Malware Evasion

Zombie ZIP: The Archive Trick That Blinds 98% of Antivirus Engines

NH
NoHackie
March 18, 2026 10 min read

On March 10, 2026, the CERT Coordination Center at Carnegie Mellon University published Vulnerability Note VU#976247 and assigned it the identifier CVE-2026-0866. The underlying technique, quickly named Zombie ZIP by its discoverer, had already been circulating in security circles for several days. Within 72 hours it was in newsletters, vendor advisories, forum threads, and a growing number of dark-web posts about adapting the proof-of-concept for active campaigns. The reason for the urgency was blunt: in initial testing, a single-byte header change made a malicious ZIP archive invisible to 50 out of 51 antivirus engines on VirusTotal. Later testing pushed that figure to roughly 60 out of 63 engines — a bypass rate of approximately 95 to 98 percent.

This article covers exactly what Zombie ZIP is, why the underlying mechanism is so effective, where the legitimate debate about its CVE classification stands, how it connects to a documented lineage of archive-smuggling techniques, what the real exposure looks like for organizations and individuals, and what practical steps defenders can take right now.

What Zombie ZIP Is

Zombie ZIP is a malware-delivery and evasion technique that exploits a parsing inconsistency in how antivirus engines, email security gateways, and endpoint detection and response (EDR) tools read ZIP archives. It was documented and publicly disclosed by Christopher Aziz, a security researcher and founder of the consulting firm Bombadil Systems. Aziz published a full proof-of-concept on GitHub under the repository Bombadil-Systems/zombie-zip, alongside sample archives and a six-line Python loader demonstrating payload recovery.

The name derives from the central observation: the archive appears dead to security scanners — corrupted, unreadable, and benign — but can be brought back to life by a purpose-built loader that ignores the misleading metadata and correctly decompresses the hidden payload. Aziz reported the issue to CERT/CC in January 2026. CERT/CC then coordinated outreach to approximately 30 vendors before publishing the public advisory. Cisco was among the first to formally respond, acknowledging that its open-source antivirus tool ClamAV was unable to scan this class of malformed ZIP file, though it characterized the issue as a hardening suggestion rather than a security vulnerability.

"Change one byte in a ZIP header and 55 of 56 antivirus engines go blind. Set the compression method to STORED. Leave the data DEFLATE-compressed. Scanners trust the metadata, scan compressed noise, detect nothing." — Christopher Aziz, Bombadil Systems, via LinkedIn

How the Mechanics Work

A ZIP archive is built around a series of metadata headers, file records, and a central directory at the end of the file. Each stored file has a local file header containing, among other fields, a two-byte compression method value. This tells software how to interpret the data that follows. Method 0 (STORED) means the data is raw and uncompressed. Method 8 (DEFLATE) means the data has been compressed using the standard algorithm that underlies most ZIP archives in use today.

Security scanning engines that rely on static signature matching face a performance constraint: they need to process large volumes of files quickly. A common shortcut is to trust the declared compression method field rather than independently verify whether the actual data stream matches. This is the gap Zombie ZIP exploits.

The technique works as follows. An attacker takes a malicious payload and compresses it using DEFLATE, as any standard ZIP utility would. The archive is then manually edited so that the compression method field is changed from Method 8 to Method 0. The data itself is not changed — only the metadata. There is one additional step: the CRC-32 checksum must be set to the value of the uncompressed payload rather than the compressed data stream. This creates a deliberate mismatch. Standard utilities such as 7-Zip, WinRAR, unzip, and Python's built-in zipfile library encounter this mismatch and either generate a CRC error, report the file as corrupted, or fail to extract anything.

From the perspective of an antivirus scanner, this is precisely what the attacker wants. The scanner reads the declared Method 0, treats the data as raw uncompressed bytes, and scans those bytes for known malware signatures. What it finds is DEFLATE-compressed data — high entropy, no recognizable malicious binary pattern. The scanner finds nothing, marks the file clean, and moves on.

"AV engines trust the ZIP Method field. When Method=0 (STORED), they scan the data as raw uncompressed bytes. But the data is actually DEFLATE compressed — so the scanner sees compressed noise and finds no signatures. The CRC is set to the uncompressed payload's checksum, creating an additional mismatch that causes standard extraction tools to report errors or extract corrupted output. However, a purpose-built loader that ignores the declared method and decompresses as DEFLATE recovers the payload perfectly." — Christopher Aziz, Bombadil Systems GitHub
Zombie ZIP Delivery Chain
STAGE 1 Craft Archive STAGE 2 Phish / Deliver STAGE 3 Scanner Bypassed STAGE 4 Loader Executes STAGE 5 Payload Live
From archive creation through AV bypass to payload execution — the Zombie ZIP delivery chain requires a custom loader at Stage 4, meaning the technique targets automated scanning pipelines, not direct user extraction

SANS Internet Storm Center senior handler Didier Stevens analyzed Zombie ZIP files using his open-source toolset and documented a detection method: comparing the compressedsize and uncompressedsize fields in the ZIP header. When those values are identical in a file that declares Method 0 but the data entropy indicates compression, it signals manipulation. Stevens updated his zipdump.py tool to version 0.0.35 with a new forcedecompress option specifically to handle malformed Zombie ZIP files during forensic analysis.

Detection signal

One reliable indicator of a Zombie ZIP is a mismatch between compressedsize and uncompressedsize when the declared method is STORED (Method 0). In a legitimately uncompressed file those two values are identical. A discrepancy combined with a Method 0 declaration is a strong indicator of header manipulation and warrants immediate quarantine.

The CVE Debate

The assignment of CVE-2026-0866 generated immediate pushback from a portion of the research community. The core argument against treating this as a traditional vulnerability is that the technique requires a custom loader already running on the target system in order to extract and execute the payload. If a custom loader is already running, the machine is already compromised — meaning the evasion benefit exists only at the point of initial delivery through automated scanning pipelines, not at the point of execution on the endpoint.

"What makes CVE-2026-0866 not real is that ZIP files modified in this new way are NOT openable on the target system. As such, not a vulnerability." — Anonymous researcher, via BleepingComputer
"I don't quite understand why this is a CVE if standard unarchivers fail to unpack these ZIPs. If you corrupt or encrypt any file and need to deploy a custom loader to extract it you have same result." — Karsten Hahn, GData researcher, via BleepingComputer

The Malwarebytes security team offered a more calibrated position. Their analysis acknowledged that the bypass only affects the initial inspection of the ZIP file, not the execution of already-known malware. In their own testing, Malwarebytes and ThreatDown products detected both the malformed archive and the custom loader, meaning the bypass window is narrow rather than absolute. CERT/CC framed its response differently, drawing a direct comparison to CVE-2004-0935 — a vulnerability disclosed over two decades ago that affected an early version of ESET antivirus and exploited similar parsing inconsistencies in compressed file handling. CERT/CC's position is that the recurrence of this class of issue demonstrates a systemic failure: security engines have continued to accept file metadata at face value without validating it against the actual data stream structure.

CERT/CC's proposed remediations are directed at vendors, not end users: validate compression method fields against actual data streams, add structural inconsistency detection to archive parsing logic, and implement more aggressive archive inspection modes that do not defer to potentially misleading metadata.

Archive Smuggling Lineage

Zombie ZIP does not exist in isolation. The Bombadil Systems GitHub repository explicitly classifies it as a staged delivery and smuggling technique, placing it in the same lineage as ISO smuggling, HTML smuggling, and CAB file abuse — all sharing the same fundamental characteristic: attackers use custom loaders and container format manipulation rather than consumer-grade extraction tools, allowing them to deliver payloads through channels that security tools scan but do not fully parse.

HTML smuggling, widely used in phishing campaigns from around 2021, encodes a malicious payload as a Base64 blob inside an HTML file and reconstructs it in the browser using JavaScript at the moment the user opens the page. Email gateways scan the attachment and see an HTML file with no recognizable malicious binary. The structural parallel to Zombie ZIP is direct: both exploit the gap between what a security scanner sees and what a custom execution environment can reconstruct. ISO smuggling became prominent when attackers needed to bypass mark-of-the-web protections on downloaded Office documents. Microsoft eventually addressed that vector, and attackers moved to other container formats.

The Bombadil Systems researchers describe Zombie ZIP as introducing a new primitive they call "method field desynchronization" within this same vulnerability class. The significance is that it targets a format — the ZIP archive — that is deeply trusted, pervasively used, and unlikely to be blocked at the perimeter by most organizations. Unlike ISO files, which became suspicious enough to draw enhanced gateway scrutiny after widespread abuse, ZIP files remain a default-trusted delivery mechanism in virtually every corporate environment.

The Red Report 2026, which analyzed over 1.1 million malicious samples, noted a broader trend that Zombie ZIP fits precisely: ransomware encryption rates dropped 38% compared to the prior year, not because threat actors became less active, but because they shifted toward stealth, data exfiltration, and extended pre-encryption dwell time. Techniques that enable undetected initial access serve that goal directly.

Real-World Exposure

The primary attack surface is automated scanning infrastructure — email security gateways, cloud storage scanning pipelines, web proxy inspection engines, and pre-execution EDR scanning. A Zombie ZIP file delivered as an email attachment can pass through a gateway that flags ZIP files for malware scanning and receive a clean verdict. The file reaches the user's inbox with no indication of risk.

It is important to be precise about what does and does not happen next. The user cannot simply double-click the Zombie ZIP and have malware execute automatically. Standard extraction tools will fail to open it. WinRAR reports a CRC error. 7-Zip either fails to extract or produces corrupted output. Python's zipfile module throws an exception. For the payload to run, a custom loader must arrive as a separate component of the attack chain — typically alongside a dropper delivered through a separate mechanism, or embedded within a document that executes macro code. The Zombie ZIP serves as a stealthy container for the heaviest and most detectable component of the toolkit while the loader that opens it may be small enough, or obfuscated enough, to pass behavioral analysis on its own.

There is also an active intelligence concern. Purple Ops threat researchers noted that Telegram monitoring showed an increase in the distribution of pre-configured loaders specifically targeting the Method 0 / Method 8 discrepancy shortly after public disclosure. Dark web forum intelligence indicated that malformed archive builders were being integrated into commercial "crypter" services sold to ransomware affiliates. The lag between a public proof-of-concept and active threat actor adoption has historically been measured in days to weeks for techniques with simple implementation requirements. Zombie ZIP qualifies: the GitHub PoC is public and the loader code is six lines of Python.

If you receive a ZIP that fails to open

Do not attempt to open the file with a different tool or run any accompanying program described as a decoder, viewer, or extractor. Delete the file and report it to your security team. Extraction failures on ZIP files received from external sources are not routine errors in the current threat environment — they are a potential indicator of a Zombie ZIP delivery attempt.

What Defenders Should Do

For security teams managing email and web gateways, the first priority is to treat ZIP archives that return "corrupt," "unscannable," "unsupported method," or CRC error results as high-risk requiring quarantine or sandboxing — not as benign and ignorable. Many organizations have historically configured gateways to pass files that cannot be scanned rather than block them, on the basis that blocking unrecognized files generates too many false positives. Zombie ZIP makes that policy dangerous.

For endpoint teams, the most critical control is application execution policy. Zombie ZIP archives cannot execute without a custom loader. Enforcing strict execution controls through AppLocker or Windows Defender Application Control (WDAC) breaks the attack chain at payload execution regardless of whether the ZIP file evaded gateway scanning.

For security operations teams monitoring SIEM logs, Barracuda's Managed XDR Security Operations Center recommended monitoring specifically for abnormal spikes in endpoint archiving application crashes or CRC error events. A sudden cluster of ZIP extraction failures on endpoints that would not normally generate such errors is a meaningful indicator of a delivery attempt. For security tool vendors, CERT/CC's guidance is explicit: validate compression method fields against actual data streams, add detection for structural inconsistencies in archive headers, and confirm that aggressive archive inspection modes are active and handle malformed archives rather than defaulting to a clean verdict. Vendor advisories should be tracked specifically for references to CVE-2026-0866 and VU#976247.

# Forensic analysis of a suspected Zombie ZIP using Didier Stevens' zipdump.py
# Option --forcedecompress bypasses the declared Method field and attempts DEFLATE decompression
# regardless of what the header claims — added in zipdump.py v0.0.35

python zipdump.py --forcedecompress suspicious.zip

Key Takeaways

  1. Header metadata is not ground truth: Security tools that trust declared compression method values without validating them against the actual data stream can be trivially deceived. This is a structural assumption affecting a wide range of commercial products simultaneously.
  2. The CVE debate does not change the threat posture: Whether CVE-2026-0866 deserves its designation is a legitimate technical discussion. What is not in dispute is that the technique bypasses the initial scanning stage of the vast majority of current security tools and that proof-of-concept code is already being adapted by threat actors.
  3. Execution controls matter more than signature updates for this threat: Because Zombie ZIP requires a custom loader to execute, application execution policy enforcement is a higher-value control than signature updates alone.
  4. Quarantine archive parsing errors — do not ignore them: Organizations with gateway policies that pass unscannable or corrupt archives should treat those policies as an active liability until vendor updates for CVE-2026-0866 are confirmed deployed and effective.
  5. This pattern will recur: The direct parallel to CVE-2004-0935 — a vulnerability from over two decades ago in the same class — confirms a persistent industry habit of trusting file metadata without structural validation. Zombie ZIP is the most recent demonstration, and it will not be the last.

The ZIP format has been a trusted workhorse of file delivery for more than three decades. That trust is precisely what makes it an attractive target. Zombie ZIP does not require a zero-day in any specific product, an advanced persistent threat actor, or a sophisticated exploit chain. It requires changing a single byte in a widely supported file format and delivering the result through channels that many organizations have trained their users to treat as routine. Defenders who understand the mechanism — not just the name — are in a significantly better position to respond.

Sources

Christopher Aziz, Bombadil Systems. zombie-zip. GitHub, March 10, 2026. github.com/bombadil-systems/zombie-zip
CERT Coordination Center. Vulnerability Note VU#976247 — CVE-2026-0866. Carnegie Mellon University, March 10–11, 2026.
Bill Toulas. New 'Zombie ZIP' technique lets malware slip past security tools. BleepingComputer, March 2026.
Malwarebytes Labs. Zombie ZIP method can fool antivirus during the first scan. March 16, 2026. malwarebytes.com
Didier Stevens. Analyzing Zombie Zip Files (CVE-2026-0866). SANS Internet Storm Center, March 11, 2026. isc.sans.edu
Barracuda Managed XDR SOC. Cybersecurity Threat Advisory: Zombie ZIP archive evasion technique. Smarter MSP, March 2026.
Purple Ops. Zombie ZIP CVE-2026-0866 Bypass Technique. March 2026. purple-ops.io
Cybernews. A "Zombie ZIP" trick hides malware from nearly all antivirus software. March 2026. cybernews.com

← all articles