CP
cyberpings
VulnerabilitiesHIGH

Zombie ZIP - New Method Evades Antivirus Detection

MWMalwarebytes Labs
CVE-2026-0866Zombie ZIPantivirus evasionmalware detectioncompression techniques
🎯

Basically, a new ZIP file trick can fool antivirus software during its first scan.

Quick Summary

A new technique called Zombie ZIP can trick antivirus software during scans. This affects many users relying on antivirus for protection. Stay informed and vigilant to avoid risks.

What Happened

Researchers have unveiled a technique known as Zombie ZIP, which manipulates the header of ZIP files to mislead antivirus software. This method allows malware to evade detection during the initial scan by claiming its contents are uncompressed when they are actually compressed. In tests, 60 out of 63 antivirus products failed to detect the hidden malware, marking a staggering 95% evasion rate.

The Zombie ZIP technique involves creating a malformed ZIP file that most antivirus scanners overlook. However, it requires a custom loader to access the contents correctly. Standard extraction tools like Windows' built-in extractor and popular utilities such as 7-Zip and WinRAR flag these files as malformed, making it difficult for the method to infect unprotected systems.

Who's Affected

The primary concern lies with users and organizations relying on antivirus software for protection. With the Zombie ZIP method bypassing detection, any system that encounters these specially crafted ZIP files may be at risk. However, the actual infection requires prior compromise, limiting the immediate threat to systems not already infected.

Cybersecurity experts are debating whether this should even be classified as a vulnerability, given that it necessitates a custom loader for execution. Nevertheless, the potential for widespread exploitation remains a significant concern for IT security teams and antivirus developers.

What Data Was Exposed

While the Zombie ZIP technique primarily affects the initial scanning of ZIP files, it does not compromise the integrity of known malware once the payload is decompressed. Malwarebytes and other security solutions can still detect both the custom loader and any malware once the payload is accessed. The method's effectiveness lies in its ability to deceive scanners, allowing malware to remain hidden during the first inspection.

The vulnerability is tracked under CVE-2026-0866, and researchers are actively working to address the implications of this technique. Users should remain vigilant and ensure their antivirus solutions are updated to handle such evasion tactics.

What You Should Do

To protect yourself from the risks associated with Zombie ZIP files, consider the following actions:

  • Update your antivirus software regularly to ensure it can detect the latest threats.
  • Be cautious with ZIP files from unknown sources, especially those that seem malformed or unusual.
  • Educate your team about the potential risks of ZIP file manipulations and the importance of using trusted extraction tools.

In conclusion, the Zombie ZIP method poses a significant challenge for antivirus detection, highlighting the need for ongoing vigilance and adaptation in cybersecurity practices. As this situation evolves, staying informed will be crucial for maintaining security.

🔒 Pro insight: The Zombie ZIP method illustrates a significant gap in antivirus detection capabilities, necessitating urgent updates to scanning algorithms.

Original article from

Malwarebytes Labs

Read Full Article

Share

Related Pings

HIGHVulnerabilities

CISA Issues Security Advisories for Multiple ICS Vulnerabilities

CISA has issued important advisories regarding vulnerabilities in various ICS products. Key systems from Honeywell and Siemens are affected. Users must apply updates to mitigate potential risks. Stay vigilant and secure your infrastructure.

Canadian Cyber Centre Alerts·
HIGHVulnerabilities

Red Hat Security Advisory - Critical Linux Kernel Updates

Red Hat has issued a security advisory addressing critical vulnerabilities in the Linux kernel. Multiple products are affected, posing serious risks to users. Immediate updates are necessary to ensure system security and integrity.

Canadian Cyber Centre Alerts·
HIGHVulnerabilities

Vulnerabilities in Microsoft Intune - Stryker Attack Raises Alarm

Researchers have revealed that Microsoft Intune may be exploited in attacks to wipe critical devices. This poses a significant risk for organizations relying on this tool. Immediate action is needed to safeguard sensitive data and maintain operational integrity.

Cybersecurity Dive·
CRITICALVulnerabilities

CVE-2026-20127 - Critical Cisco SD-WAN Vulnerability Exploited

A critical vulnerability in Cisco's SD-WAN is being actively exploited, allowing attackers unauthorized access. Organizations must act quickly to patch and secure their systems against potential breaches.

Intel 471 Blog·
HIGHVulnerabilities

Google Chrome Vulnerabilities - Security Advisory Released

Google has issued a security advisory for Chrome vulnerabilities affecting older versions. Users must update to protect against potential exploits. Staying updated is crucial for security.

Canadian Cyber Centre Alerts·
HIGHVulnerabilities

Ubuntu Vulnerabilities - Security Advisory Released

Ubuntu has issued critical security updates for vulnerabilities in its Linux kernel. Users of Ubuntu 22.04 and 24.04 LTS must update immediately to protect their systems. Ignoring these updates could lead to serious security risks. Stay safe by applying the necessary patches today.

Canadian Cyber Centre Alerts·