Ingress Tool Transfer, Technique T1105 - Enterprise (original) (raw)
2015 Ukraine Electric Power Attack
During the 2015 Ukraine Electric Power Attack, Sandworm Team pushed additional malicious tools onto an infected system to steal user credentials, move laterally, and destroy data. [6]
During the 2025 Poland Wiper Attacks, the adversaries downloaded malicious payloads to the victim server.[7]
ABK has the ability to download files from C2.[8]
Action RAT has the ability to download additional payloads onto an infected machine.[9]
Agent Tesla can download additional files for execution on the victim’s machine.[10][11]
Agent.btz attempts to download an encrypted binary from a specified domain.[12]
Ajax Security Team has used Wrapper/Gholee, custom-developed malware, which downloaded additional malware to the infected system.[13]
Amadey can download and execute files to further infect a host machine with additional malware.[14]
Anchor can download additional payloads.[15][16]
Andariel has downloaded additional tools and malware onto compromised hosts.[17]
ANDROMEDA can download additional payloads from C2.[18]
APT-C-36 has downloaded binary data from a specified domain after the malicious document is opened.[19]
APT18 can upload a file to the victim’s machine.[20]
APT28 has downloaded additional files, including by using a first-stage downloader to contact the C2 server to obtain the second-stage implant.[21][22][23][24][25]
APT29 has downloaded additional tools and malware onto compromised networks.[26][27][28][29]
APT3 has a tool that can copy files to remote machines.[30]
APT32 has added JavaScript to victim websites to download additional frameworks that profile and compromise website visitors.[31]
APT33 has downloaded additional files and programs from its C2 server.[32][33]
APT37 has downloaded second stage malware from compromised websites.[34][35][36][37]
APT38 used a backdoor, NESTEGG, that has the capability to download and upload files to and from a victim’s machine.[38] Additionally, APT38 has downloaded other payloads onto a victim’s machine.[39]
APT39 has downloaded tools to compromised hosts.[40][41]
APT41 used certutil to download additional files.[42][43][44] APT41 downloaded post-exploitation tools such as Cobalt Strike via command shell following initial access.[45] APT41 has uploaded Procdump and NATBypass to a staging directory and has used these tools in follow-on activities.[46]
APT41 DUST involved execution of certutil.exe via web shell to download the DUSTPAN dropper.[47]
Aquatic Panda has downloaded additional malware onto compromised hosts.[48]
Aria-body has the ability to download additional payloads from C2.[49]
The AshTag stager component can retrieve and execute the main payload.[50]
Astaroth uses certutil and BITSAdmin to download additional malware. [51][52][53]
AsyncRAT has the ability to download files including over SFTP.[54][55]
Attor can download additional plugins, updates and other files. [56]
AuditCred can download files and additional malware.[57]
Avenger has the ability to download files from C2 to a compromised host.[8]
Azorult can download and execute additional files. Azorult has also downloaded a ransomware payload called Hermes.[58][59]
BabyShark has downloaded additional files from the C2.[60][61]
BackConfig can download and execute additional payloads on a compromised host.[62]
Backdoor.Oldrea can download additional modules from C2.[63]
BackdoorDiplomacy has downloaded additional files and tools onto a compromised host.[64]
BADFLICK has download files from its C2 server.[65]
BADHATCH has the ability to load a second stage malicious DLL file onto a compromised machine.[66]
BADNEWS is capable of downloading additional files through C2 channels, including a new version of itself.[67][68][69]
BadPatch can download and execute or update malware.[70]
Bandook can download files to the system.[71]
Bankshot uploads files and secondary payloads to the victim's machine.[72]
Bazar can download and deploy additional payloads, including ransomware and post-exploitation frameworks such as Cobalt Strike.[73][74][75][76]
BBK has the ability to download files from C2 to the infected host.[8]
BeaverTail has been used to download a malicious payload to include Python based malware InvisibleFerret.[77][78][79][80][81][82]
BendyBear is designed to download an implant from a C2 server.[83]
BISCUIT has a command to download a file from the C2 server.[84]
Bisonal has the capability to download files to execute on the victim’s machine.[85][86][87]
BITSAdmin can be used to create BITS Jobs to upload and/or download files.[88]
BITTER has downloaded additional malware and tools onto a compromised host.[89][90]
BlackByte has transferred tools such as Cobalt Strike to victim environments from file sharing and hosting websites.[91]
BlackMould has the ability to download files to the victim's machine.[92]
BLINDINGCAN has downloaded files to a victim machine.[93]
BLUELIGHT can download additional files onto the host.[36]
Bonadan can download additional modules from the C2 server.[94]
BONDUPDATER can download or upload files from its C2 server.[95]
BoomBox has the ability to download next stage malware components to a compromised system.[96]
BoxCaon can download files.[97]
Briba downloads files onto infected hosts.[98]
BRICKSTORM has the ability to download files from the Adversaries C2 server to the compromised system.[99][100][101][102]
BRONZE BUTLER has used various tools to download files, including DGet (a similar tool to wget).[103]
Brute Ratel C4 can download files to compromised hosts.[104][105]
build_downer has the ability to download files from C2 to the infected host.[8]
Bumblebee can download and execute additional payloads including through the use of a Dex command.[106][107][108]
Bundlore can download and execute new versions of itself.[109]
BUSHWALK can write malicious payloads sent through a web request’s command parameter.[110][111]
During C0010, UNC3890 actors downloaded tools and malware onto a compromised host.[112]
During C0015, the threat actors downloaded additional tools and files onto a compromised network.[113]
During C0017, APT41 downloaded malicious payloads onto compromised systems.[114]
During C0018, the threat actors downloaded additional tools, such as Mimikatz and Sliver, as well as Cobalt Strike and AvosLocker ransomware onto the victim network.[115][116]
During C0021, the threat actors downloaded additional tools and files onto victim machines.[117][118]
During C0026, the threat actors downloaded malicious payloads onto select compromised hosts.[18]
During C0027, Scattered Spider downloaded tools using victim organization systems.[119]
Calisto has the capability to upload and download files to the victim's machine.[120]
CallMe has the capability to download a file to the victim from the C2 server.[121]
Caminho has the ability to download files onto compromised hosts.[122]
Cannon can download a payload for execution.[123]
Carberp can download and execute new plugins from the C2 server. [124][125]
Cardinal RAT can download and execute additional payloads.[126]
CARROTBALL has the ability to download and install a remote payload.[127]
CARROTBAT has the ability to download and execute a remote file via certutil.[128]
CASTLETAP can transfer files to compromised network devices.[129]
Caterpillar WebShell has a module to download and upload files to the system.[130]
certutil can be used to download files from a given URL.[131][132]
Chaes can download additional files onto an infected machine.[133]
CharmPower has the ability to download additional modules to a compromised host.[134]
ChChes is capable of downloading files, including additional modules.[135][136][137]
Chimera has remotely copied tools and malware onto targeted systems.[138]
CHIMNEYSWEEP can download additional files from C2.[139]
China Chopper's server component can download remote files.[140][141][142][143][144]
CHOPSTICK is capable of performing remote file transmission.[145]
Chrommme can download its code from C2.[146]
Cinnamon Tempest has downloaded files, including Cobalt Strike, to compromised hosts.[147]
CloudDuke downloads and executes additional malware from either a Web address or a Microsoft OneDrive account.[28]
cmd can be used to copy files to/from a remotely connected external system.[148]
Cobalt Group has used public sites such as github.com and sendspace.com to upload files and then download them to victim computers.[149][4] The group's JavaScript backdoor is also capable of downloading files.[150]
Cobalt Strike can deliver additional payloads to victim machines.[151][152]
CoinTicker executes a Python script to download its second stage.[153]
Conficker downloads an HTTP server to the infected machine.[154]
Confucius has downloaded additional files and payloads onto a compromised host following initial access.[155][156]
CookieMiner can download additional scripts from a web server.[157]
CORESHELL downloads another dropper from its C2 server.[158]
CostaBricks has been used to load SombRAT onto a compromised host.[159]
During CostaRicto, the threat actors downloaded malware and tools onto a compromised host.[159]
CreepyDrive can download files to the compromised host.[160]
Crimson contains a command to retrieve files from its C2 server.[161][162][163]
Cryptoistic has the ability to send and receive files.[164]
CSPY Downloader can download additional tools to a compromised host.[165]
Cuba can download files from its C2 server.[166]
During Cutting Edge, threat actors leveraged exploits to download remote files to Ivanti Connect Secure VPNs.[167]
Cyclops Blink has the ability to download files to target systems.[168][169]
Dacls can download its payload from a C2 server.[164][170]
Daggerfly has used PowerShell and BITSAdmin to retrieve follow-on payloads from external locations for execution on victim machines.[171]
DanBot can download additional files to a targeted system.[172]
DarkComet can load any files onto the infected machine to execute.[173][174]
DarkGate retrieves cryptocurrency mining payloads and commands in encrypted traffic from its command and control server.[175] DarkGate uses Windows Batch scripts executing the curl command to retrieve follow-on payloads.[176] DarkGate has stolen sitemanager.xml and recentservers.xml from %APPDATA%\FileZilla\ if present.[177]
Darkhotel has used first-stage payloads that download additional malware from C2 servers.[178]
DarkTortilla can download additional packages for keylogging, cryptocurrency mining, and other capabilities; it can also retrieve malicious payloads such as Agent Tesla, AsyncRat, NanoCore, RedLine, Cobalt Strike, and Metasploit.[179]
Daserf can download remote files.[180][103]
DDKONG downloads and uploads files on the victim’s machine.[181]
DEATHRANSOM can download files to a compromised host.[182]
Denis deploys additional backdoors and hacking tools to the system.[183]
Diavol can receive configuration updates and additional payloads including wscpy.exe from C2.[184]
Dipsind can download remote files.[185]
Disco can download files to targeted systems via SMB.[186]
DnsSystem can download files to compromised systems after receiving a command with the string downloaddd.[187]
DOGCALL can download and execute additional payloads.[188]
Doki has downloaded scripts from C2.[189]
Donut can download and execute previously staged shellcode payloads.[190]
down_new has the ability to download files to the compromised host.[8]
After downloading its main config file, Downdelph downloads multiple payloads from C2 servers.[191]
DOWNIISSA can download files to the compromised host.[192]
Dragonfly has copied and installed tools for operations once in the victim environment.[193]
DRATzarus can deploy additional tools onto an infected machine.[194]
DropBook can download and execute additional files.[195][196]
Drovorub can download files to a compromised host.[197]
Dtrack’s can download and upload a file to the victim’s computer.[198][199]
DUSTTRAP can retrieve and load additional payloads.[47]
Dyre has a command to download and executes additional files.[200]
Ecipekac can download additional payloads to a compromised host.[201]
Egregor has the ability to download files from its C2 server.[202][203]
The Ritsol backdoor trojan used by Elderwood can download files onto a compromised host from a remote location.[204]
Elise can download additional files from the C2 server for execution.[205]
Emissary has the capability to download files from the C2 server.[206]
Emotet can download follow-on payloads and items via malicious url parameters in obfuscated PowerShell code.[207]
Empire can upload and download to and from a victim machine.[208]
esentutl can be used to copy files from a given URL.[209]
EvilBunny has downloaded additional Lua scripts from the C2.[210]
EVILNUM can download and upload files to the victim's computer.[211][212]
Evilnum can deploy additional components or tools as needed.[211]
Exaramel for Linux has a command to download a file from and to a remote C2 server.[213][214]
Explosive has a function to download a file to the infected system.[215]
Felismus can download files from remote servers.[216]
FELIXROOT downloads and uploads files to and from the victim’s machine.[217][218]
FIN13 has downloaded additional tools and malware to compromised systems.[219][220]
FIN7 has downloaded additional malware to execute on the victim's machine, including by using a PowerShell script to launch shellcode that retrieves an additional payload.[221][222][223][224]
FIN8 has used remote code execution to download subsequent payloads.[225][226]
Flagpro can download additional malware from the C2 server.[227]
FlawedAmmyy can transfer files from C2.[228]
FoggyWeb can receive additional malicious components from an actor controlled C2 server and execute them on a compromised AD FS server.[229]
Fox Kitten has downloaded additional tools including PsExec directly to endpoints.[230]
During Frankenstein, the threat actors downloaded files and tools onto a victim machine.[231]
ftp may be abused by adversaries to transfer tools or files from an external system into a compromised environment.[232][233]
FunnyDream can download additional files onto a compromised host.[234]
During FunnyDream, the threat actors downloaded additional droppers and backdoors onto a compromised system.[234]
FYAnti can download additional payloads to a compromised host.[201]
GALLIUM dropped additional tools to victims during their operation, including portqry.exe, a renamed cmd.exe file, winrar, and HTRAN.[235][92]
Gamaredon Group has downloaded additional malware and tools onto a compromised host.[236][237][238][239][240][241] For example, Gamaredon Group uses a backdoor script to retrieve and decode additional payloads once in victim environments.[242]
Gazer can execute a task to download a file.[243][244]
Gelsemium can download additional plug-ins to a compromised host.[146]
gh0st RAT can download files to the victim’s machine.[245][246]
GlassWorm has downloaded additional payloads from C2.[247][248][249][250]
Gold Dragon can download additional components from the C2 server.[251]
GoldenSpy constantly attempts to download and execute files from the remote C2, including GoldenSpy itself if not found on the system.[252]
GoldMax can download and execute additional files.[253][254]
Gootloader can fetch second stage code from hardcoded web domains.[255][256]
Gorgon Group malware can download additional files from C2 servers.[257]
Grandoreiro can download its second stage from a hardcoded URL within the loader's code.[258][259]
GreyEnergy can download additional modules and payloads.[218]
GrimAgent has the ability to download and execute additional payloads.[260]
GuLoader can download further malware for execution on the victim's machine.[261]
H1N1 contains a command to download and execute a file from a remotely hosted URL using WinINet HTTP requests.[262]
HAFNIUM has downloaded malware and tools--including Nishang and PowerCat--onto a compromised host.[263][143]
Hancitor has the ability to download additional files from C2.[264]
Hannotog can download additional files to the victim machine.[265]
can download and execute a second-stage payload.[34]
Havoc has the ability to upload files to infected systems.[266][267]
Helminth can download additional files.[268]
HEXANE has downloaded additional payloads and malicious scripts onto a compromised host.[269]
HexEval Loader has been used to download a malicious payload to include BeaverTail.[270][78][79]
Hi-Zor has the ability to upload and download files from its C2 server.[271]
HiddenFace can download files from the C2 to victim systems.[272][273]
HiddenWasp downloads a tar compressed archive from a download server to the system.[274]
Hikit has the ability to download files to a compromised host.[275]
Hildegard has downloaded additional scripts that build and run Monero cryptocurrency miners.[276]
During HomeLand Justice, threat actors used web shells to download files to compromised infrastructure.[277]
HOPLIGHT has the ability to connect to a remote host in order to upload and download files.[278]
HotCroissant has the ability to upload a file from the command and control (C2) server to the victim machine.[279]
HTTPBrowser is capable of writing a file to the compromised system from the C2 server.[280]
HTTPTroy has the ability to download files from C2 using the down <FILENAME> command.[281]
Hydraq creates a backdoor through which remote attackers can download files and additional malware components.[282][283]
HyperBro has the ability to download additional files.[284]
IcedID has the ability to download additional modules and a configuration file from C2.[285][286][287][288]
IMAPLoader is a loader used to retrieve follow-on payload encoded in email messages for execution on victim systems.[289]
INC Ransom has downloaded tools to compromised servers including Advanced IP Scanner. [290][291]
IndigoZebra has downloaded additional files and tools from its C2 server.[97]
Indrik Spider has downloaded additional scripts, malware, and tools onto a compromised host.[292][293][294]
Industroyer downloads a shellcode payload from a remote C2 server and loads it into memory.[295]
InvisibleFerret has downloaded "AnyDesk.exe" into the user’s home directory from the C2 server when checks for the service fail to identify its presence in the victim environment.[80] InvisibleFerret has also been configured to download additional payloads using a command which calls to the /bow URI.[296][81]
InvisiMole can upload files to the victim's machine for operations.[297][298]
Ixeshe can download and execute additional files.[299]
Javali can download payloads from remote C2 servers.[53]
JHUHUGIT can retrieve an additional payload from its C2 server.[300][301] JHUHUGIT has a command to download files to the victim’s machine.[302]
JPIN can download files and upgrade itself.[185]
jRAT can download and execute files.[303][304][305]
JSS Loader has the ability to download malicious executables to a compromised host.[306]
KARAE can upload and download files, including second-stage malware.[34]
Kasidet has the ability to download and execute additional files.[307]
Kazuar downloads additional plug-ins to load on the victim’s machine, including the ability to upgrade and replace its own binary.[308]
Ke3chang has used tools to download files to compromised machines.[309]
Kerrdown can download specific payloads to a compromised host based on OS architecture.[310]
Kessel can download additional modules from the C2 server.[94]
Kevin can download files to the compromised host.[269]
KeyBoy has a download and upload functionality.[311][312]
KEYMARBLE can upload files to the victim’s machine and can download additional payloads.[313]
KGH_SPY has the ability to download and execute code from remote servers.[165]
Kimsuky has downloaded additional scripts, tools, and malware onto victim systems.[314][43][315][316]
Kinsing has downloaded additional lateral movement scripts from C2.[317]
Kivars has the ability to download and execute files.[318]
Koadic can download additional files and tools.[319][320]
KOCTOPUS has executed a PowerShell command to download a file to the system.[320]
KONNI can download files and execute them on the victim’s machine.[321][322]
KV Botnet Activity included the use of scripts to download additional payloads when compromising network nodes.[323]
Kwampirs downloads additional files from C2 servers.[324]
Latrodectus can download and execute PEs, DLLs, and shellcode from C2.[288][325][326]
Lazarus Group has downloaded files, malware, and tools from its C2 onto a compromised host.[327][328][329][164][170][330][331][332][333][334]
LazyScripter had downloaded additional tools to a compromised host.[320]
Leviathan has downloaded additional scripts and files from adversary-controlled servers.[335][140]
LightNeuron has the ability to download and execute additional files.[336]
On macOS, LightSpy downloads a .json file from the C2 server. The .json file contains metadata about the plugins to be downloaded, including their URL, name, version, and MD5 hash. LightSpy retrieves the plugins specified in the .json file, which are compiled .dylib files. These .dylib files provide task and platform specific functionality. LightSpy also imports open-source libraries to manage socket connections.[337]
Linfo creates a backdoor through which remote attackers can download files onto compromised hosts.[338]
LiteDuke has the ability to download files.[339]
LitePower has the ability to download payloads containing system commands to a compromised host.[340]
Lizar can download additional plugins, files, and tools.[341][342][343]
LODEINFO has the ability to download additional files from the C2.[344][345][346]
Lokibot downloaded several staged items onto the victim's machine.[347]
LoudMiner used SCP to update the miner from the C2.[348]
LOWBALL uses the Dropbox API to request two files, one of which is the same file as the one dropped by the malicious email attachment. This is most likely meant to be a mechanism to update the compromised host with a new version of the LOWBALL malware.[349]
Lucifer can download and execute a replica of itself using certutil.[350]
LuminousMoth has downloaded additional malware and tools onto a compromised host.[351][352]
Machete can download additional files for execution on the victim’s machine.[353]
MacMa has downloaded additional files, including an exploit for used privilege escalation.[354][355]
macOS.OSAMiner has used curl to download a Stripped Payloads from a public facing adversary-controlled webpage.
Mafalda can download additional files onto the compromised host.[356]
Magic Hound has downloaded additional code and files from servers onto victims.[357][358][359][360]
MagicRAT can import and execute additional payloads.[361]
MarkiRAT can download additional files and tools from its C2 server, including through the use of BITSAdmin.[362]
MCMD can upload additional files to a compromised host.[363]
MechaFlounder has the ability to upload and download files to and from a compromised host.[364]
Medusa Group has leveraged certutil, PowerShell, and Windows Command to download additional tools to include RMM services.[365] Medusa Group has also engaged in "Bring Your Own Vulnerable Driver" (BYOVD) and downloaded vulnerable or signed drivers to the victim environment to disable security tools.[365][366]
Melcoz has the ability to download additional files to a compromised host.[53]
menuPass has installed updates and new malware on victims.[367][368]
Metador has downloaded tools and malware onto a compromised system.[369]
metaMain can download files onto compromised systems.[369][356]
Metamorfo has used MSI files to download additional files to execute.[370][371][372][373]
Meteor has the ability to download additional files for execution on the victim's machine.[374]
Micropsia can download and execute an executable from the C2 server.[375][376]
Milan has received files from C2 and stored them in log folders beginning with the character sequence a9850d2f.[377]
MiniDuke can download additional encrypted backdoors onto the victim via GIF files.[378][339]
Mis-Type has downloaded additional malware and files onto a compromised host.[379]
Misdat is capable of downloading files from the C2.[379]
Mivast has the capability to download and execute .exe files.[380]
MobileOrder has a command to download a file from the C2 server to the victim mobile device's SD card.[121]
MoleNet can download additional payloads from the C2.[195]
Molerats used executables to download malicious files from different sources.[381][382]
Mongall can download files to targeted systems.[383]
Moonstone Sleet retrieved a final stage payload from command and control infrastructure during initial installation on victim systems.[384]
More_eggs can download and launch additional payloads.[385][386]
Moses Staff has downloaded and installed web shells to following path C:\inetpub\wwwroot\aspnet_client\system_web\IISpool.aspx.[387]
Mosquito can upload and download files to the victim.[388]
MuddyViper has the ability to download files from the C2 server. Additionally, MuddyViper has the ability to download a file in chunks with sleep time between each chunk.[389]
MuddyWater has used malware that can upload additional files to the victim’s machine.[390][391][392][393] MuddyWater has used PowerShell commands to install remote management and monitoring (RMM) software on the victim’s machine to conduct espionage and to exfiltrate data.[394]
Mustang Panda has downloaded additional executables following the initial infection stage.[395][396][397][398] Mustang Panda has also leveraged Visual Studio Code code.exe and Dev Tunnels using DevTunnel.exe to propagate additional tools and payloads.[399]
Mustard Tempest has deployed secondary payloads and third stage implants to compromised hosts.[400]
NanHaiShu can download additional files from URLs.[335]
NanoCore has the capability to download and activate additional modules for execution.[401][402]
NavRAT can download files remotely.[403]
NDiskMonitor can download and execute a file from given URL.[69]
Nebulae can download files from C2.[404]
Neo-reGeorg has the ability to download files to targeted systems.[405]
Neoichor can download additional files onto a compromised host.[309]
Nerex creates a backdoor through which remote attackers can download files onto a compromised host.[204]
Operators deploying Netwalker have used psexec and certutil to retrieve the Netwalker payload.[406]
NETWIRE can downloaded payloads from C2 to the compromised host.[407][408]
NICECURL has the ability to download additional content onto an infected machine, e.g. by using curl.[409]
Nidiran can download and execute files.[410]
During Night Dragon, threat actors used administrative utilities to deliver Trojan components to remote systems.[411]
NightClub can load multiple additional plugins on an infected host.[186]
njRAT can download files to the victim’s machine.[412][413] APT-C-36 has used modified versions of njRAT to enable the download of .NET assemblies.[414]
NOKKI has downloaded a remote module for execution.[415]
Nomadic Octopus has used malicious macros to download additional files to the victim's machine.[416]
Octopus can download additional files and tools onto the victim’s machine.[417][418][416]
ODAgent has the ability to download and execute files on compromised systems.[419]
OilBooster can download and execute files from an actor-controlled OneDrive account.[419]
OilCheck can download staged payloads from an actor-controlled infrastructure.[419]
OilRig had downloaded remote files onto victim infrastructure.[420][421]
Okrum has built-in commands for uploading, downloading, and executing files to the system.[422]
OopsIE can download files from its C2 server to the victim's machine.[423][424]
During Operation Dream Job, Lazarus Group downloaded multistage malware and tools onto a compromised host.[194][425][426]
During Operation Honeybee, the threat actors downloaded additional malware and malicious scripts onto a compromised host.[427]
During Operation MidnightEclipse, threat actors downloaded additional payloads on compromised devices.[428][429]
During Operation Sharpshooter, additional payloads were downloaded after a target was infected with a first-stage downloader.[430]
During Operation Wocao, threat actors downloaded additional files to the infected system.[431]
Orz can download files onto the victim.[335]
OSX/Shlayer can download payloads, and extract bytes from files. OSX/Shlayer uses the curl -fsL "$url" >$tmp_path command to download malicious payloads into a temporary directory.[432][433][434][435]
OSX_OCEANLOTUS.D has a command to download and execute a file on the victim’s machine.[436][437]
During Outer Space, OilRig downloaded additional tools to comrpomised infrastructure.[438]
OutSteel can download files from its C2 server.[439]
P.A.S. Webshell can upload and download files to and from compromised hosts.[214]
P8RAT can download additional payloads to a target system.[201]
Pandora can load additional drivers and files onto a victim machine.[440]
Pasam creates a backdoor through which remote attackers can upload files.[441]
Patchwork payloads download additional files from the C2 server.[442][69]
Penquin can execute the command code do_download to retrieve remote files from C2.[443]
Peppy can download and execute remote files.[161]
PHASEJAM has the ability to upload files onto the compromised appliance.[444]
PHPsert has the ability to retrieve remote payloads.[445]
PipeMon can install additional modules via C2 commands.[446]
Pisloader has a command to upload a file to the victim machine.[447]
PLAINTEE has downloaded and executed additional plugins.[181]
PLATINUM has transferred files using the Intel® Active Management Technology (AMT) Serial-over-LAN (SOL) channel.[448]
Play has used Cobalt Strike to download files to compromised machines.[449]
PLEAD has the ability to upload and download files to and from an infected host.[450]
PlugX has a module to download and execute files on the compromised machine.[451][452][453][454]
PoetRAT has the ability to copy files and download/upload files into C2 channels using FTP and HTTPS.[455][456]
PoisonIvy creates a backdoor through which remote attackers can upload files.[457]
PolyglotDuke can retrieve payloads from the C2 server.[339]
Pony can download additional files onto the infected system.[458]
POSHSPY downloads and executes additional PowerShell code and Windows binaries.[459]
PowerDuke has a command to download a file.[460]
PowerExchange can decode Base64-encoded files and call WriteAllBytes to write the files to compromised hosts.[461]
PowerLess can download additional payloads to a compromised host.[462]
PowerPunch can download payloads from adversary infrastructure.[239]
POWERSOURCE has been observed being used to download TEXTMATE and the Cobalt Strike Beacon payload onto victims.[463]
POWERSTATS can retrieve and execute additional PowerShell payloads from the C2 server.[464]
POWRUNER can download or upload files from its C2 server.[420]
CostaBricks can download additional payloads onto a compromised host.[159]
Psylo has a command to download a file to the system from its C2 server.[121]
Pteranodon can download and execute additional files.[236][465][466]
PUBLOAD has acted as a stager that can download the next-stage payload from its C2 server.[467][468][469][470][471] PUBLOAD has also delivered FDMTP as a secondary control tool and PTSOCKET for exfiltration to some infected systems.[472]
PUNCHBUGGY can download additional files and payloads to compromised hosts.[473][474]
Pupy can upload and download to/from a victim machine.[475]
PureCrypter can download additional payloads for execution on the compromised host.[476][477]
QakBot has the ability to download additional components and malware.[478][479][480][481][482][483]
Quad7 Activity has downloaded additional binaries from a remote File Transfer Protocol (FTP) server to compromised devices.[484]
QuasarRAT can download files to the victim’s machine and execute them.[485][486]
QuietSieve can download and execute payloads on a target host.[239]
Raccoon Stealer downloads various library files enabling interaction with various data stores and structures to facilitate follow-on information theft.[487][488]
RainyDay can download files to a compromised host.[404]
Rancor has downloaded additional malware, including by using certutil.[181]
RARSTONE downloads its backdoor component from a C2 server and loads it directly into memory.[489]
Raspberry Robin retrieves its second stage payload in a variety of ways such as through msiexec.exe abuse, or running the curl command to download the payload to the victim's %AppData% folder.[490][491]
RATANKBA uploads and downloads information.[492][493]
RCSession has the ability to drop additional files to an infected machine.[494]
RDAT can download files via DNS.[495]
RedLeaves is capable of downloading a file from a specified URL.[496]
RedLine Stealer has the ability download additional payloads.[497][498]
During RedPenguin, UNC3886 used backdoor malware capable of downloading files to compromised infrastructure.[499]
RegDuke can download files from C2.[339]
reGeorg has the ability to download files to targeted systems.[405]
Remcos can upload and download files to and from the victim’s machine.[500][501]
RemoteCMD copies a file over to the remote system before execution.[502]
RemoteUtilities can upload and download files to and from a target machine.[393]
Remsec contains a network loader to receive executable modules from remote attackers and run them on the local victim. It can also upload and download files over HTTP and HTTPS.[503][504]
Revenge RAT has the ability to upload and download files.[505]
REvil can download a copy of itself from an attacker controlled IP address to the victim machine.[506][507][508]
RGDoor uploads and downloads files to and from the victim’s machine.[509]
RIFLESPINE can download and execute files.[510]
Rocke used malware to download additional malicious files to the target system.[511]
RogueRobin can save a new file to the system from the C2 server.[512][513]
ROKRAT can retrieve additional malicious payloads from its C2 server.[514][515][37][516]
RTM can download additional files.[517][518]
S-Type can download additional files onto a compromised host.[379]
Saint Bot can download additional files onto a compromised host.[439]
Sakula has the capability to download files.[519]
SampleCheck5000 can download additional payloads to compromised hosts.[438][419]
Samurai has been used to deploy other malware including Ninja.[144]
Sandworm Team has pushed additional malicious tools onto an infected system to steal user credentials, move laterally, and destroy data.[520][521]
Sardonic has the ability to upload additional malicious files to a compromised machine.[522]
Scattered Spider has downloaded the Teleport remote access tool to compromised VMware vCenter Servers.[523]
SDBbot has the ability to download a DLL from C2 to a compromised host.[524]
SeaDuke is capable of uploading and downloading files.[525]
Seasalt has a command to download additional files.[84][84]
SEASHARPEE can download remote files onto victims.[526]
ServHelper may download additional files to execute.[527][528]
Seth-Locker has the ability to download and execute files on a compromised host.[529]
ShadowPad has downloaded code from a C2 server.[530]
During ShadowRay, threat actors downloaded and executed the XMRig miner on targeted hosts.[531]
Shai-Hulud has downloaded packages from code repositories.[532][533][534][535] Shai-Hulud has also downloaded and executed the secrets-discovery tool TruffleHog to gather sensitive data.[536][533][537][534][535]
Shamoon can download an executable to run on the victim.[538]
SharePoint ToolShell Exploitation
During SharePoint ToolShell Exploitation, threat actors used a loader to download and execute ransomware.[539]
Shark can download additional files from its C2 via HTTP or DNS.[377][540]
SharpDisco has been used to download a Python interpreter to C:\Users\Public\WinTN\WinTN.exe as well as other plugins from external sources.[186]
SharpStage has the ability to download and execute additional payloads via a DropBox API.[195][196]
SHARPSTATS has the ability to upload and download files.[541]
ShimRat can download additional files.[542]
ShimRatReporter had the ability to download additional payloads.[542]
SHUTTERSPEED can download and execute an arbitary executable.[34]
Sibot can download and execute a payload onto a compromised system.[253]
SideCopy has delivered trojanized executables via spearphishing emails that contacts actor-controlled servers to download malicious payloads.[9]
SideTwist has the ability to download additional files.[543]
Sidewinder has used LNK files to download remote files to the victim's network.[544][545]
Silence has downloaded additional modules and malware to victim’s machines.[546]
SILENTTRINITY can load additional files and tools, including Mimikatz.[547]
Skidmap has the ability to download files on an infected host.[548]
RAPIDPULSE can transfer files to and from compromised hosts.[549]
Sliver can download additional content and files from the Sliver server to the client residing on the victim machine using the upload command.[550][551]
SLOTHFULMEDIA has downloaded files onto a victim machine.[552]
SLOWDRIFT downloads additional payloads.[34]
Small Sieve has the ability to download files.[553]
Smoke Loader downloads a new version of itself once it has installed. It also downloads additional plugins.[554]
SMOKEDHAM has used Powershell to download UltraVNC and ngrok from third-party file sharing sites.[555]
Snip3 can download additional payloads to compromised systems.[556][557]
SocGholish can download additional malware to infected hosts.[558][559]
SodaMaster has the ability to download additional payloads from C2 to the targeted system.[201]
Solar has the ability to download and execute files.[438]
During the SolarWinds Compromise, APT29 downloaded additional malware, such as TEARDROP and Cobalt Strike, onto a compromised host following initial access.[560]
SombRAT has the ability to download and execute additional payloads.[159][182][561]
SoreFang can download additional payloads from C2.[562][563]
SpeakUp downloads and executes additional files from a remote server. [564]
Spica can upload and download files to and from compromised hosts.[565]
SpicyOmelette can download malicious files from threat actor controlled AWS URL's.[566]
SQLRat can make a direct SQL connection to a Microsoft database controlled by the attackers, retrieve an item from the bindata table, then write and execute the file on disk.[567]
Squirrelwaffle has downloaded and executed additional encoded payloads.[568][569]
STEADYPULSE can add lines to a Perl script on a targeted server to import additional Perl modules.[570]
StoneDrill has downloaded and dropped temporary files containing scripts; it additionally has a function to upload files from the victims machine.[571]
Storm-1811 has used scripted cURL commands, BITSAdmin, and other mechanisms to retrieve follow-on batch scripts and tools for execution on victim devices.[572][573][574]
StrelaStealer installers have used obfuscated PowerShell scripts to retrieve follow-on payloads from WebDAV servers.[575]
StrifeWater can download updates and auxiliary modules.[576]
StrongPity can download files to specified targets.[577]
SUNBURST delivered different payloads, including TEARDROP in at least one instance.[560]
SVCReady has the ability to download additional tools such as the RedLine Stealer to an infected host.[578]
SystemBC has downloaded additional files for execution on the victim’s machine.[579][580] The server component of SystemBC has the ability to send additional files to victim machines.[580]
SysUpdate has the ability to download files to a compromised host.[440][581]
TA2541 has used malicious scripts and macros with the ability to download additional payloads.[582]
TA505 has downloaded additional malware to execute on victim systems.[583][528][584]
TA551 has retrieved DLLs and installer binaries for malware execution from C2.[585]
Taidoor has downloaded additional files onto a compromised host.[586]
TAINTEDSCRIBE can download additional modules from its C2 server.[587]
TAMECAT has used wget and curl to download additional content.[409]
TDTESS has a command to download and execute an additional file.[588]
TeamTNT has the curl and wget commands as well as batch scripts to download new tools.[589][590]
ThiefQuest can download and execute payloads in-memory or from disk.[591]
Threat Group-3390 has downloaded additional malware and tools, including through the use of certutil, onto a compromised host .[280][592]
ThreatNeedle can download additional tools to enable lateral movement.[330]
TinyTurla has the ability to act as a second-stage dropper used to infect the system with additional malware.[593]
Tomiris can download files and execute them on a victim's system.[594]
TONESHELL has the ability to download additional files to the victim device.[595]
Tonto Team has downloaded malicious DLLs which served as a ShadowPad loader.[596]
TrickBot downloads several additional files and saves them to the victim's machine.[597][598]
Trojan.Karagany can upload, download, and execute files on the victim.[599][600]
Tropic Trooper has used a delivered trojan to download additional files.[601]
TSCookie has the ability to upload and download files to and from the infected host.[602]
Tsundere Botnet’s loader component has downloaded the zip file node-v18.17.0-win-x64.zip from the official Node.js website, as well as pm2, a Node.js process management tool.[603]
Turian can download additional files and tools from its C2.[64]
Turla has used shellcode to download Meterpreter after compromising a victim.[604]
TURNEDUP is capable of downloading additional files.[605]
TYPEFRAME can upload and download files to the victim’s machine.[606]
UBoatRAT can upload and download files to the victim’s machine.[607]
Unknown Logger is capable of downloading remote files.[67]
UPPERCUT can download and upload files to and from the victim’s machine.[608][609][610]
Uroburos can use a Put command to write files to an infected machine.[611]
Ursnif has dropped payload and configuration files to disk. Ursnif has also been used to download and execute additional payloads.[612][613]
Valak has downloaded a variety of modules and payloads to the compromised host, including IcedID and NetSupport Manager RAT-based malware.[614][615]
VaporRage has the ability to download malicious shellcode to compromised systems.[96]
Vasport can download files.[616]
VBShower has the ability to download VBS files to the target computer.[617]
VERMIN can download and upload files to the victim's machine.[618]
VIRTUALPITA has the ability to upload and download files.[619]
VOID MANTICORE has deployed additional payloads from dedicated C2 servers.[620][621][622] VOID MANTICORE has also downloaded legitimate tools and software from publicly available services.[620] VOID MANTICORE had utilized VeraCrypt a legitimate disk encrypting utility that was downloaded directly from the website.[620]
Volatile Cedar can deploy additional tools.[130]
Volgmer can download remote files and additional payloads to the victim's machine.[623][624][625]
Volt Typhoon has downloaded an outdated version of comsvcs.dll to a compromised domain controller in a non-standard folder.[626]
WarzoneRAT can download and execute additional files.[627]
Water Curupira Pikabot Distribution
Water Curupira Pikabot Distribution used Curl.exe to download the Pikabot payload from an external server, saving the file to the victim machine's temporary directory.[628]
Waterbear can receive and load executables from remote C2 servers.[629]
WEBC2 can download and execute a file.[630]
WellMail can receive data and executable scripts from C2.[631]
WellMess can write files to a compromised host.[27][632]
WhisperGate can download additional stages of malware from a Discord CDN channel.[633][634][635][636]
Whitefly has the ability to download additional tools from the C2.[637]
Wiarp creates a backdoor through which remote attackers can download files.[638]
Windshift has used tools to deploy additional payloads to compromised hosts.[639]
Winnti for Linux has the ability to deploy modules directly from command and control (C2) servers, possibly for remote command execution, file exfiltration, and socks5 proxying on the infected host. [640]
The Winnti for Windows dropper can place malicious payloads on targeted systems.[641]
Winnti Group has downloaded an auxiliary program named ff.exe to infected machines.[642]
Winter Vivern executed PowerShell scripts to create scheduled tasks to retrieve remotely-hosted payloads.[643]
WIREFIRE has the ability to download files to compromised devices.[644]
WIRTE has downloaded PowerShell code from the C2 server to be executed.[645]
Wizard Spider can transfer malicious payloads such as ransomware to compromised machines.[646]
Woody RAT can download files from its C2 server, including the .NET DLLs, WoodySharpExecutor and WoodyPowerSession.[647]
Xbash can download additional malicious files from its C2 server.[648]
xCaon has a command to download files to the victim's machine.[97]
XCSSET downloads browser specific AppleScript modules using a constructed URL with the curl command, https://" & domain & "/agent/scripts/" & moduleName & ".applescript.[649]
XORIndex Loader has been used to download a malicious payload to include BeaverTail.[78]
YAHOYAH uses HTTP GET requests to download other files that are executed in memory.[650]
Zebrocy obtains additional code to execute on the victim's machine, including the downloading of a secondary payload.[651][123][652][23]
ZeroT can download additional payloads onto the victim.[653]
Zeus Panda can download additional malware plug-in modules and execute them on the victim’s machine.[654]
ZIPLINE can download files to be saved on the compromised system.[644][110]
ZIRCONIUM has used tools to download malicious files to compromised hosts.[655]
ZLib has the ability to download files.[379]
Zox can download files to a compromised machine.[275]
ZxShell has a command to transfer files from a remote host.[656]