Response playbooks, investigation guides, and Atomic Red Team tests are Pro-only. Upgrade to unlock the full detection package for THREAT-Infra-CDNMalwareStaging.

Upgrade to Pro
THREAT-Infra-CDNMalwareStaging

Malware Payloads Staged on Abused Legitimate CDN/File-Sharing Services

Resource Development Last updated:

Loader-as-a-service operators and commodity infostealer distributors increasingly stage second- and third-stage payloads on trusted, high-reputation CDN and file-sharing infrastructure — most commonly Discord's attachment CDN (cdn.discordapp.com / media.discordapp.net), MEGA.nz, and Telegram's file API — rather than adversary-registered domains. Because these hostnames are broadly allowlisted by web filters, blend into ordinary user traffic, and offer free, effectively anonymous hosting with no registration paperwork, actors such as Storm-1113 (DarkGate loader distribution), Lumma Stealer, and Vidar operators use them as durable staging points for stage-2 payloads delivered via malvertising, cracked-software lures, and SEO-poisoned search results. Because the domain itself is never flagged as malicious, defenders must pivot detection away from domain reputation and onto the combination of requesting process, retrieved content-type, and download cadence. Detection focuses on three pillars: (1) non-browser processes (script hosts, LOLBins, unsigned binaries) issuing HTTPS requests to these CDN hostnames, (2) executable/archive content-types being retrieved from paths that are normally used for images/media, and (3) newly-created local files immediately following such a download that are then executed.

What is THREAT-Infra-CDNMalwareStaging Malware Payloads Staged on Abused Legitimate CDN/File-Sharing Services?

Malware Payloads Staged on Abused Legitimate CDN/File-Sharing Services (THREAT-Infra-CDNMalwareStaging) maps to the Resource Development tactic — the adversary is trying to establish resources they can use to support operations in MITRE ATT&CK.

This page provides production-ready detection logic for Malware Payloads Staged on Abused Legitimate CDN/File-Sharing Services, covering the data sources and telemetry it touches: Network Traffic: Network Connection Creation, Command: Command Execution, Microsoft Defender for Endpoint (DeviceNetworkEvents, DeviceProcessEvents). The queries below are rated high severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic
Resource Development
Microsoft Sentinel / Defender
kusto
// THREAT-Infra-CDNMalwareStaging (T1608.001) - Malware staged on abused legitimate CDN/file-sharing services
// Pillar 1: Non-browser process requesting Discord CDN / MEGA / Telegram file hosting
let StagingHosts = dynamic([
  "cdn.discordapp.com", "media.discordapp.net", "discord.com",
  "mega.nz", "mega.co.nz",
  "api.telegram.org", "t.me"
]);
let BrowserProcesses = dynamic([
  "chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe", "iexplore.exe"
]);
DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemoteUrl has_any (StagingHosts)
| where InitiatingProcessFileName !in~ (BrowserProcesses)
| extend SuspicionReason = "NonBrowserProcessToCDN"
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, RemoteUrl, RemoteIP, SuspicionReason
| union (
    // Pillar 2: Executable/archive retrieved via LOLBin from these hosts, followed by execution
    DeviceProcessEvents
    | where Timestamp > ago(24h)
    | where FileName in~ ("powershell.exe", "curl.exe", "wscript.exe", "cscript.exe", "mshta.exe", "certutil.exe", "bitsadmin.exe")
    | where ProcessCommandLine has_any (StagingHosts)
    | where ProcessCommandLine has_any (".exe", ".dll", ".zip", ".rar", ".7z", "-outfile", "downloadfile")
    | extend RemoteUrl = extract(@"(https?://[^\s\"']+)", 1, ProcessCommandLine)
    | extend RemoteIP = "", SuspicionReason = "LOLBinPayloadDownload"
    | project Timestamp, DeviceName, InitiatingProcessFileName=FileName, InitiatingProcessCommandLine=ProcessCommandLine, RemoteUrl, RemoteIP, SuspicionReason
)
| sort by Timestamp desc

Two-pillar detection for adversary payload staging on abused legitimate CDN/file-sharing infrastructure. Pillar 1 flags any non-browser process (scripting engines, LOLBins, unsigned binaries) establishing a network connection to Discord CDN, MEGA, or Telegram file-hosting hostnames via DeviceNetworkEvents. Pillar 2 flags common LOLBins (powershell, certutil, bitsadmin, mshta) whose command line references those same hostnames alongside an executable/archive extension or a file-download cmdlet/flag, indicating an active payload retrieval rather than incidental traffic.

high severity medium confidence

Data Sources

Network Traffic: Network Connection Creation Command: Command Execution Microsoft Defender for Endpoint (DeviceNetworkEvents, DeviceProcessEvents)

Required Tables

DeviceNetworkEvents DeviceProcessEvents

False Positives

  • Discord desktop/web client itself, or bots/integrations legitimately fetching attachments and avatars from cdn.discordapp.com
  • IT-approved use of MEGA.nz or Telegram for legitimate file transfer/backup by employees or automation accounts
  • Software update mechanisms or Electron apps (including Discord's own updater) that fetch assets from media.discordapp.net
  • Security or IT tooling using certutil/bitsadmin for legitimate certificate or content retrieval that happens to traverse a matching hostname pattern

Sigma rule & cross-platform mapping

The detection logic for Malware Payloads Staged on Abused Legitimate CDN/File-Sharing Services (THREAT-Infra-CDNMalwareStaging) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource:

logsource:
  category: process_creation
  product: windows

Browse the community-maintained Sigma rules for this technique:


Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Non-Browser Process Requesting Discord CDN Hostname

    Expected signal: Sysmon Event ID 3 / DeviceNetworkEvents: outbound connection from powershell.exe to cdn.discordapp.com. Sysmon Event ID 11: file creation at atomic_test_dl.tmp immediately following the request.

  2. Test 2Certutil Payload-Style Retrieval Referencing Staging Host and Executable Extension

    Expected signal: Sysmon Event ID 1: certutil.exe with -urlcache -split -f and a discordapp.com URL ending in .exe in CommandLine. Sysmon Event ID 3 for the outbound connection. Request will likely 404 but the command-line pattern and connection attempt are logged regardless.

  3. Test 3MSHTA Reference to MEGA File-Hosting Archive Path

    Expected signal: Sysmon Event ID 1: mshta.exe with CommandLine containing 'mega.nz' and '.zip'. No actual network connection to MEGA occurs since the URL is embedded in an inert JavaScript comment, but the command-line telemetry is captured.

Unlock playbooks & atomic tests with Pro

Get the full detection package for THREAT-Infra-CDNMalwareStaging — response playbook and atomic red team tests, plus investigation guidance and hunting queries.

df00tech Pro — £29/user/month

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections