Hackers can evade antivirus detection by altering just a single byte in a ZIP archive, allowing malware to slip through security defenses while masquerading as a corrupted file. A security researcher demonstrated the technique, dubbed “Zombie ZIP”, showing that 65 out of 66 antivirus solutions failed to detect the hidden malware, including Windows Defender.
More than two decades after this class of vulnerability was first identified, attackers can still manipulate ZIP file headers to bypass modern antivirus and endpoint protection systems.
Christopher Aziz, a security researcher and founder of Bombadil Systems, showed that modifying a single byte in a ZIP archive can effectively render antivirus software “blind.” ZIP headers contain structured metadata that tells extraction tools how to process an archive, including details such as the compression method, flags, and version information.
If an attacker embeds malware in a ZIP file and then alters the compression method field to falsely indicate that the contents are stored uncompressed, antivirus scanners trust the metadata and skip decompression. As a result, scanners analyze what appears to be random data rather than the actual compressed payload, and fail to detect any malicious content. To security tools, the archive simply looks corrupted.
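A scanner-side check that refuses to trust the compression method field, added here as an illustration and not code from Aziz's Zombie ZIP repository or the CERT/CC advisory: it walks each local file header and, for an entry declared STORED, verifies the raw bytes against the header CRC-32 and, if that fails, tries them as raw DEFLATE against the same CRC. The entry name, sample text and `build_sample` fixture are constructed for this example.

```python
import io
import struct
import zipfile
import zlib

LOCAL_HDR = struct.Struct("<4sHHHHHIIIHH")  # 30-byte ZIP local file header
STORED, DEFLATED = 0, 8


def _inflate_crc(raw: bytes):
    """CRC-32 of raw DEFLATE data, or None if it does not inflate cleanly."""
    try:
        return zlib.crc32(zlib.decompressobj(-15).decompress(raw))
    except zlib.error:
        return None


def check_entries(data: bytes) -> list:
    """Walk local headers; return (name, verdict) without trusting 'method'."""
    results, pos = [], 0
    while data.startswith(b"PK\x03\x04", pos):
        (_, _v, flags, method, _t, _d, crc, csize, usize,
         nlen, xlen) = LOCAL_HDR.unpack_from(data, pos)
        name = data[pos + 30:pos + 30 + nlen].decode("utf-8", "replace")
        start = pos + 30 + nlen + xlen
        raw = data[start:start + csize]
        if flags & 0x08:  # sizes deferred to a data descriptor; not handled
            return results + [(name, "data descriptor present, not checked")]
        if method == STORED and zlib.crc32(raw) == crc and csize == usize:
            verdict = "consistent"
        elif method == STORED and _inflate_crc(raw) == crc:
            verdict = "MISMATCH: header says STORED, data is DEFLATE"
        elif method == DEFLATED and _inflate_crc(raw) == crc:
            verdict = "consistent"
        else:
            verdict = "corrupt or unsupported"
        results.append((name, verdict))
        pos = start + csize
    return results


def build_sample(tamper: bool) -> bytes:
    """Constructed fixture: benign text DEFLATE-compressed by zipfile; with
    tamper=True the method field is set to STORED while the data stays DEFLATE."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("notes.txt", "benign sample text, repeated " * 20)
    data = bytearray(buf.getvalue())
    if tamper:
        struct.pack_into("<H", data, 8, STORED)  # method field is at offset 8
    return bytes(data)
```

A MISMATCH verdict is the signal a scanner should act on: the declared method and the CRC-verified content disagree, so the entry deserves the same scrutiny as a successfully decompressed one rather than a "corrupted file" pass.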
Before the manipulation, the malicious ZIP was correctly flagged by 55 of 67 vendors on VirusTotal. After tampering, only Kingsoft detected the malformed archive among 66 vendors tested.
“Change one byte in a ZIP header and 55 of 56 antivirus engines go blind,” Aziz explained in a LinkedIn post. “Set the compression method to STORED. Leave the data DEFLATE‑compressed. Scanners trust the metadata, scan compressed noise, detect nothing.”
Aziz documented the proof‑of‑concept on GitHub under the name Zombie ZIP, claiming the technique successfully evades detection by 98% of antivirus engines.
“Same payload. Same bytes. Different container,” he noted, highlighting how attackers can repurpose the technique for malware delivery.
Fortunately, many common extraction tools, including 7‑Zip, unzip, bsdtar, and Python’s zipfile module, also fail to extract Zombie ZIP archives, meaning users cannot easily unpack and execute the malware.
However, the CERT Coordination Center (CERT/CC) at Carnegie Mellon University warned that some extraction utilities are still capable of decompressing malformed ZIP files, despite the corrupted headers.
For attackers, Zombie ZIP files can function as a stealthy malware delivery mechanism. If initial access to a system is already achieved, attackers could package malware inside a Zombie ZIP, bypass security scanning, and later recover the original contents with minimal effort.
“A remote attacker may craft a ZIP archive with manipulated metadata that prevents antivirus or EDR solutions from properly decompressing and inspecting its contents,” the CERT/CC advisory states. “While many products may flag the file as corrupted, it can still evade full analysis.”
“To execute malicious code, however, a user must extract or otherwise process the archive.”
Zombie ZIP files could also play a role in convincing phishing campaigns. Cybercriminals increasingly rely on ClickFix techniques, where victims are tricked into manually running malicious commands, often via terminal prompts, rather than executing files directly.
ZIP and RAR archives have long been among the most common malware delivery formats. The newly documented issue has been assigned CVE‑2026‑0866, though researchers point out its resemblance to a vulnerability reported in 2004, which similarly allowed malware to evade detection through tampered global ZIP headers.
Patches and mitigations are now in progress. Aziz reported the issue to CERT/CC in January, and the center subsequently coordinated remediation efforts with 30 vendors.
Cisco was the first to publicly acknowledge the issue, confirming that its open‑source antivirus engine ClamAV could not scan this type of malformed ZIP file.
“However, this is not considered a vulnerability but rather a hardening opportunity,” Cisco stated. “The issue will be taken into consideration for future releases.”