A Malwarebytes article explains that the “Zombie ZIP” method alters the ZIP header so the archive falsely claims to be uncompressed while its contents are still compressed, which lets many antivirus engines skip proper decompression and inspection. In tests conducted about a week after disclosure, around 60 of 63 common antivirus suites failed to detect malware hidden this way, meaning roughly 95% of engines let it pass.
The technique produces a malformed ZIP that needs a custom loader to open correctly; standard tools such as the Windows built-in extractor, 7-Zip, and WinRAR flag it as malformed. The issue is tracked as CVE-2026-0866, although several security researchers dispute whether it merits a CVE at all, and because a custom loader is required, infection is unlikely on already compromised systems.
Even so, anti-malware solutions can still detect the custom loader and any known malware once the payload is properly decompressed, so the bypass affects only the initial scan, not the execution of already known malware. Security researcher Didier Stevens published a method to safely examine the contents of a malformed Zombie ZIP file; a quick way to spot manipulation is a mismatch between an entry's compressed size and uncompressed size fields. According to Malwarebytes ThreatDown, both files were detected by their products.
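The header check described above, as an added example that is not part of the Malwarebytes article or Didier Stevens' tooling: the inspector below walks a ZIP's central directory, cross-checks each entry against its local file header, and reports entries whose compression method is "stored" (method 0) yet whose compressed and uncompressed size fields disagree, or whose local and central headers contradict each other. The `build_stored_zip` helper hand-builds a minimal single-entry archive so the inspector can be exercised offline; with `claimed_uncompressed` set to a wrong value it produces a constructed, inconsistent test fixture, not a reproduction of any real sample. All function names are assumptions of this example.

```python
import io
import struct
import zipfile
import zlib
from typing import List, Optional

LOCAL_SIG = b"PK\x03\x04"
CENTRAL_SIG = b"PK\x01\x02"
EOCD_SIG = b"PK\x05\x06"
METHOD_STORED = 0


def build_stored_zip(name: bytes, payload: bytes, claimed_uncompressed: Optional[int] = None) -> bytes:
    """Hand-build a single-entry ZIP whose headers say 'stored' (method 0).

    With claimed_uncompressed=None the archive is consistent and readable by
    the zipfile module. Any other value yields a constructed test fixture whose
    size fields disagree, the kind of inconsistency inspect_zip() flags.
    """
    csize = len(payload)
    usize = csize if claimed_uncompressed is None else claimed_uncompressed
    crc = zlib.crc32(payload)
    # local file header: version, flags, method, mtime, mdate, crc, csize, usize, name len, extra len
    local = LOCAL_SIG + struct.pack("<HHHHHIIIHH", 20, 0, METHOD_STORED, 0, 0, crc, csize, usize, len(name), 0) + name
    # central directory header adds version-made-by, comment len, disk, attributes and local header offset
    central = CENTRAL_SIG + struct.pack(
        "<HHHHHHIIIHHHHHII", 20, 20, 0, METHOD_STORED, 0, 0, crc, csize, usize, len(name), 0, 0, 0, 0, 0, 0
    ) + name
    cd_offset = len(local) + len(payload)
    # end of central directory: disk, cd disk, entries on disk, total entries, cd size, cd offset, comment len
    eocd = EOCD_SIG + struct.pack("<HHHHIIH", 0, 0, 1, 1, len(central), cd_offset, 0)
    return local + payload + central + eocd


def inspect_zip(data: bytes) -> List[str]:
    """Return a list of header inconsistencies; an empty list means nothing suspicious was found."""
    findings: List[str] = []
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0 or len(data) < eocd + 22:
        return ["no end-of-central-directory record"]
    _, _, _, n_entries, _, cd_offset, _ = struct.unpack("<HHHHIIH", data[eocd + 4:eocd + 22])
    pos = cd_offset
    for _ in range(n_entries):
        if data[pos:pos + 4] != CENTRAL_SIG:
            findings.append(f"bad central directory signature at offset {pos}")
            break
        (_, _, _, method, _, _, crc, csize, usize, nlen, xlen, clen, _, _, _, loc_off) = struct.unpack(
            "<HHHHHHIIIHHHHHII", data[pos + 4:pos + 46]
        )
        name = data[pos + 46:pos + 46 + nlen].decode("utf-8", "replace")
        pos += 46 + nlen + xlen + clen
        # a genuinely stored entry must have identical compressed and uncompressed sizes
        if method == METHOD_STORED and csize != usize:
            findings.append(f"{name}: method is 'stored' but compressed size {csize} != uncompressed size {usize}")
        if data[loc_off:loc_off + 4] != LOCAL_SIG:
            findings.append(f"{name}: no local file header at offset {loc_off}")
            continue
        (_, lflags, lmethod, _, _, lcrc, lcsize, lusize, _, _) = struct.unpack("<HHHHHIIIHH", data[loc_off + 4:loc_off + 30])
        if lmethod != method:
            findings.append(f"{name}: local header method {lmethod} disagrees with central directory method {method}")
        # flag bit 3 means sizes and CRC live in a trailing data descriptor, so skip that comparison then
        if not lflags & 0x08 and (lcsize, lusize, lcrc) != (csize, usize, crc):
            findings.append(f"{name}: local header sizes/CRC disagree with central directory")
    return findings


if __name__ == "__main__":
    for label, sample in (
        ("consistent stored archive", build_stored_zip(b"a.txt", b"hello")),
        ("constructed inconsistent fixture", build_stored_zip(b"a.txt", b"hello", claimed_uncompressed=99)),
    ):
        print(label, "->", inspect_zip(sample) or "no findings")
```

The inspector never decompresses anything, so it is safe to run over untrusted archives before any extractor touches them; a non-empty result is a reason to quarantine the file and examine it with a tool that does not trust its own headers.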