A straightforward vulnerability published recently allows malware payloads to bypass nearly every common antivirus solution. The so-called "Zombie ZIP" technique exposes a fundamental weakness in how modern security tools process compressed files: they trust what archives claim to be, rather than verifying what they actually contain.
ZIP files begin with a header that describes the contents and the compression method used. If that header claims the contents are uncompressed when they are in fact compressed, most antivirus solutions ignore the discrepancy entirely. To security software, the "uncompressed" data simply looks like random bytes and therefore matches no known malware signature.
The implications are stark. Six days after the vulnerability became public, 60 out of 63 common antivirus suites failed to catch this sleight of hand, a success rate of just over 95%. Other testing is even more damning: across 51 antivirus engines tested via VirusTotal, only Kingsoft detected the malicious signatures, representing a 98% success rate for the evasion technique.
What makes this threat particularly concerning is its simplicity. The researcher who discovered the vulnerability published a proof-of-concept in Python requiring roughly a dozen lines of code. For enterprise environments, the risk multiplies significantly. What troubles the average user becomes a nightmare scenario for corporations with thousands of users and sensitive data to protect.
Understanding why antivirus solutions cannot simply adapt reveals the deeper tension in security. If AV solutions targeted the loading scripts that handle compressed data, the number of false positives would almost certainly be enormous, since loading zipped data is such a common operation in most software, including but not limited to games. Security vendors face a genuine dilemma: tighten defences and break functionality, or maintain usability and accept blind spots.
Most standard data extraction tools such as 7-Zip, unzip, bsdtar, and Python's zipfile fail to extract Zombie ZIPs, meaning users cannot simply download and run the malware. However, some extraction software can still decompress the ZIP archive despite malformed headers, the CERT Coordination Center at Carnegie Mellon University warned. The real threat lies in staged delivery: malware bypasses email gateways and endpoint scanners in its disguised form, then a custom loader on a compromised system extracts and executes it.
The new vulnerability was assigned CVE-2026-0866. However, researchers noted its similarity to a bug from 2004 that showed antivirus protection failed against compressed files with tampered global headers. A 22-year-old vulnerability pattern that remains unresolved raises uncomfortable questions about the pace of security improvement across the industry.
Cisco was the first vendor to acknowledge the issue, stating its free antivirus tool ClamAV was unable to scan this type of malformed ZIP file. However, the company characterised this not as a vulnerability but rather as a hardening suggestion to be considered for future releases. That measured response, while honest, underscores how many vendors view this problem: a defect worth noting, but not urgent enough to treat as a security failure.
The CERT Coordination Center recommends antivirus and endpoint detection and response solutions validate the compression method for archive files against content characteristics rather than trusting the archive metadata. Until such patches arrive, organisations must assume their automated scanners cannot catch this threat.
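One way to act on that recommendation, as an added example written for this article and not code from CERT or any vendor: it walks each local file header and, for entries declared STORED, checks whether the bytes instead inflate as a raw DEFLATE stream whose CRC matches the header. The fixture archive and the assumption that entries carry their sizes in the header rather than in a data descriptor are constructed for the example.

```python
import io, struct, zipfile, zlib

STORED, DEFLATED = 0, 8
LOCAL_HDR = struct.Struct("<4sHHHHHIIIHH")  # 30-byte local file header layout

def iter_local_entries(data: bytes):
    """Yield (name, method, crc, csize, usize, payload) per local header; assumes no data descriptors."""
    pos = 0
    while (pos := data.find(b"PK\x03\x04", pos)) >= 0:
        _, _, _, method, _, _, crc, csize, usize, nlen, xlen = LOCAL_HDR.unpack_from(data, pos)
        name_at = pos + LOCAL_HDR.size
        start = name_at + nlen + xlen
        name = data[name_at:name_at + nlen].decode("utf-8", "replace")
        yield name, method, crc, csize, usize, data[start:start + csize]
        pos = start + csize

def classify(method, crc, csize, usize, payload):
    """Compare the declared method with what the bytes really are; None means they agree."""
    if method == STORED:
        if csize == usize and zlib.crc32(payload) == crc:
            return None
        try:  # header says 'stored': does the payload nonetheless inflate as raw DEFLATE?
            inflated = zlib.decompress(payload, -15)
        except zlib.error:
            return "STORED entry fails size/CRC check (corrupt or unknown encoding)"
        return ("header says STORED but payload is DEFLATE (Zombie ZIP pattern)"
                if zlib.crc32(inflated) == crc else "STORED entry fails size/CRC check")
    if method == DEFLATED:
        try:
            return None if zlib.crc32(zlib.decompress(payload, -15)) == crc else "DEFLATE entry CRC mismatch"
        except zlib.error:
            return "DEFLATE entry does not inflate"
    return f"unsupported compression method {method}"

def scan_archive(data: bytes) -> dict:
    """Map entry name -> finding for every entry whose header and content disagree."""
    return {name: f for name, *fields in iter_local_entries(data) if (f := classify(*fields))}

def build_fixture(content: bytes, mislabel: bool) -> bytes:
    """Constructed test fixture, not a real sample: one DEFLATE entry. With mislabel=True the
    method field in local header and central directory is set to STORED while the bytes stay compressed."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("payload.bin", content)
    data = bytearray(buf.getvalue())
    if mislabel:
        struct.pack_into("<H", data, 8, STORED)                               # local header
        struct.pack_into("<H", data, data.rfind(b"PK\x01\x02") + 10, STORED)  # central directory
    return bytes(data)
```

A scanner that stops at the header fields would accept both fixtures; this one flags the mislabelled entry because the content, not the metadata, decides.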
The vulnerability raises a broader principle worth emphasising: no single security layer should ever be trusted completely. Email gateways, antivirus engines, and EDR tools all occupy the same blind spot. Organisations that have consolidated their defences into primarily automated detection systems have inadvertently created a shared failure point. Human judgment, manual inspection processes, and suspicion of files that extraction tools reject remain essential controls that automated systems cannot replace.
Users should treat archive files with caution, especially those from unknown contacts, and delete them immediately if their attempts to decompress them end with an "unsupported method" error. That simple rule, applied consistently, may prove more effective than any single software update.