Windows computers are being attacked using a trick in ZIP files.

Cybercriminals are using the concatenation of ZIP files as a technique to evade security solutions and infect devices with malware through emails, cybersecurity experts warn. Recently, a detailed investigation into certain phishing campaigns by security analysts has highlighted this phenomenon.

The concatenation of ZIP files involves joining multiple ZIP files into one to confuse archiving programs and antivirus solutions. According to researchers, criminals create at least two ZIP files: one containing a harmless file, such as a clean PDF, and another housing the malware. These files are then combined into a single ZIP file, which, while presented as one, includes multiple central directories linked to various file entries.

Different compression programs, such as Winzip, WinRaR, and 7zip, handle these files differently, allowing criminals to evade security measures. For example, 7zip only recognizes the first ZIP file, which could lead to a vulnerability. While this program may alert the user about additional data, WinRaR analyzes all ZIP structures and reveals the malware, whereas Windows File Explorer only displays the second ZIP file.

In practice, this means that criminals send typical phishing emails, such as warnings about overdue invoices or undelivered packages. By opening or executing the attachment, the victim may be compromised by a Trojan or another type of malware.

Analysts point out that traditional detection tools often fail to fully decompress and analyze these complex ZIP files. To address this issue, they propose more advanced solutions that allow for thorough examination of each layer of the files, ensuring that no hidden threats go unnoticed.

However, experts also emphasize the importance of being cautious when handling email attachments and avoiding downloading content from unverified sources as a good practice to maintain security.