
Thompson InfoSec

When Your Defenses Don't Detect: EDR Evasion in 2026

New techniques like Zombie ZIP and BlackSanta are bypassing endpoint detection tools entirely. What this means for your security program.

Jonathan Thompson · March 3, 2026

If you’re relying on endpoint detection and response (EDR) as a primary detection layer, the last few weeks should give you pause.

Zombie ZIP: 50 out of 51 Engines Bypassed

Security researchers recently disclosed a technique called “Zombie ZIP” that abuses how Windows processes ZIP archives. In the researchers' testing, malware delivered this way slipped past 50 of the 51 antivirus and EDR engines it was run against.

That’s not a marginal bypass. That’s near-total evasion of the security tools most organizations depend on.

The technique itself isn’t conceptually complex — it abuses legitimate file handling behavior that security tools don’t inspect deeply enough. That’s the pattern I keep seeing: attackers don’t need to be brilliant, they just need to find the gaps in what your tools actually examine.

BlackSanta: Killing the Watcher

Around the same time, a campaign dubbed “BlackSanta” surfaced targeting HR departments with malware specifically designed to disable EDR tools. The goal wasn’t just evasion — it was elimination. Once the EDR agent is killed, attackers have free rein to exfiltrate employee and payroll data.

The campaign had been running for over a year before it was publicly identified. A year of operating inside networks with the security tools turned off.

What This Means Practically

These aren’t theoretical attacks. They’re active campaigns that evade or disable the security tools organizations run in production. A few things to consider:

EDR is not a security strategy. It’s a component of one. If your entire detection capability is a single EDR product, these techniques turn your security program into a checkbox exercise. Defense in depth isn’t a buzzword — it’s the difference between detection and a year-long compromise.

Network-level visibility matters. When endpoint tools fail, network security controls become your backstop. Proper segmentation, monitoring of lateral movement, and anomaly detection at the network layer can catch what endpoints miss. If you haven’t assessed your network architecture and segmentation recently, now’s the time.

Test your assumptions. When was the last time you validated that your security tools actually detect the threats you think they detect? Adversary emulation, purple-team exercises and red team assessments exist for exactly this reason. A tabletop exercise tests your process and decision-making, not your tooling, so it is no substitute for running real techniques against the agents you have deployed.

Patch and update your security tools themselves. EDR vendors do ship detections and hardening for techniques like these, but you only benefit if you’re running current agent versions and have the agent’s own anti-tampering protections switched on. Outdated security tooling is a compounding risk: it misses the new technique and is easier to kill.
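As an added example, not code from this post or from any of the vendors mentioned, here is a minimal network-side backstop of the kind the points above describe. Run over flow records and EDR agent check-in times, it flags two things: hosts that keep generating traffic after their agent has gone silent (the BlackSanta pattern, a killed watcher rather than a powered-off machine), and sources fanning out to many internal hosts on SMB, RDP or WinRM ports inside a short window. The record layout, port list, thresholds and sample data are all constructed assumptions; map them onto whatever your flow collector and EDR console actually export.

```python
"""Network-side backstop checks for a host whose EDR agent has gone dark.

Added example, not code from the original post. The connection and
heartbeat records below are constructed inline; field names, the port
list and the thresholds are assumptions to adapt to your own flow
collector and EDR console.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Ports commonly used for Windows lateral movement: SMB, RDP, WinRM HTTP/HTTPS.
# Assumed list; tune to what is legitimately used in your environment.
LATERAL_PORTS = {445, 3389, 5985, 5986}

# Constructed flow records: who talked to whom, when, on which port.
CONNECTIONS = [
    {"ts": "2026-03-01T09:00:00", "src": "10.0.1.20", "dst": "10.0.1.30", "dport": 445},
    {"ts": "2026-03-01T09:01:00", "src": "10.0.1.20", "dst": "10.0.1.31", "dport": 445},
    {"ts": "2026-03-01T09:02:00", "src": "10.0.1.20", "dst": "10.0.1.32", "dport": 3389},
    {"ts": "2026-03-01T09:03:00", "src": "10.0.1.20", "dst": "10.0.1.33", "dport": 5985},
    {"ts": "2026-03-01T09:04:00", "src": "10.0.1.20", "dst": "10.0.1.34", "dport": 445},
    {"ts": "2026-03-01T09:05:00", "src": "10.0.1.50", "dst": "10.0.1.30", "dport": 445},
    {"ts": "2026-03-01T09:06:00", "src": "10.0.1.50", "dst": "10.0.1.60", "dport": 443},
]

# Constructed EDR console data: last check-in per host.
# 10.0.1.20 stopped reporting at 08:40 but is clearly still active above.
HEARTBEATS = {
    "10.0.1.20": "2026-03-01T08:40:00",
    "10.0.1.30": "2026-03-01T09:10:00",
    "10.0.1.50": "2026-03-01T09:10:00",
}


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


def silent_agents(connections, heartbeats, now: str, max_silence_min: int = 15):
    """Hosts that kept talking on the network after their EDR agent went quiet.

    An offline laptop is silent everywhere; a host whose agent is silent while
    its flows continue is the killed-watcher pattern and deserves a look.
    """
    now_dt = _ts(now)
    last_traffic = {}
    for c in connections:
        t = _ts(c["ts"])
        if c["src"] not in last_traffic or t > last_traffic[c["src"]]:
            last_traffic[c["src"]] = t
    findings = []
    for host, seen in heartbeats.items():
        last_hb = _ts(seen)
        if now_dt - last_hb <= timedelta(minutes=max_silence_min):
            continue  # agent is current; nothing to flag
        if host in last_traffic and last_traffic[host] > last_hb:
            findings.append({
                "host": host,
                "last_heartbeat": seen,
                "last_traffic": last_traffic[host].isoformat(),
            })
    return findings


def lateral_fanout(connections, window_min: int = 10, threshold: int = 5):
    """Sources that reach >= threshold distinct hosts on lateral-movement
    ports inside a sliding time window. One finding per source."""
    window = timedelta(minutes=window_min)
    per_src = defaultdict(list)
    for c in connections:
        if c["dport"] in LATERAL_PORTS:
            per_src[c["src"]].append((_ts(c["ts"]), c["dst"]))
    findings = []
    for src, events in per_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window forward until it spans at most window_min.
            while events[end][0] - events[start][0] > window:
                start += 1
            targets = {dst for _, dst in events[start:end + 1]}
            if len(targets) >= threshold:
                findings.append({"src": src, "targets": sorted(targets),
                                 "window_start": events[start][0].isoformat()})
                break
    return findings


if __name__ == "__main__":
    for f in silent_agents(CONNECTIONS, HEARTBEATS, now="2026-03-01T09:15:00"):
        print("EDR silent but host active:", f)
    for f in lateral_fanout(CONNECTIONS):
        print("lateral fan-out:", f)
```

The silent-agent check is the one to wire up first: an agent that stops reporting while its host is still on the network is a higher-signal event than most endpoint alerts, and it needs no knowledge of whichever evasion or kill technique was used. The fan-out check is deliberately coarse; its value is that it runs on flow data the endpoint cannot suppress.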

The Bigger Picture

The arms race between detection tools and evasion techniques isn’t new. What’s changed is the sophistication and availability of evasion methods. Techniques that would have been reserved for nation-state actors five years ago are now showing up in commodity malware campaigns.

The organizations that weather this shift are the ones treating security as a layered program — not a product purchase. If your security program starts and ends with an EDR agent, it’s time to reassess.

