Response playbooks, investigation guides, and Atomic Red Team tests are Pro-only. Upgrade to unlock the full detection package for THREAT-Infra-CDNMalwareStaging.
Upgrade to ProDetect Malware Payloads Staged on Abused Legitimate CDN/File-Sharing Services in Google Chronicle
Loader-as-a-service operators and commodity infostealer distributors increasingly stage second- and third-stage payloads on trusted, high-reputation CDN and file-sharing infrastructure — most commonly Discord's attachment CDN (cdn.discordapp.com / media.discordapp.net), MEGA.nz, and Telegram's file API — rather than adversary-registered domains. Because these hostnames are broadly allowlisted by web filters, blend into ordinary user traffic, and offer free, effectively anonymous hosting with no registration paperwork, actors such as Storm-1113 (DarkGate loader distribution), Lumma Stealer, and Vidar operators use them as durable staging points for stage-2 payloads delivered via malvertising, cracked-software lures, and SEO-poisoned search results. Because the domain itself is never flagged as malicious, defenders must pivot detection away from domain reputation and onto the combination of requesting process, retrieved content-type, and download cadence. Detection focuses on three pillars: (1) non-browser processes (script hosts, LOLBins, unsigned binaries) issuing HTTPS requests to these CDN hostnames, (2) executable/archive content-types being retrieved from paths that are normally used for images/media, and (3) newly-created local files immediately following such a download that are then executed.
MITRE ATT&CK
- Tactic
- Resource Development
YARA-L Detection Query
rule cdn_malware_staging_abuse {
meta:
author = "Detection Engineering"
description = "Detects non-browser processes retrieving payload-style content from abused legitimate CDN/file-hosting infrastructure"
severity = "HIGH"
confidence = "medium"
mitre_attack = "T1608.001"
reference = "https://attack.mitre.org/techniques/T1608/001/"
events:
$e.metadata.event_type = "NETWORK_HTTP"
$e.network.http.method = "GET"
re.regex($e.target.url, `(?i)(cdn\.discordapp\.com|media\.discordapp\.net|mega\.nz|mega\.co\.nz|api\.telegram\.org|t\.me)`)
not re.regex($e.principal.process.file.full_path, `(?i)(chrome|msedge|firefox|brave|opera|discord)\.exe`)
condition:
$e
} Google Chronicle YARA-L 2.0 detection for non-browser HTTP GET requests to Discord CDN, MEGA, or Telegram file-hosting hostnames — flags the network pattern generated when a script host or LOLBin retrieves a staged payload rather than a user's browser loading an inline attachment.
Data Sources
Required Tables
False Positives & Tuning
- Discord's own client processes fetching legitimate CDN content
- Approved automation accessing MEGA/Telegram file APIs
- Security crawlers or threat intel tooling accessing these hosts for research
Other platforms for THREAT-Infra-CDNMalwareStaging
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Non-Browser Process Requesting Discord CDN Hostname
Expected signal: Sysmon Event ID 3 / DeviceNetworkEvents: outbound connection from powershell.exe to cdn.discordapp.com. Sysmon Event ID 11: file creation at atomic_test_dl.tmp immediately following the request.
- Test 2Certutil Payload-Style Retrieval Referencing Staging Host and Executable Extension
Expected signal: Sysmon Event ID 1: certutil.exe with -urlcache -split -f and a discordapp.com URL ending in .exe in CommandLine. Sysmon Event ID 3 for the outbound connection. Request will likely 404 but the command-line pattern and connection attempt are logged regardless.
- Test 3MSHTA Reference to MEGA File-Hosting Archive Path
Expected signal: Sysmon Event ID 1: mshta.exe with CommandLine containing 'mega.nz' and '.zip'. No actual network connection to MEGA occurs since the URL is embedded in an inert JavaScript comment, but the command-line telemetry is captured.
References (5)
- https://attack.mitre.org/techniques/T1608/001/
- https://attack.mitre.org/tactics/TA0042/
- https://www.microsoft.com/en-us/security/blog/2024/05/28/malware-distributor-storm-1113-uses-fake-cdn-landing-pages-to-lure-victims/
- https://www.trendmicro.com/en_us/research/23/discord-cdn-abuse-malware-delivery.html
- https://www.sophos.com/en-us/threat-center/threat-monitoring/threat-analyses/discord-content-delivery-network-abuse
Unlock playbooks & atomic tests with Pro
Get the full detection package for THREAT-Infra-CDNMalwareStaging — response playbook and atomic red team tests, plus investigation guidance and hunting queries.
df00tech Pro — £29/user/month