rule InflationMonstrous
{
    meta:
        description = "Detects Inflation-monstrous-WINDOWS.zip structure"
    strings:
        // End-of-central-directory signature (PK\x05\x06)
        $eocd_marker = { 50 4B 05 06 }
        $fake_comment = /FakeBlock[0-9]{10,}/
    condition:
        // File starts with a local file header (PK\x03\x04)
        uint32(0) == 0x04034B50 and $eocd_marker and #fake_comment > 100
}

By crafting overlapping filenames that point to the same compression stream, the archive can be built to confuse Windows’ file system filter. When Windows Explorer attempts to generate thumbnails or file properties, it enters an infinite loop. Combined with inflation, this triggers a in explorer.exe.
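A pre-extraction check for the overlap and inflation properties described above, as an added example that is not part of the original page. It reads central-directory metadata only and decompresses nothing. The `audit` function, the `MAX_RATIO` threshold and the sample metadata are assumptions made for illustration.

```python
import io
import zipfile
from collections import namedtuple

# Metadata taken from the central directory only; nothing is decompressed.
Entry = namedtuple("Entry", "name header_offset compress_size file_size")

LOCAL_HEADER_LEN = 30   # fixed part of a ZIP local file header
MAX_RATIO = 100         # assumed policy threshold, tune per environment

def entries_from_zip(data):
    """Read central-directory metadata from ZIP bytes."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [Entry(i.filename, i.header_offset, i.compress_size, i.file_size)
                for i in zf.infolist()]

def audit(entries, archive_len, max_ratio=MAX_RATIO):
    """Return findings for overlapping entries and excessive inflation."""
    findings = []
    ordered = sorted(entries, key=lambda e: e.header_offset)
    for prev, cur in zip(ordered, ordered[1:]):
        # Strict lower bound on where prev's record ends (the name and
        # extra field are ignored, so this can only under-report).
        prev_end = prev.header_offset + LOCAL_HEADER_LEN + prev.compress_size
        if cur.header_offset < prev_end:
            findings.append(("overlap", prev.name, cur.name))
    declared = sum(e.file_size for e in entries)
    if archive_len and declared / archive_len > max_ratio:
        findings.append(("ratio", declared, archive_len))
    return findings

def build_benign_zip():
    """Constructed benign archive used as the negative case."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "hello " * 50)
        zf.writestr("notes.txt", "plain text " * 50)
    return buf.getvalue()

# Constructed metadata (not taken from a real sample): three names whose
# central-directory records all point at the same local header offset.
SUSPECT = [Entry("a.bin", 0, 4096, 4_000_000),
           Entry("b.bin", 0, 4096, 4_000_000),
           Entry("c.bin", 0, 4096, 4_000_000)]

if __name__ == "__main__":
    benign = build_benign_zip()
    print(audit(entries_from_zip(benign), len(benign)))
    print(audit(SUSPECT, archive_len=5000))
```

Run a check like this in a mail gateway or upload handler before any component extracts or previews the archive, and quarantine the file when any finding is returned.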