Передача инструментов из внешней сети

TrickBot downloads several additional files and saves them to the victim's machine.(Citation: Trend Micro Totbrick Oct 2016)(Citation: Bitdefender Trickbot VNC module Whitepaper 2021)

PowerDuke has a command to download a file.(Citation: Volexity PowerDuke November 2016)

BLINDINGCAN has downloaded files to a victim machine.(Citation: US-CERT BLINDINGCAN Aug 2020)

Wiarp creates a backdoor through which remote attackers can download files.(Citation: Symantec Wiarp May 2012)

RCSession has the ability to drop additional files to an infected machine.(Citation: Profero APT27 December 2020)

RemoteUtilities can upload and download files to and from a target machine.(Citation: Trend Micro Muddy Water March 2021)

QuietSieve can download and execute payloads on a target host.(Citation: Microsoft Actinium February 2022)

Bumblebee can download and execute additional payloads including through the use of a `Dex` command.(Citation: Google EXOTIC LILY March 2022)(Citation: Proofpoint Bumblebee April 2022)(Citation: Symantec Bumblebee June 2022)

Amadey can download and execute files to further infect a host machine with additional malware.(Citation: BlackBerry Amadey 2020)

NICECURL has the ability to download additional content onto an infected machine, e.g. by using `curl`.(Citation: Mandiant APT42-untangling)

Orz can download files onto the victim.(Citation: Proofpoint Leviathan Oct 2017)

NOKKI has downloaded a remote module for execution.(Citation: Unit 42 NOKKI Sept 2018)

Backdoor.Oldrea can download additional modules from C2.(Citation: Gigamon Berserk Bear October 2021)

DOGCALL can download and execute additional payloads.(Citation: Unit 42 Nokki Oct 2018)

After downloading its main config file, Downdelph downloads multiple payloads from C2 servers.(Citation: ESET Sednit Part 3)

SEASHARPEE can download remote files onto victims.(Citation: FireEye APT34 Webinar Dec 2017)

POWRUNER can download or upload files from its C2 server.(Citation: FireEye APT34 Dec 2017)

certutil can be used to download files from a given URL.(Citation: TechNet Certutil)(Citation: LOLBAS Certutil)

TDTESS has a command to download and execute an additional file.(Citation: ClearSky Wilted Tulip July 2017)

SharpStage has the ability to download and execute additional payloads via a DropBox API.(Citation: Cybereason Molerats Dec 2020)(Citation: BleepingComputer Molerats Dec 2020)

Sardonic has the ability to upload additional malicious files to a compromised machine.(Citation: Bitdefender Sardonic Aug 2021)

Smoke Loader downloads a new version of itself once it has installed. It also downloads additional plugins.(Citation: Malwarebytes SmokeLoader 2016)

Misdat is capable of downloading files from the C2.(Citation: Cylance Dust Storm)

reGeorg has the ability to download files to targeted systems.(Citation: GitHub Neo-reGeorg 2019)

Emissary has the capability to download files from the C2 server.(Citation: Lotus Blossom Dec 2015)

Exaramel for Linux has a command to download a file from and to a remote C2 server.(Citation: ESET TeleBots Oct 2018)(Citation: ANSSI Sandworm January 2021)

ShimRatReporter had the ability to download additional payloads.(Citation: FOX-IT May 2016 Mofang)

KEYMARBLE can upload files to the victim’s machine and can download additional payloads.(Citation: US-CERT KEYMARBLE Aug 2018)

Sliver can download additional content and files from the Sliver server to the client residing on the victim machine using the upload command.(Citation: GitHub Sliver Upload)(Citation: Cybereason Sliver Undated)

SILENTTRINITY can load additional files and tools, including Mimikatz.(Citation: GitHub SILENTTRINITY Modules July 2019)

TAMECAT has used `wget` and `curl` to download additional content.(Citation: Mandiant APT42-untangling)

CostaBricks can download additional payloads onto a compromised host.(Citation: BlackBerry CostaRicto November 2020)

Ursnif has dropped payload and configuration files to disk. Ursnif has also been used to download and execute additional payloads.(Citation: TrendMicro PE_URSNIF.A2)(Citation: TrendMicro BKDR_URSNIF.SM)

ThreatNeedle can download additional tools to enable lateral movement.(Citation: Kaspersky ThreatNeedle Feb 2021)

ZLib has the ability to download files.(Citation: Cylance Dust Storm)

RedLeaves is capable of downloading a file from a specified URL.(Citation: PWC Cloud Hopper Technical Annex April 2017)

POWERSOURCE has been observed being used to download TEXTMATE and the Cobalt Strike Beacon payload onto victims.(Citation: FireEye FIN7 March 2017)

Felismus can download files from remote servers.(Citation: Forcepoint Felismus Mar 2017)

Zeus Panda can download additional malware plug-in modules and execute them on the victim’s machine.(Citation: GDATA Zeus Panda June 2017)

CARROTBAT has the ability to download and execute a remote file via certutil.(Citation: Unit 42 CARROTBAT November 2018)

WEBC2 can download and execute a file.(Citation: Mandiant APT1)

Bankshot uploads files and secondary payloads to the victim's machine.(Citation: US-CERT Bankshot Dec 2017)

SharpDisco has been used to download a Python interpreter to `C:\Users\Public\WinTN\WinTN.exe` as well as other plugins from external sources.(Citation: MoustachedBouncer ESET August 2023)

StrongPity can download files to specified targets.(Citation: Bitdefender StrongPity June 2020)

can download and execute a second-stage payload.(Citation: FireEye APT37 Feb 2018)

xCaon has a command to download files to the victim's machine.(Citation: Checkpoint IndigoZebra July 2021)

PLAINTEE has downloaded and executed additional plugins.(Citation: Rancor Unit42 June 2018)

Pony can download additional files onto the infected system.(Citation: Malwarebytes Pony April 2016)

Nebulae can download files from C2.(Citation: Bitdefender Naikon April 2021)

AuditCred can download files and additional malware.(Citation: TrendMicro Lazarus Nov 2018)

Kasidet has the ability to download and execute additional files.(Citation: Zscaler Kasidet)

Hannotog can download additional files to the victim machine.(Citation: Symantec Bilbug 2022)

RainyDay can download files to a compromised host.(Citation: Bitdefender Naikon April 2021)

Ecipekac can download additional payloads to a compromised host.(Citation: Securelist APT10 March 2021)

BUSHWALK can write malicious payloads sent through a web request’s command parameter.(Citation: Mandiant Cutting Edge Part 2 January 2024)(Citation: Mandiant Cutting Edge Part 3 February 2024)

macOS.OSAMiner has used `curl` to download a Stripped Payloads from a public facing adversary-controlled webpage.

LOWBALL uses the Dropbox API to request two files, one of which is the same file as the one dropped by the malicious email attachment. This is most likely meant to be a mechanism to update the compromised host with a new version of the LOWBALL malware.(Citation: FireEye admin@338)

NETWIRE can downloaded payloads from C2 to the compromised host.(Citation: FireEye NETWIRE March 2019)(Citation: Proofpoint NETWIRE December 2020)

TinyTurla has the ability to act as a second-stage dropper used to infect the system with additional malware.(Citation: Talos TinyTurla September 2021)

PowerExchange can decode Base64-encoded files and call `WriteAllBytes` to write the files to compromised hosts.(Citation: Symantec Crambus OCT 2023)

IMAPLoader is a loader used to retrieve follow-on payload encoded in email messages for execution on victim systems.(Citation: PWC Yellow Liderc 2023)

GreyEnergy can download additional modules and payloads.(Citation: ESET GreyEnergy Oct 2018)

Aria-body has the ability to download additional payloads from C2.(Citation: CheckPoint Naikon May 2020)

Emotet can download follow-on payloads and items via malicious `url` parameters in obfuscated PowerShell code.(Citation: Pincus Emotet 2020)

Crimson contains a command to retrieve files from its C2 server.(Citation: Proofpoint Operation Transparent Tribe March 2016)(Citation: Kaspersky Transparent Tribe August 2020)(Citation: Cisco Talos Transparent Tribe Education Campaign July 2022)

Tomiris can download files and execute them on a victim's system.(Citation: Kaspersky Tomiris Sep 2021)

DUSTTRAP can retrieve and load additional payloads.(Citation: Google Cloud APT41 2024)

Empire can upload and download to and from a victim machine.(Citation: Github PowerShell Empire)

Turian can download additional files and tools from its C2.(Citation: ESET BackdoorDiplomacy Jun 2021)

BADHATCH has the ability to load a second stage malicious DLL file onto a compromised machine.(Citation: Gigamon BADHATCH Jul 2019)

Machete can download additional files for execution on the victim’s machine.(Citation: ESET Machete July 2019)

PowerLess can download additional payloads to a compromised host.(Citation: Cybereason PowerLess February 2022)

Action RAT has the ability to download additional payloads onto an infected machine.(Citation: MalwareBytes SideCopy Dec 2021)

Avenger has the ability to download files from C2 to a compromised host.(Citation: Trend Micro Tick November 2019)

Gootloader can fetch second stage code from hardcoded web domains.(Citation: Sophos Gootloader)(Citation: SentinelOne Gootloader June 2021)

WellMess can write files to a compromised host.(Citation: PWC WellMess July 2020)(Citation: CISA WellMess July 2020)

Dacls can download its payload from a C2 server.(Citation: SentinelOne Lazarus macOS July 2020)(Citation: TrendMicro macOS Dacls May 2020)

DropBook can download and execute additional files.(Citation: Cybereason Molerats Dec 2020)(Citation: BleepingComputer Molerats Dec 2020)

Woody RAT can download files from its C2 server, including the .NET DLLs, `WoodySharpExecutor` and `WoodyPowerSession`.(Citation: MalwareBytes WoodyRAT Aug 2022)

Mafalda can download additional files onto the compromised host.(Citation: SentinelLabs Metador Technical Appendix Sept 2022)

KARAE can upload and download files, including second-stage malware.(Citation: FireEye APT37 Feb 2018)

Squirrelwaffle has downloaded and executed additional encoded payloads.(Citation: ZScaler Squirrelwaffle Sep 2021)(Citation: Netskope Squirrelwaffle Oct 2021)

PolyglotDuke can retrieve payloads from the C2 server.(Citation: ESET Dukes October 2019)

Hildegard has downloaded additional scripts that build and run Monero cryptocurrency miners.(Citation: Unit 42 Hildegard Malware)

Agent.btz attempts to download an encrypted binary from a specified domain.(Citation: ThreatExpert Agent.btz)

SLOWDRIFT downloads additional payloads.(Citation: FireEye APT37 Feb 2018)

SHUTTERSPEED can download and execute an arbitary executable.(Citation: FireEye APT37 Feb 2018)

SombRAT has the ability to download and execute additional payloads.(Citation: BlackBerry CostaRicto November 2020)(Citation: FireEye FiveHands April 2021)(Citation: CISA AR21-126A FIVEHANDS May 2021)

ODAgent has the ability to download and execute files on compromised systems.(Citation: ESET OilRig Downloaders DEC 2023)

FlawedAmmyy can transfer files from C2.(Citation: Korean FSI TA505 2020)

Snip3 can download additional payloads to compromised systems.(Citation: Morphisec Snip3 May 2021)(Citation: Telefonica Snip3 December 2021)

FYAnti can download additional payloads to a compromised host.(Citation: Securelist APT10 March 2021)

HOPLIGHT has the ability to connect to a remote host in order to upload and download files.(Citation: US-CERT HOPLIGHT Apr 2019)

GuLoader can download further malware for execution on the victim's machine.(Citation: Medium Eli Salem GuLoader April 2021)

MobileOrder has a command to download a file from the C2 server to the victim mobile device's SD card.(Citation: Scarlet Mimic Jan 2016)

RegDuke can download files from C2.(Citation: ESET Dukes October 2019)

InvisiMole can upload files to the victim's machine for operations.(Citation: ESET InvisiMole June 2018)(Citation: ESET InvisiMole June 2020)

P.A.S. Webshell can upload and download files to and from compromised hosts.(Citation: ANSSI Sandworm January 2021)

Volgmer can download remote files and additional payloads to the victim's machine.(Citation: US-CERT Volgmer Nov 2017)(Citation: US-CERT Volgmer 2 Nov 2017)(Citation: Symantec Volgmer Aug 2014)

WhisperGate can download additional stages of malware from a Discord CDN channel.(Citation: Microsoft WhisperGate January 2022)(Citation: Unit 42 WhisperGate January 2022)(Citation: Cisco Ukraine Wipers January 2022)(Citation: Medium S2W WhisperGate January 2022)

ZeroT can download additional payloads onto the victim.(Citation: Proofpoint ZeroT Feb 2017)

RDAT can download files via DNS.(Citation: Unit42 RDAT July 2020)

Skidmap has the ability to download files on an infected host.(Citation: Trend Micro Skidmap)

Okrum has built-in commands for uploading, downloading, and executing files to the system.(Citation: ESET Okrum July 2019)

Bonadan can download additional modules from the C2 server.(Citation: ESET ForSSHe December 2018)

Neoichor can download additional files onto a compromised host.(Citation: Microsoft NICKEL December 2021)

Raspberry Robin retrieves its second stage payload in a variety of ways such as through msiexec.exe abuse, or running the curl command to download the payload to the victim's %AppData% folder.(Citation: HP RaspberryRobin 2024)(Citation: RedCanary RaspberryRobin 2022)

RemoteCMD copies a file over to the remote system before execution.(Citation: Symantec Buckeye)

Diavol can receive configuration updates and additional payloads including wscpy.exe from C2.(Citation: Fortinet Diavol July 2021)

Doki has downloaded scripts from C2.(Citation: Intezer Doki July 20)

IcedID has the ability to download additional modules and a configuration file from C2.(Citation: IBM IcedID November 2017)(Citation: Juniper IcedID June 2020)(Citation: DFIR_Quantum_Ransomware)(Citation: Latrodectus APR 2024)

VERMIN can download and upload files to the victim's machine.(Citation: Unit 42 VERMIN Jan 2018)

UBoatRAT can upload and download files to the victim’s machine.(Citation: PaloAlto UBoatRAT Nov 2017)

CSPY Downloader can download additional tools to a compromised host.(Citation: Cybereason Kimsuky November 2020)

MarkiRAT can download additional files and tools from its C2 server, including through the use of BITSAdmin.(Citation: Kaspersky Ferocious Kitten Jun 2021)

Kazuar downloads additional plug-ins to load on the victim’s machine, including the ability to upgrade and replace its own binary.(Citation: Unit 42 Kazuar May 2017)

NavRAT can download files remotely.(Citation: Talos NavRAT May 2018)

DarkComet can load any files onto the infected machine to execute.(Citation: TrendMicro DarkComet Sept 2014)(Citation: Malwarebytes DarkComet March 2018)

CHIMNEYSWEEP can download additional files from C2.(Citation: Mandiant ROADSWEEP August 2022)

Lucifer can download and execute a replica of itself using certutil.(Citation: Unit 42 Lucifer June 2020)

DRATzarus can deploy additional tools onto an infected machine.(Citation: ClearSky Lazarus Aug 2020)

ShimRat can download additional files.(Citation: FOX-IT May 2016 Mofang)

Chrommme can download its code from C2.(Citation: ESET Gelsemium June 2021)

BADFLICK has download files from its C2 server.(Citation: Accenture MUDCARP March 2019)

Conficker downloads an HTTP server to the infected machine.(Citation: SANS Conficker)

SocGholish can download additional malware to infected hosts.(Citation: Red Canary SocGholish March 2024)(Citation: Secureworks Gold Prelude Profile)

Flagpro can download additional malware from the C2 server.(Citation: NTT Security Flagpro new December 2021)

Hi-Zor has the ability to upload and download files from its C2 server.(Citation: Fidelis INOCNATION)

SpicyOmelette can download malicious files from threat actor controlled AWS URL's.(Citation: Secureworks GOLD KINGSWOOD September 2018)

China Chopper's server component can download remote files.(Citation: FireEye Periscope March 2018)(Citation: Lee 2013)(Citation: NCSC Joint Report Public Tools)(Citation: Rapid7 HAFNIUM Mar 2021)(Citation: Kaspersky ToddyCat June 2022)

On macOS, LightSpy downloads a `.json` file from the C2 server. The `.json` file contains metadata about the plugins to be downloaded, including their URL, name, version, and MD5 hash. LightSpy retrieves the plugins specified in the `.json` file, which are compiled `.dylib` files. These `.dylib` files provide task and platform specific functionality. LightSpy also imports open-source libraries to manage socket connections.(Citation: Huntress LightSpy macOS 2024)

PUNCHBUGGY can download additional files and payloads to compromised hosts.(Citation: FireEye Know Your Enemy FIN8 Aug 2016)(Citation: Morphisec ShellTea June 2019)

GoldMax can download and execute additional files.(Citation: MSTIC NOBELIUM Mar 2021)(Citation: FireEye SUNSHUTTLE Mar 2021)

CostaBricks has been used to load SombRAT onto a compromised host.(Citation: BlackBerry CostaRicto November 2020)

KeyBoy has a download and upload functionality.(Citation: PWC KeyBoys Feb 2017)(Citation: Rapid7 KeyBoy Jun 2013)

POSHSPY downloads and executes additional PowerShell code and Windows binaries.(Citation: FireEye POSHSPY April 2017)

OilCheck can download staged payloads from an actor-controlled infrastructure.(Citation: ESET OilRig Downloaders DEC 2023)

MiniDuke can download additional encrypted backdoors onto the victim via GIF files.(Citation: Securelist MiniDuke Feb 2013)(Citation: ESET Dukes October 2019)

HyperBro has the ability to download additional files.(Citation: Unit42 Emissary Panda May 2019)

Anchor can download additional payloads.(Citation: Cyberreason Anchor December 2019)(Citation: Medium Anchor DNS July 2020)

Pteranodon can download and execute additional files.(Citation: Palo Alto Gamaredon Feb 2017)(Citation: Symantec Shuckworm January 2022)(Citation: Unit 42 Gamaredon February 2022)

DarkTortilla can download additional packages for keylogging, cryptocurrency mining, and other capabilities; it can also retrieve malicious payloads such as Agent Tesla, AsyncRat, NanoCore, RedLine, Cobalt Strike, and Metasploit.(Citation: Secureworks DarkTortilla Aug 2022)

CARROTBALL has the ability to download and install a remote payload.(Citation: Unit 42 CARROTBAT January 2020)

ROKRAT can retrieve additional malicious payloads from its C2 server.(Citation: Talos ROKRAT)(Citation: NCCGroup RokRat Nov 2018)(Citation: Volexity InkySquid RokRAT August 2021)(Citation: Malwarebytes RokRAT VBA January 2021)

CORESHELL downloads another dropper from its C2 server.(Citation: FireEye APT28)

Dyre has a command to download and executes additional files.(Citation: Symantec Dyre June 2015)

BlackMould has the ability to download files to the victim's machine.(Citation: Microsoft GALLIUM December 2019)

Javali can download payloads from remote C2 servers.(Citation: Securelist Brazilian Banking Malware July 2020)

BITSAdmin can be used to create BITS Jobs to upload and/or download files.(Citation: Microsoft BITSAdmin)

PlugX has a module to download and execute files on the compromised machine.(Citation: CIRCL PlugX March 2013)(Citation: Proofpoint TA416 Europe March 2022)

Bisonal has the capability to download files to execute on the victim’s machine.(Citation: Unit 42 Bisonal July 2018)(Citation: Kaspersky CactusPete Aug 2020)(Citation: Talos Bisonal Mar 2020)

S-Type can download additional files onto a compromised host.(Citation: Cylance Dust Storm)

SeaDuke is capable of uploading and downloading files.(Citation: Unit 42 SeaDuke 2015)

Remsec contains a network loader to receive executable modules from remote attackers and run them on the local victim. It can also upload and download files over HTTP and HTTPS.(Citation: Symantec Remsec IOCs)(Citation: Kaspersky ProjectSauron Technical Analysis)

Explosive has a function to download a file to the infected system.(Citation: CheckPoint Volatile Cedar March 2015)

AsyncRAT has the ability to download files over SFTP.(Citation: AsyncRAT GitHub)

Xbash can download additional malicious files from its C2 server.(Citation: Unit42 Xbash Sept 2018)

LightNeuron has the ability to download and execute additional files.(Citation: ESET LightNeuron May 2019)

Peppy can download and execute remote files.(Citation: Proofpoint Operation Transparent Tribe March 2016)

Cuba can download files from its C2 server.(Citation: McAfee Cuba April 2021)

DEATHRANSOM can download files to a compromised host.(Citation: FireEye FiveHands April 2021)

Agent Tesla can download additional files for execution on the victim’s machine.(Citation: Talos Agent Tesla Oct 2018)(Citation: DigiTrust Agent Tesla Jan 2017)

DarkGate retrieves cryptocurrency mining payloads and commands in encrypted traffic from its command and control server.(Citation: Ensilo Darkgate 2018) DarkGate uses Windows Batch scripts executing the curl command to retrieve follow-on payloads.(Citation: Trellix Darkgate 2023) DarkGate has stolen `sitemanager.xml` and `recentservers.xml` from `%APPDATA%\FileZilla\` if present.(Citation: Rapid7 BlackBasta 2024)

Mongall can download files to targeted systems.(Citation: SentinelOne Aoqin Dragon June 2022)

NanHaiShu can download additional files from URLs.(Citation: Proofpoint Leviathan Oct 2017)

SVCReady has the ability to download additional tools such as the RedLine Stealer to an infected host.(Citation: HP SVCReady Jun 2022)

ThiefQuest can download and execute payloads in-memory or from disk.(Citation: wardle evilquest partii)

FoggyWeb can receive additional malicious components from an actor controlled C2 server and execute them on a compromised AD FS server.(Citation: MSTIC FoggyWeb September 2021)

Hydraq creates a backdoor through which remote attackers can download files and additional malware components.(Citation: Symantec Trojan.Hydraq Jan 2010)(Citation: Symantec Hydraq Jan 2010)

SHARPSTATS has the ability to upload and download files.(Citation: TrendMicro POWERSTATS V3 June 2019)

CreepyDrive can download files to the compromised host.(Citation: Microsoft POLONIUM June 2022)

Caterpillar WebShell has a module to download and upload files to the system.(Citation: ClearSky Lebanese Cedar Jan 2021)

Operators deploying Netwalker have used psexec and certutil to retrieve the Netwalker payload.(Citation: Sophos Netwalker May 2020)

Elise can download additional files from the C2 server for execution.(Citation: Accenture Dragonfish Jan 2018)

Brute Ratel C4 can download files to compromised hosts.(Citation: Palo Alto Brute Ratel July 2022)(Citation: Rapid7 Fake W2 July 2024)

Gazer can execute a task to download a file.(Citation: ESET Gazer Aug 2017)(Citation: Securelist WhiteBear Aug 2017)

TSCookie has the ability to upload and download files to and from the infected host.(Citation: JPCert TSCookie March 2018)

Latrodectus can download and execute PEs, DLLs, and shellcode from C2.(Citation: Latrodectus APR 2024)(Citation: Elastic Latrodectus May 2024)(Citation: Bitsight Latrodectus June 2024)

Saint Bot can download additional files onto a compromised host.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )

Chaes can download additional files onto an infected machine.(Citation: Cybereason Chaes Nov 2020)

Briba downloads files onto infected hosts.(Citation: Symantec Briba May 2012)

CharmPower has the ability to download additional modules to a compromised host.(Citation: Check Point APT35 CharmPower January 2022)

TYPEFRAME can upload and download files to the victim’s machine.(Citation: US-CERT TYPEFRAME June 2018)

Bundlore can download and execute new versions of itself.(Citation: MacKeeper Bundlore Apr 2019)

P8RAT can download additional payloads to a target system.(Citation: Securelist APT10 March 2021)

Remcos can upload and download files to and from the victim’s machine.(Citation: Riskiq Remcos Jan 2018)

EVILNUM can download and upload files to the victim's computer.(Citation: ESET EvilNum July 2020)(Citation: Prevailion EvilNum May 2020)

SMOKEDHAM has used Powershell to download UltraVNC and ngrok from third-party file sharing sites.(Citation: FireEye SMOKEDHAM June 2021)

TAINTEDSCRIBE can download additional modules from its C2 server.(Citation: CISA MAR-10288834-2.v1 TAINTEDSCRIBE MAY 2020)

BendyBear is designed to download an implant from a C2 server.(Citation: Unit42 BendyBear Feb 2021)

Uroburos can use a `Put` command to write files to an infected machine.(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)

Metamorfo has used MSI files to download additional files to execute.(Citation: Medium Metamorfo Apr 2020)(Citation: FireEye Metamorfo Apr 2018)(Citation: Fortinet Metamorfo Feb 2020)(Citation: ESET Casbaneiro Oct 2019)

Spica can upload and download files to and from compromised hosts.(Citation: Google TAG COLDRIVER January 2024)

Trojan.Karagany can upload, download, and execute files on the victim.(Citation: Symantec Dragonfly)(Citation: Secureworks Karagany July 2019)

Bandook can download files to the system.(Citation: CheckPoint Bandook Nov 2020)

PipeMon can install additional modules via C2 commands.(Citation: ESET PipeMon May 2020)

MagicRAT can import and execute additional payloads.(Citation: Cisco MagicRAT 2022)

KONNI can download files and execute them on the victim’s machine.(Citation: Talos Konni May 2017)(Citation: Malwarebytes Konni Aug 2021)

Winnti for Linux has the ability to deploy modules directly from command and control (C2) servers, possibly for remote command execution, file exfiltration, and socks5 proxying on the infected host. (Citation: Chronicle Winnti for Linux May 2019)

gh0st RAT can download files to the victim’s machine.(Citation: Nccgroup Gh0st April 2018)(Citation: Gh0stRAT ATT March 2019)

Shamoon can download an executable to run on the victim.(Citation: Palo Alto Shamoon Nov 2016)

DnsSystem can download files to compromised systems after receiving a command with the string `downloaddd`.(Citation: Zscaler Lyceum DnsSystem June 2022)

MoleNet can download additional payloads from the C2.(Citation: Cybereason Molerats Dec 2020)

JHUHUGIT can retrieve an additional payload from its C2 server.(Citation: ESET Sednit Part 1)(Citation: Unit 42 Sofacy Feb 2018) JHUHUGIT has a command to download files to the victim’s machine.(Citation: Talos Seduploader Oct 2017)

BLUELIGHT can download additional files onto the host.(Citation: Volexity InkySquid BLUELIGHT August 2021)

KGH_SPY has the ability to download and execute code from remote servers.(Citation: Cybereason Kimsuky November 2020)

down_new has the ability to download files to the compromised host.(Citation: Trend Micro Tick November 2019)

Ixeshe can download and execute additional files.(Citation: Trend Micro IXESHE 2012)

Micropsia can download and execute an executable from the C2 server.(Citation: Talos Micropsia June 2017)(Citation: Radware Micropsia July 2018)

Kerrdown can download specific payloads to a compromised host based on OS architecture.(Citation: Unit 42 KerrDown February 2019)

RARSTONE downloads its backdoor component from a C2 server and loads it directly into memory.(Citation: Aquino RARSTONE)

VBShower has the ability to download VBS files to the target computer.(Citation: Kaspersky Cloud Atlas August 2019)

StoneDrill has downloaded and dropped temporary files containing scripts; it additionally has a function to upload files from the victims machine.(Citation: Kaspersky StoneDrill 2017)

OopsIE can download files from its C2 server to the victim's machine.(Citation: Unit 42 OopsIE! Feb 2018)(Citation: Unit 42 OilRig Sept 2018)

RogueRobin can save a new file to the system from the C2 server.(Citation: Unit 42 DarkHydrus July 2018)(Citation: Unit42 DarkHydrus Jan 2019)

Attor can download additional plugins, updates and other files. (Citation: ESET Attor Oct 2019)

SQLRat can make a direct SQL connection to a Microsoft database controlled by the attackers, retrieve an item from the bindata table, then write and execute the file on disk.(Citation: Flashpoint FIN 7 March 2019)

LitePower has the ability to download payloads containing system commands to a compromised host.(Citation: Kaspersky WIRTE November 2021)

BoxCaon can download files.(Citation: Checkpoint IndigoZebra July 2021)

NightClub can load multiple additional plugins on an infected host.(Citation: MoustachedBouncer ESET August 2023)

SDBbot has the ability to download a DLL from C2 to a compromised host.(Citation: Proofpoint TA505 October 2019)

Mosquito can upload and download files to the victim.(Citation: ESET Turla Mosquito Jan 2018)

RTM can download additional files.(Citation: ESET RTM Feb 2017)(Citation: Unit42 Redaman January 2019)

SodaMaster has the ability to download additional payloads from C2 to the targeted system.(Citation: Securelist APT10 March 2021)

Hikit has the ability to download files to a compromised host.(Citation: Novetta-Axiom)

StrelaStealer installers have used obfuscated PowerShell scripts to retrieve follow-on payloads from WebDAV servers.(Citation: IBM StrelaStealer 2024)

Grandoreiro can download its second stage from a hardcoded URL within the loader's code.(Citation: IBM Grandoreiro April 2020)(Citation: ESET Grandoreiro April 2020)

WellMail can receive data and executable scripts from C2.(Citation: CISA WellMail July 2020)

LiteDuke has the ability to download files.(Citation: ESET Dukes October 2019)

Sakula has the capability to download files.(Citation: Dell Sakula)

VaporRage has the ability to download malicious shellcode to compromised systems.(Citation: MSTIC Nobelium Toolset May 2021)

MCMD can upload additional files to a compromised host.(Citation: Secureworks MCMD July 2019)

Sibot can download and execute a payload onto a compromised system.(Citation: MSTIC NOBELIUM Mar 2021)

ZxxZ can download and execute additional files.(Citation: Cisco Talos Bitter Bangladesh May 2022)

Drovorub can download files to a compromised host.(Citation: NSA/FBI Drovorub August 2020)

Shark can download additional files from its C2 via HTTP or DNS.(Citation: ClearSky Siamesekitten August 2021)(Citation: Accenture Lyceum Targets November 2021)

Bazar can download and deploy additional payloads, including ransomware and post-exploitation frameworks such as Cobalt Strike.(Citation: Cybereason Bazar July 2020)(Citation: Zscaler Bazar September 2020)(Citation: NCC Group Team9 June 2020)(Citation: CrowdStrike Wizard Spider October 2020)

BadPatch can download and execute or update malware.(Citation: Unit 42 BadPatch Oct 2017)

RATANKBA uploads and downloads information.(Citation: Lazarus RATANKBA)(Citation: RATANKBA)

Nidiran can download and execute files.(Citation: Symantec Backdoor.Nidiran)

Cryptoistic has the ability to send and receive files.(Citation: SentinelOne Lazarus macOS July 2020)

ABK has the ability to download files from C2.(Citation: Trend Micro Tick November 2019)

Zebrocy obtains additional code to execute on the victim's machine, including the downloading of a secondary payload.(Citation: Palo Alto Sofacy 06-2018)(Citation: Unit42 Cannon Nov 2018)(Citation: ESET Zebrocy May 2019)(Citation: Accenture SNAKEMACKEREL Nov 2018)

Pandora can load additional drivers and files onto a victim machine.(Citation: Trend Micro Iron Tiger April 2021)

SpeakUp downloads and executes additional files from a remote server. (Citation: CheckPoint SpeakUp Feb 2019)

Cobalt Strike can deliver additional payloads to victim machines.(Citation: Talos Cobalt Strike September 2020)(Citation: Cobalt Strike Manual 4.3 November 2020)

Donut can download and execute previously staged shellcode payloads.(Citation: Donut Github)

SampleCheck5000 can download additional payloads to compromised hosts.(Citation: ESET OilRig Campaigns Sep 2023)(Citation: ESET OilRig Downloaders DEC 2023)

SUNBURST delivered different payloads, including TEARDROP in at least one instance.(Citation: FireEye SUNBURST Backdoor December 2020)

EvilBunny has downloaded additional Lua scripts from the C2.(Citation: Cyphort EvilBunny Dec 2014)

HotCroissant has the ability to upload a file from the command and control (C2) server to the victim machine.(Citation: Carbon Black HotCroissant April 2020)

ServHelper may download additional files to execute.(Citation: Proofpoint TA505 Jan 2019)(Citation: Deep Instinct TA505 Apr 2019)

Unknown Logger is capable of downloading remote files.(Citation: Forcepoint Monsoon)

REvil can download a copy of itself from an attacker controlled IP address to the victim machine.(Citation: Talos Sodinokibi April 2019)(Citation: McAfee Sodinokibi October 2019)(Citation: Picus Sodinokibi January 2020)

Valak has downloaded a variety of modules and payloads to the compromised host, including IcedID and NetSupport Manager RAT-based malware.(Citation: Unit 42 Valak July 2020)(Citation: Cybereason Valak May 2020)

Samurai has been used to deploy other malware including Ninja.(Citation: Kaspersky ToddyCat June 2022)

Milan has received files from C2 and stored them in log folders beginning with the character sequence `a9850d2f`.(Citation: ClearSky Siamesekitten August 2021)

OSX_OCEANLOTUS.D has a command to download and execute a file on the victim’s machine.(Citation: TrendMicro MacOS April 2018)(Citation: Trend Micro MacOS Backdoor November 2020)

OilBooster can download and execute files from an actor-controlled OneDrive account.(Citation: ESET OilRig Downloaders DEC 2023)

Taidoor has downloaded additional files onto a compromised host.(Citation: TrendMicro Taidoor)

Kivars has the ability to download and execute files.(Citation: TrendMicro BlackTech June 2017)

Cyclops Blink has the ability to download files to target systems.(Citation: NCSC Cyclops Blink February 2022)(Citation: Trend Micro Cyclops Blink March 2022)

PoisonIvy creates a backdoor through which remote attackers can upload files.(Citation: Symantec Darkmoon Aug 2005)

Seasalt has a command to download additional files.(Citation: Mandiant APT1 Appendix)(Citation: Mandiant APT1 Appendix)

NanoCore has the capability to download and activate additional modules for execution.(Citation: DigiTrust NanoCore Jan 2017)(Citation: PaloAlto NanoCore Feb 2016)

Pasam creates a backdoor through which remote attackers can upload files.(Citation: Symantec Pasam May 2012)

PLEAD has the ability to upload and download files to and from an infected host.(Citation: JPCert PLEAD Downloader June 2018)

Raccoon Stealer downloads various library files enabling interaction with various data stores and structures to facilitate follow-on information theft.(Citation: S2W Racoon 2022)(Citation: Sekoia Raccoon2 2022)

Daserf can download remote files.(Citation: Trend Micro Daserf Nov 2017)(Citation: Secureworks BRONZE BUTLER Oct 2017)

Cardinal RAT can download and execute additional payloads.(Citation: PaloAlto CardinalRat Apr 2017)

DanBot can download additional files to a targeted system.(Citation: SecureWorks August 2019)

BISCUIT has a command to download a file from the C2 server.(Citation: Mandiant APT1 Appendix)

Calisto has the capability to upload and download files to the victim's machine.(Citation: Symantec Calisto July 2018)

Solar has the ability to download and execute files.(Citation: ESET OilRig Campaigns Sep 2023)

Pisloader has a command to upload a file to the victim machine.(Citation: Palo Alto DNS Requests)

GoldenSpy constantly attempts to download and execute files from the remote C2, including GoldenSpy itself if not found on the system.(Citation: Trustwave GoldenSpy June 2020)

Gold Dragon can download additional components from the C2 server.(Citation: McAfee Gold Dragon)

RGDoor uploads and downloads files to and from the victim’s machine.(Citation: Unit 42 RGDoor Jan 2018)

Neo-reGeorg has the ability to download files to targeted systems.(Citation: GitHub Neo-reGeorg 2019)

cmd can be used to copy files to/from a remotely connected external system.(Citation: TechNet Copy)

Carberp can download and execute new plugins from the C2 server. (Citation: Prevx Carberp March 2011)(Citation: Trusteer Carberp October 2010)

Revenge RAT has the ability to upload and download files.(Citation: Cylance Shaheen Nov 2018)

MacMa has downloaded additional files, including an exploit for used privilege escalation.(Citation: ESET DazzleSpy Jan 2022)(Citation: Objective-See MacMa Nov 2021)

FunnyDream can download additional files onto a compromised host.(Citation: Bitdefender FunnyDream Campaign November 2020)

More_eggs can download and launch additional payloads.(Citation: Talos Cobalt Group July 2018)(Citation: Security Intelligence More Eggs Aug 2019)

SysUpdate has the ability to download files to a compromised host.(Citation: Trend Micro Iron Tiger April 2021)(Citation: Lunghi Iron Tiger Linux)

OutSteel can download files from its C2 server.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )

BackConfig can download and execute additional payloads on a compromised host.(Citation: Unit 42 BackConfig May 2020)

Kwampirs downloads additional files from C2 servers.(Citation: Symantec Security Center Trojan.Kwampirs)

Nerex creates a backdoor through which remote attackers can download files onto a compromised host.(Citation: Symantec Ristol May 2012)

esentutl can be used to copy files from a given URL.(Citation: LOLBAS Esentutl)

BoomBox has the ability to download next stage malware components to a compromised system.(Citation: MSTIC Nobelium Toolset May 2021)

Koadic can download additional files and tools.(Citation: Github Koadic)(Citation: MalwareBytes LazyScripter Feb 2021)

WIREFIRE has the ability to download files to compromised devices.(Citation: Mandiant Cutting Edge January 2024)

Kessel can download additional modules from the C2 server.(Citation: ESET ForSSHe December 2018)

GrimAgent has the ability to download and execute additional payloads.(Citation: Group IB GrimAgent July 2021)

STEADYPULSE can add lines to a Perl script on a targeted server to import additional Perl modules.(Citation: Mandiant Pulse Secure Zero-Day April 2021)

YAHOYAH uses HTTP GET requests to download other files that are executed in memory.(Citation: TrendMicro TropicTrooper 2015)

Pupy can upload and download to/from a victim machine.(Citation: GitHub Pupy)

Lokibot downloaded several staged items onto the victim's machine.(Citation: Talos Lokibot Jan 2021)

CallMe has the capability to download a file to the victim from the C2 server.(Citation: Scarlet Mimic Jan 2016)

CloudDuke downloads and executes additional malware from either a Web address or a Microsoft OneDrive account.(Citation: F-Secure The Dukes)

Egregor has the ability to download files from its C2 server.(Citation: Cybereason Egregor Nov 2020)(Citation: Intrinsec Egregor Nov 2020)

PoetRAT has the ability to copy files and download/upload files into C2 channels using FTP and HTTPS.(Citation: Talos PoetRAT April 2020)(Citation: Talos PoetRAT October 2020)

CHOPSTICK is capable of performing remote file transmission.(Citation: Crowdstrike DNC June 2016)

ftp may be abused by adversaries to transfer tools or files from an external system into a compromised environment.(Citation: Microsoft FTP)(Citation: Linux FTP)

FELIXROOT downloads and uploads files to and from the victim’s machine.(Citation: FireEye FELIXROOT July 2018)(Citation: ESET GreyEnergy Oct 2018)

ZxShell has a command to transfer files from a remote host.(Citation: Talos ZxShell Oct 2014)

RAPIDPULSE can transfer files to and from compromised hosts.(Citation: Mandiant Pulse Secure Update May 2021)

NDiskMonitor can download and execute a file from given URL.(Citation: TrendMicro Patchwork Dec 2017)

CoinTicker executes a Python script to download its second stage.(Citation: CoinTicker 2019)

DDKONG downloads and uploads files on the victim’s machine.(Citation: Rancor Unit42 June 2018)

Penquin can execute the command code do_download to retrieve remote files from C2.(Citation: Leonardo Turla Penquin May 2020)

BabyShark has downloaded additional files from the C2.(Citation: Unit42 BabyShark Apr 2019)(Citation: CISA AA20-301A Kimsuky)

Cannon can download a payload for execution.(Citation: Unit42 Cannon Nov 2018)

build_downer has the ability to download files from C2 to the infected host.(Citation: Trend Micro Tick November 2019)

Melcoz has the ability to download additional files to a compromised host.(Citation: Securelist Brazilian Banking Malware July 2020)

The Winnti for Windows dropper can place malicious payloads on targeted systems.(Citation: Novetta Winnti April 2015)

PowerPunch can download payloads from adversary infrastructure.(Citation: Microsoft Actinium February 2022)

BONDUPDATER can download or upload files from its C2 server.(Citation: Palo Alto OilRig Sep 2018)

Kinsing has downloaded additional lateral movement scripts from C2.(Citation: Aqua Kinsing April 2020)

Meteor has the ability to download additional files for execution on the victim's machine.(Citation: Check Point Meteor Aug 2021)

njRAT can download files to the victim’s machine.(Citation: Fidelis njRAT June 2013)(Citation: Trend Micro njRAT 2018)

ZIPLINE can download files to be saved on the compromised system.(Citation: Mandiant Cutting Edge January 2024)(Citation: Mandiant Cutting Edge Part 2 January 2024)

QuasarRAT can download files to the victim’s machine and execute them.(Citation: GitHub QuasarRAT)(Citation: Volexity Patchwork June 2018)

TURNEDUP is capable of downloading additional files.(Citation: FireEye APT33 Sept 2017)

ChChes is capable of downloading files, including additional modules.(Citation: Palo Alto menuPass Feb 2017)(Citation: JPCERT ChChes Feb 2017)(Citation: FireEye APT10 April 2017)

POWERSTATS can retrieve and execute additional PowerShell payloads from the C2 server.(Citation: FireEye MuddyWater Mar 2018)

ANDROMEDA can download additional payloads from C2.(Citation: Mandiant Suspected Turla Campaign February 2023)

JPIN can download files and upgrade itself.(Citation: Microsoft PLATINUM April 2016)

metaMain can download files onto compromised systems.(Citation: SentinelLabs Metador Sept 2022)(Citation: SentinelLabs Metador Technical Appendix Sept 2022)

SideTwist has the ability to download additional files.(Citation: Check Point APT34 April 2021)

KOCTOPUS has executed a PowerShell command to download a file to the system.(Citation: MalwareBytes LazyScripter Feb 2021)

MechaFlounder has the ability to upload and download files to and from a compromised host.(Citation: Unit 42 MechaFlounder March 2019)

Psylo has a command to download a file to the system from its C2 server.(Citation: Scarlet Mimic Jan 2016)

HTTPBrowser is capable of writing a file to the compromised system from the C2 server.(Citation: Dell TG-3390)

Mis-Type has downloaded additional malware and files onto a compromised host.(Citation: Cylance Dust Storm)

XCSSET downloads browser specific AppleScript modules using a constructed URL with the curl command, https://" & domain & "/agent/scripts/" & moduleName & ".applescript.(Citation: trendmicro xcsset xcode project 2020)

Disco can download files to targeted systems via SMB.(Citation: MoustachedBouncer ESET August 2023)

Dipsind can download remote files.(Citation: Microsoft PLATINUM April 2016)

Octopus can download additional files and tools onto the victim’s machine.(Citation: Securelist Octopus Oct 2018)(Citation: Security Affairs DustSquad Oct 2018)(Citation: ESET Nomadic Octopus 2018)

SoreFang can download additional payloads from C2.(Citation: CISA SoreFang July 2016)(Citation: NCSC APT29 July 2020)

Industroyer downloads a shellcode payload from a remote C2 server and loads it into memory.(Citation: ESET Industroyer)

Kevin can download files to the compromised host.(Citation: Kaspersky Lyceum October 2021)

BADNEWS is capable of downloading additional files through C2 channels, including a new version of itself.(Citation: Forcepoint Monsoon)(Citation: PaloAlto Patchwork Mar 2018)(Citation: TrendMicro Patchwork Dec 2017)

Linfo creates a backdoor through which remote attackers can download files onto compromised hosts.(Citation: Symantec Linfo May 2012)

ShadowPad has downloaded code from a C2 server.(Citation: Securelist ShadowPad Aug 2017)

Astaroth uses certutil and BITSAdmin to download additional malware. (Citation: Cofense Astaroth Sept 2018)(Citation: Cybereason Astaroth Feb 2019)(Citation: Securelist Brazilian Banking Malware July 2020)

QakBot has the ability to download additional components and malware.(Citation: Trend Micro Qakbot May 2020)(Citation: Crowdstrike Qakbot October 2020)(Citation: Trend Micro Qakbot December 2020)(Citation: Cyberint Qakbot May 2021)(Citation: Kaspersky QakBot September 2021)(Citation: Group IB Ransomware September 2020)

CookieMiner can download additional scripts from a web server.(Citation: Unit42 CookieMiner Jan 2019)

Hancitor has the ability to download additional files from C2.(Citation: Threatpost Hancitor)

Gelsemium can download additional plug-ins to a compromised host.(Citation: ESET Gelsemium June 2021)

jRAT can download and execute files.(Citation: jRAT Symantec Aug 2018)(Citation: Kaspersky Adwind Feb 2016)(Citation: Symantec Frutas Feb 2013)

Helminth can download additional files.(Citation: Palo Alto OilRig May 2016)

BBK has the ability to download files from C2 to the infected host.(Citation: Trend Micro Tick November 2019)

OSX/Shlayer can download payloads, and extract bytes from files. OSX/Shlayer uses the curl -fsL "$url" >$tmp_path command to download malicious payloads into a temporary directory.(Citation: Carbon Black Shlayer Feb 2019)(Citation: sentinelone shlayer to zshlayer)(Citation: 20 macOS Common Tools and Techniques)(Citation: objectivesee osx.shlayer apple approved 2020)

Denis deploys additional backdoors and hacking tools to the system.(Citation: Cybereason Cobalt Kitty 2017)

Waterbear can receive and load executables from remote C2 servers.(Citation: Trend Micro Waterbear December 2019)

Vasport can download files.(Citation: Symantec Vasport May 2012)

JSS Loader has the ability to download malicious executables to a compromised host.(Citation: CrowdStrike Carbon Spider August 2021)

Lizar can download additional plugins, files, and tools.(Citation: BiZone Lizar May 2021)

Dtrack’s can download and upload a file to the victim’s computer.(Citation: Securelist Dtrack)(Citation: CyberBit Dtrack)

H1N1 contains a command to download and execute a file from a remotely hosted URL using WinINet HTTP requests.(Citation: Cisco H1N1 Part 2)

Seth-Locker has the ability to download and execute files on a compromised host.(Citation: Trend Micro Ransomware February 2021)

LoudMiner used SCP to update the miner from the C2.(Citation: ESET LoudMiner June 2019)

Azorult can download and execute additional files. Azorult has also downloaded a ransomware payload called Hermes.(Citation: Unit42 Azorult Nov 2018)(Citation: Proofpoint Azorult July 2018)

Zox can download files to a compromised machine.(Citation: Novetta-Axiom)

UPPERCUT can download and upload files to and from the victim’s machine.(Citation: FireEye APT10 Sept 2018)

StrifeWater can download updates and auxiliary modules.(Citation: Cybereason StrifeWater Feb 2022)

Mivast has the capability to download and execute .exe files.(Citation: Symantec Backdoor.Mivast)

HiddenWasp downloads a tar compressed archive from a download server to the system.(Citation: Intezer HiddenWasp Map 2019)

WarzoneRAT can download and execute additional files.(Citation: Check Point Warzone Feb 2020)

SLOTHFULMEDIA has downloaded files onto a victim machine.(Citation: CISA MAR SLOTHFULMEDIA October 2020)

Small Sieve has the ability to download files.(Citation: NCSC GCHQ Small Sieve Jan 2022)

Frankenstein has uploaded and downloaded files to utilize additional plugins.(Citation: Talos Frankenstein June 2019)

APT28 has downloaded additional files, including by using a first-stage downloader to contact the C2 server to obtain the second-stage implant.(Citation: Bitdefender APT28 Dec 2015)(Citation: Unit 42 Playbook Dec 2017)(Citation: Accenture SNAKEMACKEREL Nov 2018)(Citation: TrendMicro Pawn Storm Dec 2020)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)

Turla has used shellcode to download Meterpreter after compromising a victim.(Citation: ESET Turla Mosquito May 2018)

Tropic Trooper has used a delivered trojan to download additional files.(Citation: TrendMicro Tropic Trooper May 2020)

Evilnum can deploy additional components or tools as needed.(Citation: ESET EvilNum July 2020)

APT33 has downloaded additional files and programs from its C2 server.(Citation: Symantec Elfin Mar 2019)(Citation: Microsoft Holmium June 2020)

Operation Wocao can download additional files to the infected system.(Citation: FoxIT Wocao December 2019)

Fox Kitten has downloaded additional tools including PsExec directly to endpoints.(Citation: CISA AA20-259A Iran-Based Actor September 2020)

Lazarus Group has downloaded files, malware, and tools from its C2 onto a compromised host.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware)(Citation: Novetta Blockbuster Loaders)(Citation: SentinelOne Lazarus macOS July 2020)(Citation: TrendMicro macOS Dacls May 2020)(Citation: Kaspersky ThreatNeedle Feb 2021)(Citation: Google TAG Lazarus Jan 2021)(Citation: Lazarus APT January 2022)(Citation: Qualys LolZarus)(Citation: ESET Twitter Ida Pro Nov 2021)

Gamaredon Group has downloaded additional malware and tools onto a compromised host.(Citation: Palo Alto Gamaredon Feb 2017)(Citation: TrendMicro Gamaredon April 2020)(Citation: ESET Gamaredon June 2020)(Citation: Microsoft Actinium February 2022) For example, Gamaredon Group uses a backdoor script to retrieve and decode additional payloads once in victim environments.(Citation: unit42_gamaredon_dec2022)

APT29 has downloaded additional tools and malware onto compromised networks.(Citation: Mandiant No Easy Breach)(Citation: PWC WellMess July 2020)(Citation: F-Secure The Dukes)(Citation: Mandiant APT29 Eye Spy Email Nov 22)

TA2541 has used malicious scripts and macros with the ability to download additional payloads.(Citation: Cisco Operation Layover September 2021)

WIRTE has downloaded PowerShell code from the C2 server to be executed.(Citation: Lab52 WIRTE Apr 2019)

Indrik Spider has downloaded additional scripts, malware, and tools onto a compromised host.(Citation: Crowdstrike Indrik November 2018)(Citation: Symantec WastedLocker June 2020)(Citation: Mandiant_UNC2165)

Whitefly has the ability to download additional tools from the C2.(Citation: Symantec Whitefly March 2019)

Darkhotel has used first-stage payloads that download additional malware from C2 servers.(Citation: Microsoft DUBNIUM June 2016)

APT39 has downloaded tools to compromised hosts.(Citation: Symantec Chafer February 2018)(Citation: FBI FLASH APT39 September 2020)

APT38 used a backdoor, NESTEGG, that has the capability to download and upload files to and from a victim’s machine.(Citation: FireEye APT38 Oct 2018) Additionally, APT38 has downloaded other payloads onto a victim’s machine.(Citation: 1 - appv)

MuddyWater has used malware that can upload additional files to the victim’s machine.(Citation: Securelist MuddyWater Oct 2018)(Citation: ClearSky MuddyWater Nov 2018)(Citation: Reaqta MuddyWater November 2017)(Citation: Trend Micro Muddy Water March 2021)

Leviathan has downloaded additional scripts and files from adversary-controlled servers.(Citation: Proofpoint Leviathan Oct 2017)(Citation: FireEye Periscope March 2018)

Dragonfly 2.0 copied and installed tools for operations once in the victim environment.(Citation: US-CERT TA18-074A)(Citation: US-CERT APT Energy Oct 2017)

Volatile Cedar can deploy additional tools.(Citation: ClearSky Lebanese Cedar Jan 2021)

Rocke used malware to download additional malicious files to the target system.(Citation: Talos Rocke August 2018)

Aquatic Panda has downloaded additional malware onto compromised hosts.(Citation: CrowdStrike AQUATIC PANDA December 2021)

BRONZE BUTLER has used various tools to download files, including DGet (a similar tool to wget).(Citation: Secureworks BRONZE BUTLER Oct 2017)

ZIRCONIUM has used tools to download malicious files to compromised hosts.(Citation: Zscaler APT31 Covid-19 October 2020)

Molerats used executables to download malicious files from different sources.(Citation: Kaspersky MoleRATs April 2019)(Citation: Unit42 Molerat Mar 2020)

BlackByte has transferred tools such as Cobalt Strike to victim environments from file sharing and hosting websites.(Citation: Microsoft BlackByte 2023)

SideCopy has delivered trojanized executables via spearphishing emails that contacts actor-controlled servers to download malicious payloads.(Citation: MalwareBytes SideCopy Dec 2021)

Silence has downloaded additional modules and malware to victim’s machines.(Citation: Group IB Silence Sept 2018)

Nomadic Octopus has used malicious macros to download additional files to the victim's machine.(Citation: ESET Nomadic Octopus 2018)

Wizard Spider can transfer malicious payloads such as ransomware to compromised machines.(Citation: Mandiant FIN12 Oct 2021)

Confucius has downloaded additional files and payloads onto a compromised host following initial access.(Citation: Uptycs Confucius APT Jan 2021)(Citation: TrendMicro Confucius APT Aug 2021)

Threat Group-3390 has downloaded additional malware and tools, including through the use of `certutil`, onto a compromised host .(Citation: Dell TG-3390)(Citation: Trend Micro DRBControl February 2020)

APT32 has added JavaScript to victim websites to download additional frameworks that profile and compromise website visitors.(Citation: Volexity OceanLotus Nov 2017)

Metador has downloaded tools and malware onto a compromised system.(Citation: SentinelLabs Metador Sept 2022)

Moses Staff has downloaded and installed web shells to following path C:\inetpub\wwwroot\aspnet_client\system_web\IISpool.aspx.(Citation: Checkpoint MosesStaff Nov 2021)

Dragonfly has copied and installed tools for operations once in the victim environment.(Citation: US-CERT TA18-074A)

INC Ransom has downloaded tools to compromised servers including Advanced IP Scanner. (Citation: Huntress INC Ransom Group August 2023)(Citation: Huntress INC Ransomware May 2024)

Sidewinder has used LNK files to download remote files to the victim's network.(Citation: ATT Sidewinder January 2021)(Citation: Cyble Sidewinder September 2020)

OilRig had downloaded remote files onto victim infrastructure.(Citation: FireEye APT34 Dec 2017)(Citation: Trend Micro Earth Simnavaz October 2024)

LuminousMoth has downloaded additional malware and tools onto a compromised host.(Citation: Kaspersky LuminousMoth July 2021)(Citation: Bitdefender LuminousMoth July 2021)

APT37 has downloaded second stage malware from compromised websites.(Citation: FireEye APT37 Feb 2018)(Citation: Securelist ScarCruft May 2019)(Citation: Volexity InkySquid BLUELIGHT August 2021)(Citation: Volexity InkySquid RokRAT August 2021)

Chimera has remotely copied tools and malware onto targeted systems.(Citation: Cycraft Chimera April 2020)

Andariel has downloaded additional tools and malware onto compromised hosts.(Citation: AhnLab Andariel Subgroup of Lazarus June 2018)

HEXANE has downloaded additional payloads and malicious scripts onto a compromised host.(Citation: Kaspersky Lyceum October 2021)

FIN7 has downloaded additional malware to execute on the victim's machine, including by using a PowerShell script to launch shellcode that retrieves an additional payload.(Citation: FireEye FIN7 April 2017)(Citation: DOJ FIN7 Aug 2018)(Citation: Mandiant FIN7 Apr 2022)

BackdoorDiplomacy has downloaded additional files and tools onto a compromised host.(Citation: ESET BackdoorDiplomacy Jun 2021)

APT-C-36 has downloaded binary data from a specified domain after the malicious document is opened.(Citation: QiAnXin APT-C-36 Feb2019)

Volt Typhoon has downloaded an outdated version of comsvcs.dll to a compromised domain controller in a non-standard folder.(Citation: CISA AA24-038A PRC Critical Infrastructure February 2024)

FIN13 has downloaded additional tools and malware to compromised systems.(Citation: Mandiant FIN13 Aug 2022)(Citation: Sygnia Elephant Beetle Jan 2022)

Kimsuky has downloaded additional scripts, tools, and malware onto victim systems.(Citation: Crowdstrike GTR2020 Mar 2020)(Citation: Talos Kimsuky Nov 2021)

BITTER has downloaded additional malware and tools onto a compromised host.(Citation: Cisco Talos Bitter Bangladesh May 2022)(Citation: Forcepoint BITTER Pakistan Oct 2016)

Cinnamon Tempest has downloaded files, including Cobalt Strike, to compromised hosts.(Citation: Sygnia Emperor Dragonfly October 2022)

IndigoZebra has downloaded additional files and tools from its C2 server.(Citation: Checkpoint IndigoZebra July 2021)

Sandworm Team has pushed additional malicious tools onto an infected system to steal user credentials, move laterally, and destroy data.(Citation: ESET Telebots Dec 2016)(Citation: US District Court Indictment GRU Unit 74455 October 2020)

Sharpshooter downloaded additional payloads after a target was infected with a first-stage downloader.(Citation: McAfee Sharpshooter December 2018)

APT18 can upload a file to the victim’s machine.(Citation: PaloAlto DNS Requests May 2016)

Magic Hound has downloaded additional code and files from servers onto victims.(Citation: Unit 42 Magic Hound Feb 2017)(Citation: DFIR Report APT35 ProxyShell March 2022)(Citation: DFIR Phosphorus November 2021)(Citation: Microsoft Iranian Threat Actor Trends November 2021)

Winnti Group has downloaded an auxiliary program named ff.exe to infected machines.(Citation: Kaspersky Winnti April 2013)

menuPass has installed updates and new malware on victims.(Citation: PWC Cloud Hopper April 2017)(Citation: District Court of NY APT10 Indictment December 2018)

Tonto Team has downloaded malicious DLLs which served as a ShadowPad loader.(Citation: ESET Exchange Mar 2021)

TeamTNT has the curl and wget commands as well as batch scripts to download new tools.(Citation: Intezer TeamTNT September 2020)(Citation: Cisco Talos Intelligence Group)

Ke3chang has used tools to download files to compromised machines.(Citation: Microsoft NICKEL December 2021)

Windshift has used tools to deploy additional payloads to compromised hosts.(Citation: BlackBerry Bahamut)

Storm-1811 has used scripted `cURL` commands, BITSAdmin, and other mechanisms to retrieve follow-on batch scripts and tools for execution on victim devices.(Citation: Microsoft Storm-1811 2024)(Citation: rapid7-email-bombing)(Citation: RedCanary June Insights 2024)

Patchwork payloads download additional files from the C2 server.(Citation: Securelist Dropping Elephant)(Citation: TrendMicro Patchwork Dec 2017)

Moonstone Sleet retrieved a final stage payload from command and control infrastructure during initial installation on victim systems.(Citation: Microsoft Moonstone Sleet 2024)

Mustang Panda has downloaded additional executables following the initial infection stage.(Citation: Recorded Future REDDELTA July 2020)

Ember Bear has used tools to download malicious code.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )

Mustard Tempest has deployed secondary payloads and third stage implants to compromised hosts.(Citation: Microsoft Ransomware as a Service)

Play has used Cobalt Strike to download files to compromised machines.(Citation: Trend Micro Ransomware Spotlight Play July 2023)

Gorgon Group malware can download additional files from C2 servers.(Citation: Unit 42 Gorgon Group Aug 2018)

Ajax Security Team has used Wrapper/Gholee, custom-developed malware, which downloaded additional malware to the infected system.(Citation: Check Point Rocket Kitten)

APT3 has a tool that can copy files to remote machines.(Citation: FireEye Clandestine Fox)

Winter Vivern executed PowerShell scripts to create scheduled tasks to retrieve remotely-hosted payloads.(Citation: DomainTools WinterVivern 2021)

TA551 has retrieved DLLs and installer binaries for malware execution from C2.(Citation: Unit 42 TA551 Jan 2021)

GALLIUM dropped additional tools to victims during their operation, including portqry.exe, a renamed cmd.exe file, winrar, and HTRAN.(Citation: Cybereason Soft Cell June 2019)(Citation: Microsoft GALLIUM December 2019)

Daggerfly has used PowerShell and BITSAdmin to retrieve follow-on payloads from external locations for execution on victim machines.(Citation: Symantec Daggerfly 2023)

Cobalt Group has used public sites such as github.com and sendspace.com to upload files and then download them to victim computers.(Citation: PTSecurity Cobalt Group Aug 2017)(Citation: PTSecurity Cobalt Dec 2016) The group's JavaScript backdoor is also capable of downloading files.(Citation: Morphisec Cobalt Gang Oct 2018)

The Ritsol backdoor trojan used by Elderwood can download files onto a compromised host from a remote location.(Citation: Symantec Ristol May 2012)

APT41 used certutil to download additional files.(Citation: FireEye APT41 March 2020)(Citation: Crowdstrike GTR2020 Mar 2020)(Citation: Group IB APT 41 June 2021) APT41 downloaded post-exploitation tools such as Cobalt Strike via command shell following initial access.(Citation: Rostovcev APT41 2021) APT41 has uploaded Procdump and NATBypass to a staging directory and has used these tools in follow-on activities.(Citation: apt41_dcsocytec_dec2022)

UNC2452 downloaded additional tools, such as TEARDROP malware and Cobalt Strike, to the compromised host following initial compromise.(Citation: FireEye SUNBURST Backdoor December 2020)

FIN8 has used remote code execution to download subsequent payloads.(Citation: FireEye Fin8 May 2016)(Citation: Bitdefender FIN8 July 2021)

TA505 has downloaded additional malware to execute on victim systems.(Citation: Cybereason TA505 April 2019)(Citation: Deep Instinct TA505 Apr 2019)(Citation: ProofPoint SettingContent-ms July 2018)

HAFNIUM has downloaded malware and tools--including Nishang and PowerCat--onto a compromised host.(Citation: Microsoft HAFNIUM March 2020)(Citation: Rapid7 HAFNIUM Mar 2021)

LazyScripter had downloaded additional tools to a compromised host.(Citation: MalwareBytes LazyScripter Feb 2021)

PLATINUM has transferred files using the Intel® Active Management Technology (AMT) Serial-over-LAN (SOL) channel.(Citation: Microsoft PLATINUM June 2017)

Rancor has downloaded additional malware, including by using certutil.(Citation: Rancor Unit42 June 2018)

Use intrusion detection signatures to block traffic at network boundaries.

Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware or unusual data transfer over known tools and protocols like FTP can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: University of Birmingham C2)