funzip
funzip is a macOS utility that extracts a ZIP or gzip file directly to output from archives or other piped input. Malicious binaries use funzip with a password, together with the head or tail commands, to extract a malicious binary.
Author: Pratik Jeware
Created: 2026-01-21
Paths
/usr/bin/funzip
Example Use Cases
extracts a ZIP or gzip file directly to output from archives or other piped input
funzip is a macOS utility used to extract ZIP or gzip files directly to output. Malicious binaries misuse funzip, along with head or tail, to extract and reconstruct password-protected malicious payloads.
tail -c <> $0 | funzip -<password>
Detections
- No detections at time of publishing
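
A detection sketch for the pattern in this entry, added here and not part of the original entry or any published rule: it groups process-exec events by parent PID and flags a parent that spawned both a byte-count head or tail and a funzip that was given a password argument. It covers only the -c form shown in the example command; the event field names (pid, ppid, argv) and every sample value are constructed assumptions.

```python
import os

# Constructed process-exec events; the pid/ppid/argv field names are assumptions.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "argv": ["/bin/sh", "/tmp/update.command"]},
    {"pid": 101, "ppid": 100, "argv": ["tail", "-c", "48213", "/tmp/update.command"]},
    {"pid": 102, "ppid": 100, "argv": ["/usr/bin/funzip", "-EXAMPLE_PW"]},
    {"pid": 200, "ppid": 1, "argv": ["/bin/zsh", "/tmp/backup.sh"]},
    {"pid": 201, "ppid": 200, "argv": ["funzip", "backup.zip"]},  # no password
    {"pid": 300, "ppid": 1, "argv": ["/bin/bash", "/opt/rotate.sh"]},
    {"pid": 301, "ppid": 300, "argv": ["tail", "-n", "20", "/var/log/system.log"]},
]

def has_password(argv):
    """funzip takes a first argument that starts with '-' as the ZIP password."""
    return (os.path.basename(argv[0]) == "funzip"
            and len(argv) > 1 and argv[1].startswith("-") and len(argv[1]) > 1)

def carve_target(argv):
    """File read by a byte-count head/tail ('-' for stdin), else None."""
    if os.path.basename(argv[0]) not in ("head", "tail"):
        return None
    byte_mode, target, skip = False, "-", False
    for arg in argv[1:]:
        if skip:                      # value that follows a bare -c
            skip = False
        elif arg == "-c":
            byte_mode, skip = True, True
        elif arg.startswith("-c"):    # attached form, e.g. -c48213
            byte_mode = True
        elif not arg.startswith("-"):
            target = arg
    return target if byte_mode else None

def find_self_extraction(events):
    """Flag parents that spawned both a byte carve and a password-fed funzip."""
    by_pid = {e["pid"]: e for e in events}
    siblings = {}
    for e in events:
        siblings.setdefault(e["ppid"], []).append(e["argv"])
    findings = []
    for ppid, argvs in siblings.items():
        carved = [t for t in map(carve_target, argvs) if t is not None]
        if carved and any(has_password(a) for a in argvs):
            parent_argv = by_pid.get(ppid, {}).get("argv", [])
            findings.append({"ppid": ppid, "carved": carved,
                             # True when the carve reads the running script ($0)
                             "reads_own_script": any(t in parent_argv for t in carved)})
    return findings
```

Call find_self_extraction(SAMPLE_EVENTS) to get the findings; reads_own_script marks the case where the carved file is the script the parent shell is running, which matches the $0 in the example command.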