Skip to content
Threat Feed
high advisory

Remote AppX Package Downloaded from File Sharing or CDN Domain

This brief details the detection of a malicious AppX package downloaded from untrusted file-sharing or CDN domains, a technique employed by threat actors like BazarLoader to deliver malware via abused Windows app mechanisms, potentially leading to system compromise and ransomware.

This threat brief focuses on the detection of Windows AppX packages that are downloaded from suspicious file-sharing or Content Delivery Network (CDN) domains. This technique is actively leveraged by various threat actors, including those behind BazarLoader campaigns, to bypass security controls and deliver malware. Starting as early as late 2021, adversaries have been observed abusing legitimate Windows mechanisms, such as the AppInstaller.exe utility and the appxdeployment-server service, to install malicious applications. The delivery typically involves phishing attacks leading to the download of .appinstaller or .appx files hosted on platforms like Discord's CDN, GitHub, or various file-sharing services. This method allows threat actors to distribute payloads discreetly, often bypassing traditional perimeter defenses and leading to initial access for further exploitation, data exfiltration, or ransomware deployment.

Attack Chain

  1. Initial Access: A user receives a phishing email containing a malicious attachment, often a compressed archive (e.g., .iso or .zip file) impersonating a legitimate document or software update.
  2. Execution - Malicious Loader: The user opens the attachment, which contains a shortcut (.lnk) or a script that, when executed, triggers a download or execution process.
  3. AppInstaller Abuse: The malicious loader initiates AppInstaller.exe to process a specially crafted .appinstaller file, bypassing typical security prompts for unsigned applications.
  4. Ingress Tool Transfer: AppInstaller.exe, utilizing the appxdeployment-server service, downloads a malicious .appx or .msix package from a remote file-sharing or CDN domain (e.g., cdn.discordapp.com, githubusercontent.com, storage.googleapis.com).
  5. Execution - Malware Deployment: The downloaded AppX package is installed and then executes an embedded malicious payload, such as a loader for BazarLoader, IcedID, or other infostealers.
  6. Command and Control (C2): The deployed malware establishes persistence on the compromised system and communicates with its command and control infrastructure to receive further instructions or download additional modules.
  7. Impact: The attacker proceeds with post-exploitation activities, including reconnaissance, privilege escalation, lateral movement, data exfiltration, or the deployment of ransomware.

Impact

Successful exploitation allows threat actors to gain initial access to target systems, often bypassing standard application security measures and leading to significant consequences. Campaigns leveraging this technique, such as those deploying BazarLoader, have been observed across various sectors globally. The primary impact includes system compromise, execution of arbitrary code, installation of further malware (e.g., ransomware, infostealers, banking trojans), and potential data exfiltration. This can result in severe financial losses, operational disruption, and reputational damage for affected organizations.

Recommendation

  • Deploy the Sigma rule "Remote AppX Package Downloaded from File Sharing or CDN Domain" to your SIEM system to detect suspicious AppX package downloads from untrusted domains.
  • Ensure appxdeployment-server logs are being collected from all Windows endpoints and forwarded to your SIEM for analysis.
  • Block the domains listed in the IOC section at your network perimeter (e.g., DNS resolver, firewall) to prevent access to known malicious AppX package hosting locations.
  • Implement strong email filtering and user awareness training to reduce the success rate of phishing attempts that serve as the initial access vector for such attacks.
  • Restrict the ability of non-administrative users to install applications via AppInstaller.exe or AppX packages where possible.

Detection coverage 1

Remote AppX Package Downloaded from File Sharing or CDN Domain

high

Detects an AppX package added to the processing pipeline that was downloaded from a remote file-sharing or CDN domain, indicating potential malware delivery.

sigma tactics: command_and_control, defense_evasion, stealth techniques: T1105, T1542.003 sources: windows, appxdeployment-server

Detection queries are available on the platform. Get full rules →

Indicators of compromise

35

domain

TypeValue
domaingithubusercontent.com
domain0x0.st
domainanonfiles.com
domainbashupload.com
domaincdn.discordapp.com
domainchunk.io
domainddns.net
domaindl.dropboxusercontent.com
domainghostbin.co
domaingithub.com
domainglitch.me
domaingofile.io
domainhastebin.com
domainmediafire.com
domainmega.nz
domainonrender.com
domainpages.dev
domainpaste.ee
domainpastebin.com
domainpastebin.pl
domainpastetext.net
domainprivatlab.com
domainprivatlab.net
domainsend.exploit.in
domainsendspace.com
domainstorage.googleapis.com
domainstorjshare.io
domainsupabase.co
domaintemp.sh
domaintransfer.sh
domaintrycloudflare.com
domainufile.io
domainw3spaces.com
domainworkers.dev
domainx0.at