Skip to content
Threat Feed
high threat

Suspicious File Download From File Sharing Domain Via Curl.EXE

A high-severity threat involves the abuse of `curl.exe` on Windows systems to download potentially malicious files from various public file-sharing and content delivery network (CDN) domains, a technique observed in campaigns by threat actors such as FIN7, leading to further system compromise.

Threat actors, including sophisticated groups like FIN7, are known to leverage legitimate system utilities such as curl.exe to download secondary stage payloads or malicious tools onto compromised Windows machines. This technique involves using curl.exe to connect to publicly accessible, but often abused, file-sharing services and CDNs (e.g., githubusercontent.com, mega.nz, cdn.discordapp.com) to retrieve executable binaries, scripts (.ps1, .bat), or dynamic link libraries (.dll). The activity is characterized by curl.exe command-line arguments specifying a download operation (e.g., -O, --remote-name, --output) and targeting specific file extensions. This method allows adversaries to bypass traditional perimeter defenses and introduce hostile code into a network, establishing persistence, escalating privileges, or preparing for data exfiltration and ransomware deployment. This behavior was highlighted in a detection rule originally published in May 2023 and updated in March 2026.

Attack Chain

  1. Initial Access: An attacker gains initial access to a Windows system, possibly through spearphishing, exploiting a vulnerable service, or compromised credentials.
  2. Execution of Initial Command: The attacker establishes a foothold and executes an initial command-and-control mechanism or interactive shell (e.g., PowerShell, cmd.exe).
  3. Ingress Tool Transfer: curl.exe is launched from the command line with parameters to download additional malicious tools or payloads from an external source.
  4. Suspicious Download: curl.exe connects to a public file-sharing or content delivery network (CDN) domain (e.g., githubusercontent.com, mega.nz, cdn.discordapp.com) to retrieve a file.
  5. Payload Staging: The malicious file (e.g., .exe, .ps1, .dll, .msi) is saved to a specific location on the compromised system, often a temporary directory or a less scrutinized path.
  6. Secondary Payload Execution: The downloaded malicious payload is executed, leading to further compromise, such as establishing persistence, escalating privileges, deploying ransomware, or exfiltrating data.

Impact

Successful exploitation results in the introduction and execution of arbitrary malicious code on the compromised system. This can lead to severe consequences including, but not limited to, full system compromise, data exfiltration, deployment of ransomware, establishment of persistent backdoors for long-term access, and lateral movement within the network. The specific impact depends on the nature of the downloaded payload, but the use of legitimate tools like curl.exe increases the likelihood of unnoticed initial compromise and enables sophisticated post-exploitation activities, potentially affecting multiple systems across an organization.

Recommendation

  • Deploy the Sigma rule "Suspicious File Download From File Sharing Domain Via Curl.EXE" to your SIEM and tune for your environment to detect curl.exe activity.
  • Enable comprehensive process creation logging (e.g., via Sysmon) to ensure visibility into curl.exe executions and their command-line arguments.
  • Review network egress logs for connections to the file-sharing domains listed in the IOC section, especially when initiated by non-standard processes.
  • Implement application control policies to restrict unauthorized execution of curl.exe or its use to download specific file types from untrusted sources.

Detection coverage 1

Suspicious File Download From File Sharing Domain Via Curl.EXE

high

Detects potentially suspicious file download from public file-sharing or CDN domains using `curl.exe`.

sigma tactics: command_and_control, execution techniques: T1071.001, T1105 sources: process_creation, windows

Detection queries are available on the platform. Get full rules →

Indicators of compromise

36

domain

TypeValue
domaingithubusercontent.com
domain0x0.st
domainanonfiles.com
domainbashupload.com
domaincdn.discordapp.com
domainchunk.io
domainddns.net
domaindl.dropboxusercontent.com
domainghostbin.co
domaingithub.com
domainglitch.me
domaingofile.io
domainhastebin.com
domainmediafire.com
domainmega.nz
domainonrender.com
domainpages.dev
domainpaste.ee
domainpastebin.com
domainpastebin.pl
domainpastetext.net
domainpixeldrain.com
domainprivatlab.com
domainprivatlab.net
domainsend.exploit.in
domainsendspace.com
domainstorage.googleapis.com
domainstorjshare.io
domainsupabase.co
domaintemp.sh
domaintransfer.sh
domaintrycloudflare.com
domainufile.io
domainw3spaces.com
domainworkers.dev
domainx0.at