This Sneaky File Hack Is Infecting Millions Of Computers

By 813 Staff

A new class of malware-laden archive files was discovered by security researchers, then major antivirus vendors scrambled to update their detection engines, and now a detailed technical breakdown of the so-called "Zombie ZIP" technique has just dropped, revealing a surprisingly simple yet effective bypass that has left a significant portion of the cybersecurity stack exposed. The report, published by BleepingComputer (@BleepinComputer), outlines how threat actors are manipulating the internal structure of ZIP archives to create files that appear completely empty or benign to security scanners during automated inspection, only to "reanimate" with malicious payloads when opened by standard user applications like Windows Explorer or macOS Archive Utility.

The core of the issue lies in a clever manipulation of the archive's central directory, a kind of table of contents that extraction tools use to locate files within the ZIP. According to the analysis, attackers are crafting archives where this central directory is deliberately corrupted or placed incorrectly, causing many automated security tools—which rely on parsing this directory for efficiency—to see nothing of concern. However, the actual malicious files are still present within the archive's local file headers. When a user double-clicks the archive, common consumer extraction software, designed for robustness and user-friendliness, falls back to reading these local headers and proceeds to unpack the hidden malware. This discrepancy between what scanners see and what actually executes is what gives the technique its "zombie" moniker.
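A defender-side consistency check for exactly this discrepancy, added here as an example (it is not code from the BleepingComputer report): it lists the entries a central-directory parser sees, walks the local file headers the way a lenient extractor would, and reports any entry visible only through the local headers. The sample archive (a plain-text `invoice.txt`) is constructed inline for the test; `make_sample` and `zombie_zip_findings` are names chosen for this example.

```python
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"
LOCAL_HDR = struct.Struct("<4sHHHHHIIIHH")  # 30-byte local file header


def central_directory_names(data: bytes):
    """Entries as a central-directory-driven parser (most scanners) sees them."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [i.filename for i in zf.infolist()]
    except zipfile.BadZipFile:
        return []  # no usable central directory: the archive "looks empty"


def local_header_names(data: bytes):
    """Entries a lenient extractor could recover by walking local headers."""
    names, pos = [], 0
    while True:
        pos = data.find(LOCAL_SIG, pos)
        if pos < 0 or pos + LOCAL_HDR.size > len(data):
            return names
        _, _, flags, _, _, _, _, csize, _, nlen, xlen = LOCAL_HDR.unpack_from(data, pos)
        names.append(data[pos + 30:pos + 30 + nlen].decode("utf-8", "replace"))
        pos += 30 + nlen + xlen
        if csize and not flags & 0x08:  # sizes are in the header: skip the file data
            pos += csize
        # else a data descriptor is in use; keep scanning for the next signature


def zombie_zip_findings(data: bytes):
    """Names present in local headers but invisible via the central directory."""
    seen = set(central_directory_names(data))
    return sorted(n for n in local_header_names(data) if n not in seen)


def make_sample(zombie: bool) -> bytes:
    """Constructed test input: a benign one-file ZIP, optionally cut before its central directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice.txt", "constructed sample text, not a payload\n" * 20)
    data = buf.getvalue()
    if not zombie:
        return data
    eocd = data.rfind(b"PK\x05\x06")                      # end-of-central-directory record
    cd_offset = struct.unpack_from("<I", data, eocd + 16)[0]  # where the central directory starts
    return data[:cd_offset]                                # local header + data survive, directory does not


if __name__ == "__main__":
    print("intact  :", zombie_zip_findings(make_sample(zombie=False)))
    print("zombie  :", zombie_zip_findings(make_sample(zombie=True)))
```

A non-empty result means the archive would unpack more than a directory-only scan reports, which is the condition worth quarantining at a mail gateway.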

Internal documents from at least two major endpoint protection providers, reviewed by 813, show emergency meetings were convened last week to address the gap. Engineers close to the project say the rollout of updated detection logic, which now requires deeper, more resource-intensive file parsing for all ZIPs, has been anything but smooth, causing performance hits on some systems and a backlog of queued files in corporate email gateways. The technique is already being actively exploited in targeted phishing campaigns, with emails containing these deceptive archives posing as invoices or shipping notifications slipping past defenses that were, until very recently, considered state-of-the-art.

What happens next is a period of forced adaptation across the industry. While patches are now available from most leading vendors, widespread deployment will take time, leaving a window of vulnerability, particularly for organizations with slower update cycles. The elegance of the Zombie ZIP attack confirms a persistent trend: attackers are increasingly focusing on the "detection gap" between automated security tools and the actual software users run. The uncertainty lies in how quickly other archive formats, like RAR or 7z, might be exploited with similar logic. For now, the incident serves as a blunt reminder that the most effective breaches often stem not from complex zero-days, but from clever manipulations of the mundane systems we trust every day.

Source: https://x.com/BleepinComputer/status/2031461558136512685
