A newly disclosed vulnerability called "Zombie ZIP" allows malware to bypass detection by the vast majority of antivirus programs. The exploit works by creating a corrupted ZIP file that falsely declares its contents as uncompressed, causing security software to scan inert data while missing the actual compressed malware payload.
This simple technique is reportedly evading 95% of common antivirus suites, as the malicious archive appears as random, non-threatening data. While standard extraction tools fail to open these corrupted files, a small custom program can easily unpack the hidden malware.
The vulnerability has been assigned CVE-2026-0866, and security advisories have been issued. System administrators are advised to be cautious with ZIP files until antivirus solutions are updated to address this flaw.
Zombie ZIP vulnerability lets compressed malware leisurely stroll past 95% of antivirus apps — security suites are blissfully unaware of security issue
"It doesn't look like anything to me."
The ongoing arms race of cybersecurity and countermeasures has become incredibly advanced and complicated. More often than not, finding a software or hardware exploit requires competent crafting of carefully constructed contraptions. However, even in 2026, you'll occasionally find a simple vulnerability like the recently published Zombie ZIP, which allows malware payloads to bypass nearly every common antivirus solution.
The concept is as straightforward as they come. The first part of a ZIP file is called a header, and it contains information about the contents and how they're compressed. If you make a ZIP that lies by saying the contents are uncompressed, but actually contains compressed data, most antivirus solutions won’t even raise an eyebrow.
To that software, the "uncompressed" data just looks like random bytes, and thus doesn't match known malware signatures. Evoking Westworld, "it doesn't look like anything to me." At the time of this writing, six days after the vulnerability went public, 60 out of 63 common antivirus suites don't catch this proverbial sleight-of-hand — a success rate of just over 95%.
The archive file will fail to extract with common tools like 7-Zip or WinRAR because it's technically corrupted. However, it's trivial to combine it with a tiny, seemingly innocuous program that understands the slight mismatch and extracts the actual malware.
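As an added example (not the researcher's proof-of-concept and not code from the article), here is a defender-side consistency check in Python for the mismatch described above. It assumes the "says the contents are uncompressed" lie lives in the ZIP compression-method field (method 0, "stored"), parses each local file header itself, and for stored entries verifies that the payload length and CRC-32 agree with what the central directory declares; a payload that is really compressed cannot satisfy that check. Both sample archives are constructed inside the block.

```python
import io
import struct
import zipfile
import zlib

STORED = 0                    # ZIP compression method 0: payload is stored uncompressed
LOCAL_FMT = "<4sHHHHHIIIHH"   # local file header: 30 fixed bytes, then name and extra field

def payload_span(data: bytes, info: zipfile.ZipInfo):
    """Parse an entry's local header; return (declared method, payload start, payload end)."""
    hdr = struct.unpack(LOCAL_FMT, data[info.header_offset:info.header_offset + 30])
    if hdr[0] != b"PK\x03\x04":
        raise ValueError(f"{info.filename}: bad local file header signature")
    start = info.header_offset + 30 + hdr[9] + hdr[10]   # skip name_len and extra_len
    return hdr[3], start, start + info.compress_size

def audit_stored_entries(data: bytes) -> list:
    """Flag entries whose 'stored' declaration is contradicted by the payload bytes (sizes and CRC
    come from the central directory, which stays authoritative even with a data descriptor)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            method, start, end = payload_span(data, info)
            if method != info.compress_type:
                findings.append(f"{info.filename}: local method {method} != central {info.compress_type}")
            if STORED not in (method, info.compress_type):
                continue
            if info.compress_size != info.file_size:
                findings.append(f"{info.filename}: stored entry but sizes differ ({info.compress_size} vs {info.file_size})")
            if zlib.crc32(data[start:end]) != info.CRC:
                findings.append(f"{info.filename}: stored entry but payload CRC mismatches header")
    return findings

def make_stored_zip(name: str, payload: bytes) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()

def with_replaced_payload(data: bytes, replacement: bytes) -> bytes:
    """Constructed test input: keep every header as written but swap the stored payload for
    other bytes of equal length, so the header's description no longer matches the payload."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        _, start, end = payload_span(data, zf.infolist()[0])
    assert len(replacement) == end - start
    return data[:start] + replacement + data[end:]

# Constructed samples: a consistent stored archive and one whose payload contradicts its header.
CLEAN = make_stored_zip("notes.txt", b"quarterly report draft\n" * 8)
MISMATCHED = with_replaced_payload(CLEAN, bytes(range(184)))
```

Running `audit_stored_entries` over a mail gateway's quarantined archives is cheap, because it reads headers and hashes bytes without ever decompressing anything.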
The researcher who discovered the vulnerability published a proof-of-concept in Python that requires roughly a dozen lines of code. This is concerning enough for the average user, but it can become a nightmare scenario for corporations with thousands of users and sensitive data to protect.
If you're wondering why AV solutions won't just target the loading scripts, it's because the number of false positives would almost certainly be enormous, since loading zipped data is such a common operation in most software, including but not limited to games.
The CERT is already on the case and has published the VU#976247 advisory. Likewise, CVE-2026-0866 has already been assigned. Until security suites catch up, systems administrators should be particularly wary of ZIP files traveling through their networks.
Bruno Ferreira is a contributing writer for Tom's Hardware. He has decades of experience with PC hardware and assorted sundries, alongside a career as a developer. He's obsessed with detail and has a tendency to ramble on the topics he loves. When not doing that, he's usually playing games, or at live music shows and festivals.