Zombie ZIP Evasion Exposes Antivirus Blind Spot

A new technique hides malware in ZIP archives that look corrupted to ordinary tools: the headers lie about the compression method, 50 of 51 VirusTotal engines miss the payload, and only a custom loader can unpack it.


A recently revealed technique known as Zombie ZIP shows how attackers can embed malware inside archives that standard tools cannot fully parse, and therefore cannot fully scan. By exploiting the way ZIP headers are processed, it lets a malicious payload slip past antivirus and EDR products precisely because the file looks corrupted to everything except the attacker's own loader.

Zombie ZIP works by manipulating the ZIP header so that the archive claims its contents are stored with compression method 0 (STORED), meaning uncompressed data. In reality the entry body is still compressed with the standard Deflate algorithm. Deflate output is high-entropy, so a scanner that takes the method field at face value reads the body as plaintext, sees only "noise", and finds no recognizable malware signatures. Standard utilities such as WinRAR, 7-Zip and unzip make the same assumption, and so they typically throw errors or report corruption when a user tries to extract the malformed file.

Security researcher Chris Aziz of Bombadil Systems tested this approach against VirusTotal and found that 50 out of 51 antivirus engines failed to detect the hidden payload inside a Zombie ZIP archive. He also published proof-of-concept code and sample archives on GitHub, which makes it easier for security teams, and unfortunately for attackers, to reproduce the method. A key detail is the CRC-32 field, which the ZIP format defines over the uncompressed data: the archive carries the CRC of the real, inflated payload. A tool that trusts the STORED method field checksums the raw Deflate bytes instead, gets a mismatch, and reports the file as corrupt, while a loader that inflates first can still verify the payload's integrity.

While common archivers fail, a custom loader can simply ignore the misleading method field, inflate the body as raw Deflate, and recover the embedded malware intact. This means an attacker only needs to get the loader executed once on a target system to start unpacking any number of Zombie ZIP containers. Once the loader runs, traditional defenses lose the benefit of pre-execution scanning at the file level.

The CERT Coordination Center (CERT/CC) issued an advisory assigning CVE‑2026‑0866 to the issue and warning that malformed archives can undermine current detection models. CERT/CC notes that some tools do manage to decompress these archives correctly, but many popular solutions still fail, echoing an old flaw tracked as CVE‑2004‑0935 in early ESET antivirus versions. CERT/CC urges vendors to validate the compression method field against the actual data, to detect structural inconsistencies such as a CRC that does not match the bytes as declared, and to enable more aggressive archive inspection.
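To make the header trick and the recommended check concrete, here is an added example; it is not code from this page and not Aziz's published proof of concept. It builds a minimal single-entry ZIP whose local and central headers declare method 0 (STORED) while the entry body is raw Deflate, with the CRC-32 computed over the real plaintext as the format requires. It then runs three readers over it: Python's standard zipfile module (a header-trusting reader, which rejects the entry on CRC mismatch), a loader that ignores the method field and always inflates, and a validator of the kind CERT/CC asks vendors to add, which cross-checks the method field against the bytes. The payload is a constructed benign string, and the names build_zip, standard_extract, zombie_load and classify are this example's own.

```python
"""Zombie ZIP structure check: build a STORED-vs-DEFLATE mismatched archive,
show why a header-trusting reader fails, and how a loader and a validator
each handle it. Added example; payload and function names are constructed."""
import io
import struct
import zipfile
import zlib

# Constructed, benign stand-in for a payload (not a sample from the research).
PAYLOAD = b"benign stand-in payload: the quick brown fox jumps over the lazy dog\n" * 16
NAME = b"payload.bin"
STORED, DEFLATED = 0, 8

LOCAL_HDR = "<IHHHHHIIIHH"          # 30 bytes: PKZIP local file header
CENTRAL_HDR = "<IHHHHHHIIIHHHHHII"  # 46 bytes: central directory header
EOCD = "<IHHHHIIH"                  # 22 bytes: end of central directory record


def raw_deflate(data: bytes) -> bytes:
    # wbits=-15 gives raw Deflate with no zlib wrapper, which is what ZIP method 8 stores.
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return c.compress(data) + c.flush()


def build_zip(data: bytes, declared: int, actual: int) -> bytes:
    """Single-entry ZIP whose headers claim `declared` while the body is really `actual`.
    The CRC-32 is over the uncompressed data in both cases, as the format defines it;
    that is what lets a loader verify the payload after ignoring the method field."""
    body = raw_deflate(data) if actual == DEFLATED else data
    crc = zlib.crc32(data) & 0xFFFFFFFF
    local = struct.pack(LOCAL_HDR, 0x04034B50, 20, 0, declared, 0, 0,
                        crc, len(body), len(data), len(NAME), 0) + NAME
    central = struct.pack(CENTRAL_HDR, 0x02014B50, 20, 20, 0, declared, 0, 0,
                          crc, len(body), len(data), len(NAME), 0, 0, 0, 0, 0, 0) + NAME
    cd_offset = len(local) + len(body)
    eocd = struct.pack(EOCD, 0x06054B50, 0, 0, 1, 1, len(central), cd_offset, 0)
    return local + body + central + eocd


def first_entry(blob: bytes):
    """Parse the first local header; return (method, crc, comp_size, uncomp_size, body)."""
    sig, _, _, method, _, _, crc, csize, usize, nlen, xlen = struct.unpack_from(LOCAL_HDR, blob, 0)
    assert sig == 0x04034B50, "not a local file header"
    start = 30 + nlen + xlen
    return method, crc, csize, usize, blob[start:start + csize]


def standard_extract(blob: bytes):
    """A header-trusting reader. zipfile copies a method-0 body verbatim, then its
    running CRC (over Deflate bytes) disagrees with the header CRC (over plaintext),
    so it raises BadZipFile; we report that as None, i.e. 'looks corrupt'."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return zf.read(zf.namelist()[0])
    except (zipfile.BadZipFile, zlib.error):
        return None


def zombie_load(blob: bytes) -> bytes:
    """The attacker-side view: ignore the method field, always inflate, then verify CRC."""
    _, crc, _, usize, body = first_entry(blob)
    plain = zlib.decompress(body, -15)
    if len(plain) != usize or (zlib.crc32(plain) & 0xFFFFFFFF) != crc:
        raise ValueError("body did not inflate to the advertised plaintext")
    return plain


def classify(blob: bytes) -> str:
    """Validator in the spirit of the CERT/CC guidance: check the method field against the data.
    Returns 'ok', 'method-mismatch' (STORED header over Deflate bytes) or 'corrupt'."""
    method, crc, _, usize, body = first_entry(blob)
    if method == STORED and len(body) == usize and (zlib.crc32(body) & 0xFFFFFFFF) == crc:
        return "ok"
    if method == DEFLATED:
        try:
            plain = zlib.decompress(body, -15)
        except zlib.error:
            return "corrupt"
        return "ok" if (zlib.crc32(plain) & 0xFFFFFFFF) == crc else "corrupt"
    # Declared STORED, but the bytes fail their own CRC. Does inflating them explain it?
    try:
        plain = zlib.decompress(body, -15)
    except zlib.error:
        return "corrupt"
    if len(plain) == usize and (zlib.crc32(plain) & 0xFFFFFFFF) == crc:
        return "method-mismatch"
    return "corrupt"


if __name__ == "__main__":
    honest = build_zip(PAYLOAD, DEFLATED, DEFLATED)
    zombie = build_zip(PAYLOAD, STORED, DEFLATED)
    print("honest:", classify(honest), "| zipfile ok:", standard_extract(honest) == PAYLOAD)
    print("zombie:", classify(zombie), "| zipfile:", standard_extract(zombie),
          "| loader recovers payload:", zombie_load(zombie) == PAYLOAD)
```

The useful part for a scanner is that "method-mismatch" is not a dead end: the validator has already produced the inflated plaintext, so the bytes can be handed to signature and heuristic scanning instead of being written off as corruption. A production check would apply the same step to every entry, to the central directory as well as the local header, and to archives nested inside archives.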

Not all experts agree that Zombie ZIP deserves a CVE, however, with several researchers arguing it is a clever evasion trick rather than a true vulnerability. They point out that these archives are not openable with standard tools and that using a custom loader already implies the system is compromised in some way. As one researcher put it, corrupting or encrypting any file and then requiring a special loader achieves a similar outcome without necessarily exposing a new flaw. 

For everyday users and organizations, the practical takeaway is to treat suspicious ZIP files with extra caution, especially those from unknown senders. CERT/CC advises deleting archives that fail to extract with "unsupported method" or similar errors rather than repeatedly trying to open them or hunting for a tool that will. Defenders, meanwhile, should press vendors to harden archive parsing and to validate declared structure against actual content, so that tricks like Zombie ZIP do not become a reliable blind spot in the malware detection chain.