Adversaries may upload malware to third-party or adversary controlled infrastructure to make it accessible during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, and a variety of other malicious content. Adversaries may upload malware to support their operations, such as making a payload available to a victim network to enable Ingress Tool Transfer by placing it on an Internet accessible web server.
Malware may be placed on infrastructure that was previously purchased/rented by the adversary (Acquire Infrastructure) or was otherwise compromised by them (Compromise Infrastructure). Malware can also be staged on web services, such as GitHub or Pastebin, or hosted on the InterPlanetary File System (IPFS), where decentralized content storage makes the removal of malicious files difficult.(Citation: Volexity Ocean Lotus November 2020)(Citation: Talos IPFS 2022)
Adversaries may upload backdoored files, such as application binaries, virtual machine images, or container images, to third-party software stores or repositories (ex: GitHub, CNET, AWS Community AMIs, Docker Hub). By chance encounter, victims may directly download/install these backdoored files via User Execution. Masquerading may increase the chance of users mistakenly executing these files.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| CVE-2025-32709 | Microsoft Windows Ancillary Function Driver for WinSock Use-After-Free Vulnerability | primary_impact | T1608.001 | Upload Malware |
Comments
This use-after-free vulnerability in Windows has been exploited by attackers to gain SYSTEM-level privileges, leading to remote code execution, full system compromise, the modification of system processes to establish persistence on the machine, and the deployment of malware such as credential harvesters and ransomware.
References
|
| CVE-2025-32701 | Microsoft Windows Common Log File System (CLFS) Driver Use-After-Free Vulnerability | primary_impact | T1608.001 | Upload Malware |
Comments
This zero-day vulnerability has been exploited by attackers to gain SYSTEM-level privileges in Windows, leading to remote code execution, as well as the ability to disable security tools, deploy malicious payloads, and extract credentials from memory.
References
|
| CVE-2023-33246 | Apache RocketMQ Command Execution Vulnerability | secondary_impact | T1608.001 | Upload Malware |
Comments
This vulnerability is exploited by a remote attacker who leverages a command injection flaw in Apache RocketMQ versions 5.1 and lower. By using the update configuration function, the adversary can execute commands as the system user under which RocketMQ is running. This lack of permission verification in components like NameServer, Broker, and Controller, which are exposed on the extranet, allows for remote command execution. Additionally, attackers can forge RocketMQ protocol content to achieve the same effect. Since at least June 2023, threat actors have actively exploited this vulnerability to gain initial access and deploy the DreamBus botnet, a Linux-based malware.
References
|
| CVE-2025-32756 | Fortinet Multiple Products Stack-Based Buffer Overflow Vulnerability | secondary_impact | T1608.001 | Upload Malware |
Comments
Attackers use a Python script (publicly available or custom) to send a malformed POST request, triggering a buffer overflow. From there, they execute remote code and malicious payloads (i.e. malware), harvest credentials, move laterally over the network, erase logs to avoid detection, and exfiltrate data over C2.
References
|
| CVE-2025-32706 | Microsoft Windows Common Log File System (CLFS) Driver Heap-Based Buffer Overflow Vulnerability | primary_impact | T1608.001 | Upload Malware |
Comments
Attackers have exploited this heap-based buffer overflow vulnerability to escalate their privileges to SYSTEM-level, allowing them to execute arbitrary code, disable security tools, deploy malicious payloads, and extract credentials from memory.
References
|
| CVE-2021-44228 | Apache Log4j2 Remote Code Execution Vulnerability | secondary_impact | T1608.001 | Upload Malware |
Comments
CVE-2021-44228, known as Log4Shell, affects Apache’s Log4j library, an open-source logging framework. An actor can exploit this vulnerability by submitting a specially crafted request to a vulnerable system that causes that system to execute arbitrary code. The request allows a cyber actor to take full control over the system. The actor can then steal information, launch ransomware, or conduct other malicious activity.
References
|
| CVE-2019-0604 | Microsoft SharePoint Remote Code Execution Vulnerability | primary_impact | T1608.001 | Upload Malware |
Comments
CVE-2019-0604 is a vulnerability in an XML deserialization component within Microsoft SharePoint allowed remote attackers to typically install webshell malware to vulnerable hosts.
References
|
| CVE-2024-37085 | VMware ESXi Authentication Bypass Vulnerability | secondary_impact | T1608.001 | Upload Malware |
Comments
This vulnerability is exploited by an adversary who has already exploited an ESXi system and gained access to a valid account. Using this account, the adversary creates a new AD group named "ESXi Admins" that the ESXi Hypervisor grants full admin privileges. Adversary groups such as Storm-0506, Storm-1175, Octo Tempest, and Manatee Tempest have leveraged this vulnerability to deploy ransomware known as Akira and Black Basta onto compromised environments.
References
|
| CVE-2024-54085 | AMI MegaRAC SPx Authentication Bypass by Spoofing Vulnerability | primary_impact | T1608.001 | Upload Malware |
Comments
By sending a malicious request to the Redfish Host Interface, an attacker can manipulate the HTTP header, tricking the Baseboard Management Controller (BMC) into thinking that the request originates from a trusted source, leading to authentication bypass. This can lead to complete system control, deployment of malware at the firmware level, and network disruptions.
References
|
| CVE-2024-20353 | Cisco ASA and FTD Denial of Service Vulnerability | secondary_impact | T1608.001 | Upload Malware |
Comments
This vulnerability is exploited by a remote, unauthenticated attacker by sending a crafted HTTP request to a vulnerable device's web server. This exploitation is possible due to incomplete error checking when parsing HTTP headers. If successfully exploited, it can cause the device to reload unexpectedly, resulting in a denial of service (DoS) condition. This vulnerability is associated with an attack campaign named ArcaneDoor in early 2024. This campaign targeted this vulnerability among others to implant malware, execute commands, and potentially exfiltrate data from compromised devices.
References
|
| CVE-2025-4632 | Samsung MagicINFO 9 Server Path Traversal Vulnerability | secondary_impact | T1608.001 | Upload Malware |
Comments
By exploiting a path traversal vulnerability in Samsung MagicINFO 9 Server, an unauthenticated attacker can write arbitrary files with system privileges. This can be used to deploy malware or to hijack resources for activity such as cryptocurrency mining.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.malware.variety.Unknown | Unknown | related-to | T1608.001 | Upload Malware |