New ‘Zombie ZIP’ technique lets malware slip past security tools

A new technique called “Zombie ZIP” manipulates ZIP headers so scanners treat DEFLATE-compressed payloads as uncompressed data, allowing signatures to be missed and extraction tools to report errors. Researcher Chris Aziz of Bombadil Systems published a PoC showing it bypassed 50 of 51 VirusTotal engines, prompting a CERT/CC bulletin and CVE-2026-0866; users and vendors are urged to validate compression methods and handle malformed archives cautiously. #ZombieZIP #CERT_CC

Key points

  • Zombie ZIP sets the ZIP Method field to STORED (0) while data is actually DEFLATE-compressed to evade scanners.
  • Standard extractors like WinRAR, 7-Zip, and unzip can error or produce corrupted output when opening these archives.
  • Chris Aziz of Bombadil Systems published a GitHub PoC and reported that 50 of 51 AV engines on VirusTotal were bypassed.
  • CERT/CC assigned CVE-2026-0866 and recommends vendors validate compression method fields and implement deeper archive inspection.
  • Users should delete archives from unknown sources if decompression fails with an “unsupported method” error.
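
A check a defender can run over suspect archives, added here as an example (not code from the article or from the Bombadil Systems PoC): it walks the local file headers and flags any entry declared STORED whose raw bytes fail the declared CRC but inflate as raw DEFLATE to data that does match it; `build_sample_zip` is a constructed fixture for exercising the check, and the header offsets come from the ZIP format, not from the page.

```python
import io
import struct
import zipfile
import zlib

LOCAL_SIG = b"PK\x03\x04"
# sig, version, flags, method, mtime, mdate, crc32, csize, usize, name_len, extra_len
LOCAL_FMT = "<4sHHHHHIIIHH"
METHOD_STORED = 0


def find_method_mismatches(data: bytes) -> list:
    """Walk local file headers; report STORED entries whose payload is really raw DEFLATE."""
    findings, pos = [], 0
    while (pos := data.find(LOCAL_SIG, pos)) >= 0 and pos + 30 <= len(data):
        f = struct.unpack_from(LOCAL_FMT, data, pos)
        flags, method, crc, csize, usize, nlen, xlen = f[2], f[3], f[6], f[7], f[8], f[9], f[10]
        name = data[pos + 30:pos + 30 + nlen].decode("utf-8", "replace")
        start = pos + 30 + nlen + xlen
        payload = data[start:start + csize]
        # flag bit 3 means CRC/sizes live in a trailing data descriptor; such entries are skipped here
        if method == METHOD_STORED and csize and not flags & 0x08 and zlib.crc32(payload) != crc:
            try:
                inflated = zlib.decompress(payload, wbits=-zlib.MAX_WBITS)
            except zlib.error:
                findings.append((name, "STORED entry whose bytes do not match the declared CRC"))
            else:
                ok = zlib.crc32(inflated) == crc and len(inflated) == usize
                findings.append((name, "declared STORED but payload is a raw DEFLATE stream" if ok
                                 else "STORED entry with CRC mismatch"))
        pos = start + csize if csize else pos + 4
    return findings


def build_sample_zip(zombie: bool) -> bytes:
    """Constructed fixture (not the published PoC): one DEFLATE entry; when zombie=True the
    Method field in the local header (offset 8) and central directory (offset 10) is set to 0."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "benign sample text " * 40)
    raw = bytearray(buf.getvalue())
    if zombie:
        raw[8:10] = struct.pack("<H", METHOD_STORED)
        cd = raw.find(b"PK\x01\x02")
        raw[cd + 10:cd + 12] = struct.pack("<H", METHOD_STORED)
    return bytes(raw)


if __name__ == "__main__":
    for zombie in (False, True):
        print("zombie" if zombie else "normal", find_method_mismatches(build_sample_zip(zombie)))
```

A normal archive produces no findings; the patched one is reported because its STORED bytes only satisfy the declared CRC and size after inflation.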

Read More: https://www.bleepingcomputer.com/news/security/new-zombie-zip-technique-lets-malware-slip-past-security-tools/