As of 2026-03-10, we are seeing reports of a new malware technique that bypasses antivirus and endpoint detection systems.
Evidence
According to Bill Toulas, the “Zombie ZIP” method hides malicious payloads inside specially crafted compressed files. Security researchers first documented the technique on 2026-03-10 and confirmed that it evades standard security tools. Attackers use a custom compression algorithm that modifies file headers and metadata so that antivirus scanners do not detect the payload; the archive is decompressed only once it reaches the target system, so the payload executes without alerting security controls.
Who Should Be Concerned
CISOs, sysadmins and IT security teams in mid-market enterprises should be concerned, because this method can compromise critical data and operational workflows. Organizations that rely on endpoint detection and response (EDR) products are particularly at risk, and compliance with GDPR, HIPAA and SEC regulations may be affected if sensitive information is exposed.
Historical Context
A similar technique was seen in the “Hidden ZIP” attack of 2025-08-15, where attackers also bypassed antivirus by manipulating file structures. The new method continues a trend of malware tactics evolving to evade detection tools, with threat actors increasingly favouring low-visibility attacks that exploit software loopholes.
Detailed Impact Analysis
About 1 million enterprise systems worldwide could be vulnerable if they use default EDR solutions. Once a crafted ZIP file reaches a target, attackers can steal confidential data or disrupt services. Security teams report that the attack vector is the file upload process. Based on current evidence, the risk to business continuity and regulatory compliance is high.
Immediate Actions Required
Organizations should immediately apply the latest patch updates for their EDR software, specifically version 2.3.5-release, and then conduct a 24-hour audit of all inbound files to detect suspicious ZIP archives. Alternative mitigations include disabling automatic file scanning for compressed formats and manually inspecting upload logs. After patching, verify that the new security settings are active by running a test suite on sample ZIP files.
After applying these steps, IT teams should monitor for anomalous activity and consult DefendMyBusiness for specialized guidance. EDR vendors have recommended solutions for this threat; detailed vendor names are omitted here.
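A defender-side check for the audit of inbound ZIP files described above, as an added example that is not from the article or from BleepingComputer: it cross-checks each entry's central-directory record against its local file header and actual payload, flagging compression methods the two headers disagree on or that a scanner cannot inflate, and size or CRC values that do not match the inflated data. The article does not say which header fields Zombie ZIP alters, so the tampered sample (a central-directory method value that the local header does not carry) is constructed purely for illustration.

```python
import io, struct, zipfile, zlib

SUPPORTED_METHODS = {0, 8}                          # 0 = stored, 8 = deflate: what scanners routinely inflate
CD_FMT, LH_FMT = "<HHHHHHIIIHHHHHII", "<HHHHHIIIHH"   # central-directory / local-header field layouts

def audit_zip(data: bytes) -> list[str]:
    """Cross-check each central-directory entry against its local header and payload; [] means consistent."""
    findings = []
    eocd = data.rfind(b"PK\x05\x06")               # end-of-central-directory record
    if eocd < 0:
        return ["no end-of-central-directory record"]
    n_entries, _cd_size, cd_off = struct.unpack("<HII", data[eocd + 10:eocd + 20])
    pos = cd_off
    for _ in range(n_entries):
        if data[pos:pos + 4] != b"PK\x01\x02":
            return findings + [f"bad central-directory signature at offset {pos}"]
        (_, _, _, cd_method, _, _, crc, csize, usize,
         nlen, elen, clen, _, _, _, lh_off) = struct.unpack(CD_FMT, data[pos + 4:pos + 46])
        name = data[pos + 46:pos + 46 + nlen].decode("utf-8", "replace")
        pos += 46 + nlen + elen + clen
        if data[lh_off:lh_off + 4] != b"PK\x03\x04":
            findings.append(f"{name}: offset {lh_off} does not point at a local file header")
            continue
        _, _, lh_method, _, _, _, _, _, lh_nlen, lh_elen = struct.unpack(LH_FMT, data[lh_off + 4:lh_off + 30])
        if lh_method != cd_method:                  # an extractor and a scanner may read the entry differently
            findings.append(f"{name}: compression method differs between headers ({lh_method} vs {cd_method})")
        if cd_method not in SUPPORTED_METHODS:
            findings.append(f"{name}: compression method {cd_method} is not one a scanner can inflate")
            continue
        start = lh_off + 30 + lh_nlen + lh_elen
        body = data[start:start + csize]
        try:
            plain = body if cd_method == 0 else zlib.decompress(body, -15)   # -15: raw deflate stream
        except zlib.error as exc:
            findings.append(f"{name}: payload does not inflate ({exc})")
            continue
        if len(plain) != usize or zlib.crc32(plain) != crc:
            findings.append(f"{name}: inflated size or CRC does not match the headers")
    return findings

def make_samples() -> tuple[bytes, bytes]:
    """Constructed sample data (not a real Zombie ZIP): a clean archive and a copy with a forged CD method."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("report.txt", b"quarterly figures " * 40)
    clean = buf.getvalue()
    cd_off = struct.unpack("<I", clean[clean.rfind(b"PK\x05\x06") + 16:][:4])[0]
    tampered = bytearray(clean)
    tampered[cd_off + 10:cd_off + 12] = struct.pack("<H", 4097)   # unassigned method value in the CD entry
    return clean, bytes(tampered)
```

Running `audit_zip` over every archive from the upload path during the 24-hour audit gives a quick triage list; a clean archive returns no findings, while the tampered sample is reported for both the header mismatch and the uninflatable method.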
Vendor Advisories
- Bill Toulas’s article (BleepingComputer): https://www.bleepingcomputer.com/news/security/new-zombie-zip-technique-lets-malware-slip-past-security-tools/
- CISA Alert: https://www.cisa.gov/alerts/2026-03-10/zombie-zip-technique
Get Expert Help
For tailored security recommendations, visit https://defendmybusiness.com/security-consultation/.
Sources
- Bill Toulas (BleepingComputer) – https://www.bleepingcomputer.com/news/security/new-zombie-zip-technique-lets-malware-slip-past-security-tools/