isc.sans.edu, 3/11/2026, 12:14:11 PM

Analyzing "Zombie Zip" Files (CVE-2026-0866), (Wed, Mar 11th)

CyberSIXT Evidence Panel
Primary Source: kb.cert.org
CISA KEV: Not in KEV
Patch Status: Unknown

A new vulnerability, CVE-2026-0866, has been published under the name Zombie Zip. It describes a method of crafting a malformed ZIP file that bypasses detection by most anti-virus engines; the file cannot be opened with a standard ZIP utility and requires a custom loader. The trick relies on setting the compression method to STORED while the content is still DEFLATED, so the header claims the data is not compressed even though it is.

The article demonstrates two analysis paths. The simple method runs search-for-compression.py over the ZIP file, which contains an EICAR test file. The complex method uses the latest version of zipdump.py to inspect the file, revealing a file named eicar.com with a compression type of 0 (STORED); the new forcedecompress option, which forces decompression regardless of the declared compression type, then reveals the EICAR content. The analysis was written by Didier Stevens.
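The following is an added example, not code from the diary or from Didier Stevens' tools: a small Python detector for the mismatch described above. It walks the local file headers, tries to inflate the bytes of every entry marked STORED as a raw DEFLATE stream, and flags the entry when the inflated output verifies against the header CRC-32, which is the same idea as forcing decompression regardless of the declared method. The test fixture uses a constructed text payload rather than EICAR, and the builder names (build_plain_zip, build_zombie_zip, find_stored_but_deflated) are my own.

```python
import io
import struct
import zipfile
import zlib

LOCAL_SIG = b"PK\x03\x04"    # local file header signature
CENTRAL_SIG = b"PK\x01\x02"  # central directory entry signature
# Constructed test payload (the diary used an EICAR test file instead).
SAMPLE_NAME = "sample.txt"
SAMPLE_DATA = b"zombie zip detection test " * 20

def build_plain_zip(name, data, method=zipfile.ZIP_DEFLATED):
    """Write a single-entry zip with the given method (8 = DEFLATE, 0 = STORED)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", method) as zf:
        zf.writestr(name, data)
    return buf.getvalue()

def build_zombie_zip(name, data):
    """Test fixture reproducing the mismatch: deflate the entry, then set the method
    field to 0 (STORED) in the local header (+8) and central directory entry (+10)."""
    raw = bytearray(build_plain_zip(name, data))
    struct.pack_into("<H", raw, raw.find(LOCAL_SIG) + 8, 0)
    struct.pack_into("<H", raw, raw.find(CENTRAL_SIG) + 10, 0)
    return bytes(raw)

def find_stored_but_deflated(raw):
    """For every local entry marked STORED, try to inflate its bytes as raw DEFLATE.
    A stream that inflates completely and matches the header CRC-32 means the method
    field is lying. Returns [(name, inflated_content), ...]."""
    hits = []
    pos = raw.find(LOCAL_SIG)
    while pos != -1:
        # fields after the 8-byte prefix: method, (mtime+mdate skipped), crc32, csize, usize, nlen, xlen
        method, crc, csize, _usize, nlen, xlen = struct.unpack_from("<H4xIIIHH", raw, pos + 8)
        name = raw[pos + 30 : pos + 30 + nlen].decode("utf-8", "replace")
        start = pos + 30 + nlen + xlen
        chunk = raw[start : start + csize]
        if method == 0:
            inflater = zlib.decompressobj(-15)  # -15: raw DEFLATE, no zlib header
            try:
                out = inflater.decompress(chunk)
                if inflater.eof and not inflater.unused_data and zlib.crc32(out) == crc:
                    hits.append((name, out))
            except zlib.error:
                pass  # genuinely stored data: not a valid DEFLATE stream
        pos = raw.find(LOCAL_SIG, start + csize)
    return hits
```

A genuine STORED entry either fails to inflate or fails the CRC check, so only the mismatched case is reported.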


Article by CyberSIXT