AppleSeed can zip and encrypt data collected on a target system.[4]
APT1 has used RAR to compress files before moving them outside of the victim network.[5]
APT28 has used a variety of utilities, including WinRAR, to archive collected data with password protection.[6]
APT29 used 7-Zip to compress stolen emails into password-protected archives prior to exfiltration.[7][8]
APT3 has used tools to compress data before exfiltrating it.[9]
APT39 has used WinRAR and 7-Zip to compress and archive stolen data.[11]
APT41 created a RAR archive of targeted files for exfiltration.[12]
BRONZE BUTLER has compressed data into password-protected RAR archives prior to exfiltration.[13][14]
Calisto uses the zip -r command to compress the data collected on the local system.[15][16]
Chimera has used gzip for Linux OS and a modified RAR software to archive data on Windows hosts.[17][18]
CopyKittens uses ZPP, a .NET console program, to compress files with ZIP.[19]
CORALDECK has created password-protected RAR, WinImage, and zip archives to be exfiltrated.[20]
Crutch has used the WinRAR utility to compress and encrypt stolen files.[21]
Daserf hides collected data in password-protected .rar archives.[22]
DustySky can compress files via RAR while staging data to be exfiltrated.[23]
FIN8 has used RAR to compress collected data before exfiltration.[24]
Fox Kitten has used 7-Zip to archive data.[25]
GALLIUM used WinRAR to compress and encrypt stolen data prior to exfiltration.[26][27]
Gallmaker has used WinZip, likely to archive data prior to exfiltration.[28]
HAFNIUM has used 7-Zip and WinRAR to compress stolen files for exfiltration.[29][30]
iKitten will zip up the /Library/Keychains directory before exfiltrating it.[31]
InvisiMole uses WinRAR to compress data that is intended to be exfiltrated.[32]
Ke3chang is known to use RAR with passwords to encrypt data prior to exfiltration.[33]
Magic Hound has used RAR to stage and compress local folders.[34]
menuPass has compressed files before exfiltration using TAR and RAR.[35][36][37]
Micropsia creates a RAR archive based on collected files on the victim's machine.[38]
MuddyWater has used the native Windows cabinet creation tool, makecab.exe, likely to compress stolen data to be uploaded.[39]
Mustang Panda has used RAR to create password-protected archives of collected documents prior to exfiltration.[40][41]
Octopus has compressed data before exfiltrating it using a tool called Abbrevia.[42]
Okrum was seen using a RAR archiver tool to compress/decompress data.[43]
OopsIE compresses collected files with GZipStream before sending them to its C2 server.[44]
Operation Wocao has archived collected files with WinRAR prior to exfiltration.[45]
PoshC2 contains a module for compressing data using ZIP.[47]
PowerShower has used 7-Zip to compress .txt, .pdf, .xls or .doc files prior to exfiltration.[48]
PUNCHBUGGY has gzipped information and saved it to a random temp file before exfiltration.[49]
Pupy can compress data with Zip before sending it over C2.[50]
Ramsay can compress and archive collected files using WinRAR.[51][52]
Sowbug extracted documents and bundled them into a RAR archive.[53]
Turian can use WinRAR to create a password-protected archive for files of interest.[54]
Turla has encrypted files stolen from connected USB drives into a RAR file before exfiltration.[55]
WindTail has the ability to use the macOS built-in zip utility to archive files.[56]