1. Home
  2. Techniques
  3. Enterprise
  4. Archive Collected Data
  5. Archive via Utility

Archive Collected Data: Archive via Utility

ID Name
T1560.001 Archive via Utility
T1560.002 Archive via Library
T1560.003 Archive via Custom Method

Adversaries may use utilities to compress and/or encrypt collected data prior to exfiltration. Many utilities include functionalities to compress, encrypt, or otherwise package data into a format that is easier/more secure to transport.

Adversaries may abuse various utilities to compress or encrypt data before exfiltration. Some third party utilities may be preinstalled, such as tar on Linux and macOS or zip on Windows systems.

On Windows, diantz or makecab may be used to package collected files into a cabinet (.cab) file. diantz may also be used to download and compress files from remote locations (i.e. Remote Data Staging).[1] xcopy on Windows can copy files and directories with a variety of options. Additionally, adversaries may use certutil to Base64 encode collected data before exfiltration.

Adversaries may use also third party utilities, such as 7-Zip, WinRAR, and WinZip, to perform similar activities.[2][3][4]

ID: T1560.001
Sub-technique of:  T1560
Tactic: Collection
Platforms: Linux, Windows, macOS
Contributors: Mark Wee; Mayan Arora aka Mayan Mohan
Version: 1.3
Created: 20 February 2020
Last Modified: 24 October 2025
Version Permalink

Procedure Examples

ID Name Description
G1030 Agrius

Agrius used 7zip to archive extracted data in preparation for exfiltration.[5]
G1024 Akira

Akira uses utilities such as WinRAR to archive data prior to exfiltration.[6]
S0622 AppleSeed

AppleSeed can zip and encrypt data collected on a target system.[7]
G0006 APT1

APT1 has used RAR to compress files before moving them outside of the victim network.[8]
G0007 APT28

APT28 has used a variety of utilities, including WinRAR, to archive collected data with password protection.[9]
C0051 APT28 Nearest Neighbor Campaign

During APT28 Nearest Neighbor Campaign, APT28 used built-in PowerShell capabilities (Compress-Archive cmdlet) to compress collected data.[10]

G0022 APT3

APT3 has used tools to compress data before exfilling it.[11]
G0064 APT33

APT33 has used WinRAR to compress data prior to exfil.[12]

G0087 APT39

APT39 has used WinRAR and 7-Zip to compress an archive stolen data.[13]
G0096 APT41

APT41 created a RAR archive of targeted files for exfiltration.[14] Additionally, APT41 used the makecab.exe utility to both download tools, such as NATBypass, to the victim network and to archive a file for exfiltration.[15]
C0040 APT41 DUST

APT41 DUST used rar to compress data downloaded from internal Oracle databases prior to exfiltration.[16]
G1023 APT5

APT5 has used the JAR/ZIP file format for exfiltrated files.[17]
G0143 Aquatic Panda

Aquatic Panda has used several publicly available tools, including WinRAR and 7zip, to compress collected files and memory dumps prior to exfiltration.[18][19]
S1246 BeaverTail

BeaverTail has collected and archived sensitive data in a zip file.[20]
G0060 BRONZE BUTLER

BRONZE BUTLER has compressed data into password-protected RAR archives prior to exfiltration.[21][22]
C0026 C0026

During C0026, the threat actors used WinRAR to collect documents on targeted systems. The threat actors appeared to only exfiltrate files created after January 1, 2021.[23]
S0274 Calisto

Calisto uses the zip -r command to compress the data collected on the local system.[24][25]
S1043 ccf32

ccf32 has used xcopy \\<target_host>\c$\users\public\path.7z c:\users\public\bin\<target_host>.7z /H /Y to archive collected files.[26]
S0160 certutil

certutil may be used to Base64 encode collected data.[27][28]
G0114 Chimera

Chimera has used gzip for Linux OS and a modified RAR software to archive data on Windows hosts.[29][30]
G0052 CopyKittens

CopyKittens uses ZPP, a .NET console program, to compress files with ZIP.[31]
S0212 CORALDECK

CORALDECK has created password-protected RAR, WinImage, and zip archives to be exfiltrated.[32]
S0538 Crutch

Crutch has used the WinRAR utility to compress and encrypt stolen files.[33]
C0029 Cutting Edge

During Cutting Edge, threat actors saved collected data to a tar archive.[34]
S0187 Daserf

Daserf hides collected data in password-protected .rar archives.[35]
S0062 DustySky

DustySky can compress files via RAR while staging data to be exfiltrated.[36]
G1006 Earth Lusca

Earth Lusca has used WinRAR to compress stolen files into an archive prior to exfiltration.[37]
G1016 FIN13

FIN13 has compressed the dump output of compromised credentials with a 7zip binary.[38]
G0061 FIN8

FIN8 has used RAR to compress collected data before exfiltration.[39]
G0117 Fox Kitten

Fox Kitten has used 7-Zip to archive data.[40]
C0007 FunnyDream

During FunnyDream, the threat actors used 7zr.exe to add collected files to an archive.[26]
G0093 GALLIUM

GALLIUM used WinRAR to compress and encrypt stolen data prior to exfiltration.[41][42]
G0084 Gallmaker

Gallmaker has used WinZip, likely to archive data prior to exfiltration.[43]
G0125 HAFNIUM

HAFNIUM has used 7-Zip and WinRAR to compress stolen files for exfiltration.[44][45]
S1022 IceApple

IceApple can encrypt and compress files using Gzip prior to exfiltration.[46]
S0278 iKitten

iKitten will zip up the /Library/Keychains directory before exfiltrating it.[47]
G1032 INC Ransom

INC Ransom has used 7-Zip and WinRAR to archive collected data prior to exfiltration.[48][49][50][51]
S1245 InvisibleFerret

InvisibleFerret has used 7zip, RAR and zip files to archive collected data for exfiltration.[52][53]
S0260 InvisiMole

InvisiMole uses WinRAR to compress data that is intended to be exfiltrated.[54]
G0004 Ke3chang

Ke3chang is known to use 7Zip and RAR with passwords to encrypt data prior to exfiltration.[55][56]
G0094 Kimsuky

Kimsuky has used QuickZip to archive stolen files before exfiltration.[57]
G0030 Lotus Blossom

Lotus Blossom has used WinRAR for compressing data in RAR format.[58][59]
S1141 LunarWeb

LunarWeb can create a ZIP archive with specified files and directories.[60]
G0059 Magic Hound

Magic Hound has used gzip to archive dumped LSASS process memory and RAR to stage and compress local folders.[61][62][63]
G0045 menuPass

menuPass has compressed files before exfiltration using TAR and RAR.[64][65][66]
S0339 Micropsia

Micropsia creates a RAR archive based on collected files on the victim's machine.[67]
G0069 MuddyWater

MuddyWater has used the native Windows cabinet creation tool, makecab.exe, likely to compress stolen data to be uploaded.[68]
G0129 Mustang Panda

Mustang Panda has used RAR to create password-protected archives of collected documents prior to exfiltration.[69][70] Mustang Panda has used WinRAR "Rar.exe" to archive stolen files before exfiltration.[71] Mustang Panda has also used TONESHELL and post-exploitation tools such as RemCom and Impacket to execute WinRAR rar.exe to archive files for exfiltration.[72]
S0340 Octopus

Octopus has compressed data before exfiltrating it using a tool called Abbrevia.[73]

S0439 Okrum

Okrum was seen using a RAR archiver tool to compress/decompress data.[74]
S0264 OopsIE

OopsIE compresses collected files with GZipStream before sending them to its C2 server.[75]
C0012 Operation CuckooBees

During Operation CuckooBees, the threat actors used the Makecab utility to compress and a version of WinRAR to create password-protected archives of stolen data prior to exfiltration.[76]
C0022 Operation Dream Job

During Operation Dream Job, Lazarus Group archived victim's data into a RAR file.[77]
C0006 Operation Honeybee

During Operation Honeybee, the threat actors uses zip to pack collected files before exfiltration.[78]
C0014 Operation Wocao

During Operation Wocao, threat actors archived collected files with WinRAR, prior to exfiltration.[79]
G1040 Play

Play has used WinRAR to compress files prior to exfiltration.[80][81]
S0428 PoetRAT

PoetRAT has the ability to compress files with zip.[82]
S0378 PoshC2

PoshC2 contains a module for compressing data using ZIP.[83]
S0441 PowerShower

PowerShower has used 7Zip to compress .txt, .pdf, .xls or .doc files prior to exfiltration.[84]
S1228 PUBLOAD

PUBLOAD has used utilities such as WinRAR to archive data prior to exfiltration.[85]
S0196 PUNCHBUGGY

PUNCHBUGGY has Gzipped information and saved it to a random temp file before exfil.[86]

S0192 Pupy

Pupy can compress data with Zip before sending it over C2.[87]
S0458 Ramsay

Ramsay can compress and archive collected files using WinRAR.[88][89]
S1040 Rclone

Rclone can compress files using gzip prior to exfiltration.[90]
G1039 RedCurl

RedCurl has downloaded 7-Zip to decompress password protected archives.[91]

S1210 Sagerunex

Sagerunex has archived collected materials in RAR format.[58]
S1168 SampleCheck5000

SampleCheck5000 can gzip compress files uploaded to a shared mailbox used for C2 and exfiltration.[92]
G1041 Sea Turtle

Sea Turtle used the tar utility to create a local archive of email data on a victim system.[93]
C0024 SolarWinds Compromise

During the SolarWinds Compromise, APT29 used 7-Zip to compress stolen emails into password-protected archives prior to exfltration; APT29 also compressed text files into zipped archives.[94][95][96]
G0054 Sowbug

Sowbug extracted documents and bundled them into a RAR archive.[97]
G1022 ToddyCat

ToddyCat has leveraged xcopy, 7zip, and RAR to stage and compress collected documents prior to exfiltration.[98]
S1239 TONESHELL

TONESHELL used WinRAR rar.exe to archive files for exfiltration.[72][71] TONESHELL has also utilized a unique 13-character password consisting of upper lower case and digits to protect RAR archives.[71]
S0647 Turian

Turian can use WinRAR to create a password-protected archive for files of interest.[99]
G0010 Turla

Turla has encrypted files stolen from connected USB drives into a RAR file before exfiltration.[100]
G1048 UNC3886

UNC3886 has used Gzip and the Windows command makecab to compress files and stolen credentials from victim systems.[101][102]
G1017 Volt Typhoon

Volt Typhoon has archived the ntds.dit database as a multi-volume password-protected archive with 7-Zip.[103][104]
S0466 WindTail

WindTail has the ability to use the macOS built-in zip utility to archive files.[105]
G0102 Wizard Spider

Wizard Spider has archived data into ZIP files on compromised machines.[106]

Mitigations

ID Mitigation Description
M1047 Audit

System scans can be performed to identify unauthorized archival utilities.

Detection Strategy

ID Name Analytic ID Analytic Description
DET0298 Detect Archiving via Utility (T1560.001) AN0831

Detects adversarial archiving using built-in or third-party utilities (makecab, diantz, xcopy, certutil, 7z, WinRAR, WinZip). Correlates suspicious process creation events with command-line arguments for compression/encoding, followed by creation of archive files (.cab, .zip, .7z, .rar). Identifies anomalous loading of crypt32.dll for encryption operations or execution of diantz.exe to compress remotely staged files.
AN0832

Detects execution of archiving utilities (tar, gzip, bzip2, xz, zip, openssl) followed by suspicious archive file creation. Correlates archive creation in temporary or staging directories with execution of commands involving compression or encryption options.
AN0833

Detects invocation of macOS-native archiving utilities (zip, ditto, hdiutil) or openssl used for encryption. Correlates execution with archive or encrypted file creation (.zip, .dmg, .tar.gz) in user or temporary directories. Identifies anomalous use of archiving commands by Office applications or daemons.

References

  1. Living Off The Land Binaries, Scripts and Libraries (LOLBAS). (n.d.). Diantz.exe. Retrieved October 25, 2021.
  2. I. Pavlov. (2019). 7-Zip. Retrieved February 20, 2020.
  3. A. Roshal. (2020). RARLAB. Retrieved February 20, 2020.
  4. Corel Corporation. (2020). WinZip. Retrieved February 20, 2020.
  5. Or Chechik, Tom Fakterman, Daniel Frank & Assaf Dahan. (2023, November 6). Agonizing Serpens (Aka Agrius) Targeting the Israeli Higher Education and Tech Sectors. Retrieved May 22, 2024.
  6. Secureworks. (n.d.). GOLD SAHARA. Retrieved February 20, 2024.
  7. Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved June 10, 2021.
  8. Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016.
  9. NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved July 26, 2021.
  10. Koessel, Sean. Adair, Steven. Lancaster, Tom. (2024, November 22). The Nearest Neighbor Attack: How A Russian APT Weaponized Nearby Wi-Fi Networks for Covert Access. Retrieved February 25, 2025.
  11. valsmith. (2012, September 21). More on APTSim. Retrieved September 28, 2017.
  12. Security Response attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.. Retrieved April 10, 2019.
  13. Hawley et al. (2019, January 29). APT39: An Iranian Cyber Espionage Group Focused on Personal Information. Retrieved February 19, 2019.
  14. Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019.
  15. DCSO CyTec Blog. (2022, December 24). APT41 — The spy who failed to encrypt me. Retrieved June 13, 2024.
  16. Mike Stokkel et al. (2024, July 18). APT41 Has Arisen From the DUST. Retrieved September 16, 2024.
  17. Perez, D. et al. (2021, May 27). Re-Checking Your Pulse: Updates on Chinese APT Actors Compromising Pulse Secure VPN Devices. Retrieved February 5, 2024.
  18. Wiley, B. et al. (2021, December 29). OverWatch Exposes AQUATIC PANDA in Possession of Log4Shell Exploit Tools During Hands-on Intrusion Attempt. Retrieved January 18, 2022.
  19. CrowdStrike. (2023). 2022 Falcon OverWatch Threat Hunting Report. Retrieved May 20, 2024.
  20. Kirill Boychenko. (2025, July 14). Contagious Interview Campaign Escalates With 67 Malicious npm Packages and New Malware Loader. Retrieved October 19, 2025.
  21. Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018.
  22. Chen, J. et al. (2019, November). Operation ENDTRADE: TICK’s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020.
  23. Hawley, S. et al. (2023, February 2). Turla: A Galaxy of Opportunity. Retrieved May 15, 2023.
  24. Kuzin, M., Zelensky S. (2018, July 20). Calisto Trojan for macOS. Retrieved September 7, 2018.
  25. Pantig, J. (2018, July 30). OSX.Calisto. Retrieved September 7, 2018.
  26. Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022.
  27. Microsoft. (2012, November 14). Certutil. Retrieved July 3, 2017.
  28. LOLBAS. (n.d.). Certutil.exe. Retrieved July 31, 2019.
  29. Cycraft. (2020, April 15). APT Group Chimera - APT Operation Skeleton key Targets Taiwan Semiconductor Vendors. Retrieved August 24, 2020..
  30. Jansen, W . (2021, January 12). Abusing cloud services to fly under the radar. Retrieved September 12, 2024.
  31. ClearSky Cyber Security and Trend Micro. (2017, July). Operation Wilted Tulip: Exposing a cyber espionage apparatus. Retrieved August 21, 2017.
  32. FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved November 17, 2024.
  33. Faou, M. (2020, December 2). Turla Crutch: Keeping the “back door” open. Retrieved December 4, 2020.
  34. Lin, M. et al. (2024, January 31). Cutting Edge, Part 2: Investigating Ivanti Connect Secure VPN Zero-Day Exploitation. Retrieved February 27, 2024.
  35. DiMaggio, J. (2016, April 28). Tick cyberespionage group zeros in on Japan. Retrieved July 16, 2018.
  36. GReAT. (2019, April 10). Gaza Cybergang Group1, operation SneakyPastes. Retrieved May 13, 2020.
  37. Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022.
  38. Sygnia Incident Response Team. (2022, January 5). TG2003: ELEPHANT BEETLE UNCOVERING AN ORGANIZED FINANCIAL-THEFT OPERATION. Retrieved February 9, 2023.
  39. Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018.
  40. CISA. (2020, September 15). Iran-Based Threat Actor Exploits VPN Vulnerabilities. Retrieved December 21, 2020.
  41. Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019.
  42. MSTIC. (2019, December 12). GALLIUM: Targeting global telecom. Retrieved January 13, 2021.
  43. Symantec Security Response. (2018, October 10). Gallmaker: New Attack Group Eschews Malware to Live off the Land. Retrieved November 27, 2018.
  44. MSTIC. (2021, March 2). HAFNIUM targeting Exchange Servers with 0-day exploits. Retrieved March 3, 2021.
  45. Gruzweig, J. et al. (2021, March 2). Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities. Retrieved March 3, 2021.
  46. CrowdStrike. (2022, May). ICEAPPLE: A NOVEL INTERNET INFORMATION SERVICES (IIS) POST-EXPLOITATION FRAMEWORK. Retrieved June 27, 2022.
  47. Patrick Wardle. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018.
  48. Team Huntress. (2023, August 11). Investigating New INC Ransom Group Activity. Retrieved June 5, 2024.
  49. Counter Threat Unit Research Team. (2024, April 15). GOLD IONIC DEPLOYS INC RANSOMWARE. Retrieved June 5, 2024.
  50. SOCRadar. (2024, January 24). Dark Web Profile: INC Ransom. Retrieved June 5, 2024.
  51. Carvey, H. (2024, May 1). LOLBin to INC Ransomware. Retrieved June 5, 2024.
  52. Matej Havranek. (2025, February 20). DeceptiveDevelopment targets freelance developers. Retrieved October 17, 2025.
  53. Seongsu Park. (2024, November 4). From Pyongyang to Your Payroll: The Rise of North Korean Remote Workers in the West. Retrieved October 17, 2025.
  1. Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.
  2. Villeneuve, N., Bennett, J. T., Moran, N., Haq, T., Scott, M., & Geers, K. (2014). OPERATION “KE3CHANG”: Targeted Attacks Against Ministries of Foreign Affairs. Retrieved November 12, 2014.
  3. MSTIC. (2021, December 6). NICKEL targeting government organizations across Latin America and Europe. Retrieved March 18, 2022.
  4. An, J and Malhotra, A. (2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. Retrieved December 29, 2021.
  5. Joey Chen, Cisco Talos. (2025, February 27). Lotus Blossom espionage group targets multiple industries with different versions of Sagerunex and hacking tools. Retrieved March 15, 2025.
  6. Symntec Threat Hunter Team. (2022, November 12). Billbug: State-sponsored Actor Targets Cert Authority, Government Agencies in Multiple Asian Countries. Retrieved March 15, 2025.
  7. Jurčacko, F. (2024, May 15). To the Moon and back(doors): Lunar landing in diplomatic missions. Retrieved June 26, 2024.
  8. Mandiant. (2018). Mandiant M-Trends 2018. Retrieved November 17, 2024.
  9. DFIR Report. (2022, March 21). APT35 Automates Initial Access Using ProxyShell. Retrieved May 25, 2022.
  10. DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. Retrieved January 5, 2023.
  11. PwC and BAE Systems. (2017, April). Operation Cloud Hopper. Retrieved April 5, 2017.
  12. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
  13. Symantec. (2020, November 17). Japan-Linked Organizations Targeted in Long-Running and Sophisticated Attack Campaign. Retrieved December 17, 2020.
  14. Tsarfaty, Y. (2018, July 25). Micropsia Malware. Retrieved November 13, 2018.
  15. Symantec DeepSight Adversary Intelligence Team. (2018, December 10). Seedworm: Group Compromises Government Agencies, Oil & Gas, NGOs, Telecoms, and IT Firms. Retrieved December 14, 2018.
  16. Counter Threat Unit Research Team. (2019, December 29). BRONZE PRESIDENT Targets NGOs. Retrieved April 13, 2021.
  17. Hamzeloofard, S. (2020, January 31). New wave of PlugX targets Hong Kong | Avira Blog. Retrieved April 13, 2021.
  18. Tom Fakterman. (2024, September 6). Chinese APT Abuses VSCode to Target Government in Asia. Retrieved March 24, 2025.
  19. Lior Rochberger, Tom Fakterman, Robert Falcone. (2023, September 22). Cyberespionage Attacks Against Southeast Asian Government Linked to Stately Taurus, Aka Mustang Panda. Retrieved September 9, 2025.
  20. Cherepanov, A. (2018, October 4). Nomadic Octopus Cyber espionage in Central Asia. Retrieved October 13, 2021.
  21. Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020.
  22. Lee, B., Falcone, R. (2018, February 23). OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan. Retrieved July 16, 2018.
  23. Cybereason Nocturnus. (2022, May 4). Operation CuckooBees: Deep-Dive into Stealthy Winnti Techniques. Retrieved September 22, 2022.
  24. Breitenbacher, D and Osis, K. (2020, June 17). OPERATION IN(TER)CEPTION: Targeted Attacks Against European Aerospace and Military Companies. Retrieved December 20, 2021.
  25. Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.
  26. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
  27. CISA. (2023, December 18). #StopRansomware: Play Ransomware AA23-352A. Retrieved September 24, 2024.
  28. Trend Micro Research. (2023, July 21). Ransomware Spotlight: Play. Retrieved September 24, 2024.
  29. Mercer, W, et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020.
  30. Nettitude. (2018, July 23). Python Server for PoshC2. Retrieved April 23, 2019.
  31. GReAT. (2019, August 12). Recent Cloud Atlas activity. Retrieved May 8, 2020.
  32. Lenart Bermejo, Sunny Lu, Ted Lee. (2024, September 9). Earth Preta Evolves its Attacks with New Malware and Strategies. Retrieved August 4, 2025.
  33. Gorelik, M.. (2019, June 10). SECURITY ALERT: FIN8 IS BACK IN BUSINESS, TARGETING THE HOSPITALITY INDUSTRY. Retrieved June 13, 2019.
  34. Nicolas Verdier. (n.d.). Retrieved January 29, 2018.
  35. Sanmillan, I.. (2020, May 13). Ramsay: A cyber‑espionage toolkit tailored for air‑gapped networks. Retrieved May 27, 2020.
  36. Antiy CERT. (2020, April 20). Analysis of Ramsay components of Darkhotel's infiltration and isolation network. Retrieved March 24, 2021.
  37. Nick Craig-Wood. (n.d.). Rclone syncs your files to cloud storage. Retrieved August 30, 2022.
  38. Tancio et al. (2024, March 6). Unveiling Earth Kapre aka RedCurl’s Cyberespionage Tactics With Trend Micro MDR, Threat Intelligence. Retrieved August 9, 2024.
  39. Hromcova, Z. and Burgher, A. (2023, December 14). OilRig’s persistent attacks using cloud service-powered downloaders. Retrieved November 26, 2024.
  40. Hunt & Hackett Research Team. (2024, January 5). Turkish espionage campaigns in the Netherlands. Retrieved November 20, 2024.
  41. Cash, D. et al. (2020, December 14). Dark Halo Leverages SolarWinds Compromise to Breach Organizations. Retrieved December 29, 2020.
  42. MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop . Retrieved January 22, 2021.
  43. CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022.
  44. Symantec Security Response. (2017, November 7). Sowbug: Cyber espionage group targets South American and Southeast Asian governments. Retrieved November 16, 2017.
  45. Dedola, G. et al. (2023, October 12). ToddyCat: Keep calm and check logs. Retrieved January 3, 2024.
  46. Adam Burgher. (2021, June 10). BackdoorDiplomacy: Upgrading from Quarian to Turian. Retrieved September 1, 2021
  47. Symantec DeepSight Adversary Intelligence Team. (2019, June 20). Waterbug: Espionage Group Rolls Out Brand-New Toolset in Attacks Against Governments. Retrieved July 8, 2019.
  48. Alexander Marvi, Jeremy Koppen, Tufail Ahmed, and Jonathan Lepore. (2022, September 29). Bad VIB(E)s Part One: Investigating Novel Malware Persistence Within ESXi Hypervisors. Retrieved March 26, 2025.
  49. Punsaen Boonyakarn, Shawn Chew, Logeswaran Nadarajan, Mathew Potaczek, Jakub Jozwiak, and Alex Marvi. (2024, June 18). Cloaked and Covert: Uncovering UNC3886 Espionage Operations. Retrieved September 24, 2024.
  50. Counter Threat Unit Research Team. (2023, May 24). Chinese Cyberespionage Group BRONZE SILHOUETTE Targets U.S. Government and Defense Organizations. Retrieved July 27, 2023.
  51. CISA et al.. (2024, February 7). PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure. Retrieved May 15, 2024.
  52. Wardle, Patrick. (2019, January 15). Middle East Cyber-Espionage analyzing WindShift's implant: OSX.WindTail (part 2). Retrieved October 3, 2019.
  53. Shilko, J., et al. (2021, October 7). FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets. Retrieved June 15, 2023.