Security News: New 'Zombie ZIP' technique lets malware slip past security tools

Parkinsond (thread author)
Dec 6, 2023
A new technique dubbed “Zombie ZIP” helps conceal payloads in compressed files specially created to avoid detection from security solutions such as antivirus and endpoint detection and response (EDR) products.

Trying to extract the files with standard utilities like WinRAR or 7-Zip results in errors or corrupted data. The technique works by manipulating ZIP headers to trick parsing engines into treating compressed data as uncompressed.

Instead of flagging the archive as potentially dangerous, security tools trust the header and scan the file as if it were a copy of the original in a ZIP container.

The “Zombie ZIP” technique was devised by Bombadil Systems security researcher Chris Aziz, who found that it works against 50 of the 51 AV engines on VirusTotal.

Users should treat archive files with caution, especially those from unknown contacts, and delete them immediately if their attempts to decompress them end with an “unsupported method” error.

Executive Summary

Confirmed Facts

The "Zombie ZIP" technique (VU#976247) utilizes intentionally malformed ZIP headers to bypass Antivirus (AV) and Endpoint Detection and Response (EDR) scanning engines.

Assessment
Because standard archiving utilities fail to extract these files, this is not a standalone exploit; it is a defense evasion container that requires a secondary, purpose-built loader on the target system to detonate the hidden payload.

Technical Analysis & Remediation

MITRE ATT&CK Mapping

T1036 (Masquerading)
T1027 (Obfuscated Files or Information)

CVE Profile
CVE-2026-0866 (Base Score: Pending; CISA KEV Status: Inactive)

Telemetry

String: CVE-2026-0866
String: Method=0 (STORED)
String: DEFLATE

Constraint
The actual payload type is undocumented in the source telemetry. The structure resembles standard "DEFLATE" compressed data intentionally mislabeled in the metadata as raw "Method=0 (STORED)" bytes.

This manipulation leads security scanners to read the DEFLATE-compressed data as raw, uncompressed bytes, so what they scan is compressed "noise" that matches no signature. Standard extraction utilities (e.g., WinRAR, 7-Zip, Python's zipfile) enforce integrity checks and fail with CRC or "unsupported method" errors rather than extracting the file. An attacker must supply a custom loader that ignores the header and decompresses the data itself.
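As an added example (not code from the advisory, the researcher or the poster), a Python check that walks a ZIP's central directory itself and flags entries whose headers claim Method=0 (STORED) while the bytes fail the declared CRC or inflate as raw DEFLATE, which is the structural inconsistency the DETECT guidance later in this post asks rules to catch. The fixture ZIPs, the entry name and the function names are constructed for the demonstration.

```python
import struct
import zlib

LOCAL_SIG, CDIR_SIG, EOCD_SIG = b"PK\x03\x04", b"PK\x01\x02", b"PK\x05\x06"


def _inflates_cleanly(raw: bytes) -> bool:
    """True if raw is exactly one complete raw-DEFLATE stream (no zlib/gzip wrapper)."""
    try:
        d = zlib.decompressobj(-15)
        d.decompress(raw)
        return d.eof and not d.unused_data
    except zlib.error:
        return False


def find_mislabeled_stored_entries(blob: bytes) -> list:
    """Walk the central directory by hand (zipfile would just raise) and report entries
    declared Method=0 (STORED) whose bytes contradict that: CRC mismatch or DEFLATE data."""
    findings, eocd = [], blob.rfind(EOCD_SIG)
    pos = struct.unpack_from("<I", blob, eocd + 16)[0] if eocd >= 0 else len(blob)
    while blob[pos:pos + 4] == CDIR_SIG:
        cmethod, crc, csize, nlen, xlen, clen, lh_off = struct.unpack_from(
            "<10xH4xII4xHHH8xI", blob, pos)          # method, crc, csize, lengths, local offset
        name = blob[pos + 46:pos + 46 + nlen].decode("utf-8", "replace")
        lmethod, lnlen, lxlen = struct.unpack_from("<8xH16xHH", blob, lh_off)  # local header
        if 0 in (lmethod, cmethod):                  # STORED claimed in either header
            raw = blob[lh_off + 30 + lnlen + lxlen:][:csize]
            crc_ok, inflates = zlib.crc32(raw) == crc, _inflates_cleanly(raw)
            if not crc_ok or inflates or lmethod != cmethod:
                findings.append({"name": name, "crc_match": crc_ok,
                                 "inflates_as_deflate": inflates})
        pos += 46 + nlen + xlen + clen
    return findings


def build_single_entry_zip(name: bytes, data: bytes, method: int, crc: int, usize: int) -> bytes:
    """Constructed test fixture only: a minimal one-entry ZIP (local header, CD record, EOCD)."""
    lh = LOCAL_SIG + struct.pack("<HHHHHIIIHH", 20, 0, method, 0, 0,
                                 crc, len(data), usize, len(name), 0) + name
    cd = CDIR_SIG + struct.pack("<HHHHHHIIIHHHHHII", 20, 20, 0, method, 0, 0,
                                crc, len(data), usize, len(name), 0, 0, 0, 0, 0, 0) + name
    eocd = EOCD_SIG + struct.pack("<HHHHIIH", 0, 0, 1, 1, len(cd), len(lh) + len(data), 0)
    return lh + data + cd + eocd


# Constructed samples: an honest STORED entry, and the header inconsistency the write-up
# describes (DEFLATE bytes while the headers still claim Method=0 / STORED).
TEXT = b"plain text stored as-is\n" * 4
CLEAN = build_single_entry_zip(b"notes.txt", TEXT, 0, zlib.crc32(TEXT), len(TEXT))
DEFLATED = zlib.compress(TEXT * 16, 9)[2:-4]     # drop zlib header/trailer -> raw DEFLATE
MISLABELED = build_single_entry_zip(b"notes.txt", DEFLATED, 0, zlib.crc32(TEXT * 16), len(TEXT * 16))
```

Running `find_mislabeled_stored_entries` over a mail-gateway quarantine or a sample set gives a structural verdict that does not depend on the archive library tolerating the malformed entry.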

Remediation - THE ENTERPRISE TRACK (NIST SP 800-61r3 / CSF 2.0)

GOVERN (GV) – Crisis Management & Oversight

Command
Issue internal advisories warning personnel not to use unauthorized or custom extraction utilities to open "broken" archive files.

DETECT (DE) – Monitoring & Analysis

Command
Deploy YARA rules targeting ZIP archives where the declared compression method contradicts the file's internal entropy.

Command
Monitor SIEM logs for abnormal spikes in endpoint archiving application crashes or CRC error events.

RESPOND (RS) – Mitigation & Containment

Command
Quarantine un-scannable or malformed .zip attachments at the Secure Email Gateway (SEG) level before they reach the endpoint.

RECOVER (RC) – Restoration & Trust

Command
Validate AV/EDR engine updates against CVE-2026-0866 to ensure aggressive archive inspection modes are active.

IDENTIFY & PROTECT (ID/PR) – The Feedback Loop

Command
Enforce strict execution control policies (e.g., AppLocker, WDAC) to prevent unauthorized, custom loaders from running in user space.

Remediation - THE HOME USER TRACK (Safety Focus)

Priority 1: Safety

Command
Delete the file immediately if your standard extraction tool (like 7-Zip or WinRAR) throws an "unsupported method" or "CRC" error upon opening an archive. Do not attempt to bypass the error.

Priority 2: Identity

Command
Do not download "archive repair" utilities from untrusted sources to open broken ZIP files, as these may serve as the custom loaders required to execute the hidden payload.

Priority 3: Persistence

Command
Check Scheduled Tasks and Startup Folders for unrecognized applications, which may indicate the presence of a silent loader designed to target these files.

Hardening & References

Baseline

CIS Benchmarks for Email and Web Browser protections (Attachment Sandboxing).

Framework
NIST CSF 2.0 / SP 800-61r3.

References
CERT/CC Vulnerability Note VU#976247

CVE Registry
CVE-2026-0866 (and historical analogue CVE-2004-0935).

Source

CERT Coordination Center (VU#976247)

Cyber Security News