The invention provides a malicious code detection method and device based on HTTP (Hyper Text Transfer Protocol) static compressed data stream. The method comprises the steps of: according to a target binary string corresponding to a malicious mode string, inquiring gzip compressed data stream, acquiring a first appearance position of the target binary string, and carrying out Huffman decoding on the gzip compressed data stream behind the position to obtain first compressed data stream; and triggering sliding of a multimode matching window to push sliding of an LZ77 decompression sliding window on the first compressed data stream, wherein aiming at a long pointer in the first compressed data stream, only boundary matching is carried out, whether an index position positioned in a reference character string to which the pointer points is stored in a temporary stack is judged, and if yes, the index position in a target position where the pointer is positioned is determined and stored in the temporary stack so as to achieve an effect of carrying out jumping multimode matching detection while carrying out LZ77 decomposition, shorten invasion or malicious code detection time and improve an internet surfing experience speed of a user.