Description
Adversaries may use compression to obfuscate their payloads or files. Compressed file formats such as ZIP, gzip, 7z, and RAR can compress and archive multiple files together to make it easier and faster to transfer files. In addition to compressing files, adversaries may also compress shellcode directly - for example, in order to store it in a Windows Registry key (i.e., Fileless Storage).(Citation: Trustwave Pillowmint June 2020)
To further evade detection, adversaries may concatenate multiple ZIP files into one archive. The result looks like a single archive, but each embedded archive keeps its own central directory and end-of-central-directory record, and a ZIP reader will typically locate and parse only one of them. Some ZIP readers, such as 7zip, may not identify the concatenation and so miss the malicious payload.(Citation: Perception Point)
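The concatenation behaviour described above, as an added example that is not part of the original page or of the cited research: the script builds two small ZIP archives in memory, joins them, and compares what Python's zipfile module (which locates one end-of-central-directory record and trusts it) reports against a scan that enumerates every EOCD record and parses the central directory behind each. The archive names and contents are constructed for the demo.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # end-of-central-directory record signature
CDIR_SIG = b"PK\x01\x02"   # central-directory file header signature


def build_zip(files):
    """Build a ZIP archive in memory (stored, not deflated, so the sample
    bytes stay predictable)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


def find_eocd_records(data):
    """Offsets of every EOCD signature in the blob; a normal archive has one."""
    offsets = []
    pos = data.find(EOCD_SIG)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(EOCD_SIG, pos + len(EOCD_SIG))
    return offsets


def central_directory_names(data, eocd_off):
    """Filenames listed in the central directory that ends at eocd_off.

    The offset stored in the EOCD record is relative to the start of the
    embedded archive, not the whole file, so the directory is located from
    the EOCD position instead (assumes no ZIP64 locator sits between them).
    """
    total_entries, cd_size = struct.unpack_from("<HL", data, eocd_off + 10)
    pos = eocd_off - cd_size
    if pos < 0:
        raise ValueError("central directory size exceeds preceding data")
    names = []
    for _ in range(total_entries):
        if data[pos:pos + 4] != CDIR_SIG:
            raise ValueError("no central directory entry at offset %d" % pos)
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        names.append(data[pos + 46:pos + 46 + name_len].decode("utf-8"))
        pos += 46 + name_len + extra_len + comment_len
    return names


def scan_concatenated_zip(data):
    """One filename list per embedded archive, in file order. Candidate EOCD
    signatures that do not lead to a valid central directory (e.g. a chance
    match inside compressed data) are skipped."""
    archives = []
    for off in find_eocd_records(data):
        try:
            archives.append(central_directory_names(data, off))
        except (ValueError, UnicodeDecodeError, struct.error):
            continue
    return archives


def stock_reader_names(data):
    """What Python's zipfile module reports: it trusts a single EOCD record."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


# Constructed sample: a benign-looking archive followed by a second archive
# that carries a script. The script body is a placeholder, not a payload.
BENIGN = build_zip({"invoice.txt": b"Thanks for your order.\n"})
SECOND = build_zip({"invoice.js": b"// placeholder script body\n"})
CONCATENATED = BENIGN + SECOND

if __name__ == "__main__":
    print("EOCD records found:", len(find_eocd_records(CONCATENATED)))
    print("zipfile reports   :", stock_reader_names(CONCATENATED))
    print("full scan reports :", scan_concatenated_zip(CONCATENATED))
```

A mail gateway or sandbox that sees more than one validated EOCD record in a single attachment should unpack every embedded archive rather than whichever one its ZIP library happens to honour; the scan above is deliberately independent of any library's choice.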
File archives may be sent as a single Spearphishing Attachment through email. Adversaries have sent malicious payloads as archived files to encourage the user to interact with and extract the malicious payload onto their system (i.e., Malicious File).(Citation: NTT Security Flagpro new December 2021) Some file compression tools, such as 7zip, can also produce self-extracting (SFX) archives: an executable stub with the archive appended, which unpacks (and can run) its contents when launched. Adversaries may send self-extracting archives to hide the functionality of their payload and launch it without requiring multiple actions from the user.(Citation: The Hacker News)
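An added triage check for the self-extracting case (example code, not from the page or from the cited reporting): an SFX is a PE executable with the archive appended after the last section, so a script can compute where the overlay starts from the PE section table and look for archive magic bytes there. The minimal MZ/PE image built by build_fake_pe is constructed for the demo and is not a loadable executable.

```python
import io
import struct
import zipfile

# Magic bytes of archive formats commonly wrapped in SFX stubs.
ARCHIVE_MAGICS = {
    b"PK\x03\x04": "zip",
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"Rar!\x1a\x07": "rar",
}


def pe_overlay_offset(data):
    """Offset of the first byte past the last PE section, i.e. where any
    appended data (the overlay) starts. Returns None for non-PE input."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    try:
        (e_lfanew,) = struct.unpack_from("<L", data, 0x3C)
        if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
            return None
        (num_sections,) = struct.unpack_from("<H", data, e_lfanew + 6)
        (size_opt,) = struct.unpack_from("<H", data, e_lfanew + 20)
        first_section = e_lfanew + 24 + size_opt
        end = first_section + 40 * num_sections
        for i in range(num_sections):
            size_raw, ptr_raw = struct.unpack_from("<LL", data, first_section + 40 * i + 16)
            end = max(end, ptr_raw + size_raw)
    except struct.error:
        return None
    return end


def embedded_archive_kind(data):
    """Return 'zip', '7z' or 'rar' if an archive signature appears in the
    overlay of a PE file, else None. SFX stubs may carry a small config
    block ahead of the archive, so the overlay is searched rather than
    matched only at its first byte."""
    start = pe_overlay_offset(data)
    if start is None or start >= len(data):
        return None
    overlay = data[start:]
    for magic, kind in ARCHIVE_MAGICS.items():
        if overlay.find(magic) != -1:
            return kind
    return None


def build_fake_pe(section_bytes, overlay=b""):
    """Constructed minimal MZ/PE image with one section: enough header to
    be parsed above, not a runnable program."""
    e_lfanew = 0x40
    size_opt = 0xE0  # PE32 optional header size, left zeroed here
    raw_ptr = 0x400  # file offset of the section data
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<L", e_lfanew)
    coff = struct.pack("<HHLLLHH", 0x14C, 1, 0, 0, 0, size_opt, 0x0102)
    section = struct.pack("<8sLLLLLLHHL", b".text", len(section_bytes), 0x1000,
                          len(section_bytes), raw_ptr, 0, 0, 0, 0, 0x60000020)
    head = dos + b"PE\x00\x00" + coff + b"\x00" * size_opt + section
    return head.ljust(raw_ptr, b"\x00") + section_bytes + overlay


# Constructed samples: a plain stub, and the same stub with a ZIP appended.
STUB_BODY = b"\xC3" * 16  # sixteen 'ret' bytes stand in for real code
PLAIN_PE = build_fake_pe(STUB_BODY)
_buf = io.BytesIO()
with zipfile.ZipFile(_buf, "w") as _zf:
    _zf.writestr("setup.bat", b"rem placeholder body\r\n")
SFX_LIKE = build_fake_pe(STUB_BODY, overlay=_buf.getvalue())

if __name__ == "__main__":
    print("plain stub :", embedded_archive_kind(PLAIN_PE))
    print("sfx-like   :", embedded_archive_kind(SFX_LIKE))
```

Treat this as a first pass: a custom stub that encrypts or encodes its appended archive defeats a magic-byte check, which is why the mitigation below asks for products that actually unpack SFX archives rather than merely recognising them.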
Compression may be used in combination with Encrypted/Encoded File, where compressed files are encrypted and password-protected; a scanner that does not have the password cannot inspect the archive's contents, which stay opaque until the user extracts them.
Platforms
Mitigations (1)
M1049 Antivirus/Antimalware
Anti-virus can be used to automatically detect and quarantine suspicious files. Consider anti-virus products capable of unpacking and inspecting compressed files recursively, as well as analyzing SFX archives.
Threat Groups (10)
| ID | Group | Context |
|---|---|---|
| G0021 | Molerats | [Molerats](https://attack.mitre.org/groups/G0021) has delivered compressed executables within ZIP files to victims.(Citation: Kaspersky MoleRATs April... |
| G0027 | Threat Group-3390 | [Threat Group-3390](https://attack.mitre.org/groups/G0027) malware is compressed with LZNT1 compression.(Citation: Nccgroup Emissary Panda May 2018)(C... |
| G1055 | VOID MANTICORE | [VOID MANTICORE](https://attack.mitre.org/groups/G1055) has compressed their payloads by leveraging zip files.(Citation: FBI IC3 Flash VOID MANTICORE ... |
| G0047 | Gamaredon Group | [Gamaredon Group](https://attack.mitre.org/groups/G0047) has delivered malicious payloads within compressed archives and zip files. (Citation: VenereC... |
| G0126 | Higaisa | [Higaisa](https://attack.mitre.org/groups/G0126) used Base64 encoded compressed payloads.(Citation: Malwarebytes Higaisa 2020)(Citation: Zscaler Higai... |
| G1018 | TA2541 | [TA2541](https://attack.mitre.org/groups/G1018) has used compressed and char-encoded scripts in operations.(Citation: Cisco Operation Layover Septembe... |
| G0103 | Mofang | [Mofang](https://attack.mitre.org/groups/G0103) has compressed the [ShimRat](https://attack.mitre.org/software/S0444) executable within malicious emai... |
| G0094 | Kimsuky | [Kimsuky](https://attack.mitre.org/groups/G0094) has delivered malicious payloads within Zip archives.(Citation: Gen Digital Kimsuky HTTPTroy October ... |
| G0090 | WIRTE | [WIRTE](https://attack.mitre.org/groups/G0090) has compressed malicious files within RAR and ZIP archives for obfuscation. (Citation: Check Point Wir... |
| G0065 | Leviathan | [Leviathan](https://attack.mitre.org/groups/G0065) has obfuscated code using gzip compression.(Citation: Proofpoint Leviathan Oct 2017) |
Associated Software (25)
| ID | Name | Type | Context |
|---|---|---|---|
| S0453 | Pony | Malware | [Pony](https://attack.mitre.org/software/S0453) attachments have been delivered via compressed archive files.(Citation: Malwarebytes Pony April 2016) |
| S0673 | DarkWatchman | Malware | [DarkWatchman](https://attack.mitre.org/software/S0673) has been delivered as compressed RAR payloads in ZIP files to victims.(Citation: Prevailion Da... |
| S0499 | Hancitor | Malware | [Hancitor](https://attack.mitre.org/software/S0499) has delivered compressed payloads in ZIP files to victims.(Citation: FireEye Hancitor) |
| S0148 | RTM | Malware | [RTM](https://attack.mitre.org/software/S0148) has been delivered to targets as various archive files including ZIP, 7-ZIP, and RAR.(Citation: ESET R... |
| S1188 | Line Runner | Malware | [Line Runner](https://attack.mitre.org/software/S1188) uses a ZIP payload that is automatically extracted with its contents, a LUA script, executed fo... |
| S1050 | PcShare | Tool | [PcShare](https://attack.mitre.org/software/S1050) has been compressed with LZW algorithm.(Citation: Bitdefender FunnyDream Campaign November 2020) |
| S1228 | PUBLOAD | Malware | [PUBLOAD](https://attack.mitre.org/software/S1228) has been delivered as compressed files within ZIP files to victims.(Citation: Lab52 MUSTANG PANDA P... |
| S0517 | Pillowmint | Malware | [Pillowmint](https://attack.mitre.org/software/S0517) has been compressed and stored within a registry key.(Citation: Trustwave Pillowmint June 2020) |
| S0466 | WindTail | Malware | [WindTail](https://attack.mitre.org/software/S0466) can be delivered as a compressed, encrypted, and encoded payload.(Citation: objective-see windtail... |
| S9020 | LODEINFO | Malware | [LODEINFO](https://attack.mitre.org/software/S9020) components have been compressed with zip for delivery.(Citation: Kaspersky LODEINFO OCT 2022) |
| S1183 | StrelaStealer | Malware | [StrelaStealer](https://attack.mitre.org/software/S1183) has been delivered via JScript files in a ZIP archive.(Citation: PaloAlto StrelaStealer 2024)... |
| S0559 | SUNBURST | Malware | [SUNBURST](https://attack.mitre.org/software/S0559) strings were compressed and encoded in Base64.(Citation: Microsoft Analyzing Solorigate Dec 2020) |
| S0665 | ThreatNeedle | Malware | [ThreatNeedle](https://attack.mitre.org/software/S0665) has been compressed and obfuscated.(Citation: Kaspersky ThreatNeedle Feb 2021) |
| S1099 | Samurai | Malware | [Samurai](https://attack.mitre.org/software/S1099) can deliver its final payload as a compressed, encrypted and base64-encoded blob.(Citation: Kaspers... |
| S0141 | Winnti for Windows | Malware | [Winnti for Windows](https://attack.mitre.org/software/S0141) has the ability to encrypt and compress its payload.(Citation: Novetta Winnti April 2015... |
| S0664 | Pandora | Malware | [Pandora](https://attack.mitre.org/software/S0664) has the ability to compress strings with QuickLZ.(Citation: Trend Micro Iron Tiger April 2021) |
| S1081 | BADHATCH | Malware | [BADHATCH](https://attack.mitre.org/software/S1081) can be compressed with the aPLib algorithm.(Citation: BitDefender BADHATCH Mar 2021) |
| S0697 | HermeticWiper | Malware | [HermeticWiper](https://attack.mitre.org/software/S0697) can compress 32-bit and 64-bit driver files with the Lempel-Ziv algorithm.(Citation: Symantec... |
| S0444 | ShimRat | Malware | [ShimRat](https://attack.mitre.org/software/S0444) has been delivered as a package that includes compressed DLL and shellcode payloads within a .dat f... |
| S0662 | RCSession | Malware | [RCSession](https://attack.mitre.org/software/S0662) can compress and obfuscate its strings to evade detection on a compromised host.(Citation: Trend ... |
References
- Vaiselbuh, A., & Cabra, P. (2024, November 7). Evasive ZIP Concatenation: Trojan Targets Windows Users. Perception Point. Retrieved March 3, 2025.
- Hada, H. (2021, December 28). Flagpro: The new malware used by BlackTech. NTT Security. Retrieved March 25, 2022.
- Lakshmanan, R. (2023, April 5). Hackers Using Self-Extracting Archives Exploit for Stealthy Backdoor Attacks. The Hacker News. Retrieved March 3, 2025.
- Trustwave SpiderLabs. (2020, June 22). Pillowmint: FIN7's Monkey Thief. Retrieved July 27, 2020.
Frequently Asked Questions
What is T1027.015 (Compression)?
T1027.015 is a MITRE ATT&CK sub-technique named 'Compression', under T1027 (Obfuscated Files and Information) in the Defense Evasion tactic. Adversaries may use compression to obfuscate their payloads or files. Compressed file formats such as ZIP, gzip, 7z, and RAR can compress and archive multiple files together to make it easier and faster to transfer files.
How can T1027.015 be detected?
Compression itself is not malicious, so detection focuses on the archives and on what they unpack into. Inspect email attachments and downloaded archives with tooling that unpacks nested archives recursively, flags ZIP files carrying more than one central directory (concatenated archives), and treats self-extracting executables and password-protected archives as higher risk than plain files. On the endpoint, correlate archive extraction with the files written and executed afterward, and look for compressed blobs stored in unusual places such as Registry values.
What mitigations exist for T1027.015?
There is one documented mitigation for T1027.015: Antivirus/Antimalware (M1049), with products that unpack compressed files recursively and analyze SFX archives.
Which threat groups use T1027.015?
Known threat groups using T1027.015 include: Molerats, Threat Group-3390, VOID MANTICORE, Gamaredon Group, Higaisa, TA2541, Mofang, Kimsuky, WIRTE, and Leviathan.