Zombie ZIP: Beware of the Hacker Trick That Hides Malware in Corrupted Files

by Chief Editor

New ‘Zombie ZIP’ Technique: How Hackers Are Hiding Malware in Plain Sight

Computer users need to exercise increased caution when opening ZIP files downloaded from the internet. Security researchers have recently uncovered a new attack technique dubbed “Zombie ZIP” that allows malicious software to bypass many antivirus programs.

What is Zombie ZIP?

Zombie ZIP is a technique that enables malware to conceal itself within ZIP files, evading detection by a significant number of antivirus solutions. Standard ZIP files are used to compress one or more files or folders into a smaller package, simplifying storage and data transfer. The file extension is typically .zip, and the format is natively supported by Windows, macOS, and other systems.

How Does it Work?

Unlike typical malware distribution methods, Zombie ZIP creates archive files that appear corrupted or contain random data, causing many antivirus programs to overlook them as threats. This allows malware to slip into a victim’s system undetected.

In testing using the VirusTotal malware analysis service, the Zombie ZIP technique reportedly avoids detection by 95 to 98 percent of antivirus programs. Popular security products, including Microsoft Defender, Bitdefender, and Kaspersky, were found to not immediately flag these files as malicious.

Illustration: Zombie ZIP.

Exploiting ZIP File Structure

To understand how this technique works, it’s important to understand how ZIP files are structured. Every ZIP file contains a header section. This section holds crucial information about the archive’s contents, including the compression method used and how software should extract the files.

With Zombie ZIP, this header is deliberately manipulated. The file is made to appear as if it uses a specific compression method, while the actual data inside is compressed using a different method. When an antivirus scans the file, it trusts the compression method declared in the header; decoded that way, the data looks like random bytes, so the antivirus treats the file as ordinary and non-threatening.

However, hidden within the archive is a potentially malicious program or payload. Zombie ZIP files often cannot be opened with common archive applications such as 7-Zip or WinRAR, which report them as corrupted archives.

Attackers can, however, ship a small, specialized program that understands the actual data layout and extracts the malware from the archive.
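As an added illustration of the header/data mismatch described above (example code written for this edit, not from the original report or any security vendor), the Python script below walks the local file headers of a ZIP, checks whether the compression method each header declares actually reproduces the member's stored CRC-32, and flags members whose bytes are really a deflate stream even though the header claims otherwise. The two archives it examines are constructed in-memory fixtures; the names `build_sample_zip`, `declare_method`, `audit_zip` and `is_suspicious` are chosen here.

```python
import io
import struct
import zipfile
import zlib

LOCAL_SIG = b"PK\x03\x04"
CENTRAL_SIG = b"PK\x01\x02"
LOCAL_FMT = "<4sHHHHHIIIHH"        # fixed 30-byte part of a local file header
METHOD_STORED, METHOD_DEFLATE = 0, 8


def build_sample_zip(payload: bytes, name: str = "readme.txt") -> bytes:
    """Constructed fixture: an ordinary ZIP with one deflate-compressed member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


def declare_method(zip_bytes: bytes, method: int) -> bytes:
    """Constructed fixture: rewrite only the compression-method field in every
    local header (offset 8) and central-directory entry (offset 10), leaving
    the compressed bytes untouched. This models the header/data mismatch the
    article describes so that the auditor below has something to catch."""
    data = bytearray(zip_bytes)
    for sig, offset in ((LOCAL_SIG, 8), (CENTRAL_SIG, 10)):
        pos = data.find(sig)
        while pos >= 0:
            struct.pack_into("<H", data, pos + offset, method)
            pos = data.find(sig, pos + 4)
    return bytes(data)


def parse_local_entries(zip_bytes: bytes):
    """Walk the local file headers in order and yield
    (name, declared_method, stored_crc32, raw_member_bytes)."""
    pos = 0
    while zip_bytes[pos:pos + 4] == LOCAL_SIG:
        (_, _, _, method, _, _, crc, csize, _, nlen, xlen) = struct.unpack_from(
            LOCAL_FMT, zip_bytes, pos)
        name = zip_bytes[pos + 30:pos + 30 + nlen].decode("utf-8", "replace")
        start = pos + 30 + nlen + xlen
        yield name, method, crc, zip_bytes[start:start + csize]
        pos = start + csize


def _inflate(raw: bytes):
    """Try to decode raw as the raw deflate stream ZIP uses; None on failure."""
    try:
        return zlib.decompress(raw, -15)
    except zlib.error:
        return None


def audit_zip(zip_bytes: bytes) -> list:
    """For each member, test whether the declared method reproduces the stored
    CRC-32. If not, probe whether the bytes are nonetheless a valid deflate
    stream: that is the header/data mismatch pattern rather than mere damage."""
    findings = []
    for name, method, crc, raw in parse_local_entries(zip_bytes):
        if method == METHOD_STORED:
            declared = raw
        elif method == METHOD_DEFLATE:
            declared = _inflate(raw)
        else:
            declared = None            # method this auditor does not implement
        if declared is not None and zlib.crc32(declared) == crc:
            verdict = "consistent"
        else:
            hidden = _inflate(raw)
            if hidden is not None and zlib.crc32(hidden) == crc:
                verdict = "mismatch: data is deflate, header declares method %d" % method
            else:
                verdict = "undecodable"
        findings.append({"name": name, "declared_method": method, "verdict": verdict})
    return findings


def is_suspicious(zip_bytes: bytes) -> bool:
    """Treat any member that does not decode as declared as worth a closer look."""
    return any(f["verdict"] != "consistent" for f in audit_zip(zip_bytes))


if __name__ == "__main__":
    clean = build_sample_zip(b"just some text " * 40)
    mislabelled = declare_method(clean, METHOD_STORED)   # header says stored, data is deflate
    for label, blob in (("clean", clean), ("mislabelled", mislabelled)):
        print(label, audit_zip(blob))
```

The point of the auditor is the order of checks: it does not stop at "declared method fails to decode" and write the file off as corrupt, which is exactly the blind spot the article describes; it then asks whether the bytes decode some other way and match the CRC the header itself recorded. This is a heuristic for one method only; a production scanner would also compare the central directory against the local headers, handle data descriptors and ZIP64, and try the other compression methods the ZIP specification allows.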

Protecting Yourself from Zombie ZIP Attacks

While the technique is relatively new, understanding how it works is the first step toward protection. Here are some precautions to take:

  • Be cautious with downloaded ZIP files: Exercise extreme caution when opening ZIP files from unknown or untrusted sources.
  • Verify the source: Always confirm the sender and the legitimacy of the file before downloading.
  • Keep antivirus software updated: Ensure your antivirus software is up-to-date with the latest definitions. While many current solutions are bypassed, updates may include detection improvements.
  • Use sandboxing: Consider using a sandboxing environment to open and analyze suspicious ZIP files.

FAQ

Q: What is a ZIP file?
A: A ZIP file is a compressed archive format used to reduce the size of files and folders for easier storage and transfer.

Q: Is my antivirus software enough protection?
A: Currently, many antivirus programs are not detecting Zombie ZIP files. It’s important to be extra cautious and follow the preventative measures outlined above.

Q: Can I scan a ZIP file online?
A: Yes, you can use online services like VirusTotal to scan ZIP files for potential threats, but keep in mind that even these services may not detect Zombie ZIP files.
