1. Home
  2. Techniques
  3. Mobile
  4. Archive Collected Data

Archive Collected Data

Adversaries may compress and/or encrypt data that is collected prior to exfiltration. Compressing data can help to obfuscate its contents and minimize use of network resources. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.

Both compression and encryption are done prior to exfiltration, and can be performed using a utility, programming library, or custom algorithm.

ID: T1532
Sub-techniques:  No sub-techniques
Tactic Type: Post-Adversary Device Access
Tactic: Collection
Platforms: Android, iOS
Version: 2.0
Created: 10 October 2019
Last Modified: 24 October 2025
Version Permalink

Procedure Examples

ID Name Description
S0422 Anubis

Anubis exfiltrates data encrypted (with RC4) by its ransomware module.[1]
S0540 Asacub

Asacub has encrypted C2 communications using Base64-encoded RC4.[2]
S1079 BOULDSPY

BOULDSPY can encrypt its data before exfiltration.[3]
S1094 BRATA

BRATA has compressed data with the zlib library before exfiltration.[4]
C0033 C0033

During C0033, PROMETHIUM used StrongPity to exfiltrate encrypted data to the C2 server.[5]

S1243 DCHSpy

DCHSpy has compressed and encrypted collected data with a password from the C2 server.[6]

S0505 Desert Scorpion

Desert Scorpion can encrypt exfiltrated data.[7]
S0405 Exodus

Exodus One encrypts data using XOR prior to exfiltration.[8]

S0577 FrozenCell

FrozenCell has compressed and encrypted data before exfiltration using password protected .7z archives.[9]
S0535 Golden Cup

Golden Cup has encrypted exfiltrated data using AES in ECB mode.[10]
S0421 GolfSpy

GolfSpy encrypts data using a simple XOR operation with a pre-configured key prior to exfiltration.[11]
S1185 LightSpy

LightSpy collects and compresses data to be exfiltrated using SSZipArchive.[12][13]
S1082 Sunbird

Sunbird can exfiltrate collected data as a ZIP file.[14]
S0424 Triada

Triada encrypts data prior to exfiltration.[15]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection Strategy

ID Name Analytic ID Analytic Description
DET0670 Detection of Archive Collected Data AN1767

The defender correlates recent access to locally collected or protected data with subsequent compression, packaging, or encryption behavior inside the same app context, followed by creation of archive-like or high-entropy output and optional near-term network transmission. The analytic prioritizes Android runtime and storage effects: application data access or sensor-derived collection, compression/encryption framework use, archive/blob creation in app-accessible storage, and background or device-locked execution inconsistent with the app’s declared function.
AN1768

The defender correlates managed-app data access and lifecycle context with indirect evidence of packaging or encryption prior to outbound transfer. Because direct archive/compression visibility is generally weaker on iOS, the analytic anchors on app lifecycle state, file/output effects observable by mobile EDR where available, managed app role via MDM, and downstream network uploads that closely follow creation of new large or high-entropy local artifacts. Confidence is lower when only network effects are available.

References

  1. M. Feller. (2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. Retrieved September 25, 2024.
  2. T. Shishkova. (2018, August 28). The rise of mobile banker Asacub. Retrieved December 14, 2020.
  3. Kyle Schmittle, Alemdar Islamoglu, Paul Shunk, Justin Albrecht. (2023, April 27). Lookout Discovers Android Spyware Tied to Iranian Police Targeting Minorities: BouldSpy. Retrieved July 21, 2023.
  4. Federico Valentini, Francesco Lubatti. (2022, January 24). How BRATA is monitoring your bank account. Retrieved December 18, 2023.
  5. Stefanko, L. (2023, January 10). StrongPity espionage campaign targeting Android users. Retrieved January 31, 2023.
  6. Albrecht, J., Islamoglu, A. (2025, July 21). Lookout Discovers Iranian APT MuddyWater Leveraging DCHSpy During Israel-Iran Conflict . Retrieved September 19, 2025.
  7. A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020.
  8. Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved November 17, 2024.
  1. Michael Flossman. (2017, October 5). FrozenCell: Multi-platform surveillance campaign against Palestinians. Retrieved November 11, 2020.
  2. R. Iarchy, E. Rynkowski. (2018, July 5). GoldenCup: New Cyber Threat Targeting World Cup Fans. Retrieved October 29, 2020.
  3. E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign ‘Bouncing Golf’ Affects Middle East. Retrieved January 27, 2020.
  4. Dmitry Bestuzhev. (2025, April 7). The Coordinated Kill Switch: LightSpy's iOS Destructive Plugin Architecture Manages Device Disablement. Retrieved April 14, 2025.
  5. ThreatFabric. (2024, October 29). LightSpy: Implant for iOS. Retrieved January 30, 2025.
  6. Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. Retrieved June 9, 2023.
  7. Lukasz Siewierski. (2019, June 6). PHA Family Highlights: Triada. Retrieved July 16, 2019.