The Mimic Octopus: Weaponizing File Corruption and Recoverability to Bypass Antivirus and Email Filtering

Format: PDF, 8.51 MB
Published: 03 Sep, 2025
Created by: Justin Gazick

This paper investigates a novel tactic in phishing operations in which threat actors intentionally corrupt document and archive files, such as DOCX, DOCM, PDF, and ZIP, to evade antivirus (AV) and email filtering systems. Although malformed, these files remain recoverable by native tools such as Microsoft Word, Adobe Reader, and WinRAR, so malicious payloads can still execute after delivery. Building on prior findings by Any.Run (Any.Run, 2024), this study expands the corruption methodology to multiple structural modifications and evaluates their impact on AV detection via VirusTotal and on behavior in the Any.Run sandbox. A custom corruption suite and a detection tool were developed to automate the detection of corrupted files and to analyze results across formats.