T1560.001: T1560.001

Search IOCs, vulnerabilities, APT…

216.73.216.226

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 20/02/2020 22:01 · Modified 15/04/2026 13:26

Essential information

MITRE technique ID: T1560.001
Confidence: 100/100
Revoked: No
Published: 20/02/2020 22:01
Modified: 15/04/2026 13:26
Author / Source: The MITRE Corporation

Aliases

Archive via Utility

Platforms

windows macos linux

Description

Adversaries may use utilities to compress and/or encrypt collected data prior to exfiltration. Many utilities include functionalities to compress, encrypt, or otherwise package data into a format that is easier/more secure to transport. Adversaries may abuse various utilities to compress or encrypt data before exfiltration. Some third party utilities may be preinstalled, such as `tar` on Linux and macOS or `zip` on Windows systems. On Windows, `diantz` or ` makecab` may be used to package collected files into a cabinet (.cab) file. `diantz` may also be used to download and compress files from remote locations (i.e. [Remote Data Staging](https://attack.mitre.org/techniques/T1074/002)).(Citation: diantz.exe_lolbas) `xcopy` on Windows can copy files and directories with a variety of options. Additionally, adversaries may use [certutil](https://attack.mitre.org/software/S0160) to Base64 encode collected data before exfiltration. Adversaries may use also third party utilities, such as 7-Zip, WinRAR, and WinZip, to perform similar activities.(Citation: 7zip Homepage)(Citation: WinRAR Homepage)(Citation: WinZip Homepage)

Kill chain phases

Kill chain	Phase
mitre-attack	collection

Marking (TLP)

External references

WinZip Homepage
7zip Homepage
WinRAR Homepage
mitre-attack (T1560.001)
Wikipedia File Header Signatures
diantz.exe_lolbas

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (54)

play uses

The MITRE Corporation Confidence 100

Initially observed in June 2022, the Play ransomware (a.k.a PlayCrypt) operates through double extortion, targeting numerous organizations in Latin America. Its Initial Access method is quite similar to…

First seen 01/01/1970 · Last seen 16/11/5138 ·
UNC1151 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Sea Turtle uses Teal KurmaCosmic Wolf

The MITRE Corporation Confidence 100

[Sea Turtle](https://attack.mitre.org/groups/G1041) is a Türkiye-linked threat actor active since at least 2017 performing espionage and service provider compromise operations against victims in Asia, Europe, and North America. [Sea…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Silent Lynx uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Storm-1567 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
INC Ransom uses GOLD IONIC

The MITRE Corporation Confidence 100

[INC Ransom](https://attack.mitre.org/groups/G1032) is a ransomware and data extortion threat group associated with the deployment of [INC Ransomware](https://attack.mitre.org/software/S1139) that has been active since at least July 2023. [INC Ransom](https://attack.mitre.org/groups/G1032)…

First seen 01/01/1970 · Last seen 16/11/5138 ·
APT3 uses Gothic PandaPirpi

The MITRE Corporation Confidence 100

[APT3](https://attack.mitre.org/groups/G0022) is a China-based threat group that researchers have attributed to China's Ministry of State Security.(Citation: FireEye Clandestine Wolf)(Citation: Recorded Future APT3 May 2017) This group is responsible…

First seen 01/01/1970 · Last seen 16/11/5138 ·
menuPass uses CicadaPOTASSIUM

The MITRE Corporation Confidence 100

[menuPass](https://attack.mitre.org/groups/G0045) is a threat group that has been active since at least 2006. Individual members of [menuPass](https://attack.mitre.org/groups/G0045) are known to have acted in association with the Chinese Ministry…

First seen 01/01/1970 · Last seen 16/11/5138 ·
APT33 uses HOLMIUMElfin

The MITRE Corporation Confidence 100

[APT33](https://attack.mitre.org/groups/G0064) is a suspected Iranian threat group that has carried out operations since at least 2013. The group has targeted organizations across multiple industries in the United States,…

First seen 01/01/1970 · Last seen 16/11/5138 ·
MirrorFace uses

AlienVault Confidence 100

[MirrorFace](https://attack.mitre.org/groups/G1054) is a People's Republic of China (PRC)-aligned cyberespionage actor believed to be a subgroup under the [menuPass](https://attack.mitre.org/groups/G0045) umbrella based on targeting, tools, and infrastructure overlaps. [MirrorFace](https://attack.mitre.org/groups/G1054) has…

First seen 01/01/1970 · Last seen 16/11/5138 ·
FIN8 uses Syssphinx

The MITRE Corporation Confidence 100

[FIN8](https://attack.mitre.org/groups/G0061) is a financially motivated threat group that has been active since at least January 2016, and known for targeting organizations in the hospitality, retail, entertainment, insurance, technology,…

First seen 01/01/1970 · Last seen 16/11/5138 ·
SHADOW-EARTH-053 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 5

13–24 of 54

AppleSeed uses

Family The MITRE Corporation Confidence 100

[AppleSeed](https://attack.mitre.org/software/S0622) is a backdoor that has been used by [Kimsuky](https://attack.mitre.org/groups/G0094) to target South Korean government, academic, and commercial targets since at least 2021.(Citation: Malwarebytes Kimsuky June 2021)

First seen 01/01/1970 · Last seen 16/11/5138 ·
InvisiMole uses
HazyBeacon uses

Family
PureClipper uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
POISONPLUG.SHADOW uses

Family
AMOS uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
MICROBACKDOOR uses
IcedID - S0483 uses

Family
PureCrypter uses

Family
d3f@ckloader uses

Family
LockBit uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
FoggyWeb - S0661 uses

Family

← Previous

Page / 5

1–12 of 60

STOCKSTAY Another Day: The Latest Addition to Turla’s … related

AlienVault Confidence 100 2 CVEs 19 MITREs 8 Malwares 57 IOCs 6 Observables 1 APT
CL-STA-1062 Targets Southeast Asian Governments and Critical Infrastructure related

AlienVault Confidence 100 19 MITREs 3 Malwares 6 IOCs 1 APT
PHISH ALERT: From a Simple Phishing Email to … related

AlienVault Confidence 100 20 MITREs 6 IOCs 3 Observables
Akira, LimeWire, and the Sour Taste of Data … related

AlienVault Confidence 100 1 CVE 18 MITREs 1 Malware 1 IOC 1 Observable 1 APT
Targets Education Sector with Oracle PeopleSoft Exploit related

AlienVault Confidence 100 1 CVE 20 MITREs 1 Malware 8 IOCs 8 Observables 1 APT
Nimbus RAT: How Threat Actors Are Abusing Microsoft … related

30 MITREs 1 Malware 3 Observables
Reloaded in a modern Remcos RAT Infection related

16 MITREs 2 Malwares 4 Observables
Threat landscape — insurance related

Confidence 100 199 MITREs 11 APTs
Popular node-ipc npm Package Infected with Credential Stealer related

AlienVault Confidence 100 20 MITREs 1 Malware 10 IOCs 10 Observables
macOS Stealer Spoofs Apple, Google, and Microsoft in … related

AlienVault Confidence 100 19 MITREs 4 Malwares 8 IOCs 8 Observables
Inside Shadow-Earth-053: A China-Aligned Cyberespionage Campaign Against Government … related

5 CVEs 19 MITREs 7 Malwares 44 Observables 1 APT
LofyStealer: Malware targeting Minecraft players. related

AlienVault Confidence 100 20 MITREs 3 Malwares 3 IOCs 3 Observables 1 APT

← Previous

Page / 3

1–12 of 34

Vulnerabilities (CVE) (17)

CVE-2022-1388 KEV targets

F5 BIG-IP contains a missing authentication in critical function vulnerability which can allow for remote code execution, creation or deletion of files, …

Published: 10/05/2022
Modified: 20/12/2025

CVE-2020-12812 KEV targets

Fortinet FortiOS SSL VPN contains an improper authentication vulnerability that may allow a user to login successfully without being prompted for the …

Published: 03/11/2021
Modified: 20/12/2025

CVE-2025-8088 KEV targets

8.8 High

RARLAB WinRAR contains a path traversal vulnerability affecting the Windows version of WinRAR. This vulnerability could allow an attacker to execute arbitrary …

Attack vector: Network
Published: 12/08/2025
Modified: 27/05/2026

CVE-2025-55182 KEV targets

10.0 Critical

A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, …

Attack vector: Network
Published: 05/12/2025
Modified: 29/05/2026

Analyzed

CVE-2018-13379 KEV targets

Fortinet FortiOS SSL VPN web portal contains a path traversal vulnerability that may allow an unauthenticated attacker to download FortiOS system files …

Published: 03/11/2021
Modified: 20/12/2025

← Previous

Page / 2

13–17 of 17

T1560 subtechnique-of

Archive Collected Data MITRE

Tool (3)

Rclone uses

The MITRE Corporation Confidence 100

[Rclone](https://attack.mitre.org/software/S1040) is a command line program for syncing files with cloud storage services such as Dropbox, Google Drive, Amazon S3, and MEGA. [Rclone](https://attack.mitre.org/software/S1040) has been used in a…
PoshC2 uses

The MITRE Corporation Confidence 100

[PoshC2](https://attack.mitre.org/software/S0378) is an open source remote administration and post-exploitation framework that is publicly available on GitHub. The server-side components of the tool are primarily written in Python, while…
certutil uses

The MITRE Corporation Confidence 100

[certutil](https://attack.mitre.org/software/S0160) is a command-line utility that can be used to obtain certificate authority information and configure Certificate Services. (Citation: TechNet Certutil)

Campaign (6)

FunnyDream uses
Operation Honeybee uses
Operation Dream Job uses
C0026 uses
Operation CuckooBees uses
APT28 Nearest Neighbor Campaign uses

Course Of Action (1)

Audit mitigates

Contact About Legal notice Privacy policy Terms of use