A researcher disclosed 'Zombie ZIP,' a technique that manipulates a ZIP file's compression header to claim its contents are uncompressed (STORED) while they are actually DEFLATE-compressed. Antivirus engines trust this header field and scan the raw bytes, seeing only compressed noise with no recognizable malware signatures. Testing showed that roughly 95% of AV engines (60 of 63) failed to detect malware hidden this way. The technique has a significant limitation: it requires a custom loader to correctly decompress the payload, so standard tools such as 7-Zip and WinRAR will flag the file as malformed. This also means a system must already be partially compromised to execute the payload. It is tracked as CVE-2026-0866, though researchers debate whether it qualifies as a true vulnerability. Detection is possible by comparing the ZIP header's compressed size and uncompressed size fields: a mismatch reveals the manipulation.
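The detection check described above, as an added example that is not code from the original report or the researcher: a small scanner that walks the local file headers of a ZIP byte string and flags any entry marked STORED whose compressed size and uncompressed size fields disagree. It adds one check the write-up does not mention, verifying that a STORED entry's raw bytes match the header CRC-32, and it stops on entries that use a data descriptor because their sizes are not in the local header. The sample archives, file names and payload bytes are constructed for the test and carry no real content.

```python
"""Scan ZIP local file headers for 'Zombie ZIP'-style tampering.

Added example, not the original report's code. Flags entries whose method is
STORED (0) but whose compressed and uncompressed size fields disagree, plus a
second, added check that STORED bytes match the header CRC-32.
"""
from __future__ import annotations

import struct
import zlib
from dataclasses import dataclass

LOCAL_SIG = b"PK\x03\x04"
LOCAL_FMT = "<4sHHHHHIIIHH"          # local file header, 30 bytes
LOCAL_LEN = struct.calcsize(LOCAL_FMT)
METHOD_STORED, METHOD_DEFLATE = 0, 8
FLAG_DATA_DESCRIPTOR = 0x0008        # sizes and CRC follow the data instead


@dataclass
class Finding:
    name: str
    reason: str


def scan_local_headers(blob: bytes) -> list[Finding]:
    """Walk local headers in order and return one Finding per problem seen."""
    findings: list[Finding] = []
    pos = 0
    while blob.startswith(LOCAL_SIG, pos):
        (_sig, _ver, flags, method, _time, _date, crc, csize, usize,
         nlen, elen) = struct.unpack_from(LOCAL_FMT, blob, pos)
        name_start = pos + LOCAL_LEN
        name = blob[name_start:name_start + nlen].decode("utf-8", "replace")
        data_start = name_start + nlen + elen
        if flags & FLAG_DATA_DESCRIPTOR:
            # Sizes live after the data; a full scanner must consult the
            # central directory here. Report and stop rather than guess.
            findings.append(Finding(name, "data descriptor used; sizes not in local header"))
            break
        data = blob[data_start:data_start + csize]
        if method == METHOD_STORED:
            # The check from the write-up: a genuinely stored entry has equal sizes.
            if csize != usize:
                findings.append(Finding(
                    name, f"STORED but compressed size {csize} != uncompressed size {usize}"))
            # Added check: stored bytes are the plaintext, so they must match the CRC.
            if (zlib.crc32(data) & 0xFFFFFFFF) != crc:
                findings.append(Finding(name, "STORED bytes do not match header CRC-32"))
        pos = data_start + csize
    return findings


def local_entry(name: bytes, payload: bytes, method: int, csize: int,
                usize: int, crc: int, flags: int = 0) -> bytes:
    """Serialize one local file header plus its data (test fixture helper)."""
    header = struct.pack(LOCAL_FMT, LOCAL_SIG, 20, flags, method, 0, 0,
                         crc, csize, usize, len(name), 0)
    return header + name + payload


def build_samples() -> dict[str, bytes]:
    """Constructed ZIP fragments (local headers only, no central directory)."""
    text = b"hello, zip\n" * 4                      # 44 bytes of harmless plaintext
    comp = zlib.compressobj(level=9, wbits=-15)     # raw DEFLATE, no zlib wrapper
    deflated = comp.compress(text) + comp.flush()
    opaque = b"\x8b\x4e\xa7\x13\x00\x5c\xd2\x91\x3f\x66\x0a\xb1"  # constructed filler
    crc = zlib.crc32(text) & 0xFFFFFFFF
    return {
        # Honest STORED entry: equal sizes, CRC of the stored bytes.
        "clean_stored": local_entry(b"notes.txt", text, METHOD_STORED,
                                    len(text), len(text), crc),
        # Honest DEFLATE entry: sizes differ, but the method says so.
        "clean_deflate": local_entry(b"notes.txt", deflated, METHOD_DEFLATE,
                                     len(deflated), len(text), crc),
        # Header claims STORED while sizes disagree and bytes are not the plaintext.
        "zombie": local_entry(b"payload.bin", opaque, METHOD_STORED,
                              len(opaque), len(text), crc),
        # Streamed entry: sizes are zero in the local header by design.
        "descriptor": local_entry(b"streamed.bin", b"", METHOD_STORED,
                                  0, 0, 0, flags=FLAG_DATA_DESCRIPTOR),
    }


if __name__ == "__main__":
    for label, blob in build_samples().items():
        print(label, scan_local_headers(blob))
```

Only the size-field comparison comes from the write-up; the CRC check and the data-descriptor stop are additions for completeness. A production scanner should also read the central directory and compare its method and size fields against each local header, since the two copies need not agree and a scanner that trusts only one of them is what the technique exploits.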