MITRE ATT&CK Technique
Description
Adversaries may upload malware to third-party or adversary controlled infrastructure to make it accessible during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, and a variety of other malicious content. Adversaries may upload malware to support their operations, such as making a payload available to a victim network to enable [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105) by placing it on an Internet accessible web server.

Malware may be placed on infrastructure that was previously purchased/rented by the adversary ([Acquire Infrastructure](https://attack.mitre.org/techniques/T1583)) or was otherwise compromised by them ([Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)). Malware can also be staged on web services, such as GitHub or Pastebin; hosted on the InterPlanetary File System (IPFS), where decentralized content storage makes the removal of malicious files difficult; or saved on the blockchain as smart contracts, which are resilient against takedowns that would affect traditional infrastructure.(Citation: Volexity Ocean Lotus November 2020)(Citation: Talos IPFS 2022)(Citation: Guardio Etherhiding 2023)(Citation: Bleeping Computer Binance Smart Chain 2023)

Adversaries may upload backdoored files, such as software packages, application binaries, virtual machine images, or container images, to third-party software stores, package libraries, extension marketplaces, or repositories (ex: GitHub, CNET, AWS Community AMIs, Docker Hub, PyPi, NPM).(Citation: Datadog Security Labs Malicious PyPi Packages 2024) By chance encounter, victims may directly download/install these backdoored files via [User Execution](https://attack.mitre.org/techniques/T1204). Masquerading, including typo-squatting legitimate software, may increase the chance of users mistakenly executing these files.
Supported Platforms
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2021-03-17T20:09:13.222Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Adversaries may upload malware to third-party or adversary '
'controlled infrastructure to make it accessible during '
'targeting. Malicious software can include payloads, droppers, '
'post-compromise tools, backdoors, and a variety of other '
'malicious content. Adversaries may upload malware to support '
'their operations, such as making a payload available to a '
'victim network to enable [Ingress Tool '
'Transfer](https://attack.mitre.org/techniques/T1105) by '
'placing it on an Internet accessible web server.\n'
'\n'
'Malware may be placed on infrastructure that was previously '
'purchased/rented by the adversary ([Acquire '
'Infrastructure](https://attack.mitre.org/techniques/T1583)) '
'or was otherwise compromised by them ([Compromise '
'Infrastructure](https://attack.mitre.org/techniques/T1584)). '
'Malware can also be staged on web services, such as GitHub or '
'Pastebin; hosted on the InterPlanetary File System (IPFS), '
'where decentralized content storage makes the removal of '
'malicious files difficult; or saved on the blockchain as '
'smart contracts, which are resilient against takedowns that '
'would affect traditional infrastructure.(Citation: Volexity '
'Ocean Lotus November 2020)(Citation: Talos IPFS '
'2022)(Citation: Guardio Etherhiding 2023)(Citation: Bleeping '
'Computer Binance Smart Chain 2023)\n'
'\n'
'Adversaries may upload backdoored files, such as software '
'packages, application binaries, virtual machine images, or '
'container images, to third-party software stores, package '
'libraries, extension marketplaces, or repositories (ex: '
'GitHub, CNET, AWS Community AMIs, Docker Hub, PyPi, '
'NPM).(Citation: Datadog Security Labs Malicious PyPi Packages '
'2024) By chance encounter, victims may directly '
'download/install these backdoored files via [User '
'Execution](https://attack.mitre.org/techniques/T1204). '
'Masquerading, including typo-squatting legitimate software, '
'may increase the chance of users mistakenly executing these '
'files. ',
'external_references': [{'external_id': 'T1608.001',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1608/001'},
{'description': ' Sebastian Obregoso and Christophe '
'Tafani-Dereeper. (2024, May 23). '
'Malicious PyPI packages targeting '
'highly specific MacOS machines. '
'Retrieved May 22, 2025.',
'source_name': 'Datadog Security Labs Malicious PyPi '
'Packages 2024',
'url': 'https://securitylabs.datadoghq.com/articles/malicious-pypi-package-targeting-highly-specific-macos-machines/'},
{'description': 'Adair, S. and Lancaster, T. (2020, '
'November 6). OceanLotus: Extending '
'Cyber Espionage Operations Through '
'Fake Websites. Retrieved November '
'20, 2020.',
'source_name': 'Volexity Ocean Lotus November 2020',
'url': 'https://www.volexity.com/blog/2020/11/06/oceanlotus-extending-cyber-espionage-operations-through-fake-websites/'},
{'description': 'Bill Toulas. (2023, October 13). '
'Hackers use Binance Smart Chain '
'contracts to store malicious '
'scripts. Retrieved May 22, 2025.',
'source_name': 'Bleeping Computer Binance Smart '
'Chain 2023',
'url': 'https://www.bleepingcomputer.com/news/security/hackers-use-binance-smart-chain-contracts-to-store-malicious-scripts/'},
{'description': 'Edmund Brumaghin. (2022, November '
'9). Threat Spotlight: Cyber Criminal '
'Adoption of IPFS for Phishing, '
'Malware Campaigns. Retrieved March '
'8, 2023.',
'source_name': 'Talos IPFS 2022',
'url': 'https://blog.talosintelligence.com/ipfs-abuse/'},
{'description': 'Nati Tal and Oleg Zaytsev. (2023, '
'October 13). “EtherHiding” — Hiding '
'Web2 Malicious Code in Web3 Smart '
'Contracts. Retrieved May 22, 2025.',
'source_name': 'Guardio Etherhiding 2023',
'url': 'https://labs.guard.io/etherhiding-hiding-web2-malicious-code-in-web3-smart-contracts-65ea78efad16'}],
'id': 'attack-pattern--3ee16395-03f0-4690-a32e-69ce9ada0f9e',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'resource-development'}],
'modified': '2025-10-24T17:48:41.583Z',
'name': 'Upload Malware',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.3.0',
'x_mitre_contributors': ['Kobi Haimovich, CardinalOps',
'Menachem Goldstein',
'Adam Hunt',
'Ray Jasinski'],
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': True,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['PRE'],
'x_mitre_version': '1.3'}