[TIMESTAMP: 2026-03-10 20:12 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: HIGH]

Zombie ZIP: Evading Security Tools via ZIP Concatenation

AI-Assisted Analysis
// executive briefing tl;dr
  • [01] Attackers use ZIP concatenation to hide malicious payloads within seemingly benign archives to bypass security scanning engines.
  • [02] Impacted systems include email gateways, antivirus engines, and archive utilities that interpret multi-part ZIP structures inconsistently.
  • [03] Security teams should implement deep file inspection and monitor for archive files containing multiple end-of-central-directory records.

A new evasion method dubbed the ‘Zombie ZIP’ technique allows attackers to deliver malicious payloads while bypassing standard security inspection tools. According to Bleeping Computer, the method leverages discrepancies in how different archive parsers interpret the ZIP file format. By concatenating multiple ZIP archives into a single file, threat actors ensure that a security scanner sees one set of benign files while the end user is presented with a different, malicious set upon extraction. This is a significant TTP for bypassing perimeter defenses.

Technical Analysis of ZIP Concatenation

The ZIP file format relies on the ‘End of Central Directory’ (EOCD) record to locate the files within an archive. Security tools, including EDR and email gateways, often parse a file from its start to identify content. However, several common utilities, such as 7-Zip or Windows Explorer, may look for the EOCD at the end of the file or handle multiple EOCD records differently.

When an attacker creates a ‘Zombie ZIP,’ they essentially glue two separate ZIP files together. The first part contains harmless decoy files, while the second part contains the actual malware. A security product scanning the file might identify and analyze only the first ZIP structure, resulting in a clean verdict. Conversely, when a user opens the file with a tool that prioritizes the final EOCD record, the malicious payload is presented instead. This is not a CVE in the traditional sense but an architectural abuse of the fact that different developers interpret the same file format differently.

How to Detect Zombie ZIP Technique

To identify these threats, security researchers should look for multiple EOCD signatures (0x06054b50) within a single file. A standard ZIP file should have only one such record, at the very end of the file. The presence of multiple records is a strong IoC that the file has been manipulated for evasion. Automated analysis tools should be updated to flag any archive that contains overlapping or multiple central directory structures.
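The check described above, as an added example that is not part of the original article: a small Python scanner that walks the whole byte stream for the EOCD signature, validates each candidate by confirming that a central directory immediately precedes it (so a chance occurrence of the four bytes inside compressed data is not counted), and lists the file names each EOCD would expose. The sample archives are constructed inline with the standard library; the file names and contents are placeholders, not real samples. The comparison with `zipfile.namelist()` shows what a parser that honours the final EOCD record would extract.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # 0x06054b50 as little-endian bytes
CDFH_SIG = b"PK\x01\x02"   # central directory file header signature
EOCD_LEN = 22              # fixed part of the EOCD record
CDFH_LEN = 46              # fixed part of a central directory entry


def find_eocd_candidates(data: bytes) -> list[int]:
    """Return every offset where the EOCD signature appears in the whole file."""
    offsets, pos = [], data.find(EOCD_SIG)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(EOCD_SIG, pos + 1)
    return offsets


def is_valid_eocd(data: bytes, pos: int) -> bool:
    """A real EOCD is preceded by a central directory of the size it declares."""
    if len(data) - pos < EOCD_LEN:
        return False
    _, _, _, _, _, cd_size, _, _ = struct.unpack("<4sHHHHIIH", data[pos:pos + EOCD_LEN])
    cd_start = pos - cd_size
    return cd_start >= 0 and data[cd_start:cd_start + 4] == CDFH_SIG


def names_in_central_directory(data: bytes, eocd_pos: int) -> list[str]:
    """Walk the central directory that ends at eocd_pos and collect entry names."""
    _, _, _, _, total, cd_size, _, _ = struct.unpack(
        "<4sHHHHIIH", data[eocd_pos:eocd_pos + EOCD_LEN])
    pos, names = eocd_pos - cd_size, []
    for _ in range(total):
        hdr = data[pos:pos + CDFH_LEN]
        if len(hdr) < CDFH_LEN or hdr[:4] != CDFH_SIG:
            break
        fields = struct.unpack("<4sHHHHHHIIIHHHHHII", hdr)
        name_len, extra_len, comment_len = fields[10], fields[11], fields[12]
        names.append(data[pos + CDFH_LEN:pos + CDFH_LEN + name_len].decode("utf-8", "replace"))
        pos += CDFH_LEN + name_len + extra_len + comment_len
    return names


def analyze_zip_bytes(data: bytes) -> dict:
    """Flag archives carrying more than one valid EOCD record and show each view."""
    valid = [p for p in find_eocd_candidates(data) if is_valid_eocd(data, p)]
    return {
        "eocd_count": len(valid),
        "views": [names_in_central_directory(data, p) for p in valid],
        "suspicious": len(valid) > 1,
    }


def stdlib_view(data: bytes) -> list[str]:
    """What a parser that trusts the last EOCD (here: Python's zipfile) would extract."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


def build_zip(files: dict[str, bytes]) -> bytes:
    """Helper to build a small archive in memory for the constructed samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a benign decoy archive and a second archive glued after it.
DECOY = build_zip({"invoice.txt": b"Nothing to see here."})
SECOND = build_zip({"hidden.bin": b"placeholder bytes standing in for the hidden part"})
ZOMBIE = DECOY + SECOND

if __name__ == "__main__":
    print("clean archive :", analyze_zip_bytes(DECOY))
    print("zombie archive:", analyze_zip_bytes(ZOMBIE))
    print("last-EOCD view:", stdlib_view(ZOMBIE))
```

A scanner that only reads the first central directory reports `['invoice.txt']`; `zipfile`, which locates the final EOCD, reports `['hidden.bin']`. The validation step matters in production: archives with ZIP64 records or long archive comments need the same structural check rather than a raw signature count, and a file that fails validation for every candidate should be treated as malformed rather than clean.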

Impact on Defensive Layers

This technique undermines the effectiveness of automated sandboxing and static analysis. If a SOC analyst relies on automated reports that only see the decoy content, the malicious activity will go unnoticed until execution. The evasion is particularly effective against signature-based detection and SIEM rules that do not account for non-standard file structures. In many cases, these archives are used in phishing campaigns to deliver ransomware or C2 beacons without triggering initial alerts.

Mitigating ZIP Parser Evasion

Mitigation requires a combination of endpoint visibility and network-level inspection. Since this technique relies on the behavior of the extraction utility, enforcing the use of specific, vetted archive tools across the enterprise reduces the likelihood of a ‘Zombie ZIP’ behaving unexpectedly. Furthermore, mapping this activity to the MITRE ATT&CK framework, specifically under Archive via Utility (T1560) and Obfuscated Files or Information (T1027), allows organizations to align their detection strategies with known adversary behaviors.

Implementing a Zero Trust approach to file attachments, in which all compressed archives are treated with high suspicion regardless of their initial scan result, is the best path toward preventing ZIP concatenation malware delivery. Organizations should prioritize security engines that perform recursive or ‘full-file’ parsing, scanning the entire byte stream for hidden or overlapping structures rather than stopping after the first valid header.
