Malware Evasion Technique “Zombie ZIP” Bypasses 95% of Antivirus Scanners on First Scan
What Happened — Researchers disclosed “Zombie ZIP,” a crafted ZIP file that misreports its compression method, causing most AV engines to treat the payload as harmless raw data. In testing, 60 of 63 major antivirus products failed to flag the malicious content on the initial scan.
Why It Matters for TPRM —
- AV‑based controls are a common contractual security requirement for many third‑party vendors.
- A false‑negative scan can let malware reach downstream environments before detection.
- The technique highlights the need for layered scanning (static + dynamic) and file‑integrity verification.
Who Is Affected — Endpoint security vendors, managed security service providers (MSSPs), SaaS platforms that rely on AV scanning, and any organization that outsources file‑handling to third‑party services.
Recommended Actions —
- Verify that your security vendors employ multi‑engine or sandbox analysis that decompresses archives before signature matching.
- Add checksum and size‑validation rules for ZIP archives in your ingestion pipelines: an entry's declared method, sizes and CRC should agree with the bytes actually stored.
- Request proof of mitigation (e.g., updated AV signatures, behavioral detection) from vendors handling file uploads.
Technical Notes — The method flips the ZIP “Method” field to 0 (STORED) while the data remains DEFLATE‑compressed. AV engines trust the header and scan the compressed noise, missing signatures. The CRC is set to the uncompressed payload’s checksum, causing standard extractors to error. Detection is possible once a custom loader decompresses the payload, and Malwarebytes/ThreatDown already flag these files. CVE‑2026‑0866 tracks the issue, though its classification as a vulnerability is debated. Source: Malwarebytes Labs
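The header-versus-content consistency check that the recommended actions call for, worked through as an added example (this is not code from Malwarebytes Labs or the advisory above). It reads each entry's central-directory record and local header, then flags a STORED entry whose raw bytes do not CRC to the declared value but do inflate as raw DEFLATE to data that matches, which is exactly the mismatch described in the technical notes. The archive builders, entry names, sample content and the "Zombie ZIP pattern" label are this example's own constructed fixtures and wording; the parser assumes plain (non-zip64) entries without data descriptors.

```python
"""Flag ZIP entries whose declared compression method disagrees with the
bytes actually stored (the mismatch the Zombie ZIP evasion relies on).
Added defensive example; fixtures below are constructed, benign test data."""
from __future__ import annotations

import io
import struct
import zipfile
import zlib

LOCAL_SIG = b"PK\x03\x04"
# sig, version, flags, method, mtime, mdate, crc, csize, usize, fnlen, exlen
LOCAL_FMT = "<4sHHHHHIIIHH"
LOCAL_LEN = struct.calcsize(LOCAL_FMT)  # 30 bytes


def _raw_entry_bytes(data: bytes, info: zipfile.ZipInfo) -> tuple[int, bytes]:
    """Return (method from the local header, raw stored bytes) for one entry.
    Assumes no zip64 and no data descriptor (sizes present in the header)."""
    off = info.header_offset
    hdr = struct.unpack(LOCAL_FMT, data[off:off + LOCAL_LEN])
    if hdr[0] != LOCAL_SIG:
        raise ValueError(f"{info.filename}: bad local header signature")
    method, fnlen, exlen = hdr[3], hdr[9], hdr[10]
    start = off + LOCAL_LEN + fnlen + exlen
    return method, data[start:start + info.compress_size]


def _try_raw_inflate(raw: bytes) -> bytes | None:
    """Inflate a raw DEFLATE stream (wbits=-15); None if it is not one."""
    try:
        d = zlib.decompressobj(-15)
        out = d.decompress(raw)
        return out if d.eof else None
    except zlib.error:
        return None


def check_zip_consistency(data: bytes) -> list[str]:
    """Return human-readable findings; an empty list means every entry's
    method, sizes and CRC agree with its stored bytes."""
    findings: list[str] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            local_method, raw = _raw_entry_bytes(data, info)
            if local_method != info.compress_type:
                findings.append(f"{name}: local header method {local_method} "
                                f"!= central directory method {info.compress_type}")
            if info.compress_type == zipfile.ZIP_STORED:
                if info.compress_size != info.file_size:
                    findings.append(f"{name}: STORED entry but compressed size "
                                    f"{info.compress_size} != uncompressed size {info.file_size}")
                if zlib.crc32(raw) != info.CRC:
                    inflated = _try_raw_inflate(raw)
                    if inflated is not None and zlib.crc32(inflated) == info.CRC:
                        findings.append(f"{name}: declared STORED but holds a DEFLATE stream "
                                        "whose inflated CRC matches the header (Zombie ZIP pattern)")
                    else:
                        findings.append(f"{name}: declared STORED but stored bytes do not match header CRC")
            elif info.compress_type == zipfile.ZIP_DEFLATED:
                inflated = _try_raw_inflate(raw)
                if inflated is None or zlib.crc32(inflated) != info.CRC:
                    findings.append(f"{name}: declared DEFLATE but stream does not inflate to the header CRC")
            else:
                findings.append(f"{name}: method {info.compress_type} not checked here; route to sandbox")
    return findings


def _build_archive(name: str, payload: bytes, method: int) -> bytes:
    """Constructed fixture: a well-formed one-entry archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=method) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


def _mismatched_fixture(name: str, payload: bytes) -> bytes:
    """Constructed fixture reproducing the advisory's description with benign
    text: DEFLATE bytes and plaintext CRC kept, method fields relabelled STORED."""
    data = bytearray(_build_archive(name, payload, zipfile.ZIP_DEFLATED))
    struct.pack_into("<H", data, 8, zipfile.ZIP_STORED)           # local header method
    cd = data.index(b"PK\x01\x02")
    struct.pack_into("<H", data, cd + 10, zipfile.ZIP_STORED)     # central directory method
    return bytes(data)


def run_demo() -> dict[str, list[str]]:
    """Run the check over one clean STORED, one clean DEFLATE and one mismatched archive."""
    payload = b"benign test payload " * 20   # constructed, compressible sample content
    return {
        "stored_ok": check_zip_consistency(_build_archive("note.txt", payload, zipfile.ZIP_STORED)),
        "deflated_ok": check_zip_consistency(_build_archive("note.txt", payload, zipfile.ZIP_DEFLATED)),
        "mismatched": check_zip_consistency(_mismatched_fixture("note.txt", payload)),
    }


if __name__ == "__main__":
    for case, found in run_demo().items():
        print(case, "->", found or "consistent")
```

Run as-is to see the two clean archives pass and the relabelled one produce a size finding plus the STORED/DEFLATE mismatch finding. The inflate-and-compare step is the useful part for a scanner: it recovers the bytes a signature engine should actually be matching, rather than the compressed stream the header told it to trust.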