Exfiltration.md
# Exfiltration Tools

> [!TIP]
> File synchronization and management tools are designed to facilitate the efficient transfer, backup, and synchronization of files across various platforms and cloud storage services.

> [!IMPORTANT]
> These tools can be misused to upload stolen data to attacker-controlled cloud accounts or destination servers. By leveraging encrypted data transfers, attackers can conceal their activities from network monitoring systems, blending malicious actions with legitimate operations. The legitimate nature of these tools often prevents immediate detection by security systems.

| Tool Name | Threat Group Usage |
| --- | --- |
| Anonfiles | Avaddon, LockBit |
| AZCopy | Interlock |
| Bashupload | DarkSide |
| Catbox[.]moe | \*Br0k3r |
| Cyberduck | Scattered Spider\* |
| Dropbox | BlackCat, Scattered Spider\* |
| Dropfiles | Conti |
| Dropmefiles | Mallox |
| FileZilla | Akira, Karakurt, AvosLocker, LockBit, Nokoyawa, Diavol, Scattered Spider\*, PYSA, BlackCat |
| FreeFileSync | LockBit |
| File[.]io | Mallox, Babuk, LockBit |
| Gofile[.]io | AvosLocker |
| MEGA | Akira, Conti, MountLocker, Phobos, BlackCat, Karakurt, Scattered Spider\*, LockBit, BianLian, Hive, Trigona, Quantum, INC Ransom, EvilCorp\*, Avaddon, MONTI, DarkSide, Vice Society, FiveHands, Storm-0501 |
| PrivatLab | Hive, REvil, BlackMatter, MountLocker, BlackMatter |
| ProtonMail | Avaddon |
| PSCP | AvosLocker, MONTI, RansomHub, \*Prophet Spider |
| pCloud | DarkSide, FiveHands |
| Qaz[.]im | Conti, Black Basta |
| Restic | INC Ransom |
| RClone | BlackSuit, Royal, Black Basta, BlackCat, Akira, Karakurt, AvosLocker, LockBit, BianLian, Hive, Daixin, Conti, Dagon Locker, Trigona, Quantum, REvil, 8BASE, INC Ransom, Cactus, EvilCorp\*, Scattered Spider\*, FiveHands, DarkSide, RansomHub, Lockean\*, OnePercent\*, Vice Society, Cicada3301, Storm-0501 |
| Sendspace | Hive, LockBit, Avaddon, Conti, DarkSide, Mallox, REvil |
| share[.]riseup[.]net | AvosLocker |
| Temp[.]sh | Akira, LockBit |
| Tempsend | LockBit |
| Transfert-my-files | LockBit |
| Transfer[.]sh | LockBit |
| UFile | Hive, Ranzy |
| WinSCP | MAZE, Akira, Phobos, PLAY, LockBit, Conti, MONTI, PYSA, RansomHub, Rhysida, Vice Society |