1. Home
  2. Techniques
  3. Enterprise
  4. Obfuscated Files or Information
  5. Compression

Obfuscated Files or Information: Compression

ID Name
T1027.001 Binary Padding
T1027.002 Software Packing
T1027.003 Steganography
T1027.004 Compile After Delivery
T1027.005 Indicator Removal from Tools
T1027.006 HTML Smuggling
T1027.007 Dynamic API Resolution
T1027.008 Stripped Payloads
T1027.009 Embedded Payloads
T1027.010 Command Obfuscation
T1027.011 Fileless Storage
T1027.012 LNK Icon Smuggling
T1027.013 Encrypted/Encoded File
T1027.014 Polymorphic Code
T1027.015 Compression
T1027.016 Junk Code Insertion
T1027.017 SVG Smuggling

Adversaries may use compression to obfuscate their payloads or files. Compressed file formats such as ZIP, gzip, 7z, and RAR can compress and archive multiple files together to make it easier and faster to transfer files. In addition to compressing files, adversaries may also compress shellcode directly - for example, in order to store it in a Windows Registry key (i.e., Fileless Storage).[1]

In order to further evade detection, adversaries may combine multiple ZIP files into one archive. This process of concatenation creates an archive that appears to be a single archive but in fact contains the central directories of the embedded archives. Some ZIP readers, such as 7zip, may not be able to identify concatenated ZIP files and miss the presence of the malicious payload.[2]

File archives may be sent as one Spearphishing Attachment through email. Adversaries have sent malicious payloads as archived files to encourage the user to interact with and extract the malicious payload onto their system (i.e., Malicious File).[3] However, some file compression tools, such as 7zip, can be used to produce self-extracting archives. Adversaries may send self-extracting archives to hide the functionality of their payload and launch it without requiring multiple actions from the user.[4]

Compression may be used in combination with Encrypted/Encoded File where compressed files are encrypted and password-protected.

ID: T1027.015
Sub-technique of:  T1027
Tactic: Defense Evasion
Platforms: Linux, Windows, macOS
Contributors: Fernando Bacchin
Version: 1.0
Created: 04 March 2025
Last Modified: 15 April 2025
Version Permalink

Procedure Examples

ID Name Description
S1081 BADHATCH

BADHATCH can be compressed with the ApLib algorithm.[5]
S0673 DarkWatchman

DarkWatchman has been delivered as compressed RAR payloads in ZIP files to victims.[6]
S0695 Donut

Donut can generate encrypted, compressed/encoded, or otherwise obfuscated code modules.[7]
G0047 Gamaredon Group

Gamaredon Group has delivered malicious payloads within compressed archives and zip files. [8]
S0666 Gelsemium

Gelsemium has the ability to compress its components.[9]
S0499 Hancitor

Hancitor has delivered compressed payloads in ZIP files to victims.[10]
S0697 HermeticWiper

HermeticWiper can compress 32-bit and 64-bit driver files with the Lempel-Ziv algorithm.[11][12][13]
G0126 Higaisa

Higaisa used Base64 encoded compressed payloads.[14][15]
S0585 Kerrdown

Kerrdown can encrypt, encode, and compress multiple layers of shellcode.[16]
G0065 Leviathan

Leviathan has obfuscated code using gzip compression.[17]
S1188 Line Runner

Line Runner uses a ZIP payload that is automatically extracted with its contents, a LUA script, executed for initial execution via CVE-2024-20359.[18]
G0103 Mofang

Mofang has compressed the ShimRat executable within malicious email attachments.[19]
G0021 Molerats

Molerats has delivered compressed executables within ZIP files to victims.[20]
S1100 Ninja

Ninja has compressed its data with the LZSS algorithm.[21][22]
S0664 Pandora

Pandora has the ability to compress stings with QuickLZ.[23]
S1050 PcShare

PcShare has been compressed with LZW algorithm.[24]
S0517 Pillowmint

Pillowmint has been compressed and stored within a registry key.[1]

S0453 Pony

Pony attachments have been delivered via compressed archive files.[25]
S1228 PUBLOAD

PUBLOAD has been delivered as compressed files within ZIP files to victims.[26][27]
S0662 RCSession

RCSession can compress and obfuscate its strings to evade detection on a compromised host.[28]
S0148 RTM

RTM has been delivered to targets as various archive files including ZIP, 7-ZIP, and RAR.[29][30]
S1099 Samurai

Samurai can deliver its final payload as a compressed, encrypted and base64-encoded blob.[21]
S0444 ShimRat

ShimRat has been delivered as a package that includes compressed DLL and shellcode payloads within a .dat file.[19]
S1124 SocGholish

The SocGholish JavaScript payload has been delivered within a compressed ZIP archive.[31][32]

S1183 StrelaStealer

StrelaStealer has been delivered via JScript files in a ZIP archive.[33][34]

S0559 SUNBURST

SUNBURST strings were compressed and encoded in Base64.[35]
G1018 TA2541

TA2541 has used compressed and char-encoded scripts in operations.[36]
G0027 Threat Group-3390

Threat Group-3390 malware is compressed with LZNT1 compression.[37][38][39]
S0665 ThreatNeedle

ThreatNeedle has been compressed and obfuscated.[40]
S0466 WindTail

WindTail can be delivered as a compressed, encrypted, and encoded payload.[41]
S0141 Winnti for Windows

Winnti for Windows has the ability to encrypt and compress its payload.[42]

Mitigations

ID Mitigation Description
M1049 Antivirus/Antimalware

Anti-virus can be used to automatically detect and quarantine suspicious files. Consider anti-virus products capable of unpacking and inspecting compressed files recursively, as well as analyzing SFX archives.

Detection Strategy

ID Name Analytic ID Analytic Description
DET0281 Detection Strategy for Compressed Payload Creation and Execution AN0782

Monitors for compression tool usage (e.g., 7zip, WinRAR, MakeCab) that follows or precedes file modification, suspicious file types (e.g., .exe, .dll) being compressed, or dropped from self-extracting archives followed by immediate execution.
AN0783

Detects sequential command-line compression utilities (e.g., gzip, tar, zip, 7z) followed by execution of unpacked files, especially in temp directories or under non-standard locations like /dev/shm or /tmp with ELF binaries.
AN0784

Identifies archive utilities (e.g., ditto, unzip, xar, pkgutil) used to extract payloads to non-standard paths, then correlates with execution or file permission changes (e.g., chmod +x) and process spawns from decompressed location.

References

  1. Trustwave SpiderLabs. (2020, June 22). Pillowmint: FIN7’s Monkey Thief . Retrieved July 27, 2020.
  2. Arthur Vaiselbuh, Peleg Cabra. (2024, November 7). Evasive ZIP Concatenation: Trojan Targets Windows Users. Retrieved March 3, 2025.
  3. Hada, H. (2021, December 28). Flagpro The new malware used by BlackTech. Retrieved March 25, 2022.
  4. Ravie Lakshmanan. (2023, April 5). Hackers Using Self-Extracting Archives Exploit for Stealthy Backdoor Attacks. Retrieved March 3, 2025.
  5. Vrabie, V., et al. (2021, March 10). FIN8 Returns with Improved BADHATCH Toolkit. Retrieved September 8, 2021.
  6. Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A new evolution in fileless techniques. Retrieved January 10, 2022.
  7. TheWover. (2019, May 9). donut. Retrieved March 25, 2022.
  8. Venere, G. (2025, March 28). Gamaredon campaign abuses LNK files to distribute Remcos backdoor. Retrieved July 23, 2025.
  9. Dupuy, T. and Faou, M. (2021, June). Gelsemium. Retrieved November 30, 2021.
  10. Anubhav, A., Jallepalli, D. (2016, September 23). Hancitor (AKA Chanitor) observed using multiple attack approaches. Retrieved August 13, 2020.
  11. Symantec Threat Hunter Team. (2022, February 24). Ukraine: Disk-wiping Attacks Precede Russian Invasion. Retrieved March 25, 2022.
  12. Thomas, W. et al. (2022, February 25). CrowdStrike Falcon Protects from New Wiper Malware Used in Ukraine Cyberattacks. Retrieved March 25, 2022.
  13. Dani, M. (2022, March 1). Ukrainian Targets Hit by HermeticWiper, New Datawiper Malware. Retrieved March 25, 2022.
  14. Malwarebytes Threat Intelligence Team. (2020, June 4). New LNK attack tied to Higaisa APT discovered. Retrieved March 2, 2021.
  15. Singh, S. Singh, A. (2020, June 11). The Return on the Higaisa APT. Retrieved March 2, 2021.
  16. Ray, V. and Hayashi, K. (2019, February 1). Tracking OceanLotus’ new Downloader, KerrDown. Retrieved October 1, 2021.
  17. Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018.
  18. Cisco Talos. (2024, April 24). ArcaneDoor - New espionage-focused campaign found targeting perimeter network devices. Retrieved January 6, 2025.
  19. Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020.
  20. GReAT. (2019, April 10). Gaza Cybergang Group1, operation SneakyPastes. Retrieved May 13, 2020.
  21. Dedola, G. (2022, June 21). APT ToddyCat. Retrieved January 3, 2024.
  1. Dedola, G. et al. (2023, October 12). ToddyCat: Keep calm and check logs. Retrieved January 3, 2024.
  2. Lunghi, D. and Lu, K. (2021, April 9). Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware. Retrieved November 12, 2021.
  3. Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022.
  4. hasherezade. (2016, April 11). No money, but Pony! From a mail to a trojan horse. Retrieved May 21, 2020.
  5. Dex. (n.d.). New Mustang Panda’s campaing against Australia. Retrieved August 4, 2025.
  6. Robert Falcone. (2025, February 20). Stately Taurus Activity in Southeast Asia Links to Bookworm Malware. Retrieved July 21, 2025.
  7. Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021.
  8. Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.
  9. Duncan, B., Harbison, M. (2019, January 23). Russian Language Malspam Pushing Redaman Banking Malware. Retrieved June 16, 2020.
  10. Red Canary. (2024, March). Red Canary 2024 Threat Detection Report: SocGholish. Retrieved March 22, 2024.
  11. Secureworks. (n.d.). GOLD PRELUDE . Retrieved March 22, 2024.
  12. Benjamin Chang, Goutam Tripathy, Pranay Kumar Chhaparwal, Anmol Maurya & Vishwa Thothathri, Palo Alto Networks. (2024, March 22). Large-Scale StrelaStealer Campaign in Early 2024. Retrieved December 31, 2024.
  13. Fortgale. (2023, September 18). StrelaStealer Malware Analysis. Retrieved December 31, 2024.
  14. MSTIC. (2020, December 18). Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers . Retrieved January 5, 2021.
  15. Ventura, V. (2021, September 16). Operation Layover: How we tracked an attack on the aviation industry to five years of compromise. Retrieved September 15, 2023.
  16. Pantazopoulos, N., Henry T. (2018, May 18). Emissary Panda – A potential new malicious tool. Retrieved June 25, 2018.
  17. Legezo, D. (2018, June 13). LuckyMouse hits national data center to organize country-level waterholing campaign. Retrieved August 18, 2018.
  18. Falcone, R. and Lancaster, T. (2019, May 28). Emissary Panda Attacks Middle East Government Sharepoint Servers. Retrieved July 9, 2019.
  19. Vyacheslav Kopeytsev and Seongsu Park. (2021, February 25). Lazarus targets defense industry with ThreatNeedle. Retrieved October 27, 2021.
  20. Wardle, Patrick. (2019, January 15). Middle East Cyber-Espionage analyzing WindShift's implant: OSX.WindTail (part 2). Retrieved October 3, 2019.
  21. Novetta Threat Research Group. (2015, April 7). Winnti Analysis. Retrieved February 8, 2017.