CYBER

New 'Zombie ZIP' Technique Evades Security Scanners by Exploiting Archive Header Trust


A novel evasion technique dubbed "Zombie ZIP" has been disclosed, enabling threat actors to conceal malicious payloads within specially crafted ZIP archives that bypass detection by most antivirus (AV) and endpoint detection and response (EDR) solutions. The method exploits a fundamental trust in ZIP file headers, where security scanners parse the archive metadata to determine how to inspect the contents. By manipulating a specific header field to falsely declare compressed data as uncompressed, the archive appears benign to security tools while remaining unreadable to standard extraction utilities, creating a potent delivery mechanism for malware.

The technique, discovered by security researcher Chris Aziz of Bombadil Systems, hinges on manipulation of the compression 'Method' field in the ZIP local file header. This field declares the algorithm used to encode the member's data: '0' for STORED (uncompressed) or '8' for DEFLATE (compressed), among others. In a Zombie ZIP the header is crafted to declare Method=0 (STORED), telling parsers that the bytes that follow are the file's raw, uncompressed contents, while the payload is in fact encoded with the standard DEFLATE algorithm. Security engines that trust the header therefore scan the DEFLATE stream as if it were plaintext and see only high-entropy compressed bytes with no recognizable malware signatures, so the payload evades detection.

This evasion is highly effective: in testing against 51 AV engines on VirusTotal, 50 failed to detect malware embedded this way. Standard archive utilities such as WinRAR and 7-Zip also fail to extract the member correctly, returning errors or corrupt data, because they follow the same misleading header. What makes the file malicious in practice is a custom loader, delivered separately, that ignores the declared method, locates and inflates the DEFLATE payload, and executes the hidden malware. This two-stage design separates the delivery vehicle (the Zombie ZIP) from the execution mechanism, which complicates defense: on its own the archive is inert and unparseable, and only the loader knows how to read it.
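As an added illustration, not the researcher's published PoC (whose exact header field values the article does not describe), the Python below builds a minimal single-member ZIP whose local and central headers declare STORED while the member body is a raw DEFLATE stream. It then shows the two sides of the technique: a header-trusting reader (Python's own zipfile module) cannot extract the member, while a header-skeptical walk that verifies each member's bytes against the header's CRC-32, and re-inflates them when they do not check out, recovers the payload and flags the archive. The member name, the sample payload and the "signature" string are constructed for the example; it assumes the CRC-32 and uncompressed-size fields stay truthful and that no data descriptor (general-purpose flag bit 3) is used.

```python
"""Zombie ZIP demo: header says STORED (0), body is DEFLATE (8).

Added example, not the original PoC.  Everything below (member name,
payload, 'signature') is constructed for illustration.
"""
import io
import struct
import zipfile
import zlib
from typing import List, Optional

STORED, DEFLATED = 0, 8
LOCAL_SIG, CENTRAL_SIG, END_SIG = 0x04034B50, 0x02014B50, 0x06054B50
LOCAL_SIG_BYTES = struct.pack("<I", LOCAL_SIG)
LOCAL_FMT = "<IHHHHHIIIHH"          # 30-byte local file header
CENTRAL_FMT = "<IHHHHHHIIIHHHHHII"  # 46-byte central directory header
END_FMT = "<IHHHHIIH"               # 22-byte end-of-central-directory record

# Constructed sample payload and the byte pattern a scanner would look for.
SIGNATURE = b"constructed-sample-payload"
PAYLOAD = SIGNATURE + b": " + b"RUN-ME " * 40


def raw_deflate(data: bytes) -> bytes:
    """Raw DEFLATE (no zlib header/trailer), the form used inside ZIP members."""
    co = zlib.compressobj(9, zlib.DEFLATED, -15)
    return co.compress(data) + co.flush()


def raw_inflate(data: bytes) -> bytes:
    """Inverse of raw_deflate; raises zlib.error if data is not a full DEFLATE stream."""
    do = zlib.decompressobj(-15)
    out = do.decompress(data) + do.flush()
    if not do.eof:
        raise zlib.error("truncated DEFLATE stream")
    return out


def build_zip(name: bytes, data: bytes, declared: int, actual: int) -> bytes:
    """Single-member ZIP whose headers declare `declared` while the body is
    encoded with `actual`.  declared == actual gives a normal archive;
    declared=STORED, actual=DEFLATED gives a Zombie ZIP.  CRC-32 and the
    uncompressed size are written truthfully (an assumption of this example)."""
    body = raw_deflate(data) if actual == DEFLATED else data
    crc = zlib.crc32(data) & 0xFFFFFFFF
    local = struct.pack(LOCAL_FMT, LOCAL_SIG, 20, 0, declared, 0, 0x21,
                        crc, len(body), len(data), len(name), 0) + name
    central = struct.pack(CENTRAL_FMT, CENTRAL_SIG, 20, 20, 0, declared, 0, 0x21,
                          crc, len(body), len(data), len(name), 0, 0, 0, 0, 0, 0) + name
    cd_offset = len(local) + len(body)
    end = struct.pack(END_FMT, END_SIG, 0, 0, 1, 1, len(central), cd_offset, 0)
    return local + body + central + end


def naive_extract(blob: bytes) -> Optional[bytes]:
    """A header-trusting reader: STORED means 'hand back the bytes as-is',
    so the CRC check at end-of-member fails and extraction errors out."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return zf.read(zf.namelist()[0])
    except (zipfile.BadZipFile, zlib.error):
        return None


def skeptical_scan(blob: bytes) -> List[dict]:
    """Walk local file headers and verify each member's bytes against the
    header CRC-32 instead of trusting the declared method.  A member that
    claims STORED but only checks out after raw-DEFLATE inflation is a zombie.
    Data-descriptor entries (flag bit 3, CRC/sizes after the data) are out of
    scope for this sample; a production scanner should also consult the
    central directory."""
    findings, pos = [], 0
    while blob[pos:pos + 4] == LOCAL_SIG_BYTES:
        (_, _, flags, method, _, _, crc, csize, usize,
         nlen, xlen) = struct.unpack_from(LOCAL_FMT, blob, pos)
        name = blob[pos + 30:pos + 30 + nlen].decode("utf-8", "replace")
        start = pos + 30 + nlen + xlen
        raw = blob[start:start + csize]
        pos = start + csize
        content, actual, verdict = raw, None, "corrupt"
        if method == STORED and zlib.crc32(raw) == crc and csize == usize:
            actual, verdict = STORED, "ok"            # genuinely stored
        else:
            try:                                     # does it inflate to the CRC?
                inflated = raw_inflate(raw)
                if zlib.crc32(inflated) == crc and len(inflated) == usize:
                    content, actual = inflated, DEFLATED
                    verdict = "ok" if method == DEFLATED else "zombie"
            except zlib.error:
                pass
        findings.append({"name": name, "declared": method, "actual": actual,
                         "verdict": verdict, "content": content,
                         "sig_in_raw": SIGNATURE in raw,        # what a naive scanner sees
                         "sig_in_content": SIGNATURE in content})
    return findings


if __name__ == "__main__":
    for label, declared, actual in (("normal", DEFLATED, DEFLATED),
                                    ("zombie", STORED, DEFLATED)):
        z = build_zip(b"payload.bin", PAYLOAD, declared, actual)
        print(f"{label}: zipfile extracts ok = {naive_extract(z) == PAYLOAD}")
        for f in skeptical_scan(z):
            print(f"  {f['name']}: declared={f['declared']} actual={f['actual']} "
                  f"verdict={f['verdict']} sig_in_raw={f['sig_in_raw']} "
                  f"sig_in_content={f['sig_in_content']}")
```

The design point is that the CRC-32 in the header is a commitment to the uncompressed bytes regardless of the declared method, so a scanner that checks it (and retries with inflation on mismatch) cannot be steered by the Method field alone; an attacker who also falsifies the CRC loses that field as a check, but then the `csize != usize` mismatch for a STORED member remains an anomaly worth flagging.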

The researcher has published a proof-of-concept (PoC) on GitHub, including sample archives and technical details, to raise awareness and spur improvements in defensive parsing. This disclosure follows a week of significant cybersecurity developments, including reports of hackers abusing .arpa DNS and IPv6 to evade phishing defenses, Microsoft's warning about AI abuse throughout the cyberattack lifecycle, and campaigns like 'InstallFix' pushing infostealers via fake Claude AI coding guides. Defenders are advised not to rely solely on static header analysis (a scanner can, for example, verify a member declared STORED against the header's CRC-32 and attempt DEFLATE inflation when the bytes do not check out), to implement behavioral detection for anomalous archive processing, and to apply patches such as the recent Windows 10 KB5078885 Extended Security Update.
