{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/malware-delivery/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["execution","malware-delivery","command-and-control","windows"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis threat brief focuses on the abuse of \u003ccode\u003ewget.exe\u003c/code\u003e, a legitimate command-line utility, by malicious actors to download suspicious files from various public file-sharing and content delivery network (CDN) domains. This technique is commonly employed during the execution phase of an attack to deliver malware, additional tools, or configuration files to compromised systems, often bypassing traditional network security controls. Prominent threat actors, including FIN7 and Mint Sandstorm (also known as Phosphorus/APT35), have been observed leveraging this method in their campaigns. For instance, FIN7 utilized such downloads in their attacks targeting Veeam servers, while Mint Sandstorm employed similar tactics in campaigns against high-profile individuals in universities and research organizations in early 2024. Detection of \u003ccode\u003ewget.exe\u003c/code\u003e making connections to domains like \u003ccode\u003egithubusercontent.com\u003c/code\u003e, \u003ccode\u003eanonfiles.com\u003c/code\u003e, or \u003ccode\u003emega.nz\u003c/code\u003e for executable or script file types is a critical indicator of potential malicious activity.\u003c/p\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation via suspicious file downloads using \u003ccode\u003ewget.exe\u003c/code\u003e can lead to severe consequences. Attackers can deliver a variety of payloads, including remote access trojans (RATs), ransomware, information stealers, or custom backdoors, leading to full system compromise. This can result in unauthorized data exfiltration, disruption of operations, financial theft (as seen with FIN7), or corporate espionage (as seen with Mint Sandstorm). The long-term impact includes significant financial losses, reputational damage, and extensive recovery efforts. The scope of targeting for actors employing this technique can range from specific high-value individuals and organizations to broader campaigns.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eSuspicious File Download From File Sharing Domain Via Wget.EXE\u003c/code\u003e to your SIEM/detection platform and tune it for your environment.\u003c/li\u003e\n\u003cli\u003eEnable \u003ccode\u003eprocess_creation\u003c/code\u003e logging on all Windows endpoints to capture \u003ccode\u003ewget.exe\u003c/code\u003e execution details, including command-line arguments.\u003c/li\u003e\n\u003cli\u003eReview network traffic logs for connections to the domains listed in the \u003ccode\u003eiocs\u003c/code\u003e section and consider blocking or alerting on outbound connections from sensitive systems to these domains.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T15:12:50Z","date_published":"2026-07-03T15:12:50Z","id":"https://feed.craftedsignal.io/briefs/2026-07-wget-file-sharing-download/","summary":"This brief details a high-severity threat involving the use of `wget.exe` to download suspicious files from known file-sharing domains, a technique observed in campaigns by threat actors such as FIN7 and Mint Sandstorm, enabling initial malware delivery and subsequent system compromise.","title":"Suspicious File Download From File Sharing Domain Via Wget.EXE","url":"https://feed.craftedsignal.io/briefs/2026-07-wget-file-sharing-download/"}],"language":"en","title":"CraftedSignal Threat Feed - Malware-Delivery","version":"https://jsonfeed.org/version/1.1"}