Platform11-Feb-26|10 min read

Compression in Malware: The Detection Gap

Why your analysis tools only detect two compression formats when attackers have access to dozens

Definition:

The compression blind spot refers to the gap between the compression formats that security tools detect (primarily GZip and zlib) and the formats available to attackers (Zstandard, LZ4, LZString, Brotli, and others). These newer formats are standard in legitimate infrastructure but have near-zero coverage in YARA rules, Snort signatures, and automated analysis tools. This creates a detection gap that attackers can exploit with minimal effort.

When a malware analyst encounters a Base64-decoded binary blob, the first check is compression magic bytes. GZip starts with 1F 8B. Zlib starts with 78 9C. If neither matches, the standard playbook moves on to XOR, AES, or raw shellcode analysis. But what if the blob starts with 28 B5 2F FD? That's Zstandard. Or 04 22 4D 18? That's LZ4. Most analysis tools don't check for these. Most YARA rules don't match them. Most analysts have never encountered them in a malware context. That's the blind spot. Not a failure of skill or diligence, but a gap in the default toolkit. Security tools were built when GZip and Deflate were the only compression formats that mattered. The world moved on. The tooling, largely, did not.

The Two Formats Everyone Detects

GZip and zlib/Deflate dominate malware compression because they dominate everything else. They're the default in HTTP content encoding, ZIP archives, PDF streams, and PNG image data. Every programming language has built-in support. Every security tool has signatures for their magic bytes.

This universality made them the natural choice for malware authors. Why use an obscure format when the target machine already has the decompression library installed? PowerShell's [IO.Compression.GZipStream] and .NET's System.IO.Compression.DeflateStream are one-liners. The malware compresses its payload with GZip, Base64-encodes it, and decompresses at runtime.

The security industry responded with comprehensive detection. YARA rules match GZip headers. Network inspection devices decompress GZip content inline. Email gateways scan inside compressed attachments. The detection coverage is mature. And that maturity is exactly why the gap matters.

The Formats Nobody Checks

While security tooling focused on GZip and zlib, the software industry adopted a new generation of compression algorithms. These formats offer better compression ratios, faster decompression, or both. They're not experimental. They're in production at scale.

Zstandard (zstd)Developed by Facebook/Meta, Zstandard is the default compression for Cloudflare's edge network, the Linux kernel (since 4.14 for filesystems, with broad adoption in 5.x), and Meta's internal infrastructure. It compresses faster than zlib at comparable ratios and decompresses significantly faster. Magic bytes: 28 B5 2F FD. Python support via the zstandard package. Detection coverage in security tooling: near zero.
LZ4LZ4 prioritises decompression speed over compression ratio. It's standard in Docker image layers, Android boot images, the Linux kernel, and most game engines. Magic bytes: 04 22 4D 18 (frame format). Python support via the lz4 package. Detection coverage in security tooling: near zero.
LZStringUnlike the others, LZString is a JavaScript-native compression library with no magic bytes. It compresses text into printable character strings, designed for localStorage and URL parameter compression. Thousands of web applications use it. Compressed output passes through text-based filters because it contains only printable characters. An attacker can write eval(LZString.decompressFromBase64('...')) and most analysis tools will see only a Base64 string with no recognisable compression signature.
BrotliGoogle developed Brotli specifically for HTTP compression. Every modern browser supports it via the Accept-Encoding: br header. CDNs serve Brotli-compressed content by default when the client supports it. Unlike GZip, Brotli has no fixed magic bytes (it uses a variable-value window size prefix byte rather than a constant signature), making signature-based detection more complex.

Why the Gap Exists

Detection tooling is reactive. YARA rules get written for compression formats after they're observed in malware samples. Network signatures get added after incidents. The problem is that this reactive cycle has a bootstrapping gap: if nobody detects the format, nobody observes it in malware, so nobody writes detection rules, so nobody detects it.

Meanwhile, the legitimate adoption of these formats ensures that the decompression libraries are already present on target systems. Any Python environment can install zstandard and lz4 in seconds via pip. Any browser can decompress Brotli. Any JavaScript runtime has access to LZString via npm or a CDN. The attacker doesn't need to ship a decompression library with their payload.

CyberChef, the most widely used manual analysis tool, still has no native Zstandard or LZ4 operations as of early 2026. Analysts who rely on CyberChef for multi-layer decoding have no way to decompress these formats without switching to external tools.

The Detection Gap in Numbers

Key Examples
GZip
Magic bytes1F 8B
Detection coverageUniversal: YARA, Snort, IDS, CyberChef, all analysis tools
zlib/Deflate
Magic bytes78 9C / 78 DA
Detection coverageWidespread: most analysis tools and signature sets
LZMA
Magic bytes5D 00 00
Detection coverageModerate: some YARA rules, larger analysis frameworks
Zstandard
Magic bytes28 B5 2F FD
Detection coverageNear zero: no mainstream YARA rules or IDS signatures
LZ4
Magic bytes04 22 4D 18
Detection coverageNear zero: no mainstream YARA rules or IDS signatures
LZString
Magic bytesNone (printable output)
Detection coverageZero: no magic bytes, no signature possible
Brotli
Magic bytesVariable prefix
Detection coverageMinimal: HTTP-layer only, not in file analysis tools

The left side of this table is well-defended territory. The right side is open ground. An attacker switching from [IO.Compression.GZipStream] to Zstandard in their delivery script gains immediate evasion against every tool that relies on magic byte detection.

How Multi-Layer Chains Exploit the Gap

Compression rarely appears alone in malware delivery. It's typically one layer in a multi-layer obfuscation chain. A common pattern: Base64-encode the compressed payload, optionally XOR-encrypt it, then embed it in a script that reverses the chain at runtime.

When the compression layer uses GZip, automated tools handle the full chain: decode Base64, detect GZip magic, decompress, continue analysis. When the compression layer uses Zstandard or LZ4, the chain breaks at the compression step. The tool decodes Base64 successfully, encounters a binary blob with unrecognised magic bytes, and either stops or misclassifies the output.

The analyst sees "decoded binary data" and may assume it's encrypted payload requiring a key. In reality, it's compressed payload requiring the right decompression algorithm. The intelligence is one library call away, but the tool doesn't know which library to call.

This pattern is especially prevalent in Python loaders, where the standard library exposes zlib, bz2, and lzma without external dependencies. Modern Python obfuscators chain these compression algorithms with exec() and Base64 to produce loaders where each peeled layer reveals another compressed-then-encoded payload. Decoders that recognise GZip but not zlib (raw, no header) or lzma will stall on the first inner layer.

LZString: The Invisible Format

LZString deserves special attention because it breaks every assumption that magic-byte detection relies on.

Most compression formats produce binary output. LZString produces printable character strings. Its compressToBase64 variant outputs valid Base64 characters. Its compressToEncodedURIComponent variant outputs valid URL-encoded characters. A compressed LZString payload looks like a long string of random text, not a binary blob.

This means there are no magic bytes to detect. No binary signature to match. The compressed payload passes through text-based filters, email gateways, and WAF rules without triggering any alert. An eval(LZString.decompress(...)) call in JavaScript looks like a function call with a string argument. The compressed content is invisible to everything except a tool that specifically knows to try LZString decompression.

LZString's four compression variants (raw, Base64, URI component, UTF-16) each produce output in different character ranges. A tool that handles only one variant will miss the other three. Comprehensive detection requires trying all four modes, which adds complexity but is necessary for coverage.

Preparing for the Shift

The compressed-malware picture will shift. Not because of a specific threat actor announcement, but because the economics are too favourable for attackers to ignore. Switching compression formats is trivial. The evasion benefit is immediate. And the target systems already have the decompression capability installed.

Defenders can prepare now, before the shift becomes a wave. Practical steps:

  • Add magic byte rules for Zstandard (28 B5 2F FD) and LZ4 (04 22 4D 18) to YARA rule sets. Even without confirmed malware samples, these rules create early warning for format adoption.
  • Ensure your deobfuscation pipeline handles non-GZip compression in multi-layer chains. Base64(Zstd(payload)) should resolve the same way Base64(GZip(payload)) does.
  • Monitor for Base64-decoded binary blobs with unrecognised magic bytes. If your tool decodes Base64 and hits unknown binary, check whether it's Zstd, LZ4, or Brotli before assuming encryption.
  • Test LZString decompression against JavaScript payloads that contain long string arguments to eval() or Function() calls. The absence of binary data doesn't mean the absence of compression.

The Precedent: How GZip Became Standard

GZip didn't start as a malware technique. It became one because it was everywhere in legitimate software. The same Python stdlib that serves web content was available for compressing payloads. The same .NET class that handles HTTP responses was available for decompressing in a PowerShell dropper.

Zstandard, LZ4, and Brotli are on the same trajectory. They're in CDNs, container runtimes, databases, and web servers. The decompression code is already on the target machine. The only thing preventing widespread adoption in malware is inertia and the fact that GZip still works for most campaigns. When detection pressure on GZip increases sufficiently, the migration will be fast.

The window to build detection before that migration is now.

KlaroSkope supports Zstandard, LZ4, LZString (all four variants), GZip, Deflate, and LZMA decompression in multi-layer chains, detecting compression by magic bytes and attempting all formats when signatures are absent. Try KlaroSkope Free →

Frequently Asked Questions

Q

What compression formats do malware analysis tools detect?

Most malware analysis tools and YARA rules detect GZip (magic bytes 1F 8B) and zlib/Deflate (magic bytes 78 9C or 78 DA). Some also detect LZMA. Formats like Zstandard, LZ4, LZString, and Brotli have near-zero detection coverage in security tooling, despite being standard in legitimate web infrastructure, container images, and JavaScript applications.
Q

Is Zstandard used in malware?

Documented use of Zstandard (zstd) in malware delivery is currently rare, which is precisely the problem. Zstd is the default compression for Facebook, Cloudflare, and the Linux kernel. Its magic bytes (28 B5 2F FD) have no mainstream YARA signatures or Snort rules. When attackers adopt it, the detection gap will already be wide open.
Q

What is LZString and why is it a security concern?

LZString is a JavaScript-native compression library used by thousands of web applications for localStorage compression. It has no magic bytes, making detection by file signature impossible. Compressed output uses only printable characters, so it passes through text-based filters. Attackers can use eval(LZString.decompress('...')) to hide payloads in a format that most security tools have never encountered.
Q

Why would attackers use uncommon compression formats?

The same reason they use any obfuscation: to evade detection. If every YARA rule, Snort signature, and email gateway checks for GZip magic bytes but none check for Zstandard or LZ4, switching compression format provides immediate evasion with zero additional development effort. The decompression libraries are freely available and the technique is trivial to implement.
Q

How can defenders prepare for non-standard compression in malware?

Add magic byte detection for Zstandard (28 B5 2F FD), LZ4 (04 22 4D 18), and Brotli to YARA rules and network signatures. Ensure deobfuscation tools in the analysis pipeline support these formats. Monitor for Base64-decoded binary blobs that don't match known compression magic bytes, as this may indicate emerging format adoption.

Found this useful? Sharing is caring!

Ready to decode?

See KlaroSkope transform obfuscated scripts into actionable intelligence.

Try It Free