
The flaw undermines core trust assumptions in archive scanning, exposing enterprises to stealthy malware delivery. Prompt remediation is critical to prevent bypass of endpoint protection.
The “Zombie ZIP” technique exploits a long-standing assumption that the ZIP Method field accurately reflects the underlying data format. By setting the method to STORED while embedding DEFLATE-compressed bytes, the archive appears benign to signature-based scanners, which treat the payload as raw, uncompressed noise. Standard decompression utilities, however, rely on CRC checks and raise errors when the CRC computed over the bytes extracted under the declared method does not match the recorded checksum, effectively blocking casual analysis while allowing a purpose-built loader to retrieve the hidden malware.
For security vendors, this discovery highlights the limits of surface-level inspection. Most antivirus engines and EDR solutions parse only the header metadata before deciding whether to deep-scan the contents, a shortcut that the Zombie ZIP method deliberately subverts. The vulnerability echoes the 2004 CVE-2004-0935 issue in early ESET products, showing that archive-parsing flaws can persist across generations. To counteract such evasion, vendors must implement dual-validation logic that cross-checks the compression method against actual byte patterns and introduces heuristic analysis for anomalous CRC values.
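One form of the dual-validation check described above, written as an added example that is not part of the article or of any vendor's product: it walks a ZIP's local file headers and flags STORED entries whose bytes parse as one complete raw DEFLATE stream, then compares the recorded CRC against both interpretations of the data. The archive fixtures are constructed inline from harmless text; the function names and the simplification of reading sizes from local headers (no data descriptors) are assumptions of this example.

```python
import io, struct, zipfile, zlib

LOCAL_SIG = b"PK\x03\x04"
STORED = 0  # ZIP method field value for an uncompressed entry

def local_entries(data):
    """Walk local file headers, yielding (name, method, crc, payload); assumes no data descriptors (flag bit 3)."""
    pos = 0
    while (pos := data.find(LOCAL_SIG, pos)) >= 0:
        _, _, _, method, _, _, crc, csize, _, nlen, xlen = struct.unpack_from("<4sHHHHHIIIHH", data, pos)
        start = pos + 30 + nlen + xlen
        name = data[pos + 30:pos + 30 + nlen].decode("utf-8", "replace")
        yield name, method, crc, data[start:start + csize]
        pos = start + csize

def raw_inflate(payload):
    """Return inflated bytes if payload is exactly one complete raw DEFLATE stream, else None."""
    d = zlib.decompressobj(-15)  # -15: raw DEFLATE, no zlib header
    try:
        out = d.decompress(payload)
    except zlib.error:
        return None
    return out if d.eof and not d.unused_data else None

def find_zombie_entries(data):
    """Dual validation: flag STORED entries whose bytes are really a DEFLATE stream."""
    findings = []
    for name, method, crc, payload in local_entries(data):
        if method != STORED or not payload:
            continue
        inflated = raw_inflate(payload)
        if inflated is None:
            continue  # genuinely raw bytes, nothing to flag
        if zlib.crc32(inflated) == crc:
            findings.append((name, "STORED entry inflates to data matching the recorded CRC"))
        elif zlib.crc32(payload) != crc:
            findings.append((name, "STORED entry fails its CRC but parses as DEFLATE"))
    return findings

def build_samples():
    """Constructed fixtures: a normal archive, and a 'zombie' one claiming STORED over DEFLATE bytes with the plaintext CRC."""
    plain = b"constructed sample payload " * 20
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("benign.txt", plain)
    deflated = zlib.compress(plain)[2:-4]  # strip zlib header and Adler-32 trailer to get raw DEFLATE
    name = b"zombie.bin"
    header = struct.pack("<4sHHHHHIIIHH", LOCAL_SIG, 20, 0, STORED, 0, 0,
                         zlib.crc32(plain), len(deflated), len(plain), len(name), 0)
    return buf.getvalue(), header + name + deflated
```

A production scanner would walk the central directory and handle data descriptors and ZIP64 sizes, but the cross-check itself is the same: the bytes of a STORED entry should never form a valid DEFLATE stream whose output matches the recorded CRC.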
Enterprises should treat compressed attachments with heightened scrutiny, especially from unknown senders. Deploying updated AV definitions that recognize the CVE-2026-0866 indicator, enabling strict archive inspection modes, and employing sandboxed extraction can mitigate the risk. Additionally, security teams can leverage threat-intelligence feeds to flag ZIP files that exhibit the mismatched header-payload behavior. As attackers continue to weaponize malformed file formats, a layered defense that combines signature updates, behavioral analytics, and user education remains the most effective safeguard.