Full Report
A new technique dubbed "Zombie ZIP" helps conceal payloads in compressed files specially created to avoid detection from security solutions such as antivirus and endpoint detection and response (EDR) products. [...]
Analysis Summary
# Tool/Technique: Zombie ZIP
## Overview
Zombie ZIP is an evasion technique that leverages malformed ZIP archive headers to bypass signature-based scanning by Antivirus (AV) and Endpoint Detection and Response (EDR) solutions. By inducing a discrepancy between the declared compression method and the actual state of the data, the technique renders the malicious payload invisible to security parsers while remaining accessible to a custom-built loader.
## Technical Details
- **Type**: Evasion Technique
- **Platform**: Cross-platform (Windows, Linux, macOS)
- **Capabilities**: Header manipulation, security solution bypass, extraction utility interference.
- **First Seen**: Disclosed March 10, 2026 (CVE-2026-0866).
## MITRE ATT&CK Mapping
- **TA0005 - Defense Evasion**
- **T1027 - Obfuscated Files or Information**
- **T1027.009 - Embedded Payloads**
- **T1204.002 - User Execution: Malicious File**
## Functionality
### Core Capabilities
- **Header Manipulation**: The ZIP "Method" field is manually set to `0` (STORED, meaning uncompressed).
- **Scanner Deception**: Security engines trust the header and scan the data as raw, uncompressed bytes. Because the data is actually **DEFLATE** compressed, the scanner sees "compressed noise," failing to trigger any signatures.
- **Extraction Sabotage**: Standard utilities (7-Zip, WinRAR, unzip) typically fail to extract the file, often reporting "unsupported method" or "corrupted data."
### Advanced Features
- **Integrity Trickery**: To maximize confusion for extraction tools, the CRC-32 value is set to the checksum of the *uncompressed* payload, further validating the fake "STORED" status to some engines while breaking others.
- **Custom Loader Compatibility**: Despite being unreadable by standard tools, a purpose-built loader can ignore the header flags and programmatically decompress the data using the DEFLATE algorithm to execute the payload.
## Indicators of Compromise
- **File Hashes**: *Note: Hashes vary based on the specific payload used in the PoC.*
- **File Names**: Currently associated with proof-of-concept archives; check for unusual ZIP files that fail to open in standard software.
- **Behavioral Indicators**:
  - A process attempting to manually decompress a ZIP archive while ignoring standardized header flags.
  - Downloads of ZIP files where the internal metadata contradicts the file entropy (high-entropy data marked as "STORED").
## Associated Threat Actors
- **Bombadil Systems**: Credited with discovery and research (Chris Aziz); a research origin, not a threat actor.
- **General Threat Actors**: While currently a research PoC, the technique is designed for use by malware authors seeking to bypass automated gateway and endpoint scanners.
## Detection Methods
- **Signature-based detection**: Hard to maintain as the technique obfuscates the payload; signatures must be developed for the loaders themselves.
- **Behavioral detection**: Monitor for "Archive Inconsistency" where the stated compression method does not match the data structure.
- **Heuristic Analysis**: Flagging ZIP files that result in extraction errors in sandboxed environments but contain high-entropy data.
- **YARA Rules**: Focus on identifying ZIP entries whose compression method field is `0x0000` (STORED) but whose data carries byte distributions or block structure indicative of DEFLATE compression.
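A minimal implementation of the "stated method versus actual data" check described above, added here as an example and not code from the report or from Bombadil Systems. It walks the local file headers directly (it does not read the central directory) and treats a STORED entry that inflates cleanly as a raw DEFLATE stream as the strong signal, with high entropy only as a weaker corroborating one:

```python
import math
import struct
import zlib

LOCAL_HEADER_SIG = b"PK\x03\x04"
METHOD_STORED = 0

def shannon_entropy(data: bytes) -> float:
    # Bits per byte: close to 8.0 for compressed or encrypted data.
    n = len(data)
    counts = [data.count(bytes([v])) for v in range(256)]
    return -sum(c / n * math.log2(c / n) for c in counts if c) if n else 0.0

def inflates_as_raw_deflate(data: bytes) -> bool:
    # True only if the bytes form one complete raw DEFLATE stream (wbits=-15).
    try:
        d = zlib.decompressobj(wbits=-15)
        d.decompress(data)
        return bool(data) and d.eof
    except zlib.error:
        return False

def assess_entry(method: int, csize: int, usize: int, data: bytes) -> list:
    # Reasons a STORED (method 0) claim contradicts the entry's bytes; [] means consistent.
    if method != METHOD_STORED:
        return []
    reasons = []
    if csize != usize:
        reasons.append("stored entry but compressed size != uncompressed size")
    if inflates_as_raw_deflate(data):
        reasons.append("stored entry inflates cleanly as raw DEFLATE")  # strong signal
    elif len(data) >= 64 and shannon_entropy(data) > 7.5:
        reasons.append("stored entry is high entropy")  # weak: a stored .png looks the same
    return reasons

def scan_archive(blob: bytes) -> list:
    # Walk the local file headers; return [(name, reasons)] for inconsistent entries.
    # Entries with a data descriptor (flag bit 3, sizes after the data) are only partly checked.
    findings, off = [], 0
    while (off := blob.find(LOCAL_HEADER_SIG, off)) >= 0:
        # 30-byte header: sig, ver, flags, method, time, date, crc, csize, usize, nlen, xlen
        _v, _flags, method, _t, _d, _crc, csize, usize, nlen, xlen = struct.unpack_from(
            "<HHHHHIIIHH", blob, off + 4)
        name = blob[off + 30:off + 30 + nlen].decode("utf-8", "replace")
        start = off + 30 + nlen + xlen
        reasons = assess_entry(method, csize, usize, blob[start:start + csize])
        if reasons:
            findings.append((name, reasons))
        off = start + max(csize, 1)
    return findings
```

Run `scan_archive(open(path, "rb").read())` over a quarantined sample; a non-empty result for a STORED entry is the archive inconsistency this report describes, and the "inflates as raw DEFLATE" reason is the one worth alerting on.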
## Mitigation Strategies
- **Vendor Hardening**: Security vendors should update engines to validate compression method fields against actual data structures and detect archive inconsistencies.
- **User Education**: Instruct users to delete archives that produce "unsupported method" or "corrupted" errors immediately, rather than seeking alternative ways to open them.
- **Aggressive Inspection**: Configure security appliances to block or quarantine archives whose headers fail structural validation.
## Related Tools/Techniques
- **CVE-2004-0935**: A legacy vulnerability involving malformed headers affecting ESET products.
- **Archive Bombing/Zip Slip**: Other techniques focusing on archive manipulation.
- **Steganography**: Using non-standard data storage within files to hide payloads.