Find notable cyber news and cases, enriched with sources, timelines, and signals.

Gootloader adopts malformed ZIP archives for stealthier delivery

Malware Activity
First reported
Last updated
Happening score
H score 16
2 unique sources, 2 articles

Summary

Hide ▲

The Gootloader loader has adopted malformed ZIP archives that concatenate up to 1,000 archives, making delivery stealthier and frustrating analysis tools. The payload still unpacks on Windows with the default utility, but 7-Zip and WinRAR fail on the samples. It then runs JScript through Windows Script Host (WScript) and establishes Startup folder persistence with .LNK files.

Related Happenings

Microsoft silently patches in Windows LNK files remote code execution flaw (CVE-2025-9491)

Vulnerability
H score32 First: 12.02.2026 23:01 Last: 12.02.2026 23:01 Sources 1

About this happening: **Windows LNK shortcut files** remain the focus of this vulnerability thread: **CVE-2025-9491** / **ZDI-CAN-25373** is being used in **September-October 2025** spear-phishing atta...

Phorpiex MaaS botnet ransomware-delivery activity

Malware Activity
H score23 First: 10.02.2026 18:00 Last: 10.02.2026 18:00 Sources 1

About this happening: The **Phorpiex** botnet is being delivered through a **high-volume phishing** chain that can hand off to **ransomware**, increasing the risk of secondary payload delivery. The lur...

WinRAR path traversal via Alternate Data Streams (CVE-2025-8088)

Vulnerability
H score21 First: 27.01.2026 21:38 Last: 27.01.2026 21:38 Sources 1

About this happening: The **CVE-2025-8088** **WinRAR** path traversal flaw is being **actively exploited** through **Alternate Data Streams (ADS)** to write malicious files outside the extraction direc...

WinRAR path-traversal exploitation wave (CVE-2025-8088)

Exploitation Wave
H score20 First: 27.01.2026 21:38 Last: 27.01.2026 21:38 Sources 1

About this happening: **CVE-2025-8088** in **WinRAR** remains an **ongoing exploitation wave**. **Trend Micro** says **Russia-aligned groups** **Earth Dahu (Gamaredon)** and **SHADOW-EARTH-066 (UAC-022...

AI-generated PowerShell backdoor with LNK/CAB loader chain and C2 polling

Malware Activity
H score23 First: 24.01.2026 17:23 Last: 24.01.2026 17:23 Sources 1

About this happening: The **AI-generated PowerShell malware** is targeting **blockchain developers and engineers** in the **Asia-Pacific region**, raising the risk of credential and wallet theft on inf...

Timeline

  1. 16.01.2026 00:54 3 articles · 5mo ago

    Gootloader uses malformed ZIP archives for stealthy delivery

    Initial Disclosure

    Gootloader now delivers JScript through malformed ZIP archives that concatenate 500 to 1,000 ZIP archives, use a truncated End of Central Directory record, randomize disk-number fields, and create metadata mismatches to frustrate parsers. The payload still unpacks with the default Windows utility but breaks tools that rely on 7-Zip and WinRAR, then runs through Windows Script Host from a temporary directory and creates .LNK files in the Startup folder for persistence. Defenders can spot the current ZIP structure with a YARA rule and reduce exposure by blocking wscript.exe and cscript.exe from executing downloaded content or by changing JScript file handling away from Windows Script Host.

    Show sources