Skip to main content
Mallory
Back to malware
MalwareUsed by 1 actor

7-Zip

7-Zip is a legitimate archive utility that threat actors have used during post-compromise collection and exfiltration. In the provided reporting, it was observed in UNC2447 intrusions as part of recon and exfiltration activity, and in a China-linked UAT-8837 campaign exploiting Sitecore CVE-2025-53690, where attackers compressed sensitive files prior to exfiltration. Specifically, the content states that files such as web.config and Windows registry hives were compressed with 7-Zip before being transferred to attacker-controlled infrastructure. The activity is mapped to MITRE ATT&CK T1560.001 (Archive via Utility). The content does not describe 7-Zip itself as malware, but as a dual-use utility leveraged by threat actors including UNC2447 and UAT-8837.

Share:
For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial
THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details
UNC2447

...UNC2447 has been observed using the following tools: ... 7ZIP.

via mandiant threat intelligencecloud.google.com
MITRE ATT&CK

Techniques & procedures

8 distinct techniques documented for this family, organized by ATT&CK tactic.

Stealth

2 techniques
T1027.015CompressionEvidence2
TacticStealth

“7-zip… compress data to evade detection [T1027.015].”

T1140Deobfuscate/Decode Files or InformationEvidence1
TacticStealth

During the SolarWinds Compromise, APT29 used 7-Zip to decode their Raindrop malware.

Collection

5 techniques
T1005Data from Local SystemEvidence1
TacticCollection

MAZE Group 1 mapping includes “T1005: Data from Local System,” and narrative describes collecting directory listings and archiving data prior to exfiltration.

T1039Data from Network Shared DriveEvidence1
TacticCollection

MAZE Group 2/3 mappings include “T1039: Data from Network Shared Drive,” and narrative describes archiving data from corporate file shares.

T1074Data StagedEvidence2
TacticCollection

MAZE Group 2/3 mappings include “T1074: Data Staged,” and narrative describes archiving with 7zip (ad.7z) prior to exfiltration.

T1560Archive Collected DataEvidence12
TacticCollection

Archiving — compressing and encrypting the staged files into a single archive using tools like 7-Zip or PowerShell’s Compress-Archive.

T1560.001Archive via UtilityEvidence17
TacticCollection

Since ms.tmp is an archive, the threat actors would need to use the previously downloaded 7za.exe (7zip) to extract file contents via the password “123”.

Command and Control

1 technique
T1105Ingress Tool TransferEvidence4
TacticCommand and Control

7z.exe from AppData\Temp — not from Program Files (attacker-dropped tool) ... curl.exe from AppData\Temp — not a standard user workstation binary

ACTIVITY FEED

Recent activity

3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

3 SOURCESView more in app
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
Start free trial
IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution1

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping8

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.