Zombie ZIP Shakes Cyber World, New Technique Can Deceive 95 Percent of Antivirus Software
The cybersecurity world has recently been alarmed by the discovery of a new method for deceiving antivirus software, named Zombie ZIP by the researcher who uncovered it.
The technique is a straightforward edit to the per-entry headers of a ZIP file: the compression method field is changed to declare the contents uncompressed, while the data inside remains DEFLATE-compressed. The problem arises because many antivirus products trust this declared method and scan the raw bytes as-is instead of decompressing and inspecting the actual payload. In testing conducted approximately a week after disclosure, around 60 of 63 common antivirus packages failed to detect malware hidden in this manner, so roughly 95% of scanning engines let it through.
Zombie ZIP is thus a method for creating deliberately malformed ZIP files that bypass detection by most antivirus scanners. The technique has significant limitations, however, because the manipulated archives require a specialised loader or custom tool to open correctly. Normal archiving utilities such as Windows' built-in extractor, 7-Zip and WinRAR flag the file as corrupted or damaged. Although the issue is tracked as CVE-2026-0866, some cybersecurity researchers continue to debate whether it warrants categorisation as a vulnerability or assignment of a CVE number at all.
Because a custom loader is required, a Zombie ZIP cannot by itself serve as an initial infection vector: the victim's normal tools will not open it, so something capable of unpacking it must already be running on the host. Anti-malware solutions can also still detect the custom loader itself, and known malware once the payload has been properly decompressed and written out. In other words, the bypass affects only the initial inspection of the archive, not the execution of known malware.
According to Malwarebytes, the researcher who discovered this method explained the mechanics of Zombie ZIP in depth on a GitHub page. By setting the compression method field of an entry to 0 (STORED), the archive tells any reader that the entry's content is simply stored in the ZIP without compression.
The method works by altering only that Method field. When Method=0 (STORED), an antivirus engine treats the entry data as raw, uncompressed bytes. The data is actually a DEFLATE stream, so the scanner sees only compressed noise and finds no malware signatures. The CRC-32 field adds a further inconsistency: in the ZIP format it always covers the uncompressed data, so it still matches the original payload, while a tool that takes the STORED label at face value computes the checksum over the raw DEFLATE bytes, gets a mismatch, and reports the file as corrupt or produces garbage output. A custom loader that ignores the declared method and inflates the raw bytes recovers the payload perfectly.
The researcher emphasised that “the vulnerability lies in scanner evasion: security controls state ‘no malware present’ when malware is actually there and can be recovered easily by attacker tools.”
To counter this threat, security researcher Didier Stevens published a method for safely examining the contents of Zombie ZIP files. One way to recognise the manipulation is to compare the compressed-size and uncompressed-size fields of each entry: in a genuine STORED entry the two must be equal, so a STORED entry whose sizes differ has been relabelled and actually holds compressed data.
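The header edit described above and the size-field check, as an added example in Python (this is not the researcher's code nor Didier Stevens' tool, and the payload is a constructed benign text sample, not malware). It builds a normal DEFLATE archive with the standard library, relabels the entry as STORED in both the local header and the central directory, shows that Python's by-the-book zipfile reader rejects the result with a CRC error, recovers the payload with a loader that ignores the declared method, and flags the entry using the size comparison plus a CRC-32 check of the raw bytes. The entry is read via the central directory rather than the local header because, when the data-descriptor flag is set, local-header sizes may legitimately be zero.

```python
"""Added example: build a benign DEFLATE ZIP, turn it into a "Zombie ZIP" by
relabelling the entry as STORED (method 0), show that a standard reader rejects
it, that a loader ignoring the declared method still recovers the payload, and
how a scanner can flag the inconsistency.  All data here is constructed."""
import io
import struct
import zipfile
import zlib

CENTRAL_SIG = b"PK\x01\x02"
EOCD_SIG = b"PK\x05\x06"
LOCAL_FMT = "<4sHHHHHIIIHH"          # local file header, 30 bytes
CENTRAL_FMT = "<4sHHHHHHIIIHHHHHII"  # central directory header, 46 bytes
EOCD_FMT = "<4sHHHHIIH"              # end-of-central-directory record, 22 bytes

# Constructed placeholder payload (repetitive so DEFLATE shrinks it noticeably).
SAMPLE_NAME = "payload.txt"
SAMPLE_DATA = b"constructed benign sample text for the Zombie ZIP demo\n" * 64


def build_deflate_zip(name, data):
    """Write a normal, well-formed ZIP with one DEFLATE-compressed entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, data)
    return buf.getvalue()


def central_entries(zip_bytes):
    """Yield one dict per entry, parsed from the central directory."""
    eocd = zip_bytes.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    _, _, _, _, n_entries, _, cd_off, _ = struct.unpack(EOCD_FMT, zip_bytes[eocd:eocd + 22])
    pos = cd_off
    for _ in range(n_entries):
        (sig, _, _, _flags, method, _, _, crc, csize, usize, name_len, extra_len,
         comment_len, _, _, _, local_off) = struct.unpack(CENTRAL_FMT, zip_bytes[pos:pos + 46])
        if sig != CENTRAL_SIG:
            raise ValueError("bad central directory signature")
        name = zip_bytes[pos + 46:pos + 46 + name_len].decode("utf-8")
        # The entry data follows the local header and its own name/extra fields.
        lh = struct.unpack(LOCAL_FMT, zip_bytes[local_off:local_off + 30])
        data_start = local_off + 30 + lh[9] + lh[10]
        yield {"name": name, "method": method, "crc": crc, "csize": csize, "usize": usize,
               "raw": zip_bytes[data_start:data_start + csize],
               "local_off": local_off, "central_off": pos}
        pos += 46 + name_len + extra_len + comment_len


def make_zombie(zip_bytes):
    """Relabel every entry as STORED in both headers; leave the DEFLATE stream,
    the size fields and the CRC-32 (which covers the *uncompressed* data) alone."""
    out = bytearray(zip_bytes)
    for e in central_entries(zip_bytes):
        struct.pack_into("<H", out, e["local_off"] + 8, 0)     # local header: method at +8
        struct.pack_into("<H", out, e["central_off"] + 10, 0)  # central header: method at +10
    return bytes(out)


def standard_extract_fails(zip_bytes, name):
    """True if a by-the-book reader (Python's zipfile) rejects the entry.
    It reads csize raw bytes as STORED data and the CRC-32 check fails."""
    try:
        zipfile.ZipFile(io.BytesIO(zip_bytes)).read(name)
    except zipfile.BadZipFile:
        return True
    return False


def zombie_loader(zip_bytes, name):
    """Attacker-style loader: ignore the declared method, inflate the raw bytes as
    a raw DEFLATE stream (negative wbits) and verify against the declared CRC-32."""
    for e in central_entries(zip_bytes):
        if e["name"] == name:
            plain = zlib.decompress(e["raw"], -zlib.MAX_WBITS)
            if zlib.crc32(plain) != e["crc"] or len(plain) != e["usize"]:
                raise ValueError("recovered payload does not match declared CRC/size")
            return plain
    raise KeyError(name)


def scan_for_zombie(zip_bytes):
    """Return (name, reasons) for each STORED entry that contradicts its own label."""
    findings = []
    for e in central_entries(zip_bytes):
        if e["method"] != 0:
            continue
        reasons = []
        if e["csize"] != e["usize"]:
            reasons.append("sizes differ: a STORED entry must have equal compressed and uncompressed sizes")
        # Second check (added here): the CRC-32 of genuinely stored bytes must equal the
        # declared CRC-32; this also holds if an attacker equalises the two size fields.
        if zlib.crc32(e["raw"]) != e["crc"]:
            reasons.append("CRC-32 of the raw bytes does not match the declared CRC-32")
        if reasons:
            try:
                zlib.decompress(e["raw"], -zlib.MAX_WBITS)
                reasons.append("raw bytes inflate as a DEFLATE stream")
            except zlib.error:
                pass
            findings.append((e["name"], reasons))
    return findings


if __name__ == "__main__":
    clean = build_deflate_zip(SAMPLE_NAME, SAMPLE_DATA)
    zombie = make_zombie(clean)
    print("clean archive findings:", scan_for_zombie(clean))
    print("zombie archive findings:", scan_for_zombie(zombie))
    print("standard reader rejects zombie:", standard_extract_fails(zombie, SAMPLE_NAME))
    print("loader recovers payload:", zombie_loader(zombie, SAMPLE_NAME) == SAMPLE_DATA)
```

A scanner that wants to go one step further can, after flagging the entry, inflate the raw bytes exactly as the loader does and run its signatures over the result; that is the "inspect the actual data stream" advice the CERT/CC recommendation below amounts to.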
Although the technique has been reported to bypass nearly 98% of the antivirus engines on VirusTotal in one run, including major products such as Bitdefender, Kaspersky and Microsoft Defender, some malware analysts argue that a file whose data stream standard archive utilities cannot interpret is effectively just corrupted or opaque data that needs a custom extraction step, much like a password-protected ZIP archive.
Researchers at the CERT Coordination Center of Carnegie Mellon University recommend that antivirus developers not rely solely on declared metadata such as the compression method when scanning archives, but inspect the actual data stream. Users are also advised to exercise caution with downloaded archives, particularly those from untrusted sources.