Planned failure: Gootloader’s malformed ZIP actually works perfectly
ID: b1ee0077-34d4-5ca4-bb24-905542443dd9
STIX ID: report--b1ee0077-34d4-5ca4-bb24-905542443dd9
Feed Name: Expel Blog
This report analyzes a Gootloader campaign that delivers JScript via purposely malformed ZIP archives (many concatenated ZIPs, truncated End of Central Directory fields, randomized metadata) to evade analysis while remaining openable by Windows Explorer; it documents file-format artifacts, provides a YARA rule to detect the malformed archives, describes the post-execution chain (WScript/CScript → PowerShell, LNK persistence, NTFS shortnames), and recommends mitigations such as re-associating .js to Notepad via GPO, blocking/monitoring wscript/cscript and PowerShell process trees, and alerting on LNK creation in Startup folders.
