{"id":1835,"date":"2026-03-11T10:05:00","date_gmt":"2026-03-11T10:05:00","guid":{"rendered":"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/11\/analyzing-zombie-zip-files-cve-2026-0866-wed-mar-11th\/"},"modified":"2026-03-11T10:05:00","modified_gmt":"2026-03-11T10:05:00","slug":"analyzing-zombie-zip-files-cve-2026-0866-wed-mar-11th","status":"publish","type":"post","link":"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/11\/analyzing-zombie-zip-files-cve-2026-0866-wed-mar-11th\/","title":{"rendered":"Analyzing “Zombie Zip” Files (CVE-2026-0866), (Wed, Mar 11th)"},"content":{"rendered":"
\n

A new vulnerability\u00a0(CVE-2026-0866) has been published<\/a>: Zombie Zip<\/a>.<\/p>\n

It’s a method to create a malformed ZIP file that will bypass detection by most anti-virus engines.<\/p>\n

The malformed ZIP file can not be opened with a ZIP utility, a custom loader is required.<\/p>\n

The trick is to change the compression method to STORED while the contend is still DEFLATED: a flag in the ZIP file header states the content is not compressed, while in reality, the content is compressed.<\/p>\n

I will show you how to use my tools to analyze such a malformed ZIP file.<\/p>\n

Simple Method<\/u><\/p>\n

Just run my tool search-for-compression.py<\/a> on the ZIP file (you can download the Zombie ZIP file here<\/a>, it contains an EICAR<\/a> file):<\/p>\n

\"\"<\/p>\n

The largest compression blob is number 2, it is 77 bytes long. Let’s select it:<\/p>\n

\"\"<\/p>\n

That’s the EICAR<\/a> file.<\/p>\n

Complex Method<\/u><\/p>\n

We can use the latest version of zipdump.py<\/a> to analyze the file:<\/p>\n

Just using the tool fails (because the zip file is malformed):<\/p>\n

\"\"<\/p>\n

Using option -f to bypass the Python ZIP library for parsing, and using custom code to look for ZIP records (-f l) shows us this is a ZIP file, containing a file with the name eicar.com:<\/p>\n

\"\"<\/p>\n

Selecting the FILE record (at position 0x00000000, PK0304 fil) shows us all the meta data:<\/p>\n

\"\"<\/p>\n

The compressiontype is 0 (STORED), this means that the content of the file is just stored inside the ZIP file, not compressed.<\/p>\n

But notice that the compressedsize and uncompressedsize are different (70 and 68). It should be the same for a STORED file.<\/p>\n

Let’s select the raw file content (-s data) and perform an asciidump (-a):<\/p>\n

\"\"<\/p>\n

This does not look like the EICAR file.<\/p>\n

Let’s force the decompression of the data: -s forcedecompress:<\/p>\n

\"\"<\/p>\n

This reveals the EICAR file content.<\/p>\n

Option forcedecompress is a new option that I just coded in zipdump.py<\/a> version 0.0.35. Option decompress will only decompress if the compression type is DEFLATED, thus it can’t be used on this malformed ZIP file. Option forcedecompress will always try to decompress (and potentially fail), regardless of the compression type.<\/p>\n

\u00a0<\/p>\n

Didier Stevens
\nSenior handler
\nblog.DidierStevens.com<\/a><\/p>\n

(c) SANS Internet Storm Center. https:\/\/isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.<\/p><\/div>\n","protected":false},"excerpt":{"rendered":"

A new vulnerability\u00a0(CVE-2026-0866) has been published: Zombie Zip. It’s a method to create a malformed ZIP file that will bypass detection by most anti-virus engines. The malformed ZIP file can not be opened with a ZIP utility, a custom loader is required. The trick is to change the compression method to STORED while the contend […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"site-container-style":"default","site-container-layout":"default","site-sidebar-layout":"default","disable-article-header":"default","disable-site-header":"default","disable-site-footer":"default","disable-content-area-spacing":"default","footnotes":""},"categories":[90],"tags":[91],"class_list":["post-1835","post","type-post","status-publish","format-standard","hentry","category-cybersecurity","tag-cybersecurity"],"yoast_head":"\nAnalyzing "Zombie Zip" Files (CVE-2026-0866), (Wed, Mar 11th) - Imperative Business Ventures Limited<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/11\/analyzing-zombie-zip-files-cve-2026-0866-wed-mar-11th\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Analyzing "Zombie Zip" Files (CVE-2026-0866), (Wed, Mar 11th) - Imperative Business Ventures Limited\" \/>\n<meta property=\"og:description\" content=\"A new vulnerability\u00a0(CVE-2026-0866) has been published: Zombie Zip. It’s a method to create a malformed ZIP file that will bypass detection by most anti-virus engines. The malformed ZIP file can not be opened with a ZIP utility, a custom loader is required. The trick is to change the compression method to STORED while the contend […]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/11\/analyzing-zombie-zip-files-cve-2026-0866-wed-mar-11th\/\" \/>\n<meta property=\"og:site_name\" content=\"Imperative Business Ventures Limited\" \/>\n<meta property=\"article:published_time\" content=\"2026-03-11T10:05:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/isc.sans.edu\/diaryimages\/images\/20260311-103803.png\" \/>\n<meta name=\"author\" content=\"admin\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"admin\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/11\/analyzing-zombie-zip-files-cve-2026-0866-wed-mar-11th\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/11\/analyzing-zombie-zip-files-cve-2026-0866-wed-mar-11th\/\"},\"author\":{\"name\":\"admin\",\"@id\":\"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02\"},\"headline\":\"Analyzing “Zombie Zip” Files (CVE-2026-0866), (Wed, Mar 11th)\",\"datePublished\":\"2026-03-11T10:05:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/11\/analyzing-zombie-zip-files-cve-2026-0866-wed-mar-11th\/\"},\"wordCount\":379,\"image\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/11\/analyzing-zombie-zip-files-cve-2026-0866-wed-mar-11th\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/isc.sans.edu\/diaryimages\/images\/20260311-103803.png\",\"keywords\":[\"Cybersecurity\"],\"articleSection\":[\"Cybersecurity\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/11\/analyzing-zombie-zip-files-cve-2026-0866-wed-mar-11th\/\",\"url\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/11\/analyzing-zombie-zip-files-cve-2026-0866-wed-mar-11th\/\",\"name\":\"Analyzing \\\"Zombie Zip\\\" Files (CVE-2026-0866), (Wed, Mar 11th) - Imperative Business Ventures Limited\",\"isPartOf\":{\"@id\":\"https:\/\/blog.ibvl.in\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/11\/analyzing-zombie-zip-files-cve-2026-0866-wed-mar-11th\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/11\/analyzing-zombie-zip-files-cve-2026-0866-wed-mar-11th\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/isc.sans.edu\/diaryimages\/images\/20260311-103803.png\",\"datePublished\":\"2026-03-11T10:05:00+00:00\",\"author\":{\"@id\":\"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02\"},\"breadcrumb\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/11\/analyzing-zombie-zip-files-cve-2026-0866-wed-mar-11th\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/11\/analyzing-zombie-zip-files-cve-2026-0866-wed-mar-11th\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/11\/analyzing-zombie-zip-files-cve-2026-0866-wed-mar-11th\/#primaryimage\",\"url\":\"https:\/\/isc.sans.edu\/diaryimages\/images\/20260311-103803.png\",\"contentUrl\":\"https:\/\/isc.sans.edu\/diaryimages\/images\/20260311-103803.png\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/11\/analyzing-zombie-zip-files-cve-2026-0866-wed-mar-11th\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/blog.ibvl.in\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Analyzing “Zombie Zip” Files (CVE-2026-0866), (Wed, Mar 11th)\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/blog.ibvl.in\/#website\",\"url\":\"https:\/\/blog.ibvl.in\/\",\"name\":\"Imperative Business Ventures Limited\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/blog.ibvl.in\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02\",\"name\":\"admin\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.ibvl.in\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/4d20b2cd313e4417a599678e950e6fb7d4dfa178a72f2b769335a08aaa615aa9?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/4d20b2cd313e4417a599678e950e6fb7d4dfa178a72f2b769335a08aaa615aa9?s=96&d=mm&r=g\",\"caption\":\"admin\"},\"sameAs\":[\"https:\/\/blog.ibvl.in\"],\"url\":\"https:\/\/blog.ibvl.in\/index.php\/author\/admin_hcbs9yw6\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Analyzing \"Zombie Zip\" Files (CVE-2026-0866), (Wed, Mar 11th) - Imperative Business Ventures Limited","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/11\/analyzing-zombie-zip-files-cve-2026-0866-wed-mar-11th\/","og_locale":"en_US","og_type":"article","og_title":"Analyzing \"Zombie Zip\" Files (CVE-2026-0866), (Wed, Mar 11th) - Imperative Business Ventures Limited","og_description":"A new vulnerability\u00a0(CVE-2026-0866) has been published: Zombie Zip. It’s a method to create a malformed ZIP file that will bypass detection by most anti-virus engines. The malformed ZIP file can not be opened with a ZIP utility, a custom loader is required. The trick is to change the compression method to STORED while the contend […]","og_url":"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/11\/analyzing-zombie-zip-files-cve-2026-0866-wed-mar-11th\/","og_site_name":"Imperative Business Ventures Limited","article_published_time":"2026-03-11T10:05:00+00:00","og_image":[{"url":"https:\/\/isc.sans.edu\/diaryimages\/images\/20260311-103803.png","type":"","width":"","height":""}],"author":"admin","twitter_card":"summary_large_image","twitter_misc":{"Written by":"admin","Est. reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/11\/analyzing-zombie-zip-files-cve-2026-0866-wed-mar-11th\/#article","isPartOf":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/11\/analyzing-zombie-zip-files-cve-2026-0866-wed-mar-11th\/"},"author":{"name":"admin","@id":"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02"},"headline":"Analyzing “Zombie Zip” Files (CVE-2026-0866), (Wed, Mar 11th)","datePublished":"2026-03-11T10:05:00+00:00","mainEntityOfPage":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/11\/analyzing-zombie-zip-files-cve-2026-0866-wed-mar-11th\/"},"wordCount":379,"image":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/11\/analyzing-zombie-zip-files-cve-2026-0866-wed-mar-11th\/#primaryimage"},"thumbnailUrl":"https:\/\/isc.sans.edu\/diaryimages\/images\/20260311-103803.png","keywords":["Cybersecurity"],"articleSection":["Cybersecurity"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/11\/analyzing-zombie-zip-files-cve-2026-0866-wed-mar-11th\/","url":"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/11\/analyzing-zombie-zip-files-cve-2026-0866-wed-mar-11th\/","name":"Analyzing \"Zombie Zip\" Files (CVE-2026-0866), (Wed, Mar 11th) - Imperative Business Ventures Limited","isPartOf":{"@id":"https:\/\/blog.ibvl.in\/#website"},"primaryImageOfPage":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/11\/analyzing-zombie-zip-files-cve-2026-0866-wed-mar-11th\/#primaryimage"},"image":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/11\/analyzing-zombie-zip-files-cve-2026-0866-wed-mar-11th\/#primaryimage"},"thumbnailUrl":"https:\/\/isc.sans.edu\/diaryimages\/images\/20260311-103803.png","datePublished":"2026-03-11T10:05:00+00:00","author":{"@id":"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02"},"breadcrumb":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/11\/analyzing-zombie-zip-files-cve-2026-0866-wed-mar-11th\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/blog.ibvl.in\/index.php\/2026\/03\/11\/analyzing-zombie-zip-files-cve-2026-0866-wed-mar-11th\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/11\/analyzing-zombie-zip-files-cve-2026-0866-wed-mar-11th\/#primaryimage","url":"https:\/\/isc.sans.edu\/diaryimages\/images\/20260311-103803.png","contentUrl":"https:\/\/isc.sans.edu\/diaryimages\/images\/20260311-103803.png"},{"@type":"BreadcrumbList","@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/11\/analyzing-zombie-zip-files-cve-2026-0866-wed-mar-11th\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/blog.ibvl.in\/"},{"@type":"ListItem","position":2,"name":"Analyzing “Zombie Zip” Files (CVE-2026-0866), (Wed, Mar 11th)"}]},{"@type":"WebSite","@id":"https:\/\/blog.ibvl.in\/#website","url":"https:\/\/blog.ibvl.in\/","name":"Imperative Business Ventures Limited","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/blog.ibvl.in\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02","name":"admin","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.ibvl.in\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/4d20b2cd313e4417a599678e950e6fb7d4dfa178a72f2b769335a08aaa615aa9?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/4d20b2cd313e4417a599678e950e6fb7d4dfa178a72f2b769335a08aaa615aa9?s=96&d=mm&r=g","caption":"admin"},"sameAs":["https:\/\/blog.ibvl.in"],"url":"https:\/\/blog.ibvl.in\/index.php\/author\/admin_hcbs9yw6\/"}]}},"_links":{"self":[{"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/posts\/1835","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/comments?post=1835"}],"version-history":[{"count":0,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/posts\/1835\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/media?parent=1835"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/categories?post=1835"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/tags?post=1835"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}