Mallory: Malware / Ransomware / Used by 3 actors

WinRAR

WinRAR is a legitimate file archiving utility that appears in the provided reporting primarily as a dual-use tool abused by threat actors for collection and staging of data prior to exfiltration. Across multiple incident reports, attackers installed or brought WinRAR into victim environments and used it to collect targeted files into RAR archives, including password-protected archives. In Akira ransomware intrusions, WinRAR was used to stage data for exfiltration, including use of the -hp flag to create password-protected archives such as data.rar through data6.rar from targeted document types on the D: drive. Field Effect also documented WinRAR as part of Akira activity targeting SonicWall SSL VPN environments and mapped its use to ATT&CK T1560.001 (Archive via Utility). Huntress likewise observed an intrusion likely tied to compromised SonicWall VPN access in which the threat actor staged data for exfiltration using WinRAR before later deploying a VMware ESXi exploit toolkit. NCC Group reported WinRAR being installed on a file server during an Everest ransomware incident to archive data for exfiltration, consistent with double-extortion activity. The FBI-led advisory on DPRK Andariel also lists WinRAR among open-source or dual-use tools used by the group. The content additionally references malicious WinRAR self-extracting archives (SFX) as a delivery mechanism in social-engineering activity, and one report claims Bitter APT attacks targeting China and Pakistan leveraged a WinRAR zero-day together with an Office macro and a new C# backdoor. High-confidence behavior directly supported by the content is that WinRAR is commonly used by threat actors to archive and password-protect stolen data in preparation for exfiltration.


THREAT ACTORS

Groups observed using it

3 distinct threat actors attributed by public researchers.
Bitter

"Bitter APT Attacks China/Pakistan with WinRAR Zero-Day and New C# Backdoor via Office Macro" (via Security Online, infosecurityonline.info)

Andariel

"...collect the relevant files into RAR archives, sometimes using a version of WinRAR brought into the victim's environment..." (via CISA alerts, cisa.gov)

Ke3chang

"Additional tools were recovered during the incident, including ... the archiving tool WinRAR ..." (via NCC Group research, nccgroup.com)
MITRE ATT&CK

Techniques & procedures

10 distinct techniques documented for this family, organized by ATT&CK tactic.

Stealth

3 techniques
T1036 Masquerading (evidence: 2)

APT28 has renamed the WinRAR utility to avoid detection.

T1070 Indicator Removal (evidence: 1)

They also removed tools after execution such as WinRAR.

T1140 Deobfuscate/Decode Files or Information (evidence: 1)

An APT28 macro uses the command certutil -decode to decode contents of a .txt file storing the base64 encoded payload.

Collection

3 techniques
T1074 Data Staged (evidence: 3)

Data Discovery and Staging → with AV blinded and lateral movement achieved, attackers enumerate datastores, databases, and file servers. Common techniques include native tools (Robocopy, PowerShell, xcopy), compressing to encrypted 7-Zip or WinRAR archives on staging hosts... The SFTP server compromise likely served as a staging or exfiltration relay here.

T1560 Archive Collected Data (evidence: 24)

WinRAR – An archive manager that can be used to archive or zip files - for example, prior to exfiltration.

T1560.001 Archive via Utility (evidence: 14)

Using WinRAR, the adversary compressed local data from compromised endpoints ... (T1560.001 Archive Collected Data: Archive via Utility).

Command and Control

1 technique
T1105 Ingress Tool Transfer (evidence: 1)

the threat actors downloaded and installed WinRAR... In one case, the actors installed both WinRAR and Google Chrome via explorer.exe

Exfiltration

3 techniques
T1041 Exfiltration Over C2 Channel (evidence: 1)

The Akira ransomware operators implement a double extortion model by exfiltrating victims’ data before encrypting it... Threat actors use FileZilla, WinRAR, WinSCP, and RClone for data exfiltration.

T1048 Exfiltration Over Alternative Protocol (evidence: 1)

Step 7 - Exfiltration T1048, T1560.001, T1567 | Operator Data staging with WinRAR ... Exfiltration via Rclone, WinSCP, FileZilla, or MegaSync to attacker-controlled cloud storage.

T1567.002 Exfiltration to Cloud Storage (evidence: 2)

Once the attackers collected data utilizing WinRAR, they exfiltrated the .rar files to easyupload.io via an Incognito tab in Google Chrome.
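The summary above describes the same pattern in several intrusions: RAR archives created with the -hp switch, sequentially named files such as data.rar through data6.rar, and in the T1036 evidence a renamed WinRAR binary. The following Python detection is an added example, not code from this page or from Mallory, showing how a defender can hunt for that pattern in process-creation telemetry by matching on RAR command-line syntax rather than on the image name, so a renamed binary is still caught. It assumes Sysmon/EDR-style events carrying an image path and a raw command line; the ProcEvent record layout, host and user names, and the sample command lines are constructed for the example. It only covers command-line invocations (rar.exe or WinRAR.exe driven by arguments), not archives created interactively in the WinRAR GUI.

```python
import re
import shlex
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Standard image names of the RAR command-line and GUI binaries.
RAR_IMAGES = {"rar.exe", "winrar.exe"}
# RAR verbs that create or add to an archive: a=add, u=update, m=move.
RAR_CREATE_VERBS = {"a", "u", "m"}
# -hp<pwd> encrypts file data and headers; -p<pwd> encrypts data only.
ENCRYPT_SWITCH = re.compile(r"^-(hp|p)", re.IGNORECASE)
# Archives like data.rar, data1.rar ... data6.rar share a stem plus an optional
# numeric suffix; several of them on one host look like staging (T1074).
SEQ_ARCHIVE = re.compile(r"^(?P<stem>[a-z_]+?)(?P<n>\d*)\.rar$", re.IGNORECASE)
MIN_SEQUENCE = 3


@dataclass(frozen=True)
class ProcEvent:          # assumed, simplified process-creation record
    host: str
    user: str
    image: str            # full path of the executed binary
    cmdline: str          # raw command line as logged


@dataclass(frozen=True)
class Finding:
    host: str
    technique: str
    reason: str
    archive: Optional[str] = None


def _basename(path: str) -> str:
    return path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1]


def _tokens(cmdline: str) -> list[str]:
    # Windows command lines: no POSIX backslash escaping, keep quoted paths intact.
    return [t.strip('"') for t in shlex.split(cmdline, posix=False)]


def analyze_event(ev: ProcEvent) -> list[Finding]:
    """Flag RAR archive creation (T1560.001), note header/data encryption, and flag
    RAR syntax executed from a non-standard image name (T1036) for one event."""
    toks = _tokens(ev.cmdline)
    if len(toks) < 3:
        return []
    verb = toks[1].lower()
    switches = [t for t in toks[2:] if t.startswith("-")]
    operands = [t for t in toks[2:] if not t.startswith("-")]
    archives = [t for t in operands if t.lower().endswith(".rar")]
    if verb not in RAR_CREATE_VERBS or not archives:
        return []  # extraction, listing, or not RAR syntax at all
    image = _basename(ev.image).lower()
    archive = _basename(archives[0])
    findings = []
    if any(ENCRYPT_SWITCH.match(s) for s in switches):
        findings.append(Finding(ev.host, "T1560.001",
                                "password-protected RAR archive created (-hp/-p)", archive))
    else:
        findings.append(Finding(ev.host, "T1560.001", "RAR archive created", archive))
    if image not in RAR_IMAGES:
        findings.append(Finding(ev.host, "T1036",
                                f"RAR command syntax run from non-standard image {image}", archive))
    return findings


def staging_findings(findings: list[Finding]) -> list[Finding]:
    """Across one host, flag runs of archives that share a stem and differ only by
    a numeric suffix (data.rar, data1.rar, ...) as data staging (T1074)."""
    seen: dict[tuple[str, str], set[str]] = defaultdict(set)
    for f in findings:
        m = SEQ_ARCHIVE.match(f.archive) if f.archive else None
        if m:
            seen[(f.host, m.group("stem").lower())].add(f.archive.lower())
    return [Finding(host, "T1074",
                    f"{len(names)} sequential archives with stem '{stem}': "
                    + ", ".join(sorted(names)))
            for (host, stem), names in seen.items() if len(names) >= MIN_SEQUENCE]


def run_detection(events: list[ProcEvent]) -> list[Finding]:
    per_event = [f for ev in events for f in analyze_event(ev)]
    return per_event + staging_findings(per_event)


# Constructed sample telemetry (not from any real incident).
SAMPLE_EVENTS = [
    # Sequential encrypted archives from a file server, mirroring the -hp/data*.rar pattern.
    ProcEvent("FS01", "svc_backup", r"C:\Program Files\WinRAR\Rar.exe",
              r"Rar.exe a -r -hpS3cret D:\data.rar D:\*.docx D:\*.xlsx"),
    ProcEvent("FS01", "svc_backup", r"C:\Program Files\WinRAR\Rar.exe",
              r"Rar.exe a -r -hpS3cret D:\data1.rar D:\*.pdf"),
    ProcEvent("FS01", "svc_backup", r"C:\Program Files\WinRAR\Rar.exe",
              r"Rar.exe a -r -hpS3cret D:\data2.rar D:\Finance"),
    # Renamed rar binary (T1036) creating an encrypted archive on a workstation.
    ProcEvent("WS07", "jdoe", r"C:\Users\Public\svchost.exe",
              r'"C:\Users\Public\svchost.exe" a -r -hpX C:\Users\Public\out.rar C:\Users\jdoe\Documents'),
    # Benign extraction with the GUI binary: must not fire.
    ProcEvent("WS07", "jdoe", r"C:\Program Files\WinRAR\WinRAR.exe",
              r'"C:\Program Files\WinRAR\WinRAR.exe" x C:\Users\jdoe\Downloads\driver.rar'),
    # Unrelated process: must not fire.
    ProcEvent("WS07", "jdoe", r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir D:\\"),
]

if __name__ == "__main__":
    for f in run_detection(SAMPLE_EVENTS):
        print(f"{f.host:5} {f.technique:10} {f.reason}")
```

Matching on the verb and the `.rar` operand instead of the image name is what makes the T1036 case visible; pairing it with the T1070 evidence (tools removed after use) argues for alerting on the first encrypted-archive event rather than waiting for the binary to be found on disk.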

INDICATORS OF COMPROMISE

IOCs tracked for this family

2 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Network: 1 tracked (IPs, domains, and DNS infrastructure linked to this family).

Other: 1 tracked (other indicator types observed in public reporting).

Type | Value | Latest sighting
uri | (masked on the public page) | 7 years ago
ip.v4 | (masked on the public page) | 7 years ago