XCropImage
xcropimage.io
Back to Blog

Creating a Polyglot File: How to Hide a ZIP Archive Inside a PNG

xcropimage.io Team

Learn how to create a polyglot file by hiding a ZIP archive inside a PNG image across Windows, macOS, and Linux.

Introduction

A polyglot file is a file that is valid in more than one format at the same time.

In this guide, you'll learn how to hide a ZIP archive (containing a video or any file) inside a PNG image. The resulting file will:

  • Open normally as an image
  • Be detected as an archive by tools like WinRAR
  • Contain extractable hidden files

This works because PNG allows trailing data, and ZIP archives can be detected by signature scanning.

How It Works

PNG Flexibility

PNG viewers read only the image portion and ignore extra data appended at the end of the file.

ZIP Detection

ZIP files contain a PK signature. Archive tools scan the entire file and detect this signature even if it appears after PNG data.

When you append a ZIP archive to a PNG, the result becomes a polyglot file.

Step 1: Prepare Files

You need:

  • image.png
  • video.mp4 (or any file)

Create the ZIP archive first:

Windows / macOS / Linux

zip video.zip video.mp4

If you're on Windows without zip, right-click → Send to → Compressed (zipped) folder.

Step 2: Merge PNG and ZIP

🪟 Windows (CMD)

copy /b image.png + video.zip output.png

🪟 Windows (PowerShell)

Get-Content image.png -Encoding Byte | Set-Content output.png -Encoding Byte Get-Content video.zip -Encoding Byte | Add-Content output.png -Encoding Byte

🍎 macOS

cat image.png video.zip > output.png

🐧 Linux

cat image.png video.zip > output.png

What Happens Next?

  • output.png opens normally in image viewers.
  • WinRAR or similar archive tools detect a ZIP archive inside it.
  • You can extract the hidden video from the archive.

Security Warning

Polyglot files can also be used maliciously.

Always:

  • Avoid opening unknown archives
  • Scan extracted files
  • Be cautious with files from untrusted sources

Conclusion

By appending a ZIP archive to a PNG file using system-native terminal commands, you can create a dual-format polyglot file.

This demonstrates how flexible file formats can be — and why understanding them is important for developers and security researchers.