
GootLoader Reads Backwards: The ZIP Evasion That's Fooling Your Security Stack

  • Writer: Patrick Duggan
  • Jan 25
  • 4 min read


Executive Summary


GootLoader, the JavaScript loader behind Rhysida ransomware infections, has returned with a clever evasion: malformed ZIP archives that security tools can't parse but Windows opens perfectly. The trick exploits how ZIP files are structured—they're read from the END, not the beginning.



The Trick in 30 Seconds


ZIP files contain an "End of Central Directory" (EOCD) record that tells readers where the actual content lives. Windows reads from the end. Most security tools read from the start. GootLoader abuses that gap by:


  1. Concatenating 500-1,000 garbage ZIP files together

  2. Appending one real ZIP at the end

  3. Truncating the EOCD by 2 bytes (breaks parsers)

  4. Randomizing fields (hashbusting)

Result: 7-Zip says "corrupt." WinRAR says "corrupt." Your sandbox says "corrupt." Windows Explorer says "here's your malware, freshly extracted."





The Architecture



┌────────────────────────────────────────────────────────────────┐
│                    GOOTLOADER ZIP STRUCTURE                     │
├────────────────────────────────────────────────────────────────┤
│                                                                │
│  [ZIP #1][ZIP #2][ZIP #3]...[ZIP #999][REAL PAYLOAD ZIP]      │
│     ↑       ↑       ↑           ↑              ↑               │
│     │       │       │           │              │               │
│   Junk    Junk    Junk        Junk     Actual malware          │
│                                                                │
│  Security tools: Parse from START → see garbage → "corrupt"   │
│  Windows:        Parse from END   → find EOCD   → extract     │
│                                                                │
│  Each download = unique file (500-1000 random concatenations) │
│  Hash-based detection = useless                                │
│                                                                │
└────────────────────────────────────────────────────────────────┘



Why It Works


The ZIP specification allows archives to be read from the end. The EOCD record at the tail contains pointers to the Central Directory, which contains pointers to the actual file data. Everything before the last valid archive is noise.


Most security tools assume well-formed input. They parse sequentially, hit malformed headers, and give up. Windows doesn't care—it jumps to the end, finds valid structure, and extracts.
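To make the trick concrete, here is an added Python example (not code from this post or from Expel): it builds a constructed archive of junk ZIPs followed by one real ZIP, truncates the EOCD by 2 bytes, shows that a strict parser (Python's zipfile) rejects it, models a lenient end-first reader that still extracts the payload, and counts local headers against the EOCD's entry count, the same signal the YARA rule later on this page relies on. The lenient reader is my own model of the behaviour the post attributes to Windows Explorer, not a copy of its implementation.

```python
import io
import struct
import zipfile

LFH, EOCD = b"PK\x03\x04", b"PK\x05\x06"  # local-header / end-of-central-directory signatures

def make_zip(name, data):
    """Minimal valid single-file ZIP built in memory (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
        z.writestr(name, data)
    return buf.getvalue()

def build_sample(junk_count=10):
    """Junk ZIPs, then the real ZIP, then drop the EOCD's last 2 bytes (comment length)."""
    junk = b"".join(make_zip(f"junk{i}.bin", bytes([i]) * 16) for i in range(junk_count))
    real = make_zip("payload.txt", b"benign stand-in for the .js payload")
    return (junk + real)[:-2]

def strict_parse(blob):
    """Strict reader (Python's zipfile): rejects the file, as 7-Zip or a sandbox would."""
    try:
        return zipfile.ZipFile(io.BytesIO(blob)).namelist()
    except zipfile.BadZipFile:
        return None

def lenient_parse(blob):
    """Lenient end-first reader (assumed model of Explorer): tolerate the truncated EOCD."""
    pos = blob.rfind(EOCD)                # search from the END, like Windows
    total, cd_size, cd_off = struct.unpack_from("<HII", blob, pos + 10)  # EOCD +10: total(2) cd_size(4) cd_off(4)
    cd_start = pos - cd_size              # where the central directory really is
    shift = cd_start - cd_off             # CD offsets are relative to the real ZIP, not the file
    files, p = {}, cd_start
    for _ in range(total):
        # CD header from +20: csize(4) usize(4) name_len(2) extra_len(2) comment_len(2) 8 bytes lfh_offset(4)
        csize, nlen, xlen, clen, lho = struct.unpack_from("<I4xHHH8xI", blob, p + 20)
        name = blob[p + 46:p + 46 + nlen].decode()
        lh = lho + shift                  # local header, corrected for the junk prefix
        lnlen, lxlen = struct.unpack_from("<HH", blob, lh + 26)
        start = lh + 30 + lnlen + lxlen
        files[name] = blob[start:start + csize]
        p += 46 + nlen + xlen + clen
    return files

def header_ratio(blob):
    """Detection: local-header signatures in the file vs. entries the EOCD claims."""
    pos = blob.rfind(EOCD)
    total = struct.unpack_from("<H", blob, pos + 10)[0]
    return blob.count(LFH), total
```

A file whose local-header count dwarfs the EOCD entry count has archives prepended to it; the Expel rule thresholds that count at 100.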





The Kill Chain



┌─────────────────────────────────────────────────────────────────┐
│  1. SEO POISONING                                               │
│     └─ Compromised WordPress sites rank for legal queries       │
│     └─ "florida building code requirements for sheds"           │
│     └─ "non-compete agreement template california"              │
├─────────────────────────────────────────────────────────────────┤
│  2. FAKE FORUM                                                  │
│     └─ Simulated message board conversation                     │
│     └─ "Thanks! This template worked great for me"              │
│     └─ Download link to malicious ZIP                           │
├─────────────────────────────────────────────────────────────────┤
│  3. MALFORMED ZIP DELIVERY                                      │
│     └─ 500-1000 concatenated ZIPs + real payload                │
│     └─ Unique hash per download (hashbusting)                   │
│     └─ filename: "building_code_requirements(9306).zip"         │
├─────────────────────────────────────────────────────────────────┤
│  4. USER EXECUTION                                              │
│     └─ Windows extracts .js file                                │
│     └─ Double-click → wscript.exe executes                      │
│     └─ JScript drops second stage to AppData\Roaming            │
├─────────────────────────────────────────────────────────────────┤
│  5. PERSISTENCE                                                 │
│     └─ Scheduled task (random 2-3 word name)                    │
│     └─ .LNK in Startup folder                                   │
│     └─ Uses 8.3 short filenames to evade                        │
├─────────────────────────────────────────────────────────────────┤
│  6. RECONNAISSANCE                                              │
│     └─ PowerShell AD enumeration                                │
│     └─ Kerberoasting / SPN scanning                             │
│     └─ Environment variable collection                          │
├─────────────────────────────────────────────────────────────────┤
│  7. ACCESS SALE                                                 │
│     └─ Hive0127 sells access to Vanilla Tempest                 │
│     └─ Price: percentage of ransom                              │
├─────────────────────────────────────────────────────────────────┤
│  8. RANSOMWARE                                                  │
│     └─ Vanilla Tempest deploys Rhysida                          │
│     └─ Primary targets: Healthcare, Education                   │
│     └─ Double extortion (encrypt + leak)                        │
└─────────────────────────────────────────────────────────────────┘





The Partnership Model


GootLoader operators don't deploy ransomware themselves. They're access brokers.



Actor            Alias                    Role                           Active Since
---------------  -----------------------  -----------------------------  ------------
Hive0127         Storm-0494, UNC2565      GootLoader developer/operator  2014
Vanilla Tempest  Vice Society, DEV-0832   Ransomware affiliate           2021


Current arrangement: Hive0127 provides initial access via GootLoader, Vanilla Tempest deploys Rhysida ransomware, and the two split the proceeds.


Previous customers: REvil, BlackCat/ALPHV, Quantum Locker, Zeppelin, INC, Hello Kitty





Detection Guidance



Process Hunting



# Suspicious execution chains
wscript.exe → executing .js from %TEMP%
cscript.exe → using NTFS 8.3 shortnames (e.g., SCRIPT~1.JS)
cscript.exe → spawning powershell.exe



Persistence Locations



# Scheduled tasks with random names
C:\Windows\System32\tasks\<TwoWordName>
C:\Windows\System32\tasks\<ThreeWordName>



Splunk Queries



# JScript execution from temp
index=windows EventCode=1
| where process_name="wscript.exe" OR process_name="cscript.exe"
| where match(command_line, "(?i)\\\\temp\\\\.*\\.js")
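The process-hunting chains and the Splunk query above, expressed as an added Python example (not from this post) that runs the same checks over constructed Sysmon-style process-creation events; the field names parent/image/cmd and the sample command lines are my own.

```python
import re

# Constructed Sysmon-style (EventCode=1) process-creation events, not real telemetry.
EVENTS = [
    {"parent": "explorer.exe", "image": "wscript.exe",
     "cmd": r'"C:\Windows\System32\wscript.exe" "C:\Users\u\AppData\Local\Temp\building_code_requirements(9306).js"'},
    {"parent": "svchost.exe", "image": "cscript.exe",
     "cmd": r"cscript.exe //nologo C:\Users\u\AppData\Roaming\UPDATE~1\SCRIPT~1.JS"},
    {"parent": "cscript.exe", "image": "powershell.exe",
     "cmd": r"powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"parent": "explorer.exe", "image": "wscript.exe",                      # benign control
     "cmd": r'wscript.exe "C:\Program Files\Vendor\maintenance.vbs"'},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
JS_FROM_TEMP = re.compile(r"\\temp\\.*\.js\b", re.I)                   # same test as the Splunk query
SHORTNAME_JS = re.compile(r'\\[^\\\s"]{1,6}~\d[^\\\s"]*\.js\b', re.I)  # NTFS 8.3 name, e.g. SCRIPT~1.JS
ENCODED_PS = re.compile(r"(?:^|\s)-enc(?:odedcommand)?\s", re.I)

def classify(event):
    """Return the GootLoader-style indicators (from the hunting list above) this event matches."""
    image, parent, cmd = event["image"].lower(), event["parent"].lower(), event["cmd"]
    hits = []
    if image in SCRIPT_HOSTS and JS_FROM_TEMP.search(cmd):
        hits.append("script host running .js from %TEMP%")
    if image in SCRIPT_HOSTS and SHORTNAME_JS.search(cmd):
        hits.append("script host using NTFS 8.3 short name")
    if image == "powershell.exe" and parent in SCRIPT_HOSTS:
        tag = " (encoded command)" if ENCODED_PS.search(cmd) else ""
        hits.append("powershell.exe spawned by script host" + tag)
    return hits

def hunt(events):
    """Map event index -> hits for every event with at least one hit; silent events are dropped."""
    findings = {}
    for i, event in enumerate(events):
        hits = classify(event)
        if hits:
            findings[i] = hits
    return findings
```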



YARA Rule (from Expel)



rule gootloader_zip_archive_2025 {
    meta:
        description = "Detects GootLoader malformed ZIP with 100+ concatenated archives"
        author = "Expel"
        date = "2025-11-17"
    strings:
        $local_header = { 50 4B 03 04 }
        $eocd = { 50 4B 05 06 }
    condition:
        uint32(0) == 0x04034b50 and
        #local_header > 100 and
        #eocd > 100
}



Landing Page Regex


Hunt for compromised WordPress sites serving GootLoader:



/j\$k([0-9]{1,10})j\$k/


This pattern appears in the Description property of malicious landing pages.





IOCs



File Hash



SHA256: b05eb7a367b5b86f8527af7b14e97b311580a8ff73f27eaa1fb793abb902dc6e
Type: GootLoader malformed ZIP archive (500-1000 concatenated)
Source: Expel


Note: Hash-based detection is limited. GootLoader generates unique files per download.



Behavioral Indicators



Indicator                                      Description
---------------------------------------------  ---------------------
.js file in downloaded ZIP                     Initial payload
wscript.exe child of explorer.exe              User executed JScript
.dat or .log file in AppData renamed to .js    Second stage
Scheduled task with 2-3 word random name       Persistence
PowerShell with -enc flag after cscript.exe    Recon stage





Mitigation



The Easy Win: Kill JScript Execution



# Change default handler for .js files
# Via GPO or registry



Block Script Hosts


If your organization doesn't need wscript.exe or cscript.exe:



# AppLocker rule to block script hosts for downloaded content
# Or Windows Defender ASR rule:
# Block JavaScript and VBScript from launching downloaded content



Monitor Script Block Logging


  • Event ID 4104 captures PowerShell execution

  • Look for encoded commands, AD enumeration, Kerberoasting




The Bigger Picture


GootLoader has been around since 2020. It's survived because:


  1. SEO poisoning works - People search for templates, find malware

  2. Access brokerage is lucrative - Why deploy ransomware when you can sell access?

  3. The partnership model scales - New ransomware affiliate? Same initial access.

  4. Evasion evolves - Malformed ZIPs are just the latest trick

The January 2026 variant shows continued development investment. Someone is actively maintaining this loader, testing what breaks security tools, and shipping updates.






TL;DR


GootLoader now ships as 500-1000 concatenated ZIP files. Security tools parse from the start and fail. Windows parses from the end and extracts the malware. Hash-based detection is useless because every download is unique.


Fix: Change the .js file association to Notepad. Block wscript.exe from executing downloaded content. Hunt for cscript.exe → powershell.exe chains.


Who's behind it: Hive0127 (loader operator) sells access to Vanilla Tempest (ransomware affiliate) who deploys Rhysida against healthcare targets.




DugganUSA Threat Intelligence - analytics.dugganusa.com



