New 'Zombie ZIP' technique lets malware slip past security tools

Published: March 10, 2026 at 04:05 PM EDT

Source: Bleeping Computer

Zombie ZIP illustration

Overview

A new technique dubbed “Zombie ZIP” conceals payloads in compressed files specially crafted to evade detection by security solutions such as antivirus and endpoint detection and response (EDR) products. Standard utilities like WinRAR or 7‑Zip fail to extract the files, producing errors or corrupted data.

How the Technique Works

The method manipulates ZIP headers so that parsing engines treat compressed data as if it were uncompressed. Security tools trust the Method field in the ZIP header:

“AV engines trust the ZIP Method field. When Method=0 (STORED), they scan the data as raw uncompressed bytes. But the data is actually DEFLATE compressed – so the scanner sees compressed noise and finds no signatures,” the researcher explains.

Loader Bypass

A purpose‑built loader that ignores the declared method and decompresses the data as DEFLATE can recover the payload perfectly:

“However, a purpose‑built loader that ignores the declared method and decompresses as DEFLATE recovers the payload perfectly,” Aziz says.

The researcher, Chris Aziz of Bombadil Systems, published a proof‑of‑concept on GitHub, providing sample archives and detailed explanations.

CRC Manipulation

To trigger errors in popular extraction tools (7‑Zip, unzip, WinRAR), the CRC value is set to the checksum of the uncompressed payload, so those tools report an “unsupported method” error or corrupted data.

Industry Response

Yesterday, the CERT Coordination Center (CERT/CC) issued a bulletin warning about “Zombie ZIP” and highlighting the risks of malformed archive files.

The agency notes that while some security solutions may be fooled, certain extraction tools can still correctly decompress the archive.

CVE Assignments

  • CVE‑2026‑0866 – Assigned to this security issue.
  • The issue is similar to CVE‑2004‑0935, which affected an early version of the ESET antivirus product.

Recommendations for Vendors

CERT/CC suggests that security‑tool vendors:

  • Validate compression method fields against the actual data.
  • Detect inconsistencies in archive structure.
  • Implement more aggressive archive inspection modes.

Recommendations for Users

  • Treat archive files with caution, especially those from unknown contacts.
  • Delete archives immediately if attempts to decompress them end with an “unsupported method” error.