A proof-of-concept exploit called “Zombie ZIP” could enable malware to be smuggled past antivirus (AV) software in a crafted ZIP archive.

The exploit, developed by Chris Aziz of Bombadil Systems, uses Python to generate a ZIP file with a manipulated header that declares the compression method is STORED (0) while the contents are actually compressed using the DEFLATE method (8). This causes antivirus engines to scan the file as though it were uncompressed, processing the compressed noise and failing to detect any malware signatures. Aziz tested the Zombie ZIP on 51 AV engines via VirusTotal and only Kingsoft detected the malicious signatures: a 98% success rate.

Due to the malformed header, namely the fact that the CRC is set to the checksum of the uncompressed payload despite the compression method being set as 0, standard archive extraction tools like 7-Zip and WinRAR cannot open Zombie ZIP files. However, the proof-of-concept uploaded to GitHub also includes a simple loader that can extract the files, offering an alternative method for malicious payload delivery and extraction.

The exploit is tracked as CVE-2026-0866 and was reported by Aziz to the CERT Coordination Center (CERT/CC), which issued a Vulnerability Note on Monday tracked as VU#976247. CERT/CC recommends antivirus and endpoint detection and response (EDR) solutions validate the compression method for archive files against content characteristics rather than trusting the archive metadata.

The vulnerability note lists Cisco as the only vendor so far that has confirmed it is affected by the issue, saying its ClamAV cannot scan Zombie ZIP files. “However, this is not considered a vulnerability, but rather, a hardening suggestion. It will be taken into consideration for future releases,” the company said.

CERT/CC noted that CVE-2026-0866 is similar to CVE-2004-0935, a 22-year-old vulnerability in ESET Anti-Virus versions before 1.020 that allowed a compressed file to bypass antivirus protection through the use of headers set to 0. This vulnerability was assigned a high CVSS Version 2.0 score of 7.5.

Earlier this year, attackers were found to be using a different type of malformed ZIP archive to distribute the Gootloader malware loader. These ZIP archives contained several anomalies including mismatched metadata, missing bytes from the End of Central Directory, and the use of up to 1,000 identical ZIP archives concatenated together. This caused unarchiving tools like 7-Zip and WinRAR to fail, potentially preventing automated extraction and analysis of the archives, while the default Windows unarchiving tool could still be used to extract the malicious contents for payload delivery.
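A defender-side check along the lines of CERT/CC's recommendation, as an added example that is not part of the article or of the Zombie ZIP proof-of-concept: it walks each local file header and tests whether the declared compression method agrees with the bytes that follow, flagging a STORED entry whose bytes only match the header CRC once inflated. The `make_sample` helper and the `payload.txt` entry name are constructed here for testing and assume archives with no ZIP64 fields or data descriptors.

```python
import io
import struct
import zipfile
import zlib

LOCAL_SIG = b"PK\x03\x04"
STORED, DEFLATED = 0, 8  # ZIP compression method ids named in the article

def local_entries(data: bytes):
    """Yield (name, method, crc, csize, usize, payload) per local header; no ZIP64/descriptors."""
    pos = 0
    while (pos := data.find(LOCAL_SIG, pos)) >= 0:
        _, _, method, _, _, crc, csize, usize, nlen, xlen = struct.unpack_from(
            "<HHHHHIIIHH", data, pos + 4)
        name = data[pos + 30:pos + 30 + nlen].decode("utf-8", "replace")
        start = pos + 30 + nlen + xlen
        yield name, method, crc, csize, usize, data[start:start + csize]
        pos = start + csize  # skip payload bytes so they are never parsed as a header

def check_entry(method, crc, csize, usize, payload):
    """Return a finding, or None when the declared method agrees with the bytes."""
    if method == STORED and csize == usize and zlib.crc32(payload) == crc:
        return None  # genuinely stored: header CRC is the CRC of the bytes on disk
    try:
        inflated = zlib.decompress(payload, -15)  # wbits=-15: raw DEFLATE stream
    except zlib.error:
        inflated = None
    if method == STORED:
        if inflated is not None and zlib.crc32(inflated) == crc:
            return "STORED header over DEFLATE data (method/content mismatch)"
        return "STORED entry whose bytes do not match the declared CRC/size"
    if method == DEFLATED:
        if inflated is None or zlib.crc32(inflated) != crc or len(inflated) != usize:
            return "DEFLATE entry whose inflated data does not match the header"
    return None

def scan(data: bytes) -> list:
    """(entry name, finding) for every entry whose metadata disagrees with its content."""
    return [(n, f) for n, m, c, cs, us, p in local_entries(data)
            if (f := check_entry(m, c, cs, us, p))]

def make_sample(content: bytes, method: int, declared=None) -> bytes:
    """Constructed sample: a one-entry archive written by the stdlib zipfile module. If
    `declared` is given, the method field of the first local header (offset 8) is overwritten."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", method) as zf:
        zf.writestr("payload.txt", content)
    data = bytearray(buf.getvalue())
    if declared is not None:
        struct.pack_into("<H", data, 8, declared)
    return bytes(data)
```

A scanner that trusts the central directory alone would miss this; the check deliberately reads the local headers that extractors and AV parsers actually act on.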
‘Zombie ZIP’ slips malware past 98% of antivirus engines