Tech
New ‘Zombie ZIP’ technique lets malware slip past security tools
A new technique dubbed “Zombie ZIP” helps conceal payloads in compressed files specially created to avoid detection from security solutions such as antivirus and endpoint detection and response (EDR) products.
Trying to extract the files with standard utilities like WinRAR or 7-Zip results in errors or corrupted data. The technique works by manipulating ZIP headers to trick parsing engines into treating compressed data as uncompressed.
Instead of flagging the archive as potentially dangerous, security tools trust the header and scan the file as if it were a copy of the original in a ZIP container.
The “Zombie ZIP” technique was devised by Bombadil Systems security researcher Chris Aziz, who found that it works against 50 of the 51 AV engines on VirusTotal.
“AV engines trust the ZIP Method field. When Method=0 (STORED), they scan the data as raw uncompressed bytes. But the data is actually DEFLATE compressed – so the scanner sees compressed noise and finds no signatures,” the researcher explains.
A threat actor can create a loader that ignores the header and treats the archive for what it is: data compressed using the standard Deflate algorithm used in modern ZIP files.
The researcher has published a proof-of-concept (PoC) on GitHub, sharing sample archives and additional details on how the method works.
To cause popular extraction tools (e.g., 7-Zip, unzip, WinRAR) to generate an error, the researcher says that the CRC value that ensures data integrity has to be set to the uncompressed payload’s checksum.
“However, a purpose-built loader that ignores the declared method and decompresses as DEFLATE recovers the payload perfectly,” Aziz says.
Yesterday, the CERT Coordination Center (CERT/CC) published a bulletin to warn about “Zombie ZIP” and raise awareness of the risks posed by malformed archive files.
While a malformed header may trick security solutions, the agency says that some extraction tools are still able to correctly decompress the ZIP archive.
The CVE-2026-0866 identifier has been assigned for the security issue, which the agency says is similar to a vulnerability disclosed more than two decades ago, CVE-2004-0935, affecting an early version of the ESET antivirus product.
CERT/CC proposes that security tool vendors must validate compression method fields against actual data, add mechanisms to detect inconsistencies in archive structure, and implement more aggressive archive inspection modes.
Users should treat archive files with caution, especially those from unknown contacts, and delete them immediately if their attempts to decompress them end with an “unsupported method” error.
Malware is getting smarter. The Red Report 2026 reveals how new threats use math to detect sandboxes and hide in plain sight.
Download our analysis of 1.1 million malicious samples to uncover the top 10 techniques and see if your security stack is blinded.