1. Home
  2. Techniques
  3. Enterprise
  4. Stage Capabilities
  5. Upload Malware

Stage Capabilities: Upload Malware

ID Name
T1608.001 Upload Malware
T1608.002 Upload Tool
T1608.003 Install Digital Certificate
T1608.004 Drive-by Target
T1608.005 Link Target
T1608.006 SEO Poisoning

Adversaries may upload malware to third-party or adversary controlled infrastructure to make it accessible during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, and a variety of other malicious content. Adversaries may upload malware to support their operations, such as making a payload available to a victim network to enable Ingress Tool Transfer by placing it on an Internet accessible web server.

Malware may be placed on infrastructure that was previously purchased/rented by the adversary (Acquire Infrastructure) or was otherwise compromised by them (Compromise Infrastructure). Malware can also be staged on web services, such as GitHub or Pastebin; hosted on the InterPlanetary File System (IPFS), where decentralized content storage makes the removal of malicious files difficult; or saved on the blockchain as smart contracts, which are resilient against takedowns that would affect traditional infrastructure.[1][2][3][4]

Adversaries may upload backdoored files, such as software packages, application binaries, virtual machine images, or container images, to third-party software stores, package libraries, extension marketplaces, or repositories (ex: GitHub, CNET, AWS Community AMIs, Docker Hub, PyPi, NPM).[5] By chance encounter, victims may directly download/install these backdoored files via User Execution. Masquerading, including typo-squatting legitimate software, may increase the chance of users mistakenly executing these files.

ID: T1608.001
Sub-technique of:  T1608
Tactic: Resource Development
Platforms: PRE
Contributors: Adam Hunt; Kobi Haimovich, CardinalOps; Menachem Goldstein; Ray Jasinski
Version: 1.3
Created: 17 March 2021
Last Modified: 24 October 2025
Version Permalink

Procedure Examples

ID Name Description
G0050 APT32

APT32 has hosted malicious payloads in Dropbox, Amazon S3, and Google Drive for use during targeting.[1]
G1044 APT42

APT42 has used its infrastructure for C2 and for staging the VINETHORN payload, which masqueraded as a VPN application.[6]

G1002 BITTER

BITTER has registered domains to stage payloads.[7]
G1043 BlackByte

BlackByte has staged tools such as Cobalt Strike at public file sharing and hosting sites.[8]
C0010 C0010

For C0010, UNC3890 actors staged malware on their infrastructure for direct download onto a compromised system.[9]

C0011 C0011

For C0011, Transparent Tribe hosted malicious documents on domains registered by the group.[10]

C0021 C0021

For C0021, the threat actors uploaded malware to websites under their control.[11][12]
G1052 Contagious Interview

Contagious Interview has hosted malicious payloads on code repositories used as lures for victims to download.[13][14][15][16][17][18][19][20][21][22][23][24]
G1006 Earth Lusca

Earth Lusca has staged malware and malicious files on compromised web servers, GitHub, and Google Drive.[25]
G1011 EXOTIC LILY

EXOTIC LILY has uploaded malicious payloads to file-sharing services including TransferNow, TransferXL, WeTransfer, and OneDrive.[26]
G0046 FIN7

FIN7 has staged legitimate software, that was trojanized to contain an Atera agent installer, on Amazon S3.[27] FIN7 has also used an open directory web server as a staging server for payloads and other tools, such as OpenSSH and 7zip.[28]

G0047 Gamaredon Group

Gamaredon Group has registered domains to stage payloads.[29][30]
G1001 HEXANE

HEXANE has staged malware on fraudulent websites set up to impersonate targeted organizations.[31]
G0094 Kimsuky

Kimsuky has used compromised and acquired infrastructure to host and deliver malware including Blogspot to host beacons, file exfiltrators, and implants.[32][33][34] Kimsuky has also hosted malicious payloads on Dropbox.[35]
G0140 LazyScripter

LazyScripter has hosted open-source remote access Trojans used in its operations in GitHub.[36]
G1014 LuminousMoth

LuminousMoth has hosted malicious payloads on Dropbox.[37]
G1036 Moonstone Sleet

Moonstone Sleet staged malicious capabilities online for follow-on download by victims or malware.[38]
G0129 Mustang Panda

Mustang Panda has hosted malicious payloads on DropBox including PlugX.[39]
G1020 Mustard Tempest

Mustard Tempest has hosted payloads on acquired second-stage servers for periods of either days, weeks, or months.[40]
C0002 Night Dragon

During Night Dragon, threat actors uploaded commonly available hacker tools to compromised web servers.[41]
G0049 OilRig

OilRig has hosted malware on fake websites designed to target specific audiences.[42]
C0022 Operation Dream Job

For Operation Dream Job, Lazarus Group used compromised servers to host malware.[43][44][45][46]
C0013 Operation Sharpshooter

For Operation Sharpshooter, the threat actors staged malicious files on Dropbox and other websites.[47]
C0005 Operation Spalax

For Operation Spalax, the threat actors staged malware and malicious files in legitimate hosting services such as OneDrive or MediaFire.[48]
C0047 RedDelta Modified PlugX Infection Chain Operations

Mustang Panda staged malware on adversary-controlled domains and cloud storage instances during RedDelta Modified PlugX Infection Chain Operations.[49]
G1031 Saint Bear

Saint Bear has used the Discord content delivery network for hosting malicious content referenced in links and emails.[50]
G0034 Sandworm Team

Sandworm Team staged compromised versions of legitimate software installers in forums to enable initial access to executing user.[51]
G1008 SideCopy

SideCopy has used compromised domains to host its malicious payloads.[52]
G1033 Star Blizzard

Star Blizzard has uploaded malicious payloads to cloud storage sites.[53]
G1018 TA2541

TA2541 has uploaded malware to various platforms including Google Drive, Pastetext, Sharetext, and GitHub.[54][55]
G0092 TA505

TA505 has staged malware on actor-controlled domains.[56]
G0139 TeamTNT

TeamTNT has uploaded backdoored Docker images to Docker Hub.[57]
G0027 Threat Group-3390

Threat Group-3390 has hosted malicious payloads on Dropbox.[58]

Mitigations

ID Mitigation Description
M1056 Pre-compromise

This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.

Detection Strategy

ID Name Analytic ID Analytic Description
DET0824 Detection of Upload Malware AN1956

If infrastructure or patterns in malware have been previously identified, internet scanning may uncover when an adversary has staged malware to make it accessible for targeting.
Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on post-compromise phases of the adversary lifecycle, such as User Execution or Ingress Tool Transfer .

References

  1. Adair, S. and Lancaster, T. (2020, November 6). OceanLotus: Extending Cyber Espionage Operations Through Fake Websites. Retrieved November 20, 2020.
  2. Edmund Brumaghin. (2022, November 9). Threat Spotlight: Cyber Criminal Adoption of IPFS for Phishing, Malware Campaigns. Retrieved March 8, 2023.
  3. Nati Tal and Oleg Zaytsev. (2023, October 13). “EtherHiding” — Hiding Web2 Malicious Code in Web3 Smart Contracts. Retrieved May 22, 2025.
  4. Bill Toulas. (2023, October 13). Hackers use Binance Smart Chain contracts to store malicious scripts. Retrieved May 22, 2025.
  5. Sebastian Obregoso and Christophe Tafani-Dereeper. (2024, May 23). Malicious PyPI packages targeting highly specific MacOS machines. Retrieved May 22, 2025.
  6. Mandiant. (n.d.). APT42: Crooked Charms, Cons and Compromises. Retrieved October 9, 2024.
  7. Dela Paz, R. (2016, October 21). BITTER: a targeted attack against Pakistan. Retrieved June 1, 2022.
  8. Microsoft Incident Response. (2023, July 6). The five-day job: A BlackByte ransomware intrusion case study. Retrieved December 16, 2024.
  9. Mandiant Israel Research Team. (2022, August 17). Suspected Iranian Actor Targeting Israeli Shipping, Healthcare, Government and Energy Sectors. Retrieved September 21, 2022.
  10. N. Baisini. (2022, July 13). Transparent Tribe begins targeting education sector in latest campaign. Retrieved September 22, 2022.
  11. Dunwoody, M., et al. (2018, November 19). Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign. Retrieved November 27, 2018.
  12. Microsoft Defender Research Team. (2018, December 3). Analysis of cyberattack on U.S. think tanks, non-profits, public sector by unidentified attackers. Retrieved April 15, 2019.
  13. Aleksandar Milenkoski, Sreekar Madabushi, Kenneth Kinion. (2025, September 4). Contagious Interview | North Korean Threat Actors Reveal Plans and Ops by Abusing Cyber Intel Platforms. Retrieved October 20, 2025.
  14. Efstratios Lontzetidis. (2025, January 16). Lazarus APT: Techniques for Hunting Contagious Interview. Retrieved October 20, 2025.
  15. eSentire Threat Response Unit (TRU). (2024, November 14). Bored BeaverTail & InvisibleFerret Yacht Club – A Lazarus Lure Pt.2. Retrieved October 17, 2025.
  16. Insikt Group. (2025, February 13). Inside the Scam: North Korea’s IT Worker Threat. Retrieved October 17, 2025.
  17. Kirill Boychenko. (2025, April 4). Lazarus Expands Malicious npm Campaign: 11 New Packages Add Malware Loaders and Bitbucket Payloads. Retrieved October 20, 2025.
  18. Kirill Boychenko. (2025, July 14). Contagious Interview Campaign Escalates With 67 Malicious npm Packages and New Malware Loader. Retrieved October 19, 2025.
  19. Kirill Boychenko. (2025, June 25). Another Wave: North Korean Contagious Interview Campaign Drops 35 New Malicious npm Packages. Retrieved October 19, 2025.
  20. Matej Havranek. (2025, February 20). DeceptiveDevelopment targets freelance developers. Retrieved October 17, 2025.
  21. Ryan Sherstobitoff. (2024, October 29). Inside a North Korean Phishing Operation Targeting DevOps Employees. Retrieved October 20, 2025.
  22. Securonix Threat Research, D.Iuzvyk, T. Peck, O.Kolesnikov. (2024, April 24). Analysis of DEV#POPPER: New Attack Campaign Targeting Software Developers Likely Associated With North Korean Threat Actors. Retrieved October 20, 2025.
  23. Seongsu Park. (2024, November 4). From Pyongyang to Your Payroll: The Rise of North Korean Remote Workers in the West. Retrieved October 17, 2025.
  24. Unit 42. (2023, November 21). Hacking Employers and Seeking Employment: Two Job-Related Campaigns Bear Hallmarks of North Korean Threat Actors. Retrieved October 17, 2025.
  25. Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022.
  26. Stolyarov, V. (2022, March 17). Exposing initial access broker with ties to Conti. Retrieved August 18, 2022.
  27. Abdo, B., et al. (2022, April 4). FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7. Retrieved April 5, 2022.
  28. Cocomazzi, Antonio. (2024, July 17). FIN7 Reboot | Cybercrime Gang Enhances Ops with New EDR Bypasses and Automated Attacks. Retrieved September 24, 2025.
  29. Microsoft Threat Intelligence Center. (2022, February 4). ACTINIUM targets Ukrainian organizations. Retrieved February 18, 2022.
  1. Unit 42. (2022, February 3). Russia’s Gamaredon aka Primitive Bear APT Group Actively Targeting Ukraine. Retrieved February 21, 2022.
  2. ClearSky Cyber Security . (2021, August). New Iranian Espionage Campaign By “Siamesekitten” - Lyceum. Retrieved June 6, 2022.
  3. An, J and Malhotra, A. (2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. Retrieved December 29, 2021.
  4. Mandiant. (2024, March 14). APT43: North Korean Group Uses Cybercrime to Fund Espionage Operations. Retrieved May 3, 2024.
  5. Mandiant. (n.d.). APT43: North Korean Group Uses Cybercrime to Fund Espionage Operations. Retrieved October 14, 2024.
  6. Den Iuzvyk, Tim Peck. (2025, February 13). Analyzing DEEP#DRIVE: North Korean Threat Actors Observed Exploiting Trusted Platforms for Targeted Attacks. Retrieved August 19, 2025.
  7. Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 17, 2024.
  8. Lechtik, M, and etl. (2021, July 14). LuminousMoth APT: Sweeping attacks for the chosen few. Retrieved October 20, 2022.
  9. Microsoft Threat Intelligence. (2024, May 28). Moonstone Sleet emerges as new North Korean threat actor with new bag of tricks. Retrieved August 26, 2024.
  10. Raggi, M. et al. (2022, March 7). The Good, the Bad, and the Web Bug: TA416 Increases Operational Tempo Against European Governments as Conflict in Ukraine Escalates. Retrieved March 16, 2022.
  11. Milenkoski, A. (2022, November 7). SocGholish Diversifies and Expands Its Malware Staging Infrastructure to Counter Defenders. Retrieved March 22, 2024.
  12. McAfee® Foundstone® Professional Services and McAfee Labs™. (2011, February 10). Global Energy Cyberattacks: “Night Dragon”. Retrieved February 19, 2018.
  13. ClearSky Cybersecurity. (2017, January 5). Iranian Threat Agent OilRig Delivers Digitally Signed Malware, Impersonates University of Oxford. Retrieved May 3, 2017.
  14. ClearSky Research Team. (2020, August 13). Operation 'Dream Job' Widespread North Korean Espionage Campaign. Retrieved December 20, 2021.
  15. Breitenbacher, D and Osis, K. (2020, June 17). OPERATION IN(TER)CEPTION: Targeted Attacks Against European Aerospace and Military Companies. Retrieved December 20, 2021.
  16. Cashman, M. (2020, July 29). Operation North Star Campaign. Retrieved December 20, 2021.
  17. Beek, C. (2020, November 5). Operation North Star: Behind The Scenes. Retrieved December 20, 2021.
  18. Sherstobitoff, R., Malhotra, A., et. al.. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020.
  19. M. Porolli. (2021, January 21). Operation Spalax: Targeted malware attacks in Colombia. Retrieved September 16, 2022.
  20. Insikt Group. (2025, January 9). Chinese State-Sponsored RedDelta Targeted Taiwan, Mongolia, and Southeast Asia with Adapted PlugX Infection Chain. Retrieved January 14, 2025.
  21. Unit 42. (2022, February 25). Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot. Retrieved June 9, 2022.
  22. Roncone, G. et al. (n.d.). APT44: Unearthing Sandworm. Retrieved July 11, 2024.
  23. Threat Intelligence Team. (2021, December 2). SideCopy APT: Connecting lures victims, payloads to infrastructure. Retrieved June 13, 2022.
  24. Shields, W. (2024, January 18). Russian threat group COLDRIVER expands its targeting of Western officials to include the use of malware. Retrieved June 13, 2024.
  25. Larson, S. and Wise, J. (2022, February 15). Charting TA2541's Flight. Retrieved September 12, 2023.
  26. Ventura, V. (2021, September 16). Operation Layover: How we tracked an attack on the aviation industry to five years of compromise. Retrieved September 15, 2023.
  27. Financial Security Institute. (2020, February 28). Profiling of TA505 Threat Group That Continues to Attack the Financial Sector. Retrieved July 14, 2022.
  28. Stroud, J. (2021, May 25). Taking TeamTNT's Docker Images Offline. Retrieved September 16, 2024.
  29. Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021.