
Zombie ZIP archive-header evasion technique

Technical Analysis
Happening score: 31
1 unique source, 1 article

Summary


Zombie ZIP is a new archive-evasion technique that can let payloads slip past AV and EDR scanning by abusing ZIP header parsing, making malicious content harder to detect. It matters because security tools may inspect compressed bytes as harmless raw data and miss signatures even when the archive is malformed. A proof of concept shows the method is practical enough to bypass many engines and create a stealthier delivery path.

Related Happenings

Beast ransomware group’s RaaS model and shared TTPs exposed through an open server

Threat Actor Meta
First: 20.03.2026 18:31 Last: 20.03.2026 18:31 Sources 1

About this happening: An exposed **Beast ransomware group** server now shows its **RaaS operating model** and reusable toolset, complicating attribution across ransomware crews. The recovered materials...

2025 Ransomware trend toward built-in Windows tooling and lower ransom payment rates

Target Trend
First: 17.03.2026 23:41 Last: 17.03.2026 23:41 Sources 1

About this happening: **Ransomware operators** are increasingly leaning on **built-in Windows tooling** while **ransom payment rates** continue to decline across **2025**, weakening extortion returns f...

BlackSanta EDR killer malware activity targeting HR departments

Malware Activity
First: 11.03.2026 00:57 Last: 11.03.2026 00:57 Sources 1

About this happening: The **BlackSanta** malware operation has run for **more than a year**, targeting **HR departments** and using an **EDR killer** to weaken host defenses before payload execution. T...

WinRAR path-traversal exploitation wave (CVE-2025-8088)

Exploitation Wave
First: 27.01.2026 21:38 Last: 27.01.2026 21:38 Sources 1

About this happening: **CVE-2025-8088** in **WinRAR** remains part of an **ongoing exploitation wave**, with **multiple threat groups** using the flaw for **initial access** and payload delivery. The a...

WinRAR path traversal via Alternate Data Streams (CVE-2025-8088)

Vulnerability
First: 27.01.2026 21:38 Last: 27.01.2026 21:38 Sources 1

About this happening: The **CVE-2025-8088** **WinRAR** path traversal flaw is being **actively exploited**, enabling arbitrary file writes and malicious payload placement for persistence. Attackers abu...

Timeline

  1. 10.03.2026 22:05 1 article · 2mo ago

    CERT/CC issues Zombie ZIP bulletin and assigns CVE-2026-0866

    Legal Policy Action Update

    CERT/CC issued a bulletin warning that malformed ZIP archives can confuse security tools, assigned CVE-2026-0866, and urged vendors to validate compression method fields, detect structural inconsistencies, and use more aggressive archive inspection. CERT/CC also noted that some extraction tools can still decompress the archives correctly and said the issue is similar to CVE-2004-0935, which affected an early ESET antivirus product.

  2. 10.03.2026 22:05 2 articles · 2mo ago

    Zombie ZIP research shows AV and EDR header-parsing bypass

    Technical Analysis Update

    Bombadil Systems security researcher Chris Aziz devised Zombie ZIP, showing that manipulated ZIP headers can make AV and EDR products inspect DEFLATE-compressed payloads as if they were raw uncompressed bytes. A purpose-built loader can ignore the misleading ZIP Method field and recover the payload, and a GitHub proof-of-concept was published with sample archives and additional details.

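The structural checks CERT/CC recommends in the bulletin above (validate the compression method field, detect inconsistencies between headers and content), as an added example that is neither the researcher's code nor CERT/CC's. It walks the central directory and the local headers of a ZIP with `struct`, cross-checks the two method fields, and for any entry claiming to be stored verifies the sizes and CRC against the bytes actually present and tests whether those bytes are really a raw DEFLATE stream. The single-entry writer `build_zip`, the fixture text and the entry name `notes.txt` are constructed here purely to exercise the checker; `zipfile_reads_cleanly` only shows how Python's standard-library reader reacts to the same archives.

```python
import struct
import zipfile
import zlib
from io import BytesIO

LOCAL_SIG, CENTRAL_SIG, EOCD_SIG = b"PK\x03\x04", b"PK\x01\x02", b"PK\x05\x06"
STORED, DEFLATED = 0, 8
DOS_DATE, DOS_TIME = ((2026 - 1980) << 9) | (3 << 5) | 10, 0   # 10 Mar 2026, 00:00


def build_zip(name: bytes, raw: bytes, claimed_method: int, real_method: int) -> bytes:
    """Constructed test-fixture writer (hypothetical helper): one entry, no zip64,
    no data descriptor, no extra fields.  `claimed_method` goes into both headers,
    `real_method` decides how the bytes are actually encoded, so the two can disagree."""
    crc = zlib.crc32(raw) & 0xFFFFFFFF
    if real_method == DEFLATED:
        comp = zlib.compressobj(9, zlib.DEFLATED, -15)   # raw DEFLATE, as ZIP stores it
        data = comp.compress(raw) + comp.flush()
    else:
        data = raw
    local = LOCAL_SIG + struct.pack("<HHHHHIIIHH", 20, 0, claimed_method, DOS_TIME, DOS_DATE,
                                    crc, len(data), len(raw), len(name), 0) + name
    central = CENTRAL_SIG + struct.pack("<HHHHHHIIIHHHHHII", 20, 20, 0, claimed_method,
                                        DOS_TIME, DOS_DATE, crc, len(data), len(raw),
                                        len(name), 0, 0, 0, 0, 0, 0) + name
    eocd = EOCD_SIG + struct.pack("<HHHHIIH", 0, 0, 1, 1, len(central),
                                  len(local) + len(data), 0)
    return local + data + central + eocd


def try_inflate(data: bytes):
    """Inflate a raw DEFLATE stream; None unless it is a complete, valid stream."""
    try:
        d = zlib.decompressobj(-15)
        out = d.decompress(data) + d.flush()
        return out if d.eof else None
    except zlib.error:
        return None


def parse_entries(blob: bytes):
    """Walk the central directory, then the local header each entry points at.
    Yields (name, central_method, local_method, crc, comp_size, uncomp_size, data)."""
    eocd = blob.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    _, _, _, total, _, cd_off, _ = struct.unpack("<HHHHIIH", blob[eocd + 4:eocd + 22])
    pos = cd_off
    for _ in range(total):
        if blob[pos:pos + 4] != CENTRAL_SIG:
            raise ValueError("bad central directory signature")
        c = struct.unpack("<HHHHHHIIIHHHHHII", blob[pos + 4:pos + 46])
        c_method, crc, comp, uncomp, nlen, xlen, clen, loc = (
            c[3], c[6], c[7], c[8], c[9], c[10], c[11], c[15])
        name = blob[pos + 46:pos + 46 + nlen]
        pos += 46 + nlen + xlen + clen
        if blob[loc:loc + 4] != LOCAL_SIG:
            raise ValueError("bad local header signature")
        lh = struct.unpack("<HHHHHIIIHH", blob[loc + 4:loc + 30])
        start = loc + 30 + lh[8] + lh[9]          # skip local file name and extra field
        yield name, c_method, lh[2], crc, comp, uncomp, blob[start:start + comp]


def inspect_zip(blob: bytes) -> dict:
    """Return {entry name: [findings]}; an empty list means the entry is self-consistent."""
    report = {}
    for name, c_m, l_m, crc, comp, uncomp, data in parse_entries(blob):
        findings = []
        if c_m != l_m:
            findings.append(f"method field disagrees: central={c_m} local={l_m}")
        if STORED in (c_m, l_m):
            # A genuinely stored entry has equal sizes and a CRC over the raw bytes.
            if comp != uncomp:
                findings.append("stored entry but compressed size != uncompressed size")
            if zlib.crc32(data) & 0xFFFFFFFF != crc:
                findings.append("stored entry CRC does not match its raw bytes")
            inflated = try_inflate(data)
            if inflated is not None and zlib.crc32(inflated) & 0xFFFFFFFF == crc:
                findings.append("stored entry is really a DEFLATE stream (inflates to the declared CRC)")
        if DEFLATED in (c_m, l_m):
            inflated = try_inflate(data)
            if inflated is None or zlib.crc32(inflated) & 0xFFFFFFFF != crc:
                findings.append("deflate entry does not inflate to the declared CRC")
        if not {c_m, l_m} <= {STORED, DEFLATED}:
            findings.append(f"unusual compression method(s): {sorted({c_m, l_m})}")
        report[name.decode("utf-8", "replace")] = findings
    return report


def zipfile_reads_cleanly(blob: bytes, name: str) -> bool:
    """True if Python's zipfile extracts the entry with a matching CRC, False otherwise."""
    try:
        zipfile.ZipFile(BytesIO(blob)).read(name)
        return True
    except (zipfile.BadZipFile, zlib.error):
        return False


if __name__ == "__main__":
    sample = b"benign sample text, repeated so it compresses " * 40   # constructed
    for label, claimed, real in (("consistent", DEFLATED, DEFLATED), ("mislabelled", STORED, DEFLATED)):
        print(label, inspect_zip(build_zip(b"notes.txt", sample, claimed, real)))
```

Only the stored/deflate pair is modelled, and `parse_entries` deliberately has no zip64 or data-descriptor support, so a production scanner would extend it; the point is the cross-check itself. Any entry where a header says "stored" but the bytes fail the raw-CRC test and inflate to the declared CRC is exactly the inconsistency the bulletin asks vendors to flag, and a scanner that only matches signatures against the raw bytes of such an entry never sees the inflated content.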