1. Home
  2. Techniques
  3. Enterprise
  4. Acquire Infrastructure
  5. Web Services

Acquire Infrastructure: Web Services

ID Name
T1583.001 Domains
T1583.002 DNS Server
T1583.003 Virtual Private Server
T1583.004 Server
T1583.005 Botnet
T1583.006 Web Services
T1583.007 Serverless
T1583.008 Malvertising

Adversaries may register for web services that can be used during targeting. A variety of popular websites exist for adversaries to register for a web-based service that can be abused during later stages of the adversary lifecycle, such as during Command and Control (Web Service), Exfiltration Over Web Service, or Phishing. Using common services, such as those offered by Google, GitHub, or Twitter, makes it easier for adversaries to hide in expected noise.[1][2] By utilizing a web service, adversaries can make it difficult to physically tie back operations to them.

ID: T1583.006
Sub-technique of:  T1583
Tactic: Resource Development
Platforms: PRE
Contributors: Dor Edry, Microsoft; Dvir Sasson, Reco
Version: 1.3
Created: 01 October 2020
Last Modified: 24 October 2025
Version Permalink

Procedure Examples

ID Name Description
G0025 APT17

APT17 has created profile pages in Microsoft TechNet that were used as C2 infrastructure.[3]
G0007 APT28

APT28 has used newly-created Blogspot pages for credential harvesting operations.[4]
G0016 APT29

APT29 has registered algorithmically generated Twitter handles that are used for C2 by malware, such as HAMMERTOSS. APT29 has also used legitimate web services such as Dropbox and Constant Contact in their operations.[1][5]
G0050 APT32

APT32 has set up Dropbox, Amazon S3, and Google Drive to host malicious downloads.[6]
C0046 ArcaneDoor

ArcaneDoor included the use of OpenConnect VPN Server instances for conducting actions on victim devices.[7]
G0142 Confucius

Confucius has obtained cloud storage service accounts to host stolen data.[8]
G1052 Contagious Interview

Contagious Interview has used web services such as Dropbox to receive stolen data and Google Drive, Firebase, GitHub, and Telegram to disseminate files.[9][10] Contagious Interview has also used a cloud platform such as Vercel for C2 operations leveraging malicious web applications and static pages.[11][12][13] Contagious Interview has also used Slack to coordinate their activities.[14]
G1006 Earth Lusca

Earth Lusca has established GitHub accounts to host their malware.[15]
G0046 FIN7

FIN7 has set up Amazon S3 buckets to host trojanized digital products.[16]
G0047 Gamaredon Group

Gamaredon Group has used Cloudflare’s TryClouldflare service to obtain C2 nodes.[17]

G0125 HAFNIUM

HAFNIUM has acquired web services for use in C2 and exfiltration.[18]
G0136 IndigoZebra

IndigoZebra created Dropbox accounts for their operations.[19][20]
G0094 Kimsuky

Kimsuky has hosted content used for targeting efforts via web services such as Blogspot.[21] Kimsuky has also leveraged Dropbox for hosting payloads and uploading victim system information. [22]
G0032 Lazarus Group

Lazarus Group has hosted malicious downloads on Github.[23]
G0140 LazyScripter

LazyScripter has established GitHub accounts to host its toolsets.[24]
G0059 Magic Hound

Magic Hound has acquired Amazon S3 buckets to use in C2.[25]
G1051 Medusa Group

Medusa Group has utilized a file hosting service named filemail[.]com to host a zip file that contained malicious payloads that facilitated follow-on actions.[26]
G0069 MuddyWater

MuddyWater has used file sharing services including OneHub, Sync, and TeraBox to distribute tools.[27][28][29]
G0129 Mustang Panda

Mustang Panda has set up Dropbox and Google Drive to host malicious downloads.[30]
C0022 Operation Dream Job

During Operation Dream Job, Lazarus Group used file hosting services like DropBox and OneDrive.[31]
C0013 Operation Sharpshooter

For Operation Sharpshooter, the threat actors used Dropbox to host lure documents and their first-stage downloader.[32]
G1005 POLONIUM

POLONIUM has created and used legitimate Microsoft OneDrive accounts for their operations.[33]
G1031 Saint Bear

Saint Bear has leveraged the Discord content delivery network to host malicious content for retrieval during initial access operations.[34]
G1018 TA2541

TA2541 has hosted malicious files on various platforms including Google Drive, OneDrive, Discord, PasteText, ShareText, and GitHub.[35]
G1038 TA578

TA578 has used Google Firebase to host malicious scripts.[36]
G0010 Turla

Turla has created web accounts including Dropbox and GitHub for C2 and document exfiltration.[37]
G0128 ZIRCONIUM

ZIRCONIUM has used GitHub to host malware linked in spearphishing e-mails.[38][39]

Mitigations

ID Mitigation Description
M1056 Pre-compromise

This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.

Detection Strategy

ID Name Analytic ID Analytic Description
DET0896 Detection of Web Services AN2028

Once adversaries leverage the web service as infrastructure (ex: for command and control), it may be possible to look for unique characteristics associated with adversary software, if known.[40] Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control (Web Service) or Exfiltration Over Web Service.

References

  1. FireEye Labs. (2015, July). HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group. Retrieved November 17, 2024.
  2. Dvir Sasson. (2024, May 13). GitHub Abuse Flaw Shows Why We Can't Shrug Off Abuse Vulnerabilities in Security. Retrieved March 31, 2025.
  3. FireEye Labs/FireEye Threat Intelligence. (2015, May 14). Hiding in Plain Sight: FireEye and Microsoft Expose Obfuscation Tactic. Retrieved November 17, 2024.
  4. Huntley, S. (2022, March 7). An update on the threat landscape. Retrieved March 16, 2022.
  5. Microsoft Threat Intelligence Center (MSTIC). (2021, May 27). New sophisticated email-based attack from NOBELIUM. Retrieved May 28, 2021.
  6. Adair, S. and Lancaster, T. (2020, November 6). OceanLotus: Extending Cyber Espionage Operations Through Fake Websites. Retrieved November 20, 2020.
  7. Cisco Talos. (2024, April 24). ArcaneDoor - New espionage-focused campaign found targeting perimeter network devices. Retrieved January 6, 2025.
  8. Lunghi, D and Horejsi, J. (2018, February 13). Deciphering Confucius: A Look at the Group's Cyberespionage Operations. Retrieved December 26, 2021.
  9. Amaury G., Coline Chavane, Felix Aimé and Sekoia TDR. (2025, March 31). From Contagious to ClickFake Interview: Lazarus leveraging the ClickFix tactic. Retrieved April 1, 2025.
  10. Insikt Group. (2025, February 13). Inside the Scam: North Korea’s IT Worker Threat. Retrieved October 17, 2025.
  11. Kirill Boychenko. (2025, April 4). Lazarus Expands Malicious npm Campaign: 11 New Packages Add Malware Loaders and Bitbucket Payloads. Retrieved October 20, 2025.
  12. Kirill Boychenko. (2025, July 14). Contagious Interview Campaign Escalates With 67 Malicious npm Packages and New Malware Loader. Retrieved October 19, 2025.
  13. Kirill Boychenko. (2025, June 25). Another Wave: North Korean Contagious Interview Campaign Drops 35 New Malicious npm Packages. Retrieved October 19, 2025.
  14. Aleksandar Milenkoski, Sreekar Madabushi, Kenneth Kinion. (2025, September 4). Contagious Interview | North Korean Threat Actors Reveal Plans and Ops by Abusing Cyber Intel Platforms. Retrieved October 20, 2025.
  15. Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022.
  16. Abdo, B., et al. (2022, April 4). FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7. Retrieved April 5, 2022.
  17. Threat Hunter Team, Symantec and Carbon Black. (2025, April 10). Shuckworm Targets Foreign Military Mission Based in Ukraine. Retrieved July 23, 2025.
  18. MSTIC. (2021, March 2). HAFNIUM targeting Exchange Servers with 0-day exploits. Retrieved March 3, 2021.
  19. Lakshmanan, R.. (2021, July 1). IndigoZebra APT Hacking Campaign Targets the Afghan Government. Retrieved September 24, 2021.
  20. CheckPoint Research. (2021, July 1). IndigoZebra APT continues to attack Central Asia with evolving tools. Retrieved September 24, 2021.
  1. An, J and Malhotra, A. (2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. Retrieved December 29, 2021.
  2. Den Iuzvyk, Tim Peck. (2025, February 13). Analyzing DEEP#DRIVE: North Korean Threat Actors Observed Exploiting Trusted Platforms for Targeted Attacks. Retrieved August 19, 2025.
  3. Cybersecurity and Infrastructure Security Agency. (2021, February 21). AppleJeus: Analysis of North Korea’s Cryptocurrency Malware. Retrieved March 1, 2021.
  4. Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 17, 2024.
  5. Check Point. (2022, January 11). APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit. Retrieved January 24, 2022.
  6. Anthony Galiette, Doel Santos. (2024, January 11). Medusa Ransomware Turning Your Files into Stone. Retrieved October 15, 2025.
  7. Mele, G. et al. (2021, February 10). Probable Iranian Cyber Actors, Static Kitten, Conducting Cyberespionage Campaign Targeting UAE and Kuwait Government Agencies. Retrieved March 17, 2021.
  8. Peretz, A. and Theck, E. (2021, March 5). Earth Vetala – MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021.
  9. Miller, J. et al. (2024, March 21). Security Brief: TA450 Uses Embedded Links in PDF Attachments in Latest Campaign. Retrieved March 27, 2024.
  10. Nick Dai, Vickie Su, Sunny Lu. (2022, November 18). Earth Preta Spear-Phishing Governments Worldwide. Retrieved August 4, 2025.
  11. ClearSky Research Team. (2020, August 13). Operation 'Dream Job' Widespread North Korean Espionage Campaign. Retrieved December 20, 2021.
  12. Sherstobitoff, R., Malhotra, A., et. al.. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020.
  13. Microsoft. (2022, June 2). Exposing POLONIUM activity and infrastructure targeting Israeli organizations. Retrieved July 1, 2022.
  14. Unit 42. (2022, February 25). Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot. Retrieved June 9, 2022.
  15. Larson, S. and Wise, J. (2022, February 15). Charting TA2541's Flight. Retrieved September 12, 2023.
  16. Proofpoint Threat Research and Team Cymru S2 Threat Research. (2024, April 4). Latrodectus: This Spider Bytes Like Ice . Retrieved May 31, 2024.
  17. Faou, M. (2020, December 2). Turla Crutch: Keeping the “back door” open. Retrieved December 4, 2020.
  18. Huntley, S. (2020, October 16). How We're Tackling Evolving Online Threats. Retrieved March 24, 2021.
  19. Singh, S. and Antil, S. (2020, October 27). APT-31 Leverages COVID-19 Vaccine Theme and Abuses Legitimate Online Services. Retrieved March 24, 2021.
  20. ThreatConnect. (2020, December 15). Infrastructure Research and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.