Case Study: Detecting Gootloader's Concatenated ZIP Evasion
The Threat
Gootloader is a JavaScript-based malware loader distributed through SEO poisoning campaigns and used as an initial access vector for ransomware deployment. In late 2025, Gootloader operators adopted a novel evasion technique: concatenating 500 to 1,000 identical ZIP archives into a single file.
This exploits how ZIP parsers read from the end of the file: the last archive is valid and extractable, while the hundreds of prepended copies create a massive, unique file that defeats:
- Hash-based detection: Every download is unique because the randomized archive count changes the file hash every time.
- Signature-based scanning: Most AV engines cannot parse the malformed structure at all.
- Automated sandboxes: Tools like 7-Zip and WinRAR fail to open the file, blocking automated dynamic analysis.
- Size-based filtering: Files range from 30–96 MB, unusual for a JavaScript payload but not high enough to trigger routine size filters.
The technique is documented publicly by Expel and The Hacker News. Detection rates across the industry remain low.
The Test
We tested HADES against 9 real Gootloader samples obtained from MalwareBazaar, ranging from 31 MB to 96 MB. Each sample was scanned via the standard batch pipeline with default settings, no tuning, no custom rules, no sample-specific tweaks.
| Sample (SHA-256 prefix) | Size | PK Headers | EOCD Records | HADES Score |
|---|---|---|---|---|
| 1690a371… | 31 MB | 319 | 319 | 96 CRITICAL |
| 1e3af6f8… | 56 MB | 573 | 573 | 96 CRITICAL |
| 2e46b1a7… | 62 MB | 637 | 637 | 96 CRITICAL |
| 36b76204… | 59 MB | 602 | 602 | 96 CRITICAL |
| 9a5409c5… | 94 MB | 961 | 961 | 96 CRITICAL |
| 9b2b9e91… | 78 MB | 798 | 798 | 96 CRITICAL |
| c4311c31… | 96 MB | 982 | 982 | 96 CRITICAL |
| edcebe5e… | 66 MB | 675 | 675 | 96 CRITICAL |
| f0bc72f9… | 93 MB | 951 | 951 | 96 CRITICAL |
How HADES Detects It
HADES uses a purpose-built YARA rule (HADES_GOOTLOADER_ZIP_BOMB) that identifies the structural anomaly rather than any specific content signature:
- ZIP local file header count: looks for more than 100 PK\x03\x04 signatures in a single file.
- End-of-central-directory count: looks for more than 100 PK\x05\x06 records (one per concatenated archive).
- Combined condition: both thresholds must be exceeded simultaneously to trigger.
This approach is resilient to Gootloader's hashbusting because it detects the structural technique, not any specific hash or content signature. Every Gootloader variant, regardless of the random archive count or the payload inside, triggers the rule.
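The structural check above in runnable form, as an added example that is not HADES code and not the YARA rule itself: it builds a benign stand-in by repeating a tiny constructed ZIP, counts the two signatures, and applies the rule's combined threshold. Because Python's zipfile locates the trailing end-of-central-directory record and tolerates prepended data, the example also shows that the last archive in the chain still opens.

```python
import io
import zipfile

# Signatures and threshold as described in the rule: both counts must exceed 100.
LOCAL_HEADER_SIG = b"PK\x03\x04"
EOCD_SIG = b"PK\x05\x06"
THRESHOLD = 100


def count_zip_signatures(data: bytes) -> tuple:
    """Return (local file header count, end-of-central-directory count)."""
    return data.count(LOCAL_HEADER_SIG), data.count(EOCD_SIG)


def is_concatenated_zip_evasion(data: bytes, threshold: int = THRESHOLD) -> bool:
    """Combined condition: flag only when BOTH counts exceed the threshold."""
    local_headers, eocd_records = count_zip_signatures(data)
    return local_headers > threshold and eocd_records > threshold


def build_concatenated_sample(copies: int) -> bytes:
    """Construct a harmless stand-in: one tiny ZIP repeated `copies` times.

    The member is stored uncompressed so no accidental PK bytes appear in data.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("payload.js", "// constructed placeholder, not malware\n")
    return buf.getvalue() * copies


def last_archive_members(data: bytes) -> list:
    """Python's zipfile reads the trailing EOCD, so the final copy is extractable."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


if __name__ == "__main__":
    sample = build_concatenated_sample(319)  # same count as the first sample in the table
    print("signatures (local, eocd):", count_zip_signatures(sample))
    print("flagged:", is_concatenated_zip_evasion(sample))
    print("trailing archive members:", last_archive_members(sample))
```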
The detection engine then applies a loader family severity boost, promoting the score from HIGH to CRITICAL. This reflects the fact that Gootloader is an active initial access vector for ransomware deployment, not a merely suspicious file.
Why Other Scanners Miss It
| Scanner Approach | Why It Fails |
|---|---|
| Hash matching | Every download has a unique hash (hashbusting) |
| Signature scanning | Payload is inside a valid-but-nested ZIP, signatures are compressed |
| Behavioral sandbox | 7-Zip and WinRAR cannot open the malformed archive |
| File size heuristics | 30–96 MB is unusual but not inherently malicious |
| MIME type filtering | File identifies as application/zip, a common, trusted format |
HADES succeeds because it analyzes ZIP structural integrity rather than content signatures. The 500+ duplicate local file headers and EOCD records are a definitive indicator of concatenation-based evasion, regardless of what the payload inside contains.
Performance
HADES processes these 30–96 MB files in 12–31 seconds each with no timeouts or crashes. The batch scanner handled all 9 samples sequentially in under 2 minutes total, using a single worker.
Why This Matters
Gootloader's concatenated ZIP technique is not a one-off. It represents a broader class of evasion that targets the assumptions built into traditional scanning engines, specifically, the assumption that a file's hash, content, or behavioral trace is the right detection surface. HADES is designed around a different assumption: that structure itself is signal. A file that is structurally anomalous, a PDF with 500 incremental updates, a ZIP with 1,000 duplicate headers, a JPEG that's also a valid PE binary, is saying something about its intent, independent of what it carries inside.
This structural-first approach is why HADES catches hashbusting loaders, polyglot files, VBA stomping, PDF shadow attacks, and many other techniques that defeat content-focused scanners.
Tested April 2026 • HADES v1.1.0 • Samples sourced from MalwareBazaar (abuse.ch)