New "Zombie ZIP" attack can evade most antivirus scanners

Alfonso Maruccia

Is this a virus?: Classic ZIP bombs and other archive-based tricks have long given cybercriminals a convenient way to sneak malware onto unsuspecting systems. A newly documented technique claims to go even further, slipping past nearly all anti-malware engines while still delivering a malicious payload to a target PC.

Known as Zombie ZIP, the method hides malware inside a deliberately malformed compressed archive. According to its creators, most antivirus engines currently fail to detect the threat, potentially giving attackers a new delivery mechanism. At the same time, some researchers argue the technique is less a vulnerability and more a side effect of how the ZIP format was originally designed to work.

A recent security bulletin explains that Zombie ZIP relies on a malformed archive header to disguise the true nature of the compressed data. ZIP headers contain metadata used by archivers and other software to interpret the file, including the compression method, flags, and version information required to unpack the archive.

With Zombie ZIP, the header's compression method field is intentionally corrupted. Tools such as 7-Zip and WinRAR are therefore unable to identify how the archive was compressed, while antivirus scanners simply interpret the file as harmless "compressed noise." In reality, the payload remains compressed using Deflate, the decades-old lossless algorithm created by PKZIP developer Phil Katz in 1990.

A remote actor could abuse Zombie ZIP to safely deploy a malicious payload masked as a corrupted ZIP archive, potentially evading a full antivirus analysis. However, extracting the hidden payload would require a custom tool designed to ignore the compression method declared in the header and unpack the raw data stream directly.

The "vulnerability" is currently tracked as CVE-2026-0866. Its authors claim the technique can evade detection by roughly 98% of antivirus engines tested through VirusTotal. Major products including Bitdefender, Kaspersky, and Microsoft Defender reportedly fail to flag the malformed archive, highlighting what researchers describe as a simple yet effective threat vector involving compressed files.

Not everyone agrees that the issue deserves a CVE designation.

Some malware analysts argue that if standard archive utilities cannot interpret the data stream, the file is effectively just corrupted or encrypted data requiring a specialized extraction method. In that sense, they say, it behaves similarly to password-protected ZIP archives.

Researchers at Carnegie Mellon University's CERT Coordination Center note that some extraction tools can still recognize the malformed archive and decompress the embedded payload. They recommend that antivirus developers avoid relying solely on expected metadata structures when scanning compressed files. As always, users should treat downloaded archives with caution, particularly when they come from untrusted sources.
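As an added example (not code from the bulletin, the article, or any vendor named above), the Python script below implements the CERT/CC recommendation: it walks every local file header and tries raw Deflate on the member data regardless of the compression method the header declares, flagging a mismatch as suspicious. The archive with an overwritten method field and its benign text payload are constructed inside the script to exercise the check; the stdlib `zipfile` stands in for an ordinary archiver.

```python
import io, struct, zipfile, zlib

# Local file header: sig, ver, flags, method, time, date, crc, csize, usize, nlen, xlen
LFH = "<4sHHHHHIIIHH"
LFH_SIZE = struct.calcsize(LFH)

def build_sample(payload: bytes, bogus_method: int = 0x7F) -> bytes:
    """Constructed sample: a normal Deflate ZIP whose declared compression method
    is overwritten with an unassigned value in both the local header (offset 8)
    and the central directory entry (offset 10). bogus_method=8 leaves it valid."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("note.txt", payload)
    buf = bytearray(out.getvalue())
    struct.pack_into("<H", buf, 8, bogus_method)
    struct.pack_into("<H", buf, buf.find(b"PK\x01\x02") + 10, bogus_method)
    return bytes(buf)

def standard_tool_rejects(buf: bytes) -> bool:
    """True if the stdlib extractor (stand-in for an archiver here) cannot unpack."""
    try:
        with zipfile.ZipFile(io.BytesIO(buf)) as zf:
            [zf.read(n) for n in zf.namelist()]
        return False
    except (NotImplementedError, zipfile.BadZipFile):
        return True

def scan_local_headers(buf: bytes) -> list:
    """Walk every local file header and try raw Deflate on the member data no
    matter what method the header declares; a mismatch is reported as suspicious."""
    findings, pos = [], 0
    while (pos := buf.find(b"PK\x03\x04", pos)) >= 0 and pos + LFH_SIZE <= len(buf):
        _, _, flags, method, _, _, _, csize, _, nlen, xlen = struct.unpack_from(LFH, buf, pos)
        start = pos + LFH_SIZE + nlen + xlen
        name = buf[pos + LFH_SIZE:pos + LFH_SIZE + nlen].decode("utf-8", "replace")
        recovered = None
        if not flags & 1:  # encrypted members cannot be inflated; skip them
            d = zlib.decompressobj(-15)  # raw Deflate, no zlib/gzip wrapper
            try:
                out = d.decompress(buf[start:start + csize]) + d.flush()
                if d.eof:  # stream ended cleanly: the data really is Deflate
                    recovered = out
            except zlib.error:
                pass
        findings.append({"name": name, "declared_method": method,
                         "suspicious": recovered is not None and method != 8,
                         "recovered": recovered})
        pos = start + csize
    return findings
```

A scanner that only trusts the declared method sees nothing to decompress in the malformed sample; this check recovers the member anyway and reports the disagreement between metadata and content.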

"A recent security bulletin explains that Zombie ZIP relies on a malformed archive header to disguise the true nature of the compressed data."

Idiots. Detecting the archive itself is not the focus of AV but a nice bonus for AV suites. The real detection occurs on extraction or execution within the archive, where the binary, script or link attempts to fire to ping/modify/alter the local system or reach outbound, and any *decent* AV will run behavior analysis on THAT set of actions and convict the file based on signatures, heuristics, ML, file/system-touch patterns, API calls, URL or link access, etc.

This is a blowhard making noise to get in the headlines... Mangling file headers is so freaking 2001, back when I started doing AV support and specifically AV remediation, which I've now done for 24 years.
 
"However, extracting the hidden payload would require a custom tool designed to ignore the compression method declared in the header and unpack the raw data stream directly."
Seriously?
In other words, the victim should be way more proficient than the cybercriminal, and has to flawlessly execute a series of complicated actions involving special tools in order to get infected.
Sounds ridiculous.
 
Seriously?
In other words, the victim should be way more proficient than the cybercriminal, and has to flawlessly execute a series of complicated actions involving special tools in order to get infected.
Sounds ridiculous.
It is one of the reasons why many cyber security analysts are describing their field as a joke.

If you remember when Intel was plagued with MELTDOWN and SPECTRE, Intel decided to hire Cyber Security Analysts to throw dirt at AMD with FALLOUT, CHIMERA and RYZENFALL.

This is another example, if you need a special executable on the host to be able to resurrect the malware.
 
Seriously?
In other words, the victim should be way more proficient than the cybercriminal, and has to flawlessly execute a series of complicated actions involving special tools in order to get infected.
Sounds ridiculous.
It's even more ridiculous than you state, as this so-called "attack" can be done not just with ZIP files, but any data you download or even view online. A text file, for instance, might contain source code which -- if you compiled and executed it -- constituted a virus, while an image viewed in your web browser might contain lower-order bits in the pixels that, if extracted and converted to assembly language, resulted in a malicious executable.
 
I think if you downloaded a zip and it was corrupted and you tried extracting it anyway, you're just asking for trouble. Just delete it, clear the cache, try downloading again, and if it's still corrupted move on to other download sources.
 