T1532: Archive Collected Data
Adversaries may compress and/or encrypt data that is collected prior to exfiltration. Compressing data can help to obfuscate its contents and minimize use of network resources. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Both compression and encryption are done prior to exfiltration, and can be performed using a utility, programming library, or custom algorithm.
Analyst context for executives and security teams
Archive Collected Data is a mobile ATT&CK technique where an adversary compresses and/or encrypts information already gathered from a device before trying to exfiltrate it. For leaders, the practical issue is not the archive itself; it is that stolen mobile data may be made smaller, harder to inspect, and less obvious in network traffic. This matters for organizations that rely on Android or iOS devices for executive communications, banking, field operations, regulated data access, or incident communications.
Executive priority
Treat this as a mobile data-loss and incident-response readiness concern. ATT&CK maps the behavior to Android and iOS, and relationship context links it to multiple Android malware and spyware families, plus a documented mobile campaign. Security leaders should ask whether mobile telemetry, MDM/MAM controls, app vetting, and network monitoring can show when sensitive device data is being staged and prepared for exfiltration. The priority is strongest where mobile devices access regulated data, financial workflows, executive communications, or operational systems.
Technical view
SOC and IR teams should validate visibility for suspicious compression, encryption, or archive creation by mobile apps before outbound transfer. ATT&CK does not provide official detection text for T1532, but a related detection strategy, DET0670, is listed. Since tactics are not specified in the supplied object, detection should be anchored to the observable behavior: collected files or records being bundled, encrypted, and then followed by network activity. Relationship context is heavily Android-focused, with one related software entry also covering iOS, so Android telemetry may be richer while iOS validation should account for platform visibility limits.
Likely telemetry
- Mobile device management or mobile application management inventory, compliance, and app installation events
- Mobile threat defense or mobile EDR alerts for suspicious app behavior
- Android application, file-system, sandbox, or storage-access events where available
- iOS device, app, and network telemetry where enterprise controls permit collection
- Evidence of archive, compressed, or encrypted file creation in app-accessible storage
Detection direction
- Validate whether DET0670 or local analytics look for compression/encryption staging followed by outbound transfer, rather than only known malware names.
- Correlate archive-like file creation or encryption behavior with apps that have sensitive permissions or unusual access to collected data.
- Tune for false positives from legitimate backup, messaging, productivity, VPN, and enterprise sync applications that compress or encrypt data normally.
- Use relationship context to prioritize testing against Android scenarios, while separately confirming what is realistically observable on iOS.
- Look for behavioral chains: data collection, local bundling or encryption, then network communication to uncommon or newly observed destinations.
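The behavioral chain described in these bullets (archive-like or encrypted file creation by an app, followed within a short window by outbound traffic to a destination not previously seen for that app, with baselined backup and sync endpoints tuned out) can be expressed as a small correlation rule. The code below is an added example for illustration; it is not part of the ATT&CK object, of DET0670, or of Glexia's analysis. The telemetry field names (`ts`, `app`, `type`, `path`, `sample`, `dst`), the 600 second window, the entropy threshold, and the sample events are all constructed assumptions standing in for whatever a mobile EDR or MTD product actually exports.

```python
# Added example (not from the ATT&CK page or any vendor): correlate archive or
# encrypted file staging with subsequent egress to a new destination, per app.
# Event schema, thresholds and sample events are constructed for illustration.
import math
import random
from dataclasses import dataclass
from typing import Optional

STAGING_WINDOW_S = 600    # assumed: staging followed by egress within 10 minutes is one chain
ENTROPY_THRESHOLD = 7.5   # bits per byte; compressed or encrypted content sits near 8.0
SAMPLE_LEN = 4096         # bytes of file content the hypothetical sensor captures

# Magic numbers of common archive formats (ZIP, gzip, 7-Zip, RAR)
ARCHIVE_MAGICS = {
    b"PK\x03\x04": "zip",
    b"\x1f\x8b": "gzip",
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"Rar!\x1a\x07": "rar",
}


@dataclass
class Alert:
    app: str
    staged_path: str
    kind: str
    destination: str


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 means a uniform byte distribution."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify_content(sample: bytes) -> Optional[str]:
    """'archive:<fmt>' on a known magic number, 'high-entropy' when the content
    looks compressed or encrypted without a recognizable header, else None."""
    for magic, fmt in ARCHIVE_MAGICS.items():
        if sample.startswith(magic):
            return f"archive:{fmt}"
    # Entropy is only meaningful on a reasonably large sample
    if len(sample) >= 1024 and shannon_entropy(sample) >= ENTROPY_THRESHOLD:
        return "high-entropy"
    return None


def find_staging_chains(events, known_destinations, window_s=STAGING_WINDOW_S):
    """One Alert per staged file whose app then connects, within window_s, to a
    destination outside that app's baseline. Baselined destinations are skipped."""
    alerts = []
    pending = {}  # app -> [(ts, path, kind)] staging events not yet matched
    for ev in sorted(events, key=lambda e: e["ts"]):
        app = ev["app"]
        if ev["type"] == "file_create":
            kind = classify_content(ev["sample"])
            if kind:
                pending.setdefault(app, []).append((ev["ts"], ev["path"], kind))
        elif ev["type"] == "net_connect":
            if ev["dst"] in known_destinations.get(app, set()):
                continue  # legitimate backup/sync endpoint: tuned out by baseline
            for ts, path, kind in pending.get(app, []):
                if ev["ts"] - ts <= window_s:
                    alerts.append(Alert(app, path, kind, ev["dst"]))
            pending[app] = []  # each staged file alerts at most once
    return alerts


# Constructed sample telemetry (deterministic, seeded)
_rng = random.Random(7)
TEXT_SAMPLE = b"name,phone\nAlice,+15550100\n" * 160             # plaintext export, low entropy
ZIP_SAMPLE = b"PK\x03\x04" + _rng.randbytes(SAMPLE_LEN - 4)      # ZIP header plus opaque body
ENC_SAMPLE = _rng.randbytes(SAMPLE_LEN)                          # headerless, near 8.0 bits/byte

SAMPLE_EVENTS = [
    # Suspicious app: archive, then a headerless high-entropy blob, then a never-seen host
    {"ts": 100, "app": "com.example.weatherpro", "type": "file_create",
     "path": "/data/data/com.example.weatherpro/cache/c.bin", "sample": ZIP_SAMPLE},
    {"ts": 130, "app": "com.example.weatherpro", "type": "file_create",
     "path": "/data/data/com.example.weatherpro/cache/d.bin", "sample": ENC_SAMPLE},
    {"ts": 300, "app": "com.example.weatherpro", "type": "net_connect", "dst": "198.51.100.23:443"},
    # Managed backup app: archive, then upload to its baselined endpoint (no alert)
    {"ts": 200, "app": "com.example.backup", "type": "file_create",
     "path": "/data/data/com.example.backup/files/b.zip", "sample": ZIP_SAMPLE},
    {"ts": 260, "app": "com.example.backup", "type": "net_connect", "dst": "backup.example.net:443"},
    # Messaging app: plaintext draft, then a new host (no staging, so no alert)
    {"ts": 400, "app": "com.example.chat", "type": "file_create",
     "path": "/data/data/com.example.chat/files/draft.txt", "sample": TEXT_SAMPLE},
    {"ts": 420, "app": "com.example.chat", "type": "net_connect", "dst": "cdn.example.org:443"},
    # Archive written, but egress only after the window has closed (no alert)
    {"ts": 500, "app": "com.example.notes", "type": "file_create",
     "path": "/data/data/com.example.notes/files/n.zip", "sample": ZIP_SAMPLE},
    {"ts": 2000, "app": "com.example.notes", "type": "net_connect", "dst": "203.0.113.5:443"},
]
KNOWN_DESTINATIONS = {"com.example.backup": {"backup.example.net:443"}}


def demo():
    return find_staging_chains(SAMPLE_EVENTS, KNOWN_DESTINATIONS)


if __name__ == "__main__":
    for a in demo():
        print(f"{a.app}: staged {a.staged_path} ({a.kind}), then connected to {a.destination}")
```

Run as a script, only the weather app produces alerts: the backup app is suppressed by its destination baseline, the messaging app never staged anything archive-like, and the notes app's egress falls outside the window. The entropy branch is what catches custom or headerless encryption that a magic-number check alone would miss, and it is also the branch most in need of tuning, since media files and already-encrypted app databases are legitimately high-entropy.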
Mitigation priorities
- Prioritize mobile app governance: approved app stores, app vetting, removal of unauthorized apps, and controls for sideloading where applicable.
- Use MDM/MAM policy to limit risky permissions, separate work data from personal apps, and enforce compliance for devices accessing enterprise resources.
- Reduce mobile data exposure by limiting what sensitive data is stored locally or made available to unmanaged apps.
- Apply mobile threat defense or equivalent monitoring where business risk justifies it, especially for high-risk users and regulated workflows.
- Control and monitor mobile egress through managed VPN, DNS, proxy, or secure web gateway paths where feasible.
Analyst notes and limits
The supplied ATT&CK object is a mobile technique for Android and iOS. Official detection guidance is not provided, and tactics are not specified. Relationships show use by campaign C0033 and multiple software entries including Exodus, GolfSpy, Anubis, Triada, Desert Scorpion, Golden Cup, Asacub, FrozenCell, BOULDSPY, Sunbird, BRATA, LightSpy, and DCHSpy. Most related software entries are Android-focused; LightSpy includes Android and iOS among other platforms.
This take is limited to the supplied ATT&CK fields, external reference, and relationship context. It does not establish active exploitation, attribution against any organization, or guaranteed detection coverage. Local device management, mobile OS restrictions, privacy rules, network architecture, and logging configuration determine what can actually be observed.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Groups, software, and campaigns
S0505: Desert Scorpion
Desert Scorpion is surveillanceware that has targeted the Middle East, specifically individuals located in Palestine. Desert Scorpion is suspected to have been operated by the threat actor APT-C-23.[1]
There are multiple close variants of Desert Scorpion, such as VAMP[2], GnatSpy[3], FrozenCell and SpyC23, which add some additional functionality but are not significantly different from the original malware.
S0405: Exodus
S1079: BOULDSPY
S0422: Anubis
S1185: LightSpy
First observed in 2018, LightSpy is a modular malware family that initially targeted iOS devices in Southern Asia before expanding to Android and macOS platforms. It consists of a downloader, a main executable that manages network communications, and functionality-specific modules, typically implemented as `.dylib` files (iOS, macOS) or `.apk` files (Android). LightSpy can collect VoIP call recordings, SMS messages, and credential stores, which are then exfiltrated to a command and control (C2) server.[1]
S1094: BRATA
BRATA (Brazilian Remote Access Tool, Android) is an evolving Android malware strain, detected in late 2018 and again in late 2021. Originating in Brazil, BRATA was later also found in the UK, Poland, Italy, Spain, and the USA, where it is believed to have targeted financial institutions such as banks. There are currently three known variants of BRATA.[1][2][3]
S0424: Triada
S0535: Golden Cup
Golden Cup is Android spyware that has been used to target World Cup fans.[1]
S1082: Sunbird
S1243: DCHSpy
DCHSpy is an Android spyware likely used by MuddyWater. DCHSpy uses political decoys and masquerades as legitimate applications, such as VPNs and banking applications, to trick victims into downloading the malware. Once downloaded, DCHSpy collects information from the device and exfiltrates the data to the command and control (C2) server.[1]
S0577: FrozenCell
FrozenCell is the mobile component of a family of surveillanceware, with a corresponding desktop component known as KasperAgent and Micropsia.[1]
There are multiple close variants of FrozenCell, such as VAMP[2], GnatSpy[3], Desert Scorpion and SpyC23, which add some additional functionality but are not significantly different from the original malware.
S0540: Asacub
C0033: C0033
C0033 was a PROMETHIUM campaign during which they used StrongPity to target Android users. C0033 was the first publicly documented mobile campaign for PROMETHIUM, who previously used Windows-based techniques.[1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 2.0 | | Current bundle | fb77a4bcebed… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack T1532
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.