New "Zombie ZIP" attack can evade most antivirus scanners

However some experts argue the technique is not a true security flaw

by · TechSpot


Is this a virus?: Classic ZIP bombs and other archive-based tricks have long given cybercriminals a convenient way to sneak malware onto unsuspecting systems. A newly documented technique claims to go even further, slipping past nearly all anti-malware engines while still delivering a malicious payload to a target PC.

Known as Zombie ZIP, the method hides malware inside a deliberately malformed compressed archive. According to its creators, most antivirus engines currently fail to detect the threat, potentially giving attackers a new delivery mechanism. At the same time, some researchers argue the technique is less a vulnerability and more a side effect of how the ZIP format was originally designed to work.

A recent security bulletin explains that Zombie ZIP relies on a malformed archive header to disguise the true nature of the compressed data. ZIP headers contain metadata used by archivers and other software to interpret the file, including the compression method, flags, and version information required to unpack the archive.

With Zombie ZIP, the header's compression method field is intentionally corrupted. Tools such as 7-Zip and WinRAR are therefore unable to identify how the archive was compressed, while antivirus scanners simply interpret the file as harmless "compressed noise." In reality, the payload remains compressed using Deflate, the decades-old lossless algorithm created by PKZIP developer Phil Katz in 1990.

An attacker could use Zombie ZIP to deliver a malicious payload disguised as a corrupted ZIP archive, potentially evading full antivirus analysis. Extracting the hidden payload, however, requires a custom tool that ignores the compression method declared in the header and unpacks the raw data stream directly.

The "vulnerability" is currently tracked as CVE-2026-0866. Its authors claim the technique can evade detection by roughly 98% of antivirus engines tested through VirusTotal. Major products including Bitdefender, Kaspersky, and Microsoft Defender reportedly fail to flag the malformed archive, highlighting what researchers describe as a simple yet effective threat vector involving compressed files.


Not everyone agrees that the issue deserves a CVE designation.

Some malware analysts argue that if standard archive utilities cannot interpret the data stream, the file is effectively just corrupted or encrypted data requiring a specialized extraction method. In that sense, they say, it behaves similarly to password-protected ZIP archives.

Researchers at Carnegie Mellon University's CERT Coordination Center note that some extraction tools can still recognize the malformed archive and decompress the embedded payload. They recommend that antivirus developers avoid relying solely on expected metadata structures when scanning compressed files. As always, users should treat downloaded archives with caution, particularly when they come from untrusted sources.
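The header field the article describes, and the CERT advice not to trust it, can be shown with a small scanner-side check. This is an added example, not code from the bulletin, CERT or any antivirus vendor: it walks ZIP local file headers, decodes each entry by its declared method, and when the method field is unknown it attempts a raw Deflate inflate anyway and confirms the result against the header's CRC-32. The `build_entry` helper only constructs a single-entry test blob so the check can run offline; it assumes no data descriptors (general-purpose flag bit 3) and no central directory, which a real scanner would also handle.

```python
import struct
import zlib

LOCAL_SIG = b"PK\x03\x04"
LOCAL_FMT = "<4sHHHHHIIIHH"   # 30-byte ZIP local file header
STORED, DEFLATE = 0, 8

def raw_deflate(data: bytes) -> bytes:
    """Raw Deflate stream (no zlib wrapper), which is what ZIP entries carry."""
    co = zlib.compressobj(9, zlib.DEFLATED, -15)
    return co.compress(data) + co.flush()

def build_entry(name: bytes, payload: bytes, method_field: int) -> bytes:
    """Constructed test data: one local-header entry whose method field we control."""
    body = raw_deflate(payload)
    hdr = struct.pack(LOCAL_FMT, LOCAL_SIG, 20, 0, method_field, 0, 0,
                      zlib.crc32(payload), len(body), len(payload), len(name), 0)
    return hdr + name + body

def recover_entries(blob: bytes) -> list:
    """Walk local headers; decode by declared method, else fall back to raw inflate."""
    out, pos = [], 0
    while blob.startswith(LOCAL_SIG, pos):
        _, _, _, method, _, _, crc, csize, _, nlen, xlen = struct.unpack_from(LOCAL_FMT, blob, pos)
        name_start = pos + struct.calcsize(LOCAL_FMT)
        name = blob[name_start:name_start + nlen].decode("latin-1")
        data_start = name_start + nlen + xlen
        body = blob[data_start:data_start + csize]
        if method == STORED:
            plain, note = body, "stored"
        elif method == DEFLATE:
            plain, note = zlib.decompress(body, -15), "deflate"
        else:
            # Metadata is not trustworthy: try raw inflate regardless of the field.
            try:
                plain, note = zlib.decompress(body, -15), f"unknown method {method}, inflated anyway"
            except zlib.error:
                plain, note = None, f"unknown method {method}, not a Deflate stream"
        # A CRC match is strong evidence the fallback decode recovered the real content.
        crc_ok = plain is not None and zlib.crc32(plain) == crc
        out.append({"name": name, "method": method, "note": note,
                    "crc_ok": crc_ok, "payload": plain})
        pos = data_start + csize
    return out

if __name__ == "__main__":
    sample = build_entry(b"note.txt", b"constructed sample text, not malware\n" * 3, 0x7A7A)
    for entry in recover_entries(sample):
        print(entry["name"], entry["note"], "crc_ok=%s" % entry["crc_ok"])
```

The recovered bytes are what the scanner should actually analyse; the declared method value and the CRC mismatch case are both worth logging as indicators of a deliberately malformed archive.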