T1560.001: T1560.001

Search IOCs, vulnerabilities, APT…

216.73.217.22

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 16/12/2025 19:37 · Modified 15/04/2026 13:26

Essential information

MITRE technique ID: T1560.001
Confidence: 100/100
Revoked: No
Published: 16/12/2025 19:37
Modified: 15/04/2026 13:26
Author / Source: The MITRE Corporation

Aliases

Archive via Utility

Platforms

windows macos linux

Description

Adversaries may use utilities to compress and/or encrypt collected data prior to exfiltration. Many utilities include functionalities to compress, encrypt, or otherwise package data into a format that is easier/more secure to transport. Adversaries may abuse various utilities to compress or encrypt data before exfiltration. Some third party utilities may be preinstalled, such as `tar` on Linux and macOS or `zip` on Windows systems. On Windows, `diantz` or ` makecab` may be used to package collected files into a cabinet (.cab) file. `diantz` may also be used to download and compress files from remote locations (i.e. [Remote Data Staging](https://attack.mitre.org/techniques/T1074/002)).(Citation: diantz.exe_lolbas) `xcopy` on Windows can copy files and directories with a variety of options. Additionally, adversaries may use [certutil](https://attack.mitre.org/software/S0160) to Base64 encode collected data before exfiltration. Adversaries may use also third party utilities, such as 7-Zip, WinRAR, and WinZip, to perform similar activities.(Citation: 7zip Homepage)(Citation: WinRAR Homepage)(Citation: WinZip Homepage)

Kill chain phases

Kill chain	Phase
mitre-attack	collection

Marking (TLP)

External references

WinZip Homepage
7zip Homepage
WinRAR Homepage
mitre-attack (T1560.001)
Wikipedia File Header Signatures
diantz.exe_lolbas

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (62)

Turla uses IRON HUNTERGroup 88

The MITRE Corporation Confidence 100

[Turla](https://attack.mitre.org/groups/G0010) is a cyber espionage threat group that has been attributed to Russia's Federal Security Service (FSB). They have compromised victims in over 50 countries since at least…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Agrius uses Pink SandstormAMERICIUM

The MITRE Corporation Confidence 100

[Agrius](https://attack.mitre.org/groups/G1030) is an Iranian threat actor active since 2020 notable for a series of ransomware and wiper operations in the Middle East, with an emphasis on Israeli targets.(Citation:…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Void Manticore uses COBALT MYSTIQUEHandala Hack

AlienVault Confidence 100

[VOID MANTICORE](https://attack.mitre.org/groups/G1055) is a threat group assessed to operate on behalf of Iran’s Ministry of Intelligence and Security (MOIS).(Citation: Check Point VOID MANTICORE Handala Hack March 2026) Active…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Sowbug uses

The MITRE Corporation Confidence 100

[Sowbug](https://attack.mitre.org/groups/G0054) is a threat group that has conducted targeted attacks against organizations in South America and Southeast Asia, particularly government entities, since at least 2015. (Citation: Symantec Sowbug…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Lunar Spider uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
BRONZE BUTLER uses REDBALDKNIGHTTick

The MITRE Corporation Confidence 100

[BRONZE BUTLER](https://attack.mitre.org/groups/G0060) is a cyber espionage group with likely Chinese origins that has been active since at least 2008. The group primarily targets Japanese organizations, particularly those in…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Mercenary Akula uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Volt Typhoon uses BRONZE SILHOUETTEVanguard Panda

The MITRE Corporation Confidence 100

[Volt Typhoon](https://attack.mitre.org/groups/G1017) is a People's Republic of China (PRC) state-sponsored actor that has been active since at least 2021 primarily targeting critical infrastructure organizations in the US and…

First seen 01/01/1970 · Last seen 16/11/5138 ·
ToddyCat uses

The MITRE Corporation Confidence 100

[ToddyCat](https://attack.mitre.org/groups/G1022) is a sophisticated threat group that has been active since at least 2020 using custom loaders and malware in multi-stage infection chains against government and military targets…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Turla, UNC4210 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Contagious Interview uses Gwisin GangTAG-121

The MITRE Corporation Confidence 100

[Contagious Interview](https://attack.mitre.org/groups/G1052) is a North Korea–aligned threat group active since 2023. The group conducts both cyberespionage and financially motivated operations, including the theft of cryptocurrency and user credentials.…

First seen 01/01/1970 · Last seen 16/11/5138 ·
play uses

The MITRE Corporation Confidence 100

Initially observed in June 2022, the Play ransomware (a.k.a PlayCrypt) operates through double extortion, targeting numerous organizations in Latin America. Its Initial Access method is quite similar to…

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 6

1–12 of 62

AppleSeed uses
InvisiMole uses
HazyBeacon uses

Family
PureClipper uses

Family
POISONPLUG.SHADOW uses

Family
AMOS uses

Family
MICROBACKDOOR uses
IcedID - S0483 uses

Family
PureCrypter uses

Family
d3f@ckloader uses

Family
LockBit uses

Family
FoggyWeb - S0661 uses

Family

← Previous

Page / 9

1–12 of 107

PHISH ALERT: From a Simple Phishing Email to … related

AlienVault Confidence 100 20 MITREs 6 IOCs 3 Observables
Akira, LimeWire, and the Sour Taste of Data … related

AlienVault Confidence 100 1 CVE 18 MITREs 1 Malware 1 IOC 1 Observable 1 APT
Targets Education Sector with Oracle PeopleSoft Exploit related

AlienVault Confidence 100 1 CVE 20 MITREs 1 Malware 8 IOCs 8 Observables 1 APT
Nimbus RAT: How Threat Actors Are Abusing Microsoft … related

30 MITREs 1 Malware 3 Observables
Reloaded in a modern Remcos RAT Infection related

16 MITREs 2 Malwares 4 Observables
Threat landscape — insurance related

Confidence 100 199 MITREs 11 APTs
Popular node-ipc npm Package Infected with Credential Stealer related

AlienVault Confidence 100 20 MITREs 1 Malware 10 IOCs 10 Observables
macOS Stealer Spoofs Apple, Google, and Microsoft in … related

AlienVault Confidence 100 19 MITREs 4 Malwares 8 IOCs 8 Observables
Inside Shadow-Earth-053: A China-Aligned Cyberespionage Campaign Against Government … related

5 CVEs 19 MITREs 7 Malwares 44 Observables 1 APT
LofyStealer: Malware targeting Minecraft players. related

AlienVault Confidence 100 20 MITREs 3 Malwares 3 IOCs 3 Observables 1 APT
AMOS Stealer delivered via Cursor AI agent session related

AlienVault Confidence 100 20 MITREs 1 Malware 13 IOCs 13 Observables
macOS ClickFix Campaign: AppleScript Stealers & New Terminal … related

20 MITREs 6 Observables

← Previous

Page / 3

1–12 of 32

Vulnerabilities (CVE) (15)

CVE-2021-26858 KEV targets

Microsoft Exchange Server contains an unspecified vulnerability that allows for remote code execution. This vulnerability is part of the ProxyLogon exploit chain.

Published: 03/11/2021
Modified: 21/12/2025

CVE-2021-26855 KEV targets

Microsoft Exchange Server contains an unspecified vulnerability that allows for remote code execution. This vulnerability is part of the ProxyLogon exploit chain.

Published: 03/11/2021
Modified: 20/12/2025

CVE-2021-27065 KEV targets

Microsoft Exchange Server contains an unspecified vulnerability that allows for remote code execution. This vulnerability is part of the ProxyLogon exploit chain.

Published: 03/11/2021
Modified: 20/12/2025

CVE-2022-41082 KEV targets

8.0 High

Microsoft Exchange Server contains an unspecified vulnerability that allows for authenticated remote code execution. Dubbed "ProxyNotShell," this vulnerability is chainable with CVE-2022-41040 …

Attack vector: Adjacent
Published: 30/09/2022
Modified: 20/12/2025

CVE-2024-40766 KEV targets

9.8 Critical

An improper access control vulnerability has been identified in the SonicWall SonicOS management access, potentially leading to unauthorized resource access and in …

Attack vector: Network
Published: 09/09/2024
Modified: 21/12/2025

Analyzed

CVE-2026-35273 KEV targets

9.8 Critical

Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Updates Environment Management). Supported versions that are affected are 8.61 and …

Attack vector: NETWORK
Complexity: LOW
Published: 11/06/2026
Modified: 12/06/2026

CWE-306 Analyzed

CVE-2020-1472 KEV targets

5.5 Medium

Microsoft's Netlogon Remote Protocol (MS-NRPC) contains a privilege escalation vulnerability when an attacker establishes a vulnerable Netlogon secure channel connection to a …

Attack vector: Local
Published: 03/11/2021
Modified: 27/05/2026

CVE-2022-41040 KEV targets

8.8 High

Microsoft Exchange Server allows for server-side request forgery. Dubbed "ProxyNotShell," this vulnerability is chainable with CVE-2022-41082 which allows for remote code execution.

Attack vector: Network
Published: 30/09/2022
Modified: 20/12/2025

CVE-2025-26399 KEV targets

9.8 Critical

SolarWinds Web Help Desk was found to be susceptible to an unauthenticated AjaxProxy deserialization remote code execution vulnerability that, if exploited, would …

Attack vector: Network
Published: 23/09/2025
Modified: 12/03/2026

Awaiting Analysis

CVE-2021-26857 KEV targets

Microsoft Exchange Server contains an unspecified vulnerability that allows for remote code execution. This vulnerability is part of the ProxyLogon exploit chain.

Published: 03/11/2021
Modified: 21/12/2025

CVE-2024-57727 KEV targets

7.5 High

SimpleHelp remote support software v5.5.7 and before is vulnerable to multiple path traversal vulnerabilities that enable unauthenticated remote attackers to download arbitrary …

Attack vector: Network
Published: 13/02/2025
Modified: 21/12/2025

Modified

CVE-2022-1388 KEV targets

F5 BIG-IP contains a missing authentication in critical function vulnerability which can allow for remote code execution, creation or deletion of files, …

Published: 10/05/2022
Modified: 20/12/2025

← Previous

Page / 2

1–12 of 15

T1560 subtechnique-of

Archive Collected Data MITRE

Tool (5)

Rclone uses

The MITRE Corporation Confidence 100

[Rclone](https://attack.mitre.org/software/S1040) is a command line program for syncing files with cloud storage services such as Dropbox, Google Drive, Amazon S3, and MEGA. [Rclone](https://attack.mitre.org/software/S1040) has been used in a…
PoshC2 uses

The MITRE Corporation Confidence 100

[PoshC2](https://attack.mitre.org/software/S0378) is an open source remote administration and post-exploitation framework that is publicly available on GitHub. The server-side components of the tool are primarily written in Python, while…
certutil uses

The MITRE Corporation Confidence 100

[certutil](https://attack.mitre.org/software/S0160) is a command-line utility that can be used to obtain certificate authority information and configure Certificate Services. (Citation: TechNet Certutil)
Pupy uses

The MITRE Corporation Confidence 100

[Pupy](https://attack.mitre.org/software/S0192) is an open source, cross-platform (Windows, Linux, OSX, Android) remote administration and post-exploitation tool. (Citation: GitHub Pupy) It is written in Python and can be generated as…
Remcos uses

The MITRE Corporation Confidence 100

[Remcos](https://attack.mitre.org/software/S0332) is a closed-source tool that is marketed as a remote control and surveillance software by a company called Breaking Security. [Remcos](https://attack.mitre.org/software/S0332) has been observed being used in…

Campaign (11)

FunnyDream uses
Operation Honeybee uses
Operation Dream Job uses
C0026 uses
Operation CuckooBees uses
APT28 Nearest Neighbor Campaign uses
SolarWinds Compromise uses
2025 Poland Wiper Attacks uses
APT41 DUST uses
Operation Wocao uses
Cutting Edge uses

Course Of Action (1)

Audit mitigates

Contact About Legal notice Privacy policy Terms of use