, then runs through Windows Script Host from a temporary directory and creates .LNK files in the Startup folder for persistence. Defenders can spot the current ZIP structure with a YARA rule and reduce exposure by blocking wscript.exe and cscript.exe from executing downloaded content or by changing JScript file handling away from Windows Script Host.
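    As an added example (not code from the original report or from any of its sources), the following Python script applies the structural checks the entry describes to a ZIP byte string: it counts End of Central Directory records, flags truncated ones and disk-number or entry-count mismatches, and reports whether Python's standard zipfile parser accepts the file. The sample archives are constructed inline and the flag names are assumptions of this example, not a published rule.

```python
import io
import struct
import zipfile

LFH_SIG, CDH_SIG, EOCD_SIG = b"PK\x03\x04", b"PK\x01\x02", b"PK\x05\x06"
EOCD_LEN = 22  # fixed-size part of the End of Central Directory record

def find_all(data: bytes, sig: bytes) -> list:
    """Offsets of every occurrence of a signature (heuristic: may hit inside compressed data)."""
    hits, pos = [], data.find(sig)
    while pos != -1:
        hits.append(pos)
        pos = data.find(sig, pos + 1)
    return hits

def scan_zip(data: bytes) -> dict:
    """Structural anomaly flags for one archive; an empty list means the layout looks ordinary."""
    flags, eocds = set(), find_all(data, EOCD_SIG)
    cdh_count = len(find_all(data, CDH_SIG))
    if len(eocds) > 1:
        flags.add("multiple_eocd")  # several archives glued together
    for off in eocds:
        rec = data[off:off + EOCD_LEN]
        if len(rec) < EOCD_LEN:
            flags.add("truncated_eocd")  # record cut short at end of file
            continue
        disk, cd_disk, on_disk, total = struct.unpack("<HHHH", rec[4:12])
        if disk != cd_disk or disk != 0:
            flags.add("disk_number_mismatch")
        if on_disk != total or total != cdh_count:
            flags.add("central_dir_count_mismatch")  # metadata disagrees with actual entries
    if len(find_all(data, LFH_SIG)) != cdh_count:
        flags.add("local_vs_central_mismatch")
    try:  # does the standard-library parser accept it at all?
        zipfile.ZipFile(io.BytesIO(data)).testzip()
        std_ok = True
    except Exception:
        std_ok = False
    return {"flags": sorted(flags), "eocd_count": len(eocds), "stdlib_parses": std_ok}

def build_samples() -> tuple:
    """Constructed inputs: a clean archive and a deliberately malformed variant."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("readme.txt", "benign text")
    clean, eocd = buf.getvalue(), buf.getvalue().rfind(EOCD_SIG)
    # first copy: bogus disk number; second copy appended with its EOCD cut short
    tampered = clean[:eocd + 4] + struct.pack("<H", 7) + clean[eocd + 6:]
    return clean, tampered + clean[:-6]
```

    Signature counting is a triage heuristic, not a parser: compressed payloads can contain the same byte sequences, so treat the flags as a prompt for deeper inspection.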
