ThreatsDay Bulletin: OAuth Trap, EDR Killer and More

The ThreatsDay bulletin pulled together a range of notable developments, including OAuth token theft, Signal and WhatsApp account hijacking, Zombie ZIP archive evasion, cloud weaknesses, malware delivered through Microsoft Teams, AI-platform compromise and botnet activity. One highlighted technique, Zombie ZIP (CVE-2026-0866), uses malformed ZIP headers to evade antivirus and EDR tools while still allowing some extraction tools to unpack the malicious archive. The broader message is that attackers continue blending old tricks with subtle technical tweaks, creating incidents that look ordinary until they suddenly are not.

This week in cyber: same chaos, different wrapping paper

Some weeks in cyber security produce a single big story. Other weeks produce a chaotic buffet of unpleasantness, and the latest ThreatsDay roundup very much falls into the second category.
The bulletin highlighted a string of emerging or fast-growing threats, including OAuth abuse, hijacking attempts against Signal and WhatsApp, malware activity involving Microsoft Teams, AI-platform compromise, botnet developments and a handy little evasion technique called Zombie ZIP. It is, in short, the sort of list that makes security teams reach for a stronger cup of tea.

Why Zombie ZIP stands out

Among the more eye-catching entries is Zombie ZIP, tracked as CVE-2026-0866. This technique abuses malformed ZIP headers so that antivirus and endpoint detection tools may fail to spot the malicious contents, while some extraction utilities still unpack the archive quite happily. It is a neat reminder that file formats remain fertile ground for attacker creativity, especially when defenders assume a ZIP is just a ZIP.

The bigger pattern

The bulletin’s real value is in the pattern it exposes. Much of this activity is not brand-new in principle. Instead, attackers are refining well-known approaches: stealing tokens instead of passwords, abusing collaboration platforms rather than suspicious websites, and hiding payloads in formats or workflows that seem mundane. It is less “groundbreaking innovation” and more “criminals polishing the classics”.

What defenders should take away

Organisations need to think beyond obvious malware files and traditional phishing emails. Secure OAuth permissions, monitor collaboration tools, and do not assume endpoint tooling will catch every malformed archive. If the week’s lesson had to be reduced to one sentence, it would be this: attackers are getting better at making bad things look routine.