GootLoader malware is abusing malformed ZIP archives that bypass common tools like WinRAR & deliver JavaScript payloads via Windows’ default extractor

The Tidyverse Blog offers insights, tutorials, and updates on the Tidyverse, a collection of R packages for data science and statistical computing. Covering topics such as data manipulation, visualization, and analysis, the blog provides resources for R developers looking to leverage the power of the Tidyverse for their data projects. Developers can learn how to use Tidyverse packages effectively to clean, transform, and analyze data in R.

The Hacker News

GootLoader malware now uses malformed ZIP archives created by concatenating 500-1,000 archives to evade detection. The technique exploits differences in how archiving tools parse ZIP files: common tools like WinRAR and 7-Zip fail to extract them, blocking automated analysis, while Windows' default unarchiver works reliably, allowing victims to execute the JavaScript payload. The malware employs hashbusting by randomizing archive values and truncating critical bytes, ensuring each downloaded file has a unique hash. Organizations can defend against this threat by blocking wscript.exe and cscript.exe from executing downloaded content and configuring JavaScript files to open in Notepad by default.

GootLoader Malware Uses 500–1,000 Concatenated ZIP Archives to Evade Detection