Hackers now use ZIP file concatenation to evade detection


Hackers are targeting Windows machines using the ZIP file concatenation technique to deliver malicious payloads in compressed archives without security solutions detecting them.

The technique exploits the different ways ZIP parsers and archive managers handle concatenated ZIP files.

This new trend was spotted by Perception Point, who discovered a concatenated ZIP archive hiding a trojan while analyzing a phishing attack that lured users with a fake shipping notice.

The researchers found that the attachment was disguised as a RAR archive and the malware leveraged the AutoIt scripting language to automate malicious tasks.

Phishing email hiding a trojan in a concatenated ZIP file
Source: Perception Point

Hiding malware in “broken” ZIPs

The first stage of the attack is the preparation, where the threat actors create two or more separate ZIP archives and hide the malicious payload in one of them, leaving the rest with innocuous content.

Next, the separate files are concatenated into one by appending the binary data of one file to the other, merging their contents into one combined ZIP archive.

Although the final result appears as one file, it contains multiple ZIP structures, each with its own central directory and end markers.

Internal structure of ZIP files
Source: Perception Point

Exploiting ZIP app flaws

The next phase of the attack relies on how ZIP parsers handle concatenated archives. Perception Point tested 7zip, WinRAR, and Windows File Explorer, with different results:

  • 7zip only reads the first ZIP archive (which could be benign) and may generate a warning about additional data, which users may miss.
  • WinRAR reads and displays both ZIP structures, revealing all files, including the hidden malicious payload.
  • Windows File Explorer may fail to open the concatenated file or, if it is renamed with a .RAR extension, might display only the second ZIP archive.

Depending on the app’s behavior, the threat actors may fine-tune their attack, such as hiding the malware in the first or the second ZIP archive of the concatenation.

Opening the malicious archive from the attack in 7zip, Perception Point researchers saw only a harmless PDF file. Opening it with Windows Explorer, though, revealed the malicious executable.

7zip (top) and Windows File Explorer (bottom) opening the same file
Source: Perception Point

To defend against concatenated ZIP files, Perception Point suggests that users and organizations use security solutions that support recursive unpacking.
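The following is an added example, not code from the article or from Perception Point, showing in Python what "multiple ZIP structures, each with its own central directory and end markers" looks like on disk and how a scanner can enumerate every one of them instead of trusting whichever structure a given parser happens to pick. It builds two harmless text-only archives in memory, appends one to the other (the layout the article describes), then walks the concatenated blob for every end-of-central-directory (EOCD) record and lists the file names each central directory declares. It also shows that Python's own `zipfile` module, which locates an archive by its trailing EOCD, reports only the second archive. Assumptions: no ZIP64 records, and each central directory sits immediately before its EOCD record, which is how every common archiver writes them.

```python
from __future__ import annotations

import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"           # end of central directory record
CDFH_SIG = b"PK\x01\x02"           # central directory file header
EOCD_FMT = "<4sHHHHIIH"            # 22 fixed bytes, then an optional comment
CDFH_FMT = "<4sHHHHHHIIIHHHHHII"   # 46 fixed bytes, then name/extra/comment


def list_zip_structures(data: bytes) -> list[dict]:
    """Return one entry per ZIP structure embedded in `data`.

    Each entry records where that structure's archive originally began
    ("base"), where its EOCD record sits, and the file names its central
    directory declares. A normal archive yields exactly one entry; a
    concatenated one yields two or more. ZIP64 is not handled (assumption).
    """
    structures = []
    pos = 0
    while True:
        eocd = data.find(EOCD_SIG, pos)
        if eocd == -1 or eocd + 22 > len(data):
            break
        pos = eocd + 1
        _sig, _disk, _cd_disk, _here, total, cd_size, cd_offset, _clen = (
            struct.unpack_from(EOCD_FMT, data, eocd))
        # The central directory is written directly before the EOCD record.
        cd_start = eocd - cd_size
        if cd_start < 0 or data[cd_start:cd_start + 4] != CDFH_SIG:
            continue  # signature bytes inside file data, not a real EOCD
        # cd_offset is relative to the start of the *original* archive, so the
        # difference tells us where this structure began inside the blob.
        base = cd_start - cd_offset
        names = []
        off = cd_start
        for _ in range(total):
            if off + 46 > len(data):
                break
            fields = struct.unpack_from(CDFH_FMT, data, off)
            if fields[0] != CDFH_SIG:
                break
            name_len, extra_len, comment_len = fields[10], fields[11], fields[12]
            names.append(data[off + 46:off + 46 + name_len].decode("utf-8", "replace"))
            off += 46 + name_len + extra_len + comment_len
        structures.append({"base": base, "eocd": eocd, "names": names})
    return structures


def is_concatenated(data: bytes) -> bool:
    """True when more than one complete ZIP structure is present."""
    return len(list_zip_structures(data)) > 1


def build_zip(files: dict[str, bytes]) -> bytes:
    """Write a small archive to memory (helper for the constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample: two harmless archives appended back to back. Both
# members are plain text; only the layout mirrors the one in the article.
FIRST = build_zip({"invoice.txt": b"benign placeholder document"})
SECOND = build_zip({"readme.txt": b"second archive, also benign"})
SAMPLE = FIRST + SECOND


def compare_views(data: bytes = SAMPLE) -> dict:
    """Contrast a full walk of the blob with a trailing-EOCD-only parser."""
    return {
        "all_structures": [s["names"] for s in list_zip_structures(data)],
        "second_base": list_zip_structures(data)[-1]["base"],
        # zipfile finds the last EOCD and reads only that central directory.
        "zipfile_view": zipfile.ZipFile(io.BytesIO(data)).namelist(),
        "flagged": is_concatenated(data),
    }


if __name__ == "__main__":
    for key, value in compare_views().items():
        print(f"{key}: {value}")
```

A mail or endpoint scanner that applies `is_concatenated` before handing an attachment to a single unpacker gets a clear signal to quarantine or to unpack every structure, which is the "recursive unpacking" behaviour the article recommends. Note that both the first structure and `zipfile`'s view are each internally consistent, so looking at only one of them, as 7zip or Explorer do, can never reveal that the other exists.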

Generally, emails attaching ZIPs or other archive file types should be treated with suspicion, and filters should be implemented in critical environments to block the related file extensions.

Bill Toulas
