| Name | Description |
| --- | --- |
| AppleSeed | AppleSeed can zip and encrypt data collected on a target system. |
| APT1 | APT1 has used RAR to compress files before moving them outside of the victim network. |
| APT28 | APT28 has used a variety of utilities, including WinRAR, to archive collected data with password protection. |
| APT3 | APT3 has used tools to compress data before exfilling it. |
| APT33 | APT33 has used WinRAR to compress data prior to exfil. |
| APT39 | APT39 has used WinRAR and 7-Zip to compress and archive stolen data. |
| APT41 | APT41 created a RAR archive of targeted files for exfiltration. |
| Aquatic Panda | Aquatic Panda has used WinRAR to compress memory dumps prior to exfiltration. |
| BRONZE BUTLER | BRONZE BUTLER has compressed data into password-protected RAR archives prior to exfiltration. |
| Calisto | Calisto uses the `zip -r` command to compress the data collected on the local system. |
| ccf32 | ccf32 has used `xcopy \\<target_host>\c$\users\public\path.7z c:\users\public\bin\<target_host>.7z /H /Y` to archive collected files. |
| certutil | certutil may be used to Base64 encode collected data. |
| Chimera | Chimera has used gzip for Linux OS and a modified RAR software to archive data on Windows hosts. |
| CopyKittens | CopyKittens uses ZPP, a .NET console program, to compress files with ZIP. |
| CORALDECK | CORALDECK has created password-protected RAR, WinImage, and zip archives to be exfiltrated. |
| Crutch | Crutch has used the WinRAR utility to compress and encrypt stolen files. |
| Daserf | Daserf hides collected data in password-protected .rar archives. |
| DustySky | DustySky can compress files via RAR while staging data to be exfiltrated. |
| Earth Lusca | Earth Lusca has used WinRAR to compress stolen files into an archive prior to exfiltration. |
| FIN8 | FIN8 has used RAR to compress collected data before exfiltration. |
| Fox Kitten | Fox Kitten has used 7-Zip to archive data. |
| FunnyDream | During FunnyDream, the threat actors used 7zr.exe to add collected files to an archive. |
| GALLIUM | GALLIUM used WinRAR to compress and encrypt stolen data prior to exfiltration. |
| Gallmaker | Gallmaker has used WinZip, likely to archive data prior to exfiltration. |
| HAFNIUM | HAFNIUM has used 7-Zip and WinRAR to compress stolen files for exfiltration. |
| IceApple | IceApple can encrypt and compress files using Gzip prior to exfiltration. |
| iKitten | iKitten will zip up the /Library/Keychains directory before exfiltrating it. |
| InvisiMole | InvisiMole uses WinRAR to compress data that is intended to be exfiltrated. |
| Ke3chang | Ke3chang is known to use 7Zip and RAR with passwords to encrypt data prior to exfiltration. |
| Kimsuky | Kimsuky has used QuickZip to archive stolen files before exfiltration. |
| Magic Hound | Magic Hound has used gzip to archive dumped LSASS process memory and RAR to stage and compress local folders. |
| menuPass | menuPass has compressed files before exfiltration using TAR and RAR. |
| Micropsia | Micropsia creates a RAR archive based on collected files on the victim’s machine. |
| MuddyWater | MuddyWater has used the native Windows cabinet creation tool, makecab.exe, likely to compress stolen data to be uploaded. |
| Mustang Panda | Mustang Panda has used RAR to create password-protected archives of collected documents prior to exfiltration. |
| Octopus | Octopus has compressed data before exfiltrating it using a tool called Abbrevia. |
| Okrum | Okrum was seen using a RAR archiver tool to compress/decompress data. |
| OopsIE | OopsIE compresses collected files with GZipStream before sending them to its C2 server. |
| Operation CuckooBees | During Operation CuckooBees, the threat actors used the Makecab utility to compress and a version of WinRAR to create password-protected archives of stolen data prior to exfiltration. |
| Operation Dream Job | During Operation Dream Job, Lazarus Group archived victim’s data into a RAR file. |
| Operation Honeybee | During Operation Honeybee, the threat actors used zip to pack collected files before exfiltration. |
| Operation Wocao | During Operation Wocao, threat actors archived collected files with WinRAR prior to exfiltration. |
| PoetRAT | PoetRAT has the ability to compress files with zip. |
| PoshC2 | PoshC2 contains a module for compressing data using ZIP. |
| PowerShower | PowerShower has used 7Zip to compress .txt, .pdf, .xls or .doc files prior to exfiltration. |
| PUNCHBUGGY | PUNCHBUGGY has Gzipped information and saved it to a random temp file before exfil. |
| Pupy | Pupy can compress data with Zip before sending it over C2. |
| Ramsay | Ramsay can compress and archive collected files using WinRAR. |
| Rclone | Rclone can compress files using gzip prior to exfiltration. |
| SolarWinds Compromise | During the SolarWinds Compromise, APT29 used 7-Zip to compress stolen emails into password-protected archives prior to exfiltration; APT29 also compressed text files into zipped archives. |
| Sowbug | Sowbug extracted documents and bundled them into a RAR archive. |
| Turian | Turian can use WinRAR to create a password-protected archive for files of interest. |
| Turla | Turla has encrypted files stolen from connected USB drives into a RAR file before exfiltration. |
| WindTail | WindTail has the ability to use the macOS built-in zip utility to archive files. |