Suspicious File Download From File Sharing Domain Via Curl.EXE
A high-severity threat involves the abuse of `curl.exe` on Windows systems to download potentially malicious files from various public file-sharing and content delivery network (CDN) domains, a technique observed in campaigns by threat actors such as FIN7, leading to further system compromise.
Threat actors, including sophisticated groups like FIN7, are known to leverage legitimate system utilities such as curl.exe to download secondary stage payloads or malicious tools onto compromised Windows machines. This technique involves using curl.exe to connect to publicly accessible, but often abused, file-sharing services and CDNs (e.g., githubusercontent.com, mega.nz, cdn.discordapp.com) to retrieve executable binaries, scripts (.ps1, .bat), or dynamic link libraries (.dll). The activity is characterized by curl.exe command-line arguments specifying a download operation (e.g., -O, --remote-name, --output) and targeting specific file extensions. This method allows adversaries to bypass traditional perimeter defenses and introduce hostile code into a network, establishing persistence, escalating privileges, or preparing for data exfiltration and ransomware deployment. This behavior was highlighted in a detection rule originally published in May 2023 and updated in March 2026.
Attack Chain
- Initial Access: An attacker gains initial access to a Windows system, possibly through spearphishing, exploiting a vulnerable service, or compromised credentials.
- Execution of Initial Command: The attacker establishes a foothold and executes an initial command-and-control mechanism or interactive shell (e.g., PowerShell, cmd.exe).
- Ingress Tool Transfer:
curl.exeis launched from the command line with parameters to download additional malicious tools or payloads from an external source. - Suspicious Download:
curl.execonnects to a public file-sharing or content delivery network (CDN) domain (e.g.,githubusercontent.com,mega.nz,cdn.discordapp.com) to retrieve a file. - Payload Staging: The malicious file (e.g.,
.exe,.ps1,.dll,.msi) is saved to a specific location on the compromised system, often a temporary directory or a less scrutinized path. - Secondary Payload Execution: The downloaded malicious payload is executed, leading to further compromise, such as establishing persistence, escalating privileges, deploying ransomware, or exfiltrating data.
Impact
Successful exploitation results in the introduction and execution of arbitrary malicious code on the compromised system. This can lead to severe consequences including, but not limited to, full system compromise, data exfiltration, deployment of ransomware, establishment of persistent backdoors for long-term access, and lateral movement within the network. The specific impact depends on the nature of the downloaded payload, but the use of legitimate tools like curl.exe increases the likelihood of unnoticed initial compromise and enables sophisticated post-exploitation activities, potentially affecting multiple systems across an organization.
Recommendation
- Deploy the Sigma rule "Suspicious File Download From File Sharing Domain Via Curl.EXE" to your SIEM and tune for your environment to detect
curl.exeactivity. - Enable comprehensive process creation logging (e.g., via Sysmon) to ensure visibility into
curl.exeexecutions and their command-line arguments. - Review network egress logs for connections to the file-sharing domains listed in the IOC section, especially when initiated by non-standard processes.
- Implement application control policies to restrict unauthorized execution of
curl.exeor its use to download specific file types from untrusted sources.
Detection coverage 1
Suspicious File Download From File Sharing Domain Via Curl.EXE
highDetects potentially suspicious file download from public file-sharing or CDN domains using `curl.exe`.
Detection queries are available on the platform. Get full rules →
Indicators of compromise
36
domain
| Type | Value |
|---|---|
| domain | githubusercontent.com |
| domain | 0x0.st |
| domain | anonfiles.com |
| domain | bashupload.com |
| domain | cdn.discordapp.com |
| domain | chunk.io |
| domain | ddns.net |
| domain | dl.dropboxusercontent.com |
| domain | ghostbin.co |
| domain | github.com |
| domain | glitch.me |
| domain | gofile.io |
| domain | hastebin.com |
| domain | mediafire.com |
| domain | mega.nz |
| domain | onrender.com |
| domain | pages.dev |
| domain | paste.ee |
| domain | pastebin.com |
| domain | pastebin.pl |
| domain | pastetext.net |
| domain | pixeldrain.com |
| domain | privatlab.com |
| domain | privatlab.net |
| domain | send.exploit.in |
| domain | sendspace.com |
| domain | storage.googleapis.com |
| domain | storjshare.io |
| domain | supabase.co |
| domain | temp.sh |
| domain | transfer.sh |
| domain | trycloudflare.com |
| domain | ufile.io |
| domain | w3spaces.com |
| domain | workers.dev |
| domain | x0.at |