MalwareUsed by 1 actor

7-Zip

7-Zip is a legitimate archive utility that threat actors have used during post-compromise collection and exfiltration. In the provided reporting, it was observed in UNC2447 intrusions as part of recon and exfiltration activity, and in a China-linked UAT-8837 campaign exploiting Sitecore CVE-2025-53690, where attackers compressed sensitive files prior to exfiltration. Specifically, the content states that files such as web.config and Windows registry hives were compressed with 7-Zip before being transferred to attacker-controlled infrastructure. The activity is mapped to MITRE ATT&CK T1560.001 (Archive via Utility). The content does not describe 7-Zip itself as malware, but as a dual-use utility leveraged by threat actors including UNC2447 and UAT-8837.

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial

THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details

UNC2447

...UNC2447 has been observed using the following tools: ... 7ZIP.

via mandiant threat intelligencecloud.google.com

MITRE ATT&CK

Techniques & procedures

11 distinct techniques documented for this family, organized by ATT&CK tactic.

Stealth

2 techniques

T1027.015CompressionEvidence2

“7-zip… compress data to evade detection [T1027.015].”

T1140Deobfuscate/Decode Files or InformationEvidence1

During the SolarWinds Compromise, APT29 used 7-Zip to decode their Raindrop malware.

Collection

5 techniques

T1005Data from Local SystemEvidence1

MAZE Group 1 mapping includes “T1005: Data from Local System,” and narrative describes collecting directory listings and archiving data prior to exfiltration.

T1039Data from Network Shared DriveEvidence1

MAZE Group 2/3 mappings include “T1039: Data from Network Shared Drive,” and narrative describes archiving data from corporate file shares.

T1074Data StagedEvidence3

Data Discovery and Staging → with AV blinded and lateral movement achieved, attackers enumerate datastores, databases, and file servers. Common techniques include native tools (Robocopy, PowerShell, xcopy), compressing to encrypted 7-Zip or WinRAR archives on staging hosts... The SFTP server compromise likely served as a staging or exfiltration relay here.

T1560Archive Collected DataEvidence16

INC ransomware actors compress and password-protect the staged data with 7-Zip...

T1560.001Archive via UtilityEvidence18

Stolen data is compressed with 7-Zip before being uploaded to attacker-controlled storage via rclone.

Command and Control

1 technique

T1105Ingress Tool TransferEvidence5

The initial Firefox activity included searches for the Tor browser, a download of 7-Zip, a ScreenConnect installer, and an archive named rer.zip.

Exfiltration

3 techniques

T1020Automated ExfiltrationEvidence1

Victims who refuse to pay face not only locked systems but also the exposure of sensitive corporate records on INC’s data leak site.

T1567Exfiltration Over Web ServiceEvidence1

INC ransomware actors compress and password-protect the staged data with 7-Zip, then upload the archives to attacker-controlled cloud storage using rclone.

T1567.002Exfiltration to Cloud StorageEvidence1

Stolen data is compressed with 7-Zip before being uploaded to attacker-controlled storage via rclone.

ACTIVITY FEED

Recent activity

3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

3 SOURCESView more in app

secpod blogNews

Jan 19, 2026

Unmasking UAT-8837: The Zero-Day Exploit That Could Ruin Your Year - SecPod Blog

Legitimate compression utility abused to stage data for exfiltration (e.g., compressing web.config and registry hives such as SAM/SYSTEM).

arctic wolf blogNews

Oct 24, 2024

Arctic Wolf Labs Observes Increased Fog and Akira Ransomware Activity Linked to SonicWall SSL VPN - Arctic Wolf

Archiving utility used to compress/stage data prior to exfiltration.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

Start free trial

IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution1

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping11

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.