NEWS Schrödinger's ZIP archive: there's nothing inside for an antivirus, but for a hacker, there's a working virus.

pinkman

We explore the Zombie ZIP phenomenon, which deceives software scanners.
Researchers have identified a new technique for disguising malicious code in ZIP archives. Dubbed "Zombie ZIP," this method allows malware to hide payloads in archives so that most security solutions mistake their contents for safe data.

The technique was developed by Chris Aziz, a security specialist at Bombadil Systems. The method relies on manipulating ZIP archive headers. The attacker alters the field that specifies the compression method, tricking analyzers into thinking the file within the archive is stored uncompressed. Antivirus and threat detection systems trust this value and scan the contents as normal, uncompressed data.

In reality, the entry is compressed with Deflate, the standard ZIP compression method. Because the scanner treats the Deflate stream as plain data, it sees only meaningless bytes and finds no malicious code signatures in them. According to Chris Aziz, this technique bypasses 50 of the 51 antivirus engines available on the VirusTotal platform.

When attempting to unpack such an archive with standard utilities, including 7-Zip, WinRAR, or unzip, an error or a message about corrupted data appears. This is because the CRC value in the header has been deliberately set to the checksum of the decompressed file: a tool that trusts the "stored" method checks the raw Deflate bytes against that value, finds a mismatch, and reports the archive as corrupted.

However, the malware can ignore the compression method specified in the header and simply decompress the data as Deflate. In this case, the hidden payload is extracted without errors. Chris Aziz has published demo code and sample archives on GitHub to demonstrate how this technique works.

The CERT Coordination Center (CERT/CC) took note of the situation. The organization issued a warning and assigned the issue the identifier CVE-2026-0866. CERT/CC representatives noted similarities with vulnerability CVE-2004-0935, discovered over twenty years ago in early versions of ESET antivirus software.

The center's experts believe that developers of security products need to verify that the compression method declared in the header is consistent with the actual archive data. Additional archive-structure analysis and stricter verification modes will help identify such discrepancies.
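The consistency check recommended above, as an added example written for this post (it is not the researcher's published demo code). It walks a ZIP's central directory, slices each entry's compressed bytes, and tests whether the declared method agrees with them: a "stored" entry must checksum as plain data, and if it does not but the bytes inflate as raw Deflate to something matching the header CRC, the method field has been mislabelled. The archive used for the demonstration is built in memory from a benign constructed payload, and the label names and the non-ZIP64, single-disk assumption are this example's own.

```python
"""Check that a ZIP entry's declared compression method matches its actual bytes.

Added example for this article; not the researcher's published demo code.
Assumes a plain (non-ZIP64, single-disk) archive held in memory.
"""
import io
import struct
import zipfile
import zlib

EOCD_SIG = b"PK\x05\x06"
METHOD_STORED, METHOD_DEFLATE = 0, 8


def central_entries(buf: bytes):
    """Walk the central directory and yield one dict per entry."""
    eocd = buf.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    # EOCD: sig, disk, cd_disk, entries_this_disk, entries_total, cd_size, cd_offset, comment_len
    _, _, _, _, total, _, cd_off, _ = struct.unpack_from("<IHHHHIIH", buf, eocd)
    pos = cd_off
    for _ in range(total):
        (sig, _, _, _, method, _, _, crc, comp, uncomp,
         n_len, x_len, c_len, _, _, _, local_off) = struct.unpack_from("<IHHHHHHIIIHHHHHII", buf, pos)
        if sig != 0x02014B50:
            raise ValueError("bad central directory header")
        name = buf[pos + 46:pos + 46 + n_len].decode("utf-8", "replace")
        # The local header carries its own name/extra lengths; the data starts right after them.
        (lsig, _, _, _, _, _, _, _, _, ln_len, lx_len) = struct.unpack_from("<IHHHHHIIIHH", buf, local_off)
        if lsig != 0x04034B50:
            raise ValueError("bad local header")
        data_off = local_off + 30 + ln_len + lx_len
        yield {"name": name, "method": method, "crc": crc, "comp": comp, "uncomp": uncomp,
               "cd_pos": pos, "local_off": local_off, "raw": buf[data_off:data_off + comp]}
        pos += 46 + n_len + x_len + c_len


def classify(entry: dict) -> str:
    """Return 'ok', or a label (this example's own naming) for how header and data disagree."""
    method, crc, raw = entry["method"], entry["crc"], entry["raw"]
    if method == METHOD_STORED:
        if zlib.crc32(raw) == crc and entry["comp"] == entry["uncomp"]:
            return "ok"
        # Header says "stored" but the bytes do not checksum as plain data. If they
        # inflate as raw Deflate to content matching the CRC, the method field is
        # mislabelled: the pattern the article describes.
        try:
            inflated = zlib.decompress(raw, -15)
        except zlib.error:
            return "stored-crc-mismatch"
        return "stored-but-deflate" if zlib.crc32(inflated) == crc else "stored-crc-mismatch"
    if method == METHOD_DEFLATE:
        try:
            inflated = zlib.decompress(raw, -15)
        except zlib.error:
            return "deflate-corrupt"
        return "ok" if zlib.crc32(inflated) == crc else "deflate-crc-mismatch"
    return f"unsupported-method-{method}"


def scan_zip(buf: bytes) -> dict:
    """Map each entry name to its verdict."""
    return {e["name"]: classify(e) for e in central_entries(buf)}


def relabel_method(buf: bytes, new_method: int) -> bytes:
    """Test fixture: rewrite the method field in every local and central header."""
    out = bytearray(buf)
    for e in central_entries(buf):
        struct.pack_into("<H", out, e["cd_pos"] + 10, new_method)   # central: after sig, made-by, needed, flags
        struct.pack_into("<H", out, e["local_off"] + 8, new_method)  # local: after sig, needed, flags
    return bytes(out)


def constructed_samples() -> tuple:
    """Return (clean_deflate_zip, mislabelled_zip) built from a benign constructed payload."""
    mem = io.BytesIO()
    with zipfile.ZipFile(mem, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("sample.txt", b"benign constructed text " * 200)
    clean = mem.getvalue()
    return clean, relabel_method(clean, METHOD_STORED)


if __name__ == "__main__":
    clean, mislabelled = constructed_samples()
    print("clean:      ", scan_zip(clean))        # {'sample.txt': 'ok'}
    print("mislabelled:", scan_zip(mislabelled))  # {'sample.txt': 'stored-but-deflate'}
```

The "stored-but-deflate" verdict is the one worth alerting on: a genuinely corrupted archive fails the CRC and also fails to inflate, whereas an entry whose bytes inflate cleanly to exactly the checksummed content is internally consistent in every respect except the method field. Reading sizes and offsets from the central directory rather than the local header also sidesteps entries that use a data descriptor, where the local header's CRC and size fields are legitimately zero.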

The advisory also emphasizes handling archive files from unknown sources with caution. An "unsupported method" error during unpacking may indicate an attempt to hide malicious content, so it is best to delete such files immediately.