June 9, 2022by Adi Bleih

File Sharing Services on the Cybercriminal Underground

The digital workforce is transferring far more and far larger files among a more comprehensive network of computers at faster speeds than ever before. Managing, controlling, and securing the ad hoc data flow across systems, ecosystem partners, and customers grows more and more complex as enterprise organizations attempt to balance the dueling needs of ensuring the free flow of data for continued business operations while also maintaining the necessary security controls.

Be it via email, a file-sharing platform (Google Drive or similar), or a dedicated server, when sharing or enabling access to digital media, security must remain a priority.

A file hosting service is an internet-based cloud solution that allows users to host and maintain files on an external server securely. Users can access and retrieve their cloud-hosted data remotely, on any device, using standard FTP or HTTP.

What’s Out There?

The data hosted on this platform might include images, videos, audio, data files, software, and more. The clear web is replete with file-sharing service providers, offering the use of their cloud-based hosting servers for various uses. Some data storage providers offer free file hosting services with limited storage capacity, such as MediaFire. Some providers provide storage services for larger quantities of data, known as premium accounts.

File sharing platforms and services are also in high demand among cybercriminals, who seek a secure solution to transfer stolen, pirated, and malicious data files to their peers. Let's take a closer look at the various file hosting services offered and used on the underground:

The graph above depicts the number of mentions for various file-sharing services and platforms on the deep and dark web. As reflected in the results, is the most popular file-sharing service in the cybercriminal community, followed by known, clear-web platforms such as Dropbox, Mediafire, Rapidgator, and Google drive.

The Rise of MEGA.NZ

Since 2018, the New Zealand-based hosting service Mega.NZ has undergone a dramatic rise in popularity within the cybercriminal underground, becoming the undisputed favorite file sharing service on the deep and dark web, beating its closest competitor with more than 500,000 mentions.

The appeal of Mega.NZ to cybercriminal threat actors is likely the result of the service’s user-controlled end-to-end file encryption and time-limited link permission options. The data stored on Mega’s platform is encrypted with a key derived from the user’s password, whereby Mega has zero access to their users’ passwords or data. In addition, in their Pro and Business packages, Mega limits link permissions when sharing files - users can share their data through a password-protected link, making the link operational only for a specific time and only accessible to those who possess the correct decryption key. New customers gain 50GB in free storage upon signing up as a bonus.

Use of File Hosting Services Among Cybercriminal Threat Actors

Several popular underground file-sharing platforms listed in Figure 1 have been flagged as malicious domains on VirusTotal, AnonFiles, and Anonfile.

Both of these domains are highly popular within the threat actor community. However, in general, cybercriminal threat actors appear to prefer using less popular file hosting services for their malicious purposes to evade the security regulations employed by the more well-established providers.

Threat actors use file hosting services to store various malicious files, including compromised data and credentials stolen through successful cyberattacks, malwares (RATs, for example) to be deployed on their victims' devices, and more. By convincing their targets to open a link to the file stored on the hosting service - through phishing scams and other fraudulent means - threat actors then use the service as a vehicle to upload malware to infect their victims’ devices (such as keyloggers and stealers used to exfiltrate login information and gain access to personal data and accounts), thereby bypassing any antivirus mechanisms on their victims’ machine.

For example:

In the post above, a threat actor seeks a hosting service that supports file sharing through a direct download link as a mechanism to deliver a RAT payload on targeted devices. Many file hosting services do not offer such an option. Instead of directly initiating the download of the file, the link provided is redirected to the download page, sometimes even leaving the main domain in the URL, making it more difficult for the threat actor to deploy the attack without raising suspicion. In one of the comments, an anonymous actor recommends a free file hosting service that would allow the original author to upload any executable file and receive a direct link to initiate the download.

With a direct shareable link to deploy malware on a victim's device, the threat actor has established a transparent attack vector to execute their scheme. Using the stealer advertised in the post below as an example, let's assume the role of a cybercriminal, going step-by-step through the weaponization of this attack vector in practice. In the post below, a threat actor advertises a stealer malware called Xreactor. Once deployed on a target device, this multi-stealer can crash the computer, remove any trace of itself on the machine, disable anti-virus mechanisms, run executable files, and more.

The author of the post noted that to initiate the attack successfully, the attacker must deploy the stealer on the target’s device through a file hosting service that supports file sharing through a direct download link. Should the unwitting victim click on the link, the stealer will be immediately downloaded on their machines, infecting their device with the malware.


In today's world, file-sharing services are critical to support the transfer of our rapidly expanding digital assets - both personal and professional - across multiple networks and devices. This Cybersixgill research shows that threat actors exploit these services for their malicious ends.  To protect your devices from malware infection, it is imperative to beware of suspicious links from Anonfiles or Google Drive or any other file sharing site. You just may be the target of a threat actor’s next attack.

You may also like

SANS Report Blog-Thumbnail

July 18, 2024

SANS CTI Survey 2024: Reports Rise to the Top for Communicating Critical Information

Read more
Analyst looking at multiple monitors

July 11, 2024

Chinese APT40 Hackers Hijack SOHO Routers: Unleashing Cyber Espionage Attacks

Read more
Abstract digital landscape with flowing lines of glowing binary code in blue and orange, representing data streams and modern technology.

July 08, 2024

CVE-204-6387 Poses Risk to Organizations Relying on OpenSSH’s Server (sshd)

Read more