
A new evasion technique known as Zombie ZIP is exposing blind spots in how security tools scan archived files. By manipulating ZIP metadata, attackers can conceal malware inside archives that appear corrupted but still deliver payloads on compromised systems. Review the Cybersecurity Threat Advisory now to mitigate your risk.
What is the threat?
Zombie ZIP is a newly observed evasion technique that uses deliberately malformed ZIP archives to conceal malware from antivirus (AV) and endpoint detection and response (EDR) tools. Attackers alter the ZIP compression method field to falsely indicate that files are uncompressed (“STORED”), even though the data is still DEFLATE‑compressed. Because many security engines trust this metadata, they scan the contents as raw bytes and fail to detect embedded malware.
Although these archives often look corrupted—and commonly fail to open in standard tools such as WinRAR or 7‑Zip—a custom loader can correctly decompress and execute the hidden payload on the victim’s system.
Why is it noteworthy?
Zombie ZIP is notable because it exploits parsing inconsistencies, not a traditional software flaw. Early public testing shows that many AV and security tools fail to detect malicious content inside these manipulated ZIP files. In many cases, engines simply treat them as “corrupt,” “unscannable,” or “unsupported,” and stop analysis prematurely—giving attackers a reliable method for bypassing defenses.
Some researchers argue it’s not a vulnerability in the traditional sense, since these archives generally require a custom loader to function and cannot be opened with standard utilities. Still, regardless of classification, the technique serves as an effective way to hide second‑stage payloads from AV/EDR tools and gateways that do not fully validate ZIP structure.
What is the exposure or risk?
The primary risk is silent malware delivery, especially through common channels such as phishing emails or shared files. ZIP attachments are widely trusted, which means a Zombie ZIP file may pass through email gateways unscanned. It can reach users even if it contains well‑known malicious binaries or scripts.
Web and cloud‑based delivery pose similar risks. Users may download Zombie ZIP files from legitimate‑looking websites, collaboration tools, or cloud storage platforms that incorrectly deem the archives safe after scanning.
Endpoints are also vulnerable if local AV or EDR tools rely on strict ZIP parsing and fail to unpack malformed files. In those cases, user behavior or generic behavioral detection may be the only safety net once the payload executes. This can lead to initial compromise, lateral movement, data theft, or ransomware deployment. The risk is particularly concerning for organizations that assume ZIP‑based threats are adequately mitigated by existing gateway and file‑scanning controls.
What are the recommendations?
Barracuda strongly recommends the following defensive measures:
- Treat ZIP archives that trigger “corrupt” warnings, CRC errors, or “unsupported method” errors as high‑risk.
- Enable and tune advanced threat protection or sandboxing for archive files; avoid excluding “corrupted” ZIPs from deeper analysis.
- Monitor logs for repeated archive‑parsing failures or inconsistent ZIP header values.
- Reinforce user training: do not trust ZIP files from unknown or unexpected sources.
- Ensure AV, EDR, email, and web security tools are using the latest detection engines and updates.
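The header inconsistency described under “What is the threat?” and the “inconsistent ZIP header values” the recommendations ask you to monitor can be checked directly rather than left to an engine that gives up on “corrupt” input. The following is an added example, not code from the advisory or from Barracuda: it uses only the Python standard library, flags every member whose header claims STORED when its declared sizes, the CRC of its raw bytes, or a trial raw‑DEFLATE inflate disagree with that claim, and builds its own constructed test archive (the member name `payload.txt` and its contents are made up).

```python
import io
import struct
import zipfile
import zlib

LOCAL_HDR = "<4s2B4HL2L2H"  # local file header layout, 30 bytes (PK\x03\x04)


def raw_member_bytes(buf: bytes, info: zipfile.ZipInfo) -> bytes:
    """Return a member's bytes exactly as they sit in the archive, unparsed."""
    hdr = struct.unpack(LOCAL_HDR, buf[info.header_offset:info.header_offset + 30])
    if hdr[0] != b"PK\x03\x04":
        raise ValueError("bad local file header signature")
    start = info.header_offset + 30 + hdr[10] + hdr[11]  # skip name and extra field
    return buf[start:start + info.compress_size]


def find_zombie_members(buf: bytes) -> list[str]:
    """Flag members whose headers claim STORED but whose bytes say otherwise."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(buf)) as zf:
        for info in zf.infolist():
            if info.compress_type != zipfile.ZIP_STORED or info.file_size == 0:
                continue
            raw, reasons = raw_member_bytes(buf, info), []
            if info.compress_size != info.file_size:
                reasons.append("STORED but compressed and uncompressed sizes differ")
            if zlib.crc32(raw) != info.CRC:
                reasons.append("CRC of the raw bytes does not match the header")
            try:  # does treating the bytes as raw DEFLATE reproduce the declared CRC?
                inflated = zlib.decompressobj(-15).decompress(raw)
                if inflated and zlib.crc32(inflated) == info.CRC:
                    reasons.append("raw bytes inflate to the declared CRC")
            except zlib.error:
                pass
            if reasons:
                findings.append(f"{info.filename}: " + "; ".join(reasons))
    return findings


def make_sample(zombie: bool) -> bytes:
    """Constructed test input: a one-member archive; zombie=True writes DEFLATE data but
    rewrites the method field in both headers to 0 (STORED), as the advisory describes."""
    method = zipfile.ZIP_DEFLATED if zombie else zipfile.ZIP_STORED
    bio = io.BytesIO()
    with zipfile.ZipFile(bio, "w", method) as zf:
        zf.writestr("payload.txt", b"A" * 4096)  # compressible, so the sizes differ
    buf = bytearray(bio.getvalue())
    if zombie:
        struct.pack_into("<H", buf, buf.find(b"PK\x03\x04") + 8, 0)   # local header
        struct.pack_into("<H", buf, buf.find(b"PK\x01\x02") + 10, 0)  # central directory
    return bytes(buf)
```

`find_zombie_members(make_sample(zombie=True))` reports all three inconsistencies for `payload.txt`, while a genuinely STORED archive produces no findings; in a gateway or mail‑flow check, any finding is the “inconsistent ZIP header values” signal to quarantine and log.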
References
For more in-depth information about the recommendations, please visit the following links:
- New ‘Zombie ZIP’ technique lets malware slip past security tools
- ‘Zombie ZIP’ slips malware past 98% of antivirus engines (SC Media)
- CVE-2026-0866: Dissecting ‘Zombie Zip’ — A New Era of Archive-Based System Exploits
If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.
This post originally appeared on Smarter MSP.

