The Seismic Shift from YML Secrets to Stealing RARs and ZIPs

The Bot Evolution: Focus Shifts to Archives 📦
In the second half of 2025, OpenCanary Experience devices noticed a surprising change in bot traffic patterns. Instead of targeting secrets or API keys 🔑, the majority of bots began aggressively searching for RAR and ZIP archives 🗄️.
Synthetic Defenses at Work 🛡️
To counter this pivot, The OpenCanary Experience adapted quickly: rather than serving up real data, systems now provide synthetic archive files, cleverly mimicking the structure of attractive backup targets.
- 78% of recent bot traffic seeking sensitive data now hunts for ZIP and RAR files specifically.
- Popular filenames include website.rar, archive.zip, backup.zip, and public_html.zip—all favorites among threat actors seeking troves of information.
- These files often contain much more than simple content. Inside, attackers expect to find configurations ⚙️, secrets 🕵️, and more.
What This Means For Site Owners 🌐
The search for archives by bots is likely a response to successful campaigns. When threat actors collect backup archives, they usually find far more than anticipated: configuration files, credential dumps, and sometimes access keys.
- Campaign success means attackers are learning and adapting—expect future attacks to expand beyond secrets, focusing on sites with poorly secured backups.
- Weakly protected sites are especially vulnerable, as attackers increasingly automate their search for archives with rich internal data.
Take Action 🔓
Now is the time for all site administrators to:
- Regularly audit file storage and server directories for exposed archives or secrets.
- Replace real configuration and backup files with synthetic traps where appropriate.
- Monitor shifts in bot traffic, as attack strategies will continue to change.
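The monitoring step above can start from ordinary web server logs. The following is an added example, not OpenCanary's code: it parses Combined Log Format lines (a constructed sample, not real traffic), flags clients requesting the archive filenames the post lists or any .zip/.rar path, and tallies which names are being probed most.

```python
"""Flag archive-hunting clients in web access logs (added example, constructed data)."""
import re
from collections import Counter, defaultdict

# Filenames the post reports as popular bot targets; any .zip/.rar also counts.
ARCHIVE_NAMES = {"website.rar", "archive.zip", "backup.zip", "public_html.zip"}
ARCHIVE_EXT = re.compile(r"\.(?:zip|rar)$", re.IGNORECASE)

# Minimal Combined Log Format parser: client IP, method, request path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines using documentation IP ranges; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Oct/2025:10:00:01 +0000] "GET /backup.zip HTTP/1.1" 404 153
203.0.113.7 - - [01/Oct/2025:10:00:02 +0000] "GET /website.rar HTTP/1.1" 404 153
203.0.113.7 - - [01/Oct/2025:10:00:03 +0000] "GET /public_html.zip HTTP/1.1" 404 153
198.51.100.4 - - [01/Oct/2025:10:01:00 +0000] "GET /index.html HTTP/1.1" 200 5120
198.51.100.4 - - [01/Oct/2025:10:01:05 +0000] "GET /assets/app.js HTTP/1.1" 200 8192
192.0.2.9 - - [01/Oct/2025:10:02:00 +0000] "GET /.env HTTP/1.1" 404 153
192.0.2.9 - - [01/Oct/2025:10:02:01 +0000] "GET /old/site-backup-2024.zip HTTP/1.1" 404 153
"""

def parse_line(line):
    """Return the matched fields as a dict, or None for lines that do not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def basename(path):
    """Strip the query string and directories, leaving the requested filename."""
    return path.split("?", 1)[0].rsplit("/", 1)[-1]

def is_archive_probe(path):
    """True when the request targets a known bot favorite or any .zip/.rar file."""
    name = basename(path)
    return name in ARCHIVE_NAMES or bool(ARCHIVE_EXT.search(name))

def archive_probes(log_text, threshold=1):
    """Map client IP -> list of archive paths, for clients at or above threshold."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_archive_probe(rec["path"]):
            hits[rec["ip"]].append(rec["path"])
    return {ip: paths for ip, paths in hits.items() if len(paths) >= threshold}

def top_targets(log_text):
    """Count requested archive filenames, to watch how bot wish-lists shift over time."""
    return Counter(basename(p) for paths in archive_probes(log_text).values() for p in paths)

if __name__ == "__main__":
    for ip, paths in archive_probes(SAMPLE_LOG, threshold=2).items():
        print(f"{ip}: {len(paths)} archive probes -> {paths}")
    print(top_targets(SAMPLE_LOG).most_common())
```

A 404 on these names is itself the signal; on a deployment that serves synthetic archives instead, the same filter identifies which clients took the bait.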
OpenCanary’s proactive approach is an excellent example of meeting the evolving threat landscape head-on—turning bots’ own curiosity against them.
