Zombie ZIP Exploit Bypasses 95% of Antivirus Solutions in 2026
A newly disclosed vulnerability, dubbed Zombie ZIP, allows malware to evade detection by nearly all major antivirus (AV) software. The flaw exploits a simple deception in ZIP file headers: by falsely marking compressed data as "uncompressed," attackers trick AV scanners into ignoring malicious payloads. To security tools, the mislabeled content appears as random bytes, bypassing signature-based detection.
Six days after the vulnerability was made public, 60 of the 63 tested AV suites (over 95%) failed to detect the exploit. While standard extraction tools such as 7-Zip and WinRAR reject these malformed archives, attackers can pair them with custom extractors to deploy malware undetected.
The researcher behind the discovery released a proof-of-concept in Python, demonstrating how the attack can be executed with minimal code. The simplicity of the exploit raises concerns for both individual users and enterprises, where unchecked ZIP files could compromise sensitive data.
The issue stems from AV solutions’ reluctance to flag ZIP-handling scripts due to the high risk of false positives, as ZIP processing is common in legitimate software. The vulnerability has been assigned CVE-2026-0866, and CERT has issued advisory VU#976247 to address the threat. Until AV vendors update their defenses, administrators are advised to monitor ZIP file traffic closely.
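As an added example (not the researcher's proof of concept, nor any AV vendor's code), a defender-side consistency check over ZIP local file headers: an entry marked stored (method 0) must have equal compressed and uncompressed sizes and a CRC32 that matches its raw bytes, so a deflate stream mislabeled as stored fails both checks and can be flagged. The sample records, file names and text are constructed inline for the demonstration.

```python
import struct
import zlib

LOCAL_SIG, LOCAL_FMT = 0x04034B50, "<IHHHHHIIIHH"   # "PK\x03\x04", 30-byte local header
STORED, DEFLATED = 0, 8

def check_local_headers(data: bytes) -> list:
    """Walk every local file header and return [(name, [issues...]), ...]."""
    results, pos = [], 0
    while (pos := data.find(b"PK\x03\x04", pos)) >= 0 and len(data) - pos >= 30:
        (_, _, flags, method, _, _, crc, csize, usize,
         nlen, xlen) = struct.unpack(LOCAL_FMT, data[pos:pos + 30])
        start = pos + 30 + nlen + xlen
        name = data[pos + 30:pos + 30 + nlen].decode("utf-8", "replace")
        body = data[start:start + csize]
        issues = []
        if flags & 0x8:   # sizes and CRC live in a trailing data descriptor
            issues.append("sizes/CRC deferred to data descriptor; not verified")
        elif method == STORED:
            if csize != usize:
                issues.append("stored entry but compressed and uncompressed sizes differ")
            if zlib.crc32(body) != crc:
                issues.append("stored entry but CRC32 of raw bytes does not match header")
        elif method == DEFLATED:
            try:
                if zlib.crc32(zlib.decompress(body, -15)) != crc:
                    issues.append("deflate entry inflates but CRC32 does not match")
            except zlib.error:
                issues.append("deflate entry does not inflate cleanly")
        else:
            issues.append(f"unexpected compression method {method}")
        results.append((name, issues))
        pos = start + csize
    return results

def local_record(name: bytes, body: bytes, method: int, usize: int, crc: int) -> bytes:
    """Constructed test fixture: one local header plus its data, no central directory."""
    hdr = struct.pack(LOCAL_FMT, LOCAL_SIG, 20, 0, method, 0, 0, crc,
                      len(body), usize, len(name), 0)
    return hdr + name + body

# Constructed sample: the same text stored, deflated, and deflated-but-labeled-stored.
PLAIN = b"The quick brown fox jumps over the lazy dog. " * 4
_c = zlib.compressobj(9, zlib.DEFLATED, -15)   # raw deflate, as ZIP entries use
RAW_DEFLATE = _c.compress(PLAIN) + _c.flush()
CRC = zlib.crc32(PLAIN)
SAMPLE = (local_record(b"ok_stored.txt", PLAIN, STORED, len(PLAIN), CRC)
          + local_record(b"ok_deflate.txt", RAW_DEFLATE, DEFLATED, len(PLAIN), CRC)
          + local_record(b"mislabeled.bin", RAW_DEFLATE, STORED, len(PLAIN), CRC))
```

Calling check_local_headers(SAMPLE) returns an empty issue list for the two consistent entries and two issues for mislabeled.bin; in triage, alert on any entry with a non-empty list. The check reads local headers only and does not cross-check the central directory.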