Skip to content

T1102 Web Service

Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites, cloud services, and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google, Microsoft, or Twitter, makes it easier for adversaries to hide in expected noise.1 Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.

Use of Web services may also protect back-end C2 infrastructure from discovery through malware binary analysis while also enabling operational resiliency (since this infrastructure may be dynamically changed).

Item Value
ID T1102
Sub-techniques T1102.001, T1102.002, T1102.003
Tactics TA0011
Platforms ESXi, Linux, Windows, macOS
Version 1.3
Created 31 May 2017
Last Modified 24 October 2025

Procedure Examples

ID Name Description
G0050 APT32 APT32 has used Dropbox, Amazon S3, and Google Drive to host malicious downloads.55
C0040 APT41 DUST APT41 DUST used compromised Google Workspace accounts for command and control.58
G1044 APT42 APT42 has used various links, such as links with typo-squatted domains, links to Dropbox files and links to fake Google sites, in spearphishing operations.494847
S1081 BADHATCH BADHATCH can be utilized to abuse sslip.io, a free IP to domain mapping service, as part of actor-controlled C2 channels.20
S0534 Bazar Bazar downloads have been hosted on Google Docs.3435
S0635 BoomBox BoomBox can download files from Dropbox using a hardcoded access token.11
S1063 Brute Ratel C4 Brute Ratel C4 can use legitimate websites for external C2 channels including Slack, Discord, and MS Teams.4
S1039 Bumblebee Bumblebee has been downloaded to victim’s machines from OneDrive.15
C0017 C0017 During C0017, APT41 used the Cloudflare services for C2 communications.61
C0027 C0027 During C0027, Scattered Spider downloaded tools from sites including file.io, GitHub, and paste.ee.59
S0335 Carbon Carbon can use Pastebin to receive C2 commands.10
S0674 CharmPower CharmPower can download additional modules from actor-controlled Amazon S3 buckets.23
S1149 CHIMNEYSWEEP CHIMNEYSWEEP has the ability to use use Telegram channels to return a list of commands to be executed, to download additional payloads, or to create a reverse shell.32
S1066 DarkTortilla DarkTortilla can retrieve its primary payload from public sites such as Pastebin and Textbin.29
S0600 Doki Doki has used the dogechain.info API to generate a C2 address.30
S0547 DropBook DropBook can communicate with its operators by exploiting the Simplenote, DropBox, and the social media platform, Facebook, where it can create fake accounts to control the backdoor and receive instructions.1214
G1011 EXOTIC LILY EXOTIC LILY has used file-sharing services including WeTransfer, TransferNow, and OneDrive to deliver payloads.46
G0037 FIN6 FIN6 has used Pastebin and Google Storage to host content for their operations.43
G0061 FIN8 FIN8 has used sslip.io, a free IP to domain mapping service that also makes SSL certificate generation easier for traffic encryption, as part of their command and control.45
G0117 Fox Kitten Fox Kitten has used Amazon Web Services to host C2.50
G0047 Gamaredon Group Gamaredon Group has used GitHub repositories for downloaders which will be obtained by the group’s .NET executable on the compromised system.54
S0561 GuLoader GuLoader has the ability to download malware from Google Drive.33
S0601 Hildegard Hildegard has downloaded scripts from GitHub.17
G0100 Inception Inception has incorporated at least five different cloud service providers into their C2 infrastructure including CloudMe.3940
S1160 Latrodectus Latrodectus has used Google Firebase to download malicious installation scripts.7
G0140 LazyScripter LazyScripter has used GitHub to host its payloads to operate spam campaigns.44
S1221 MOPSLED MOPSLED can use third-party web services such as GitHub and Google Drive for C2.31
G0129 Mustang Panda Mustang Panda has used DropBox URLs to deliver variants of PlugX.53 Mustang Panda has also used Google Drive to host malicious downloads.52
S0198 NETWIRE NETWIRE has used web services including Paste.ee to host payloads.22
S0508 ngrok ngrok has been used by threat actors to proxy C2 connections to ngrok service subdomains.3
S1147 Nightdoor Nightdoor can utilize Microsoft OneDrive or Google Drive for command and control purposes.56
C0005 Operation Spalax During Operation Spalax, the threat actors used OneDrive and MediaFire to host payloads.60
S1130 Raspberry Robin Raspberry Robin second stage payloads can be hosted as RAR files, containing a malicious EXE and DLL, on Discord servers.9
G1039 RedCurl RedCurl has used web services to download malicious files.3738
S1240 RedLine Stealer RedLine Stealer has leveraged legitimate file sharing web services to host malicious payloads.1819
G0106 Rocke Rocke has used Pastebin, Gitee, and GitLab for Command and Control.4142
S0546 SharpStage SharpStage has used a legitimate web service for evading detection.12
S1178 ShrinkLocker ShrinkLocker uses a subdomain on the legitimate Cloudflare resource “trycloudflare[.]com” to obfuscate the threat actor’s actual address and to tunnel information sent from victim systems.16
S0589 Sibot Sibot has used a legitimate compromised website to download DLLs to the victim’s machine.21
S0649 SMOKEDHAM SMOKEDHAM has used Google Drive and Dropbox to host files downloaded by victims via malicious links.13
S1086 Snip3 Snip3 can download additional payloads from web services including Pastebin and top4top.8
S1124 SocGholish SocGholish has used Amazon Web Services to host second-stage servers.36
G0139 TeamTNT TeamTNT has leveraged iplogger.org to send collected data back to C2.5756
G0010 Turla Turla has used legitimate web services including Pastebin, Dropbox, and GitHub for C2 communications.1051
S0689 WhisperGate WhisperGate can download additional payloads hosted on a Discord channel.2526272428

Mitigations

ID Mitigation Description
M1031 Network Intrusion Prevention Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level.
M1021 Restrict Web-Based Content Web proxies can be used to enforce external network communication policy that prevents use of unauthorized external services.

References

  1. Broadcom. (2024, May 2). BirdyClient malware leverages Microsoft Graph API for C&C communication. Retrieved July 1, 2024. 

  2. Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016. 

  3. Cimpanu, C. (2018, September 13). Sly malware author hides cryptomining botnet behind ever-shifting proxy service. Retrieved September 15, 2020. 

  4. Harbison, M. and Renals, P. (2022, July 5). When Pentest Tools Go Brutal: Red-Teaming Tool Being Abused by Malicious Actors. Retrieved February 1, 2023. 

  5. Ahn Ho, Facundo Muñoz, & Marc-Etienne M.Léveillé. (2024, March 7). Evasive Panda leverages Monlam Festival to target Tibetans. Retrieved July 25, 2024. 

  6. Threat Hunter Team. (2024, July 23). Daggerfly: Espionage Group Makes Major Update to Toolset. Retrieved July 25, 2024. 

  7. Unit 42. (2024, June 25). 2024-06-25-IOCs-from-Latrodectus-activity. Retrieved September 13, 2024. 

  8. Lorber, N. (2021, May 7). Revealing the Snip3 Crypter, a Highly Evasive RAT Loader. Retrieved September 13, 2023. 

  9. Patrick Schläpfer . (2024, April 10). Raspberry Robin Now Spreading Through Windows Script Files. Retrieved May 17, 2024. 

  10. Accenture. (2020, October). Turla uses HyperStack, Carbon, and Kazuar to compromise government entity. Retrieved December 2, 2020. 

  11. MSTIC. (2021, May 28). Breaking down NOBELIUM’s latest early-stage toolset. Retrieved August 4, 2021. 

  12. Cybereason Nocturnus Team. (2020, December 9). MOLERATS IN THE CLOUD: New Malware Arsenal Abuses Cloud Platforms in Middle East Espionage Campaign. Retrieved December 22, 2020. 

  13. FireEye. (2021, May 11). Shining a Light on DARKSIDE Ransomware Operations. Retrieved September 22, 2021. 

  14. Ilascu, I. (2020, December 14). Hacking group’s new malware abuses Google and Facebook services. Retrieved December 28, 2020. 

  15. Merriman, K. and Trouerbach, P. (2022, April 28). This isn’t Optimus Prime’s Bumblebee but it’s Still Transforming. Retrieved August 22, 2022. 

  16. Cristian Souza, Eduardo Ovalle, Ashley Muñoz, & Christopher Zachor. (2024, May 23). ShrinkLocker: Turning BitLocker into ransomware. Retrieved December 7, 2024. 

  17. Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes. Retrieved April 5, 2021. 

  18. Proofpoint Threat Insight Team, Jeremy H, Axel F. (2020, March 16). New Redline Password Stealer Malware. Retrieved September 17, 2025. 

  19. Splunk Threat Research Team. (2023, June 1). Do Not Cross The ‘RedLine’ Stealer: Detections and Analysis. Retrieved September 17, 2025. 

  20. Vrabie, V., et al. (2021, March 10). FIN8 Returns with Improved BADHATCH Toolkit. Retrieved September 8, 2021. 

  21. Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021. 

  22. Maniath, S. and Kadam P. (2019, March 19). Dissecting a NETWIRE Phishing Campaign’s Usage of Process Hollowing. Retrieved January 7, 2021. 

  23. Check Point. (2022, January 11). APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit. Retrieved January 24, 2022. 

  24. Biasini, N. et al.. (2022, January 21). Ukraine Campaign Delivers Defacement and Wipers, in Continued Escalation. Retrieved March 14, 2022. 

  25. Crowdstrike. (2022, January 19). Technical Analysis of the WhisperGate Malicious Bootloader. Retrieved March 10, 2022. 

  26. Falcone, R. et al.. (2022, January 20). Threat Brief: Ongoing Russia and Ukraine Cyber Conflict. Retrieved March 10, 2022. 

  27. MSTIC. (2022, January 15). Destructive malware targeting Ukrainian organizations. Retrieved March 10, 2022. 

  28. S2W. (2022, January 18). Analysis of Destructive Malware (WhisperGate) targeting Ukraine. Retrieved March 14, 2022. 

  29. Secureworks Counter Threat Unit Research Team. (2022, August 17). DarkTortilla Malware Analysis. Retrieved November 3, 2022. 

  30. Fishbein, N., Kajiloti, M.. (2020, July 28). Watch Your Containers: Doki Infecting Docker Servers in the Cloud. Retrieved March 30, 2021. 

  31. Punsaen Boonyakarn, Shawn Chew, Logeswaran Nadarajan, Mathew Potaczek, Jakub Jozwiak, and Alex Marvi. (2024, June 18). Cloaked and Covert: Uncovering UNC3886 Espionage Operations. Retrieved September 24, 2024. 

  32. Jenkins, L. at al. (2022, August 4). ROADSWEEP Ransomware - Likely Iranian Threat Actor Conducts Politically Motivated Disruptive Activity Against Albanian Government Organizations. Retrieved August 6, 2024. 

  33. Salem, E. (2021, April 19). Dancing With Shellcodes: Cracking the latest version of Guloader. Retrieved July 7, 2021. 

  34. Cybereason Nocturnus. (2020, July 16). A BAZAR OF TRICKS: FOLLOWING TEAM9’S DEVELOPMENT CYCLES. Retrieved November 18, 2020. 

  35. Sadique, M. and Singh, A. (2020, September 29). Spear Phishing Campaign Delivers Buer and Bazar Malware. Retrieved November 19, 2020. 

  36. Milenkoski, A. (2022, November 7). SocGholish Diversifies and Expands Its Malware Staging Infrastructure to Counter Defenders. Retrieved March 22, 2024. 

  37. Group-IB. (2020, August). RedCurl: The Pentest You Didn’t Know About. Retrieved August 9, 2024. 

  38. Group-IB. (2021, November). RedCurl: The Awakening. Retrieved August 14, 2024. 

  39. GReAT. (2014, December 10). Cloud Atlas: RedOctober APT is back in style. Retrieved May 8, 2020. 

  40. Symantec. (2018, March 14). Inception Framework: Alive and Well, and Hiding Behind Proxies. Retrieved May 8, 2020. 

  41. Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With a New Malware Family Written in Golang. Retrieved April 24, 2019. 

  42. Liebenberg, D.. (2018, August 30). Rocke: The Champion of Monero Miners. Retrieved May 26, 2020. 

  43. McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019. 

  44. Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 17, 2024. 

  45. Martin Zugec. (2021, July 27). Deep Dive Into a FIN8 Attack - A Forensic Investigation. Retrieved September 1, 2021. 

  46. Stolyarov, V. (2022, March 17). Exposing initial access broker with ties to Conti. Retrieved August 18, 2022. 

  47. Google Threat Analysis Group. (2024, August 14). Iranian backed group steps up phishing campaigns against Israel, U.S.. Retrieved October 9, 2024. 

  48. Mandiant. (n.d.). APT42: Crooked Charms, Cons and Compromises. Retrieved October 9, 2024. 

  49. Rozmann, O., et al. (2024, May 1). Uncharmed: Untangling Iran’s APT42 Operations. Retrieved October 9, 2024. 

  50. ClearSky. (2020, December 17). Pay2Key Ransomware – A New Campaign by Fox Kitten. Retrieved December 21, 2020. 

  51. Faou, M. (2020, December 2). Turla Crutch: Keeping the “back door” open. Retrieved December 4, 2020. 

  52. Golo Muhr, Joshua Chung. (2025, June 23). Hive0154 aka Mustang Panda shifts focus on Tibetan community to deploy Pubload backdoor. Retrieved August 4, 2025. 

  53. Raggi, M. et al. (2022, March 7). The Good, the Bad, and the Web Bug: TA416 Increases Operational Tempo Against European Governments as Conflict in Ukraine Escalates. Retrieved March 16, 2022. 

  54. Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020. 

  55. Adair, S. and Lancaster, T. (2020, November 6). OceanLotus: Extending Cyber Espionage Operations Through Fake Websites. Retrieved November 20, 2020. 

  56. Darin Smith. (2022, April 21). TeamTNT targeting AWS, Alibaba. Retrieved August 4, 2022. 

  57. Kol, Roi. Morag, A. (2020, August 25). Deep Analysis of TeamTNT Techniques Using Container Images to Attack. Retrieved September 22, 2021. 

  58. Mike Stokkel et al. (2024, July 18). APT41 Has Arisen From the DUST. Retrieved September 16, 2024. 

  59. Parisi, T. (2022, December 2). Not a SIMulation: CrowdStrike Investigations Reveal Intrusion Campaign Targeting Telco and BPO Companies. Retrieved June 30, 2023. 

  60. M. Porolli. (2021, January 21). Operation Spalax: Targeted malware attacks in Colombia. Retrieved September 16, 2022. 

  61. Rufus Brown, Van Ta, Douglas Bienstock, Geoff Ackerman, John Wolfram. (2022, March 8). Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments. Retrieved July 8, 2022.