Skip to content

T1027.015 Compression

Adversaries may use compression to obfuscate their payloads or files. Compressed file formats such as ZIP, gzip, 7z, and RAR can compress and archive multiple files together to make it easier and faster to transfer files. In addition to compressing files, adversaries may also compress shellcode directly - for example, in order to store it in a Windows Registry key (i.e., Fileless Storage).4

In order to further evade detection, adversaries may combine multiple ZIP files into one archive. This process of concatenation creates an archive that appears to be a single archive but in fact contains the central directories of the embedded archives. Some ZIP readers, such as 7zip, may not be able to identify concatenated ZIP files and miss the presence of the malicious payload.1

File archives may be sent as one Spearphishing Attachment through email. Adversaries have sent malicious payloads as archived files to encourage the user to interact with and extract the malicious payload onto their system (i.e., Malicious File).2 However, some file compression tools, such as 7zip, can be used to produce self-extracting archives. Adversaries may send self-extracting archives to hide the functionality of their payload and launch it without requiring multiple actions from the user.3

Compression may be used in combination with Encrypted/Encoded File where compressed files are encrypted and password-protected.

Item Value
ID T1027.015
Sub-techniques T1027.001, T1027.002, T1027.003, T1027.004, T1027.005, T1027.006, T1027.007, T1027.008, T1027.009, T1027.010, T1027.011, T1027.012, T1027.013, T1027.014, T1027.015, T1027.016, T1027.017
Tactics TA0005
Platforms Linux, Windows, macOS
Version 1.0
Created 04 March 2025
Last Modified 15 April 2025

Procedure Examples

ID Name Description
S1081 BADHATCH BADHATCH can be compressed with the ApLib algorithm.23
S0673 DarkWatchman DarkWatchman has been delivered as compressed RAR payloads in ZIP files to victims.8
S0695 Donut Donut can generate encrypted, compressed/encoded, or otherwise obfuscated code modules.6
G0047 Gamaredon Group Gamaredon Group has delivered malicious payloads within compressed archives and zip files. 38
S0666 Gelsemium Gelsemium has the ability to compress its components.31
S0499 Hancitor Hancitor has delivered compressed payloads in ZIP files to victims.9
S0697 HermeticWiper HermeticWiper can compress 32-bit and 64-bit driver files with the Lempel-Ziv algorithm.252624
G0126 Higaisa Higaisa used Base64 encoded compressed payloads.3940
S0585 Kerrdown Kerrdown can encrypt, encode, and compress multiple layers of shellcode.29
G0065 Leviathan Leviathan has obfuscated code using gzip compression.42
S1188 Line Runner Line Runner uses a ZIP payload that is automatically extracted with its contents, a LUA script, executed for initial execution via CVE-2024-20359.12
G0103 Mofang Mofang has compressed the ShimRat executable within malicious email attachments.27
G0021 Molerats Molerats has delivered compressed executables within ZIP files to victims.34
S1100 Ninja Ninja has compressed its data with the LZSS algorithm.2030
S0664 Pandora Pandora has the ability to compress stings with QuickLZ.22
S1050 PcShare PcShare has been compressed with LZW algorithm.5
S0517 Pillowmint Pillowmint has been compressed and stored within a registry key.4
S0453 Pony Pony attachments have been delivered via compressed archive files.7
S1228 PUBLOAD PUBLOAD has been delivered as compressed files within ZIP files to victims.1314
S0662 RCSession RCSession can compress and obfuscate its strings to evade detection on a compromised host.28
S0148 RTM RTM has been delivered to targets as various archive files including ZIP, 7-ZIP, and RAR.1110
S1099 Samurai Samurai can deliver its final payload as a compressed, encrypted and base64-encoded blob.20
S0444 ShimRat ShimRat has been delivered as a package that includes compressed DLL and shellcode payloads within a .dat file.27
S1124 SocGholish The SocGholish JavaScript payload has been delivered within a compressed ZIP archive.3233
S1183 StrelaStealer StrelaStealer has been delivered via JScript files in a ZIP archive.1617
S0559 SUNBURST SUNBURST strings were compressed and encoded in Base64.18
G1018 TA2541 TA2541 has used compressed and char-encoded scripts in operations.41
G0027 Threat Group-3390 Threat Group-3390 malware is compressed with LZNT1 compression.373635
S0665 ThreatNeedle ThreatNeedle has been compressed and obfuscated.19
S0466 WindTail WindTail can be delivered as a compressed, encrypted, and encoded payload.15
S0141 Winnti for Windows Winnti for Windows has the ability to encrypt and compress its payload.21

Mitigations

ID Mitigation Description
M1049 Antivirus/Antimalware Anti-virus can be used to automatically detect and quarantine suspicious files. Consider anti-virus products capable of unpacking and inspecting compressed files recursively, as well as analyzing SFX archives.

References

  1. Arthur Vaiselbuh, Peleg Cabra. (2024, November 7). Evasive ZIP Concatenation: Trojan Targets Windows Users. Retrieved March 3, 2025. 

  2. Hada, H. (2021, December 28). Flagpro The new malware used by BlackTech. Retrieved March 25, 2022. 

  3. Ravie Lakshmanan. (2023, April 5). Hackers Using Self-Extracting Archives Exploit for Stealthy Backdoor Attacks. Retrieved March 3, 2025. 

  4. Trustwave SpiderLabs. (2020, June 22). Pillowmint: FIN7’s Monkey Thief . Retrieved July 27, 2020. 

  5. Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022. 

  6. TheWover. (2019, May 9). donut. Retrieved March 25, 2022. 

  7. hasherezade. (2016, April 11). No money, but Pony! From a mail to a trojan horse. Retrieved May 21, 2020. 

  8. Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A new evolution in fileless techniques. Retrieved January 10, 2022. 

  9. Anubhav, A., Jallepalli, D. (2016, September 23). Hancitor (AKA Chanitor) observed using multiple attack approaches. Retrieved August 13, 2020. 

  10. Duncan, B., Harbison, M. (2019, January 23). Russian Language Malspam Pushing Redaman Banking Malware. Retrieved June 16, 2020. 

  11. Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017. 

  12. Cisco Talos. (2024, April 24). ArcaneDoor - New espionage-focused campaign found targeting perimeter network devices. Retrieved January 6, 2025. 

  13. Dex. (n.d.). New Mustang Panda’s campaing against Australia. Retrieved August 4, 2025. 

  14. Robert Falcone. (2025, February 20). Stately Taurus Activity in Southeast Asia Links to Bookworm Malware. Retrieved July 21, 2025. 

  15. Wardle, Patrick. (2019, January 15). Middle East Cyber-Espionage analyzing WindShift’s implant: OSX.WindTail (part 2). Retrieved October 3, 2019. 

  16. Benjamin Chang, Goutam Tripathy, Pranay Kumar Chhaparwal, Anmol Maurya & Vishwa Thothathri, Palo Alto Networks. (2024, March 22). Large-Scale StrelaStealer Campaign in Early 2024. Retrieved December 31, 2024. 

  17. Fortgale. (2023, September 18). StrelaStealer Malware Analysis. Retrieved December 31, 2024. 

  18. MSTIC. (2020, December 18). Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers . Retrieved January 5, 2021. 

  19. Vyacheslav Kopeytsev and Seongsu Park. (2021, February 25). Lazarus targets defense industry with ThreatNeedle. Retrieved October 27, 2021. 

  20. Dedola, G. (2022, June 21). APT ToddyCat. Retrieved January 3, 2024. 

  21. Novetta Threat Research Group. (2015, April 7). Winnti Analysis. Retrieved February 8, 2017. 

  22. Lunghi, D. and Lu, K. (2021, April 9). Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware. Retrieved November 12, 2021. 

  23. Vrabie, V., et al. (2021, March 10). FIN8 Returns with Improved BADHATCH Toolkit. Retrieved September 8, 2021. 

  24. Dani, M. (2022, March 1). Ukrainian Targets Hit by HermeticWiper, New Datawiper Malware. Retrieved March 25, 2022. 

  25. Symantec Threat Hunter Team. (2022, February 24). Ukraine: Disk-wiping Attacks Precede Russian Invasion. Retrieved March 25, 2022. 

  26. Thomas, W. et al. (2022, February 25). CrowdStrike Falcon Protects from New Wiper Malware Used in Ukraine Cyberattacks. Retrieved March 25, 2022. 

  27. Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020. 

  28. Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021. 

  29. Ray, V. and Hayashi, K. (2019, February 1). Tracking OceanLotus’ new Downloader, KerrDown. Retrieved October 1, 2021. 

  30. Dedola, G. et al. (2023, October 12). ToddyCat: Keep calm and check logs. Retrieved January 3, 2024. 

  31. Dupuy, T. and Faou, M. (2021, June). Gelsemium. Retrieved November 30, 2021. 

  32. Red Canary. (2024, March). Red Canary 2024 Threat Detection Report: SocGholish. Retrieved March 22, 2024. 

  33. Secureworks. (n.d.). GOLD PRELUDE . Retrieved March 22, 2024. 

  34. GReAT. (2019, April 10). Gaza Cybergang Group1, operation SneakyPastes. Retrieved May 13, 2020. 

  35. Falcone, R. and Lancaster, T. (2019, May 28). Emissary Panda Attacks Middle East Government Sharepoint Servers. Retrieved July 9, 2019. 

  36. Legezo, D. (2018, June 13). LuckyMouse hits national data center to organize country-level waterholing campaign. Retrieved August 18, 2018. 

  37. Pantazopoulos, N., Henry T. (2018, May 18). Emissary Panda – A potential new malicious tool. Retrieved June 25, 2018. 

  38. Venere, G. (2025, March 28). Gamaredon campaign abuses LNK files to distribute Remcos backdoor. Retrieved July 23, 2025. 

  39. Malwarebytes Threat Intelligence Team. (2020, June 4). New LNK attack tied to Higaisa APT discovered. Retrieved March 2, 2021. 

  40. Singh, S. Singh, A. (2020, June 11). The Return on the Higaisa APT. Retrieved March 2, 2021. 

  41. Ventura, V. (2021, September 16). Operation Layover: How we tracked an attack on the aviation industry to five years of compromise. Retrieved September 15, 2023. 

  42. Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018.