T1560.001: T1560.001

Search IOCs, vulnerabilities, APT…

216.73.216.6

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 20/02/2020 22:01 · Modified 15/04/2026 13:26

Essential information

MITRE technique ID: T1560.001
Confidence: 100/100
Revoked: No
Published: 20/02/2020 22:01
Modified: 15/04/2026 13:26
Author / Source: The MITRE Corporation

Aliases

Archive via Utility

Platforms

windows macos linux

Description

Adversaries may use utilities to compress and/or encrypt collected data prior to exfiltration. Many utilities include functionalities to compress, encrypt, or otherwise package data into a format that is easier/more secure to transport. Adversaries may abuse various utilities to compress or encrypt data before exfiltration. Some third party utilities may be preinstalled, such as `tar` on Linux and macOS or `zip` on Windows systems. On Windows, `diantz` or ` makecab` may be used to package collected files into a cabinet (.cab) file. `diantz` may also be used to download and compress files from remote locations (i.e. [Remote Data Staging](https://attack.mitre.org/techniques/T1074/002)).(Citation: diantz.exe_lolbas) `xcopy` on Windows can copy files and directories with a variety of options. Additionally, adversaries may use [certutil](https://attack.mitre.org/software/S0160) to Base64 encode collected data before exfiltration. Adversaries may use also third party utilities, such as 7-Zip, WinRAR, and WinZip, to perform similar activities.(Citation: 7zip Homepage)(Citation: WinRAR Homepage)(Citation: WinZip Homepage)

Kill chain phases

Kill chain	Phase
mitre-attack	collection

Marking (TLP)

External references

WinZip Homepage
7zip Homepage
WinRAR Homepage
mitre-attack (T1560.001)
Wikipedia File Header Signatures
diantz.exe_lolbas

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (54)

Turla uses IRON HUNTERGroup 88

The MITRE Corporation Confidence 100

[Turla](https://attack.mitre.org/groups/G0010) is a cyber espionage threat group that has been attributed to Russia's Federal Security Service (FSB). They have compromised victims in over 50 countries since at least…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Agrius uses Pink SandstormAMERICIUM

The MITRE Corporation Confidence 100

[Agrius](https://attack.mitre.org/groups/G1030) is an Iranian threat actor active since 2020 notable for a series of ransomware and wiper operations in the Middle East, with an emphasis on Israeli targets.(Citation:…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Void Manticore uses COBALT MYSTIQUEHandala Hack

AlienVault Confidence 100

[VOID MANTICORE](https://attack.mitre.org/groups/G1055) is a threat group assessed to operate on behalf of Iran’s Ministry of Intelligence and Security (MOIS).(Citation: Check Point VOID MANTICORE Handala Hack March 2026) Active…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Sowbug uses

The MITRE Corporation Confidence 100

[Sowbug](https://attack.mitre.org/groups/G0054) is a threat group that has conducted targeted attacks against organizations in South America and Southeast Asia, particularly government entities, since at least 2015. (Citation: Symantec Sowbug…

First seen 01/01/1970 · Last seen 16/11/5138 ·
CL-STA-1062 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Lunar Spider uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
BRONZE BUTLER uses REDBALDKNIGHTTick

The MITRE Corporation Confidence 100

[BRONZE BUTLER](https://attack.mitre.org/groups/G0060) is a cyber espionage group with likely Chinese origins that has been active since at least 2008. The group primarily targets Japanese organizations, particularly those in…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Mercenary Akula uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Volt Typhoon uses BRONZE SILHOUETTEVanguard Panda

The MITRE Corporation Confidence 100

[Volt Typhoon](https://attack.mitre.org/groups/G1017) is a People's Republic of China (PRC) state-sponsored actor that has been active since at least 2021 primarily targeting critical infrastructure organizations in the US and…

First seen 01/01/1970 · Last seen 16/11/5138 ·
ToddyCat uses

The MITRE Corporation Confidence 100

[ToddyCat](https://attack.mitre.org/groups/G1022) is a sophisticated threat group that has been active since at least 2020 using custom loaders and malware in multi-stage infection chains against government and military targets…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Turla, UNC4210 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Contagious Interview uses Gwisin GangTAG-121

The MITRE Corporation Confidence 100

[Contagious Interview](https://attack.mitre.org/groups/G1052) is a North Korea–aligned threat group active since 2023. The group conducts both cyberespionage and financially motivated operations, including the theft of cryptocurrency and user credentials.…

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 5

1–12 of 54

AppleSeed uses

Family The MITRE Corporation Confidence 100

[AppleSeed](https://attack.mitre.org/software/S0622) is a backdoor that has been used by [Kimsuky](https://attack.mitre.org/groups/G0094) to target South Korean government, academic, and commercial targets since at least 2021.(Citation: Malwarebytes Kimsuky June 2021)

First seen 01/01/1970 · Last seen 16/11/5138 ·
InvisiMole uses
HazyBeacon uses

Family
PureClipper uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
POISONPLUG.SHADOW uses

Family
AMOS uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
MICROBACKDOOR uses
IcedID - S0483 uses

Family
PureCrypter uses

Family
d3f@ckloader uses

Family
LockBit uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
FoggyWeb - S0661 uses

Family

← Previous

Page / 5

1–12 of 60

AMOS Stealer delivered via Cursor AI agent session related

AlienVault Confidence 100 20 MITREs 1 Malware 13 IOCs 13 Observables
macOS ClickFix Campaign: AppleScript Stealers & New Terminal … related

20 MITREs 6 Observables
Mercenary Akula Hits Ukraine-Supporting Financial... related

9 MITREs 3 Malwares 10 Observables 1 APT
Cat's Got Your Files: Lynx Ransomware related

17 MITREs 7 Observables
A Vietnamese threat actor's shift from PXA Stealer … related

14 MITREs 7 Malwares 4 Observables 1 APT
From a Single Click: How Lunar Spider Enabled … related

25 MITREs 4 Malwares 1 APT
Fake Zoom Ends in BlackSuit Ransomware related

32 MITREs 6 Malwares
Weaver Ant, the Web Shell Whisperer: Tracking a … related

26 MITREs 2 Malwares 1 Observable 1 APT
Chinese APT Target Royal Thai Police in Malware … related

8 MITREs 1 Malware 1 APT
Inside the Scam: North Korea's IT Worker Threat related

15 MITREs 3 Malwares 43 Observables 1 APT
Unveiling Silent Lynx APT Targeting Entities Across Kyrgyzstan … related

16 MITREs 1 Malware 12 Observables 1 APT
Hidden in Plain Sight: New Attack Chain Delivers … related

17 MITREs 2 Malwares 1 APT

← Previous

Page / 3

13–24 of 34

Vulnerabilities (CVE) (17)

CVE-2022-1388 KEV targets

F5 BIG-IP contains a missing authentication in critical function vulnerability which can allow for remote code execution, creation or deletion of files, …

Published: 10/05/2022
Modified: 20/12/2025

CVE-2020-12812 KEV targets

Fortinet FortiOS SSL VPN contains an improper authentication vulnerability that may allow a user to login successfully without being prompted for the …

Published: 03/11/2021
Modified: 20/12/2025

CVE-2025-8088 KEV targets

8.8 High

RARLAB WinRAR contains a path traversal vulnerability affecting the Windows version of WinRAR. This vulnerability could allow an attacker to execute arbitrary …

Attack vector: Network
Published: 12/08/2025
Modified: 27/05/2026

CVE-2025-55182 KEV targets

10.0 Critical

A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, …

Attack vector: Network
Published: 05/12/2025
Modified: 29/05/2026

Analyzed

CVE-2018-13379 KEV targets

Fortinet FortiOS SSL VPN web portal contains a path traversal vulnerability that may allow an unauthenticated attacker to download FortiOS system files …

Published: 03/11/2021
Modified: 20/12/2025

← Previous

Page / 2

13–17 of 17

T1560 subtechnique-of

Archive Collected Data MITRE

Tool (3)

Rclone uses

The MITRE Corporation Confidence 100

[Rclone](https://attack.mitre.org/software/S1040) is a command line program for syncing files with cloud storage services such as Dropbox, Google Drive, Amazon S3, and MEGA. [Rclone](https://attack.mitre.org/software/S1040) has been used in a…
PoshC2 uses

The MITRE Corporation Confidence 100

[PoshC2](https://attack.mitre.org/software/S0378) is an open source remote administration and post-exploitation framework that is publicly available on GitHub. The server-side components of the tool are primarily written in Python, while…
certutil uses

The MITRE Corporation Confidence 100

[certutil](https://attack.mitre.org/software/S0160) is a command-line utility that can be used to obtain certificate authority information and configure Certificate Services. (Citation: TechNet Certutil)

Campaign (6)

FunnyDream uses
Operation Honeybee uses
Operation Dream Job uses
C0026 uses
Operation CuckooBees uses
APT28 Nearest Neighbor Campaign uses

Course Of Action (1)

Audit mitigates

Contact About Legal notice Privacy policy Terms of use