Double-extortion ransomware, in which adversaries both encrypt systems and threaten to publish stolen data, is the dominant ransomware model. Every double-extortion attack stages data before exfiltrating it, and that staging almost always involves T1560. WinRAR and 7-Zip are the standard tools. WinRAR's -hp switch encrypts both file contents and filenames; 7-Zip's -p switch encrypts contents only, and the archive header (including filenames) is encrypted only when -mhe=on is added. Either way, DLP systems that inspect archive contents are defeated. Cynet documented Akira ransomware using WinRAR to stage data with no encryption deployed at all; the exfiltration was the attack. The Picus Blue Report 2025 found that data exfiltration prevention effectiveness dropped to just 3%, the weakest detection area for the third consecutive year. T1560 has three sub-techniques: Archive via Utility (T1560.001), Archive via Library (T1560.002), and Archive via Custom Method (T1560.003).
T1560 falls under the Collection tactic (TA0009). The technique covers any scenario in which an adversary compresses, encrypts, or otherwise packages collected data prior to exfiltration. This pre-exfiltration processing serves multiple purposes: reducing the volume of data that must be transferred (critical when exfiltrating gigabytes through bandwidth-limited C2 channels), obfuscating file contents to bypass data loss prevention (DLP) systems and network inspection tools, and consolidating scattered files into a single portable package. The technique spans Windows, Linux, and macOS platforms.
MITRE ATT&CK v18 documents over 80 threat groups and malware families using T1560, making it one of the most widely adopted Collection techniques. The MITRE detection strategy DET0526 (published October 2025) specifically targets T1560 by correlating execution of compression utilities with subsequent creation of large compressed or encrypted files in staging directories.
The Three Sub-Techniques
T1560.001 — Archive via Utility
Adversaries use third-party or built-in utilities to compress and encrypt collected data. This is by far the most common sub-technique. On Windows, the dominant tools are WinRAR (rar.exe or WinRAR.exe), 7-Zip (7z.exe or 7zG.exe), and WinZip. Built-in Windows utilities include makecab.exe (diantz.exe is a functionally identical binary) for creating cabinet files, tar.exe (bundled since Windows 10 version 1803), compact.exe for NTFS compression, and certutil.exe for Base64 encoding. PowerShell provides Compress-Archive for creating ZIP files natively. On Linux and macOS, tar, gzip, bzip2, zip, and openssl are commonly used. macOS adds ditto and hdiutil for disk image creation.
Ransomware operators typically download portable versions of WinRAR or 7-Zip to compromised systems specifically for data staging. Huntress documented a 7-Zip command used in a ransomware incident: 7zG.exe a -i#7zMap... -ad -saa -- "\\[target]\Data\Data", followed by exfiltration to GoFile cloud storage. In another incident, WinRAR was used with an extensive list of target folders, followed immediately by WinSCP for exfiltration. Volt Typhoon stages collected data with 7-Zip and WinRAR as part of its living-off-the-land methodology targeting US critical infrastructure. Threat actors commonly use WinRAR's -hp switch (which encrypts both contents and filenames) and -m5 (maximum compression) to create password-protected archives that resist inspection; the 7-Zip equivalents are -p for the password and -mhe=on to encrypt the header.
T1560.002 — Archive via Library
Adversaries use programming libraries to compress or encrypt data directly within their malware, avoiding the need to spawn external processes. Common libraries include Python's standard zipfile and tarfile modules (and the third-party rarfile package); C/C++ libraries such as libzip and zlib; and .NET's System.IO.Compression namespace. The advantage of library-based archiving is stealth: no child process is spawned (avoiding process creation monitoring), no third-party utility needs to be downloaded (avoiding tool transfer detection), and the compression happens entirely within the malware's own process space.
APT41's DUSTTRAP framework uses embedded compression within its plugin architecture, with AES-128-CFB encryption keyed to the victim machine's GUID. Turla's Epic implant uses library-based compression to package collected data before exfiltration. The NOBELIUM/APT29 FoggyWeb backdoor compresses stolen Active Directory token-signing certificates and configuration data using .NET compression libraries before exfiltration. InvisiMole, active since 2013 and linked to the Gamaredon Group, uses library-based compression for its data collection modules. The key detection challenge is that library-based archiving produces file write events but no process creation events, requiring file monitoring rather than process monitoring for detection.
T1560.003 — Archive via Custom Method
Adversaries use custom compression or encryption algorithms implemented directly in their malware code, without relying on external utilities or standard libraries. Common approaches include XOR encryption with rotating keys, custom stream ciphers, bespoke implementations of standard compression algorithms, and multi-layer encoding (compression plus Base64 plus XOR). The FSB's Snake malware and the Sednit/APT28 group's Zebrocy implant both used custom archival methods for their collected data. The Agent.BTZ worm (predecessor to Snake) used custom compression to package stolen data from air-gapped US military networks in 2008.
Custom methods are harder to detect because they produce files with non-standard formats that may not match known archive signatures. However, they also represent a potential weakness: custom implementations often contain cryptographic flaws (hardcoded keys, weak XOR schemes, predictable key generation) that can be exploited by analysts who obtain the malware sample. The FLEXIROOT backdoor uses AES encryption and Base64 encoding to transfer collected data to its C2 server, representing a hybrid approach that combines standard algorithms with custom implementation.
How Adversaries Stage and Archive Data
The Ransomware Exfiltration Pipeline
Double-extortion ransomware groups follow a remarkably consistent data staging workflow. First, the attacker identifies valuable files through keyword searches targeting terms related to financial documents, accounting records, NDAs, confidential information, credentials, and intellectual property. Mandiant has documented this pattern across hundreds of ransomware incidents. Second, the identified files are collected into a staging directory — commonly C:\ProgramData, C:\Temp, C:\Users\Public, or a created directory on a network share. Third, the staged files are compressed and often password-protected using WinRAR or 7-Zip. Fourth, the archived data is exfiltrated using Rclone (to Mega, Amazon S3, or Google Cloud), MEGAsync, FileZilla, WinSCP, or cloud storage services like GoFile.
Cynet's 2025 ECHO report documented an Akira ransomware attack against a real estate company in which the group deployed WinRAR for data staging but never deployed encryption at all; the data theft was the entire attack. This shift toward exfiltration-only extortion makes T1560 detection even more critical, because archiving may be the last detectable step before data leaves the network. The INC ransomware group ran the same staging pipeline with a different transport, using the Restic backup utility to push staged data to cloud storage before deploying encryption. Attackers commonly rename exfiltration tools to evade detection, disguising Rclone as svchost.exe for example, but the archiving step typically uses standard tool names because the archiver itself is legitimate software. Renaming defeats detections keyed on the image path alone, which is why process-creation detections should also consult the PE OriginalFileName field that Sysmon records.
Espionage Data Collection
Nation-state actors use T1560 for sustained, low-volume data collection rather than the bulk exfiltration of ransomware. Volt Typhoon stages data with 7-Zip and WinRAR using common user-level commands, maintaining its living-off-the-land profile by using tools that administrators also use. The group is careful to clean up after itself, removing event logs, application log files, and downloaded tools after staging. APT41 has used WinRAR for data collection across its campaigns against governments, shipping, logistics, and technology sectors. Operation Cloud Hopper (APT10) used WinRAR to archive collected data from managed service providers before exfiltrating it through the MSP's own infrastructure to reach downstream victims.
The Billbug (Lotus Blossom) group, documented targeting certificate authorities and government agencies across Asia, uses rar.exe with password protection to archive collected intelligence before exfiltration. Turla's toolset includes both utility-based and custom archiving capabilities across its various malware families (Carbon, Gazer, Kazuar). The Kimsuky group (North Korea) deployed the Troll Stealer with data archiving capabilities, signed with a valid Korean company certificate to evade detection. North Korean IT workers embedded in Western companies have used archiving tools to stage and exfiltrate proprietary source code and internal documentation.
Built-In Windows Tools for Living-Off-the-Land Archiving
Adversaries who want to avoid downloading third-party tools can use Windows built-in capabilities. makecab.exe (or diantz.exe) creates cabinet (.cab) files and can also download and compress files from remote locations, making it useful for both data staging and remote data collection. PowerShell's Compress-Archive cmdlet creates ZIP files without requiring any external tools. certutil.exe -encode performs Base64 encoding of files, making binary data safe for exfiltration through text-based channels. The native Windows tar.exe (available since Windows 10 version 1803) supports gzip compression. These living-off-the-land approaches are harder to detect because the tools are legitimate system binaries that may be used by administrators for normal operations.
Why Data Archiving Matters
Data archiving is often the final observable activity before exfiltration begins. If an organization misses the archiving step, the next opportunity for detection is the exfiltration itself — which may use encrypted channels, legitimate cloud services, or renamed tools that blend with normal traffic. With exfiltration prevention at just 3% effectiveness (Picus Blue Report 2025), detecting the archiving stage represents a critical last line of defense against data theft.
DLP systems are defeated by password-protected archives. Data loss prevention tools that inspect file contents for sensitive patterns (credit card numbers, Social Security numbers, classified markings) cannot read the contents of password-protected RAR or 7-Zip archives. WinRAR's -hp switch and 7-Zip's -mhe=on switch encrypt the archive headers as well, so even the names of the files being exfiltrated are invisible to inspection. Standard ZIP encryption, by contrast, leaves entry names readable: a password-protected ZIP still reveals what was taken, but nothing of its contents. Either way, content-based DLP is effectively blind to the exfiltration; what remains observable is the fact that an encrypted archive exists and is leaving the network.
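The following is an added example, not code from the original article or from any DLP vendor. It parses just enough ZIP and RAR5 header structure to answer the two questions raised above and in the T1560.001 discussion of the -hp, -p and -mhe=on switches: are the entry contents encrypted, and are the entry names still readable? The sample archives are constructed in memory (the RAR5 samples are header stubs, not full archives), and the 7z case is deliberately reported as unknown because distinguishing -p from -mhe=on requires parsing the end header's coder list.

```python
"""Archive-header triage: what can a content inspector still read?

Added example, not from the original article or any vendor product. It parses
just enough ZIP and RAR5 structure to answer the two questions that matter for
DLP: are entry contents encrypted, and are entry names still readable?
The sample archives are constructed in memory; nothing is read from disk.
"""
import io
import struct
import zipfile
import zlib

RAR5_SIGNATURE = b"Rar!\x1a\x07\x01\x00"
SEVENZIP_SIGNATURE = b"7z\xbc\xaf\x27\x1c"
RAR5_MAIN_HEADER = 1
RAR5_ENCRYPTION_HEADER = 4  # written only when `rar -hp` encrypted the headers


def _read_vint(buf, pos):
    """RAR5 variable-length integer: 7 payload bits per byte, high bit means 'more'."""
    value, shift = 0, 0
    while True:
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        shift += 7
        if not byte & 0x80:
            return value, pos


def inspect_archive(data):
    """Describe what an inspector can read from the raw bytes of an archive."""
    if data[:4] in (b"PK\x03\x04", b"PK\x05\x06"):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            entries = [(zi.filename, bool(zi.flag_bits & 0x1)) for zi in zf.infolist()]
        # ZIP never encrypts its central directory: names leak even with `7z -p` or `zip -e`.
        return {"format": "zip", "filenames_visible": True, "entries": entries,
                "contents_encrypted": bool(entries) and all(enc for _, enc in entries)}
    if data.startswith(RAR5_SIGNATURE):
        size_pos = len(RAR5_SIGNATURE) + 4  # a 4-byte CRC32 precedes the header-size vint
        stored_crc = struct.unpack_from("<I", data, len(RAR5_SIGNATURE))[0]
        header_size, body_pos = _read_vint(data, size_pos)
        block = data[size_pos:body_pos + header_size]  # CRC covers size field through header end
        if len(block) != body_pos + header_size - size_pos or zlib.crc32(block) != stored_crc:
            raise ValueError("truncated or corrupt RAR5 header")
        header_type, _ = _read_vint(data, body_pos)
        encrypted = header_type == RAR5_ENCRYPTION_HEADER
        # Without -hp the names are readable. Per-file `-p` encryption lives in each file
        # header's extra area, which this triage does not walk, hence None below.
        return {"format": "rar5", "filenames_visible": not encrypted, "entries": [],
                "contents_encrypted": True if encrypted else None}
    if data.startswith(SEVENZIP_SIGNATURE):
        # 7z: `-p` alone leaves names readable, `-mhe=on` encrypts the header too. Telling
        # them apart needs the end header's coder list (AES id 06F10701); reported as unknown.
        return {"format": "7z", "filenames_visible": None, "entries": [], "contents_encrypted": None}
    raise ValueError("not a ZIP, RAR5 or 7z archive")


def build_zip(names, simulate_password=False):
    """Constructed sample ZIP. With simulate_password, bit 0 of each entry's general-purpose
    flag is set, as a password-protected ZIP has; the data is left in the clear because
    only the flag matters for what the inspector can see."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name in names:
            zf.writestr(name, b"constructed sample content for " + name.encode())
    data = bytearray(buf.getvalue())
    if simulate_password:
        for sig, flag_off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):  # local / central headers
            pos = data.find(sig)
            while pos != -1:
                data[pos + flag_off] |= 0x01
                pos = data.find(sig, pos + 4)
    return bytes(data)


def build_rar5_stub(headers_encrypted):
    """Constructed RAR5 prefix: signature plus one header block with a valid CRC32.
    The encrypted variant mimics the archive encryption header that `rar -hp` writes."""
    if headers_encrypted:
        # type, header flags, encryption version, encryption flags, KDF count, 16-byte salt
        body = bytes([RAR5_ENCRYPTION_HEADER, 0, 0, 0, 15]) + bytes(16)
    else:
        body = bytes([RAR5_MAIN_HEADER, 0, 0])  # type, header flags, archive flags
    size = bytes([len(body)])  # fits a one-byte vint
    return RAR5_SIGNATURE + struct.pack("<I", zlib.crc32(size + body)) + size + body


if __name__ == "__main__":
    for label, blob in (("zip, no password", build_zip(["Q3-payroll.xlsx"])),
                        ("zip, password", build_zip(["Q3-payroll.xlsx"], simulate_password=True)),
                        ("rar -hp", build_rar5_stub(True)),
                        ("rar, plain headers", build_rar5_stub(False))):
        print(f"{label:20} -> {inspect_archive(blob)}")
```

The design point is that the inspector never needs the password: a RAR5 stream whose first block is an archive encryption header, or a ZIP whose entries carry the encryption flag, is already a positive signal that an encrypted archive is in transit, which is what a DLP policy on "encrypted archives leaving the network" should key on.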
Compression reduces exfiltration time and visibility. Compressing data before exfiltration reduces the volume of outbound data transfer, which may help the exfiltration fall below volumetric anomaly detection thresholds. A 10 GB collection of documents might compress to 2-3 GB, moving the exfiltration from an obviously anomalous data transfer to something that blends more easily with normal outbound traffic patterns. Ratios vary with content: modern Office formats (.docx, .xlsx) are already ZIP-compressed and gain little, while database exports, logs and source code compress heavily.
Archiving consolidates scattered data. Sensitive data is rarely stored in a single location. An adversary targeting financial records might need to collect files from multiple network shares, user directories, database exports, and email archives. Archiving consolidates these scattered sources into a single portable file that can be exfiltrated in one operation rather than requiring hundreds or thousands of individual file transfers that would generate more detection opportunities.
Exfiltration-only attacks make T1560 the critical detection point. Cynet's 2025 reporting documents a trend toward ransomware groups performing data theft without deploying encryption. In these attacks, there is no ransomware binary to detect, no mass file encryption event to trigger alerts, and no ransom note. The archiving and exfiltration are the entire attack. Organizations that cannot detect T1560 activity will have no warning before their data appears on a leak site.
Real-World Case Studies
Case 1: Akira Ransomware — Exfiltration-Only Attack (2025)
Cynet's CyOps team investigated an Akira ransomware incident targeting a real estate development company where the attackers used WinRAR to package and compress data for exfiltration but never deployed any encryption payload. The threat actor gained access via RDP, deployed WinRAR, staged data into compressed archives, and exfiltrated the data — completing the entire extortion operation without triggering traditional ransomware detection mechanisms. This represents the evolution of ransomware toward pure data theft: the leverage is identical (pay us or your data goes public), but the attack bypasses every encryption-focused detection. Akira has accumulated approximately $244 million in ransomware proceeds through September 2025, with data exfiltration occurring in the majority of their operations.
Case 2: Volt Typhoon — Living-Off-the-Land Data Staging
The Chinese state-sponsored group Volt Typhoon (Bronze Silhouette) uses 7-Zip and WinRAR to stage collected data from US critical infrastructure networks including energy, water, transportation, and communications sectors. The group's approach is distinctive for its living-off-the-land methodology: data is collected using common user-level commands, staged with standard archiving tools, and exfiltrated through existing network pathways. After staging, Volt Typhoon carefully removes Windows Event Logs, application logs, and the archiving tools themselves. The group has maintained persistent access to compromised infrastructure for over five years, with CISA, NSA, and FBI issuing joint advisories warning that the group is pre-positioning for potential disruption of critical services during a geopolitical crisis.
Case 3: INC Ransomware — Restic Cloud Staging (2026)
In February 2026, Huntress SOC analysts responded to an INC ransomware deployment where the threat actor used the Restic backup utility to stage and exfiltrate data to cloud storage before deploying encryption. Restic, designed as a legitimate open-source backup tool, supports Amazon S3, Microsoft Azure, Google Cloud Storage, and SFTP backends — making it an ideal exfiltration tool. The attacker first disabled security tooling using HRSword (targeting Acronis services specifically), then staged data with Restic, and finally deployed INC ransomware. This case illustrates the trend toward using legitimate backup utilities for data staging, which may not trigger the same alerts as known archiving tools like WinRAR.
Case 4: Qilin Ransomware — s5cmd Cloud Exfiltration (2025)
Huntress documented a Qilin ransomware attack where the threat actor used s5cmd, an open-source high-performance tool designed for interacting with S3-compatible object storage, to exfiltrate data after staging it with standard archiving tools. The use of s5cmd demonstrates that threat actors continuously adopt new freely available tools for data staging and exfiltration. Combined with WinRAR for initial data archiving, the s5cmd tool provided high-speed parallel transfer capabilities that could move large datasets to attacker-controlled cloud storage rapidly. Qilin emerged as the most active ransomware group in 2025 with up to 1,034 attributed victims, including the attack on NHS blood testing provider Synnovis.
Case 5: APT41 — Multi-Tool Data Collection (2024)
APT41 (Brass Typhoon) has been documented using WinRAR across its espionage campaigns targeting governments, global shipping and logistics, media, entertainment, technology, and automotive sectors. In the DUSTTRAP campaign documented by Google/Mandiant in July 2024, APT41 used a multi-stage plugin framework with embedded compression capabilities — the DUSTTRAP loader AES-128-CFB encrypted payloads keyed to the victim machine's GUID, and the framework's data collection plugins used library-based compression to package stolen data. This represents the sophisticated end of T1560: custom archiving embedded within a modular espionage platform, where data collection, compression, encryption, and exfiltration are all handled within the malware's own code without spawning external processes.
Detection Strategies
MITRE published detection strategy DET0526 in October 2025 specifically for T1560. It correlates execution of compression utilities (makecab.exe, rar.exe, 7z.exe, Compress-Archive) with subsequent creation of large compressed or encrypted files. It identifies abnormal process lineage, command-line arguments invoking compression switches, and file write operations to staging directories. On Linux, it targets tar, gzip, bzip2, and openssl in non-administrative contexts. On macOS, it monitors zip, ditto, and hdiutil for staging behavior.
| Data Source | Component | Detection Focus |
|---|---|---|
| Command | Command Execution | Command lines that pair the archive add command (a) with password or compression switches (WinRAR -hp, -p, -m5; 7-Zip -p, -mhe=on), or that target sensitive directories or UNC shares |
| File | File Creation | Creation of .rar, .7z, .zip, .cab, .tar.gz files in staging directories (C:\ProgramData, C:\Temp, C:\Users\Public) |
| Process | Process Creation | Execution of rar.exe, 7z.exe, WinRAR.exe, makecab.exe, or Compress-Archive by non-administrative users or unusual parent processes |
| File | File Modification | Archive files growing past a size threshold (>100 MB), especially during non-business hours; this needs a source that records file size (EDR or FIM), since Sysmon Event ID 11 does not |
| Script | Script Execution | PowerShell Compress-Archive, System.IO.Compression calls, or Python zipfile/tarfile usage in suspicious contexts |
| Network Traffic | Network Connection Creation | Archive creation followed by outbound connections to cloud storage (Mega, GoFile, S3) or Rclone/FileZilla execution |
Splunk / SIEM Detection Queries
Archive Utility Execution with Suspicious Arguments — Detect WinRAR, 7-Zip, and makecab being used with password protection or targeting sensitive directories. The -p check requires a character after the switch because operators pass the password inline (-pSecret); a bare -p would only prompt. Backslashes are doubled once for SPL string escaping, so [\\\\]{2} matches the two leading backslashes of a UNC path:
index=sysmon EventCode=1
| where match(Image, "(?i)(rar|winrar|7z|7zG|7za|makecab|diantz)\.exe$")
    OR (match(Image, "(?i)powershell\.exe$") AND match(CommandLine, "(?i)compress-archive"))
| eval is_suspicious=if(match(CommandLine, "(?i)(-hp|-p\S|-mhe=on|password|-m5|-dh|-scul|ProgramData|[\\\\]{2}|Users\\\\Public|Temp\\\\)"), "yes", "no")
| where is_suspicious="yes"
| stats count values(CommandLine) as commands values(User) as users by ComputerName Image
| sort - count
Large Archive File Creation in Staging Directories — Identify archive files appearing in common staging locations. Sysmon Event ID 11 records the path and the creating process but not the file size, so the 100 MB threshold from the table above needs an EDR or FIM source that reports size; this query instead flags hosts that produce several archives in staging directories, regardless of which process wrote them (which also catches library-based archiving that spawns no archiver):
index=sysmon EventCode=11
| where match(TargetFilename, "(?i)\.(rar|7z|zip|cab|tar|gz|bz2)$")
    AND match(TargetFilename, "(?i)(ProgramData|\\\\Temp\\\\|Users\\\\Public|AppData\\\\Local\\\\Temp)")
| stats count values(TargetFilename) as files values(Image) as creating_process by ComputerName
| where count > 2
| sort - count
Archive Creation Followed by Exfiltration Tool Execution — Correlate data staging with subsequent exfiltration activity within a time window. Tools are matched on both the image name and the PE OriginalFileName that Sysmon records, so an Rclone binary renamed to svchost.exe is still classified as an exfiltration tool. Note that bin _time uses fixed two-hour buckets, so a pair that straddles a bucket boundary is missed; a transaction or streamstats approach avoids that at higher cost:
index=sysmon EventCode=1
| eval image_name=lower(replace(Image, "^.*\\\\", "")), orig_name=lower(OriginalFileName)
| eval activity_type=case(
    match(image_name, "^(rar|winrar|7z|7zg|7za|makecab|diantz)\.exe$") OR match(orig_name, "^(rar|winrar|7z|7zg|7za|makecab|diantz)\.exe$"), "archive",
    match(image_name, "^(rclone|megasync|filezilla|winscp|fzsftp|restic|s5cmd|curl)\.exe$") OR match(orig_name, "^(rclone|megasync|filezilla|winscp|fzsftp|restic|s5cmd|curl)\.exe$"), "exfiltration")
| where isnotnull(activity_type)
| bin _time span=2h
| stats dc(activity_type) as distinct_activities values(image_name) as images values(orig_name) as original_names values(activity_type) as types by ComputerName _time
| where distinct_activities=2
| sort - _time
Linux/macOS Archive Staging Detection — Identify compression utilities running in non-administrative contexts targeting sensitive paths. The process, cmdline and user fields assume a source that already extracts them (auditd EXECVE records or an EDR agent); plain syslog rarely carries command lines. The process match is anchored so that unrelated binaries whose names merely contain tar or zip are excluded:
index=linux sourcetype=syslog
| where match(process, "(?i)^(tar|gzip|bzip2|zip|openssl|ditto|hdiutil)$")
    AND match(cmdline, "(?i)(/etc/|/home/|/var/|/opt/|/srv/|\.pem|\.key|\.conf|\.sql|\.csv)")
    AND NOT match(user, "^(root|backup|cron)$")
| stats count values(cmdline) as commands by host user process
| where count > 3
| sort - count
Known Threat Actors
Nation-State Espionage Groups
| Threat Actor | Archiving Method | Notable Detail |
|---|---|---|
| Volt Typhoon | 7-Zip, WinRAR | Living-off-the-land staging from US critical infrastructure; cleans up after archiving |
| APT41 / Brass Typhoon | WinRAR + DUSTTRAP embedded compression | Multi-tool approach: utility-based for bulk, library-based in plugin framework |
| APT29 / Cozy Bear | WinRAR, .NET compression (FoggyWeb) | Archived AD token-signing certificates; StellarParticle campaign data staging |
| APT28 / Sednit | Custom compression (Zebrocy), RAR | Custom archival in Zebrocy implant; utility-based in broader operations |
| Turla / FSB | Custom (Snake), library-based (Epic), WinRAR | Custom fragmented archiving in Snake; library-based compression in Epic, Carbon and Gazer |
| APT10 / Cloud Hopper | WinRAR with password protection | Archived collected data from MSP environments before exfiltration through MSP infrastructure |
| Kimsuky | RAR, custom (Troll Stealer) | Valid Korean company certificate used to sign archiving malware |
| Billbug / Lotus Blossom | rar.exe with password flag | Targeted certificate authorities and government agencies across Asia |
| Lazarus Group | RAR, custom methods | Operation In(ter)ception, Contagious Interview campaign data staging |
Ransomware and Cybercrime
| Threat Actor | Archiving Method | Notable Detail |
|---|---|---|
| Akira | WinRAR | Exfiltration-only attacks without encryption; ~$244M proceeds (Sept 2025) |
| Qilin | WinRAR + s5cmd | Most active group in 2025 (1,034 victims); NHS Synnovis attack |
| INC Ransomware | Restic backup utility | Legitimate backup tool for cloud-based data staging (Feb 2026) |
| BlackCat / ALPHV | WinRAR, 7-Zip, Restic | Change Healthcare breach; 100M individuals affected; exit scam after $22M payment |
| Black Basta | WinRAR, 7-Zip | Keyword searches for financial docs, NDAs, and credentials before archiving |
| LockBit | WinRAR + Rclone | Cobalt Strike C2 with Rclone bulk exfiltration of archived data |
| Clop | Custom staging | MOVEit campaign: ~2,000 orgs, 17M individuals; data-only extortion without encryption |
| FIN6 | Custom (FrameworkPOS) | Custom point-of-sale data compression and encryption before exfiltration |
Defensive Recommendations
1. Monitor Archive Utility Execution
Implement Sysmon or EDR monitoring for process creation events involving rar.exe, WinRAR.exe, 7z.exe, 7zG.exe, makecab.exe, diantz.exe, and the PowerShell Compress-Archive cmdlet. Match on the PE OriginalFileName as well as the image path so renamed copies are not missed. Alert on executions by non-administrative users, from unusual parent processes (e.g., cmd.exe spawned by wmiprvse.exe), or with command-line arguments containing password switches (WinRAR -hp or -p, 7-Zip -p or -mhe=on), maximum compression (-m5 or -mx9), or targeting network shares and sensitive directories.
2. Detect Large Archive File Creation
Monitor file creation events (Sysmon Event ID 11) for archive file extensions (.rar, .7z, .zip, .cab, .tar.gz) being created in common staging directories: C:\ProgramData, C:\Temp, C:\Users\Public, %LOCALAPPDATA%\Temp, and user Downloads folders. Alert on archives exceeding a size threshold (100 MB or an organization-specific baseline) or on rapid sequential creation of multiple archives. The size check needs a telemetry source that reports file size (EDR or FIM), since Sysmon Event ID 11 records only the path and the creating process.
3. Correlate Archiving with Exfiltration
Build SIEM correlation rules that link archive creation events with subsequent outbound data transfers. Specifically, alert when archive utility execution is followed within a configurable time window (1-4 hours) by execution of known exfiltration tools (Rclone, MEGAsync, FileZilla, WinSCP, restic, s5cmd, curl) or by anomalous outbound data volumes to cloud storage endpoints.
4. Restrict Archive Tool Installation
Use application control policies (WDAC, AppLocker) to restrict installation and execution of portable versions of WinRAR and 7-Zip. While these tools may be needed by administrators, their execution from non-standard paths (a user's Downloads folder, C:\Temp, C:\ProgramData) or by non-privileged accounts should be treated as suspicious. Consider deploying enterprise-managed versions with centralized logging rather than allowing portable executables.
5. Monitor Living-Off-the-Land Archiving
Track execution of built-in Windows archiving capabilities: makecab.exe, tar.exe, certutil.exe -encode, and PowerShell Compress-Archive. These are harder to block (they are legitimate system tools) but should generate alerts when used in suspicious contexts — targeting network shares, creating archives in staging directories, or executed by processes associated with remote access (RDP sessions, PsExec, WMI).
6. Implement File Integrity Monitoring on Staging Directories
Deploy file integrity monitoring (FIM) on common staging directories. Alert on the creation of new archive files, especially during non-business hours. Monitor for rapid accumulation of data in these directories, which may indicate an adversary collecting and staging files before the archiving step.
7. DLP with Archive Inspection
Deploy DLP solutions capable of inspecting archive contents (not just file names) and blocking the transfer of password-protected archives through monitored channels. Even where contents cannot be read, archive headers reveal that encryption is in use (ZIP sets a per-entry flag; RAR5 writes an archive encryption header), so an encrypted archive leaving the network is itself a detectable condition. While this cannot prevent exfiltration through encrypted C2 channels, it can detect staging attempts through email, web uploads, and cloud storage synchronization. Consider policies that flag or block the creation of password-protected archives by non-privileged users.
8. Endpoint Behavioral Analytics
Deploy behavioral analytics that detect the pattern of data collection followed by archiving. This includes monitoring for bulk file access across multiple directories (file discovery and collection), followed by archive creation, followed by outbound network connections. Each step individually may be benign; the sequence within a short time window is the indicator of compromise.
MITRE ATT&CK Mapping
| Field | Value |
|---|---|
| Technique ID | T1560 |
| Name | Archive Collected Data |
| Tactic | Collection (TA0009) |
| Sub-Techniques | T1560.001 Archive via Utility, T1560.002 Archive via Library, T1560.003 Archive via Custom Method |
| Platforms | Linux, Windows, macOS |
| Version | 1.0 (Last Modified October 2025) |
| Detection Strategy | DET0526 (Published October 2025) |
| Data Sources | Command Execution, File Creation, File Modification, Process Creation, Script Execution |
| Related Techniques | T1567 Exfiltration Over Web Service, T1041 Exfiltration Over C2 Channel, T1074 Data Staged, T1005 Data from Local System, T1039 Data from Network Shared Drive |
Sources and References
This article draws on government advisories, vendor research, and incident response reports. All referenced sources are publicly available.
- Huntress — Exposing Data Exfiltration: Detecting LOLBins, TTPs, and Ransomware Tactics (August 2025): huntress.com
- Huntress — Data Exfiltration and Threat Actor Infrastructure Exposed (March 2026): huntress.com
- Cynet — ECHO Findings: Data Exfiltration and the Quiet Evolution of Ransomware (2025): cynet.com
- Mandiant/Google — Ransomware Rebounds: Extortion Threat Surges in 2023 (June 2024): cloud.google.com
- Google Threat Intelligence — APT41 Has Arisen From the DUST (July 2024): cloud.google.com
- Picus Security — Blue Report 2025: Prevention and Detection Effectiveness: picussecurity.com
- Vectra AI — Double Extortion Ransomware: Detect It Before Data Is Lost (2026): vectra.ai
- Morphisec — Ransomware Evolution and Data Exfiltration (August 2025): morphisec.com
- Symantec/Broadcom — Data Exfiltration: Increasing Number of Tools Leveraged by Ransomware Attackers: security.com
- Critical Start — Volt Typhoon: Hiding in Plain Sight: criticalstart.com
- MITRE ATT&CK — T1560 Archive Collected Data and DET0526 Detection Strategy (v18, October 2025): attack.mitre.org
- Rapid7 — Ransomware Trends 2025: Tactics, Data, and Key Threat Insights: rapid7.com