<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Malware-Delivery - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/malware-delivery/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 03 Jul 2026 15:12:50 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/malware-delivery/feed.xml" rel="self" type="application/rss+xml"/><item><title>Suspicious File Download From File Sharing Domain Via Wget.EXE</title><link>https://feed.craftedsignal.io/briefs/2026-07-wget-file-sharing-download/</link><pubDate>Fri, 03 Jul 2026 15:12:50 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-wget-file-sharing-download/</guid><description>This brief details a high-severity threat involving the use of `wget.exe` to download suspicious files from known file-sharing domains, a technique observed in campaigns by threat actors such as FIN7 and Mint Sandstorm, enabling initial malware delivery and subsequent system compromise.</description><content:encoded><![CDATA[<p>This threat brief focuses on the abuse of <code>wget.exe</code>, a legitimate command-line utility, by malicious actors to download suspicious files from various public file-sharing and content delivery network (CDN) domains. This technique is commonly employed during the execution phase of an attack to deliver malware, additional tools, or configuration files to compromised systems, often bypassing traditional network security controls. Prominent threat actors, including FIN7 and Mint Sandstorm (also known as Phosphorus/APT35), have been observed leveraging this method in their campaigns. For instance, FIN7 utilized such downloads in their attacks targeting Veeam servers, while Mint Sandstorm employed similar tactics in campaigns against high-profile individuals in universities and research organizations in early 2024. Detection of <code>wget.exe</code> making connections to domains like <code>githubusercontent.com</code>, <code>anonfiles.com</code>, or <code>mega.nz</code> for executable or script file types is a critical indicator of potential malicious activity.</p>
<h2 id="impact">Impact</h2>
<p>Successful exploitation via suspicious file downloads using <code>wget.exe</code> can lead to severe consequences. Attackers can deliver a variety of payloads, including remote access trojans (RATs), ransomware, information stealers, or custom backdoors, leading to full system compromise. This can result in unauthorized data exfiltration, disruption of operations, financial theft (as seen with FIN7), or corporate espionage (as seen with Mint Sandstorm). The long-term impact includes significant financial losses, reputational damage, and extensive recovery efforts. The scope of targeting for actors employing this technique can range from specific high-value individuals and organizations to broader campaigns.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>Suspicious File Download From File Sharing Domain Via Wget.EXE</code> to your SIEM/detection platform and tune it for your environment.</li>
<li>Enable <code>process_creation</code> logging on all Windows endpoints to capture <code>wget.exe</code> execution details, including command-line arguments.</li>
<li>Review network traffic logs for connections to the domains listed in the <code>iocs</code> section and consider blocking or alerting on outbound connections from sensitive systems to these domains.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>execution</category><category>malware-delivery</category><category>command-and-control</category><category>windows</category></item></channel></rss>