Security practitioners are facing a devilish challenge: malware that succeeds precisely because it breaks. According to a report published by Expel, a managed detection and response provider, Gootloader, an initial access broker feeding ransomware operations, has returned from a seven-month hiatus with a ZIP archive that deliberately fails to parse in security tools while opening flawlessly in Windows Explorer.
The change highlights how threat actors adapt to law enforcement pressure—and why 2025 saw a record 7,515 ransomware victims according to cybersecurity consultancy GuidePoint Security.
According to Expel, the malware is delivered to users who search for legal documents, such as contracts or forms, and land on compromised websites that often rank highly in Google search results and offer free templates in ZIP files.
When downloaded and opened, victims trigger the execution of JScript (Microsoft's legacy implementation of the ECMAScript standard—the same language family to which JavaScript belongs), thereby establishing initial access for Vanilla Tempest, a ransomware affiliate that has historically deployed BlackCat, Quantum Locker, and Zeppelin ransomware, and is currently primarily deploying Rhysida payloads.
What makes this campaign remarkable isn't the social engineering—it's the technical sophistication of this delivery mechanism.
Crafty Evasions
Expel found Gootloader's ZIP archives contain 500 to 1,000 identical copies concatenated together, creating files 76 megabytes in size despite containing a single 287-kilobyte JScript file. The technique cleverly exploits how ZIP parsers work: they read files from the end backward, so the concatenation doesn't break extraction in Windows Explorer. But security tools like 7-Zip and WinRAR strictly validate the ZIP specification. The misaligned files cause parsing failures.
The archive's "End of Central Directory" structure is intentionally truncated—missing two critical bytes that tools expect, according to their analysis. Metadata fields contain deliberate mismatches: compressed sizes don't match uncompressed sizes, modification dates conflict, and CRC32 checksums fail validation. Every user who downloads Gootloader receives a cryptographically unique file via "hashbusting," rendering signature-based detection ineffective.
The delivery mechanism adds another layer. Rather than transmitting the malformed ZIP over the network—where it could be intercepted and analyzed—Gootloader serves an XOR-encoded blob to the victim's browser. Client-side JavaScript decodes and reconstructs the concatenated archives before writing to disk, evading network detection entirely. Custom WOFF2 fonts obscure keywords in HTML source code through glyph substitution, preventing automated scanners from identifying the page's malicious intent.
The result: a file that security workflows cannot analyze but that victims can open trivially.
The Threat Actor Behind It
Storm-0494 operates Gootloader's infrastructure and has held this specialized role since at least 2020. The group doesn't deploy ransomware itself—it sells initial access to ransomware gangs. This division of labor has become the industry standard. Once Storm-0494 compromises a corporate network, Vanilla Tempest takes over and conducts post-exploitation within 20 minutes, achieving Domain Controller compromise in 17 hours. The speed enables mass-scale operations: high-velocity, repeatable attacks across dozens of victims monthly.
This partnership channel reflects broader ecosystem fragmentation. GuidePoint's 2026 GRIT report documented 124 distinct ransomware groups in 2025, a 46% increase year-over-year. Law enforcement disruptions of LockBit and Alphv didn't eliminate ransomware—they fragmented it, allowing mid-tier groups like Qilin to absorb displaced affiliates and exceed prior peak-performing groups in volume. Within this landscape, initial access brokers have become critical infrastructure. Check Point research showed IABs "blossomed" as the ransomware ecosystem specialized.
"In at least some cases, some IABs may work for a percentage of the ransom paid, though we lack insight into the frequency of this dynamic or typical payment rates in these instances," says Jason Baker, managing security consultant, threat intelligence, GuidePoint Security.
"The effects of law enforcement disruption on cybercrime's supporting infrastructure almost certainly forced some threat actors to choose alternate pathways, though an abundance of options minimized the downstream impact on ransomware operations. For example, when Lumma Stealer's infrastructure was disrupted in May 2025, users may have had to pivot to alternatives such as RedLine," Baker says.
"Downstream, at the level of ransomware affiliates, we assess that the disruption or dissolution of RaaS groups has driven affiliates to affiliate with other RaaS groups, rather than leading to substantial impacts on affiliates. We do not know what investigative leads may have been surfaced in the course of or following law enforcement efforts, though we would expect these to take time to develop," he continues.
Defending Against Gootloader
Expel's technical analysis provides concrete mitigations. The most effective: reassociate .js and .jse file extensions via Group Policy Object to open in Notepad instead of Windows Script Host. This single configuration change eliminates the primary execution vector. Organizations should also block wscript.exe and cscript.exe from running downloaded content if JScript isn't required for business operations.
Detection-focused defenses include monitoring for wscript.exe executing .js files from AppData\Local\Temp—indicating execution directly from an extracted ZIP. Flag .LNK files appearing in user Startup folders pointing to scripts in non-standard directories. Alert on cscript.exe executing .js files using legacy NTFS shortnames like "FILENA~1.js," which Gootloader exploits to evade string-based detection. The process chain cscript.exe → powershell.exe → powershell.exe (obfuscated) provides a reliable high-fidelity detection trigger.
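The detection ideas in the paragraph above, turned into code that runs over a handful of constructed process-creation events (an added example written for this article; it is not Expel's detection content, and the event shape, the rule names and the sample paths are assumptions):

```python
import re

# wscript.exe launching a .js directly from the user's Temp folder (typical of an extracted ZIP)
TEMP_JS = re.compile(r"\\AppData\\Local\\Temp\\[^\s\"]+\.js\b", re.IGNORECASE)
# legacy NTFS 8.3 shortname such as FILENA~1.js passed to cscript.exe
SHORTNAME_JS = re.compile(r"(?:^|\\)[A-Z0-9_]{1,6}~\d+\.js\b", re.IGNORECASE)

def ancestry(proc, by_pid, depth=3):
    """Return [image, parent image, grandparent image] as lowercase basenames."""
    chain = []
    while proc is not None and len(chain) < depth:
        chain.append(proc["image"].rsplit("\\", 1)[-1].lower())
        proc = by_pid.get(proc["ppid"])
    return chain

def triage(events):
    """Apply the three rules to a list of process events; returns (pid, rule_name) pairs."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        image = e["image"].rsplit("\\", 1)[-1].lower()
        if image == "wscript.exe" and TEMP_JS.search(e["cmdline"]):
            findings.append((e["pid"], "wscript_js_from_temp"))
        if image == "cscript.exe" and SHORTNAME_JS.search(e["cmdline"]):
            findings.append((e["pid"], "cscript_shortname_js"))
        # child -> parent -> grandparent must read powershell, powershell, cscript
        if ancestry(e, by_pid) == ["powershell.exe", "powershell.exe", "cscript.exe"]:
            findings.append((e["pid"], "cscript_powershell_powershell_chain"))
    return findings

# Constructed sample telemetry (hypothetical user, paths and pids); the last event is benign.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 201, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\jdoe\AppData\Local\Temp\Temp1_contract.zip\contract_template.js"'},
    {"pid": 202, "ppid": 201, "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r"cscript.exe C:\Users\jdoe\AppData\Roaming\CONTRA~1.js"},
    {"pid": 203, "ppid": 202, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe <obfuscated stage, constructed placeholder>"},
    {"pid": 204, "ppid": 203, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe <obfuscated stage, constructed placeholder>"},
    {"pid": 300, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Program Files\Vendor\install.js"},
]
```

`triage(SAMPLE_EVENTS)` fires once per rule (pids 201, 202 and 204) and stays silent on the vendor script launched from Program Files.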
Expel released a YARA rule detecting the malformed archives by identifying 100+ occurrences of specific local file header and End of Central Directory hex patterns.
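To make the ZIP structure described in the "Crafty Evasions" section concrete, and to show the kind of structural count Expel's YARA rule is said to rely on, here is an added example (my own code, not Expel's rule or any Gootloader sample) that builds a valid single-entry archive in memory, reproduces the described layout of identical concatenated copies with a two-byte-short End of Central Directory record, and triages a blob by counting local file headers and checking EOCD completeness and stored-entry size/CRC32 consistency. The 100-header threshold follows the article; the file name and content are constructed.

```python
import io
import struct
import zipfile
import zlib

LFH_SIG = b"PK\x03\x04"   # local file header
CDH_SIG = b"PK\x01\x02"   # central directory header
EOCD_SIG = b"PK\x05\x06"  # End of Central Directory record
EOCD_LEN = 22             # fixed size of a complete EOCD with an empty comment

def build_zip(name, data, crc=None):
    """Build a minimal single-entry ZIP (method 0, stored); crc may be overridden to simulate a bad checksum."""
    crc = zlib.crc32(data) & 0xFFFFFFFF if crc is None else crc
    lfh = LFH_SIG + struct.pack("<HHHHHIIIHH", 20, 0, 0, 0, 0, crc, len(data), len(data), len(name), 0) + name
    cdh = CDH_SIG + struct.pack("<HHHHHHIIIHHHHHII", 20, 20, 0, 0, 0, 0, crc, len(data), len(data),
                                len(name), 0, 0, 0, 0, 0, 0) + name
    eocd = EOCD_SIG + struct.pack("<HHHHIIH", 0, 0, 1, 1, len(cdh), len(lfh) + len(data), 0)
    return lfh + data + cdh + eocd

def concatenate_and_truncate(zip_bytes, copies):
    """Mimic the described layout: identical archives back to back, final EOCD two bytes short."""
    return (zip_bytes * copies)[:-2]

def analyze(blob, header_threshold=100):
    """Structural triage of a ZIP blob that does not depend on any one parser's verdict."""
    lfh_count = blob.count(LFH_SIG)
    eocd_pos = blob.rfind(EOCD_SIG)
    eocd_truncated = eocd_pos != -1 and len(blob) - eocd_pos < EOCD_LEN
    mismatch = False
    pos = blob.find(LFH_SIG)
    while pos != -1 and pos + 30 <= len(blob) and not mismatch:
        _, _, method, _, _, crc, csize, usize, nlen, xlen = struct.unpack_from("<HHHHHIIIHH", blob, pos + 4)
        start = pos + 30 + nlen + xlen
        data = blob[start:start + csize]
        # For stored entries the two sizes must agree and the CRC32 must match the payload.
        if method == 0 and (csize != usize or zlib.crc32(data) & 0xFFFFFFFF != crc):
            mismatch = True
        pos = blob.find(LFH_SIG, start + csize)
    return {"local_headers": lfh_count, "eocd_found": eocd_pos != -1, "eocd_truncated": eocd_truncated,
            "metadata_mismatch": mismatch,
            "suspicious": lfh_count >= header_threshold or eocd_truncated or mismatch}

def readable_by_stdlib(blob):
    """True if Python's zipfile can open the blob and read its first member without error."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            zf.read(zf.namelist()[0])
        return True
    except (zipfile.BadZipFile, IndexError, KeyError):
        return False
```

Run `analyze(concatenate_and_truncate(build_zip(b"contract_template.js", b"..."), 500))` to see the 500 local headers and the truncated EOCD flagged while Python's own zipfile refuses the blob outright; a single well-formed archive passes both checks.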
"To prioritize threat intelligence, we recommend reviewing and prioritizing defenses aligned to the tactics, techniques, and procedures of the most prolific threat groups, as these often overlap but may circumvent or overcome existing security measures," Baker advises.
Threat Actors Persist Despite Coordinated Disruption Efforts
According to GuidePoint Security's 2026 Ransomware and Cyber Threat Report, there were 7,515 ransomware victims in 2025, with December alone reporting 814 cases—the highest single-month total documented. The fourth quarter set a quarterly record with 2,287 victims. This surge partly reflects the sustained law enforcement pressure throughout 2025, which increased operational costs for major groups, prompting them to scale through affiliate networks and to outsource initial access work.
Gootloader's evolution reflects that dynamic. A seven-month hiatus followed by a return with advanced evasion demonstrates how threat actors persist despite coordinated disruption efforts. The malformed ZIP innovation directly counters defensive improvements—traditional hash matching, sandbox analysis, and signature detection all fail against a file that changes with every download and cannot be parsed by standard tools.
"We typically see far lower volume from the newest groups, which are often ephemeral in nature and do not persist for more than a few months. However, we noted several instances in 2025 of apparent 'new' groups that rapidly gained momentum in a way that does not align with the behavior commonly associated with new groups, suggesting the presence or affiliation of more experienced operators. An example of this is Sinobi, which first appeared in July but rapidly expanded to claim 187 victims before the end of the year, closing as the 10th most prolific group of 2025," Baker says.
For security teams, the message is stark: initial access brokers such as Gootloader operate at sophisticated technical levels, leverage specialized knowledge of file-format quirks, and maintain operational resilience through rapid innovation. Defenders cannot rely solely on signature-based protections or network inspection. Behavioral detection, attack surface reduction through JScript policies, and rapid response to anomalous process chains remain the most viable mitigations in an ecosystem where ransomware volume has never been higher, and threat actor specialization has never been more refined.
