Hackers Will Increasingly Build Malware Campaigns on Legitimate Infrastructure Services
Future Insights 2025 blog series, post #3
Mayur Sewani
Ben Gibney
Hassan Faizan
Note from Lionel: Welcome to the third post in our Future Insights 2025 series. This post from the X-Labs research team analyzes the rise of malware campaigns built on top of legitimate infrastructure services.
Throughout 2024, as we continued tracking the latest malware and phishing campaigns, the X-Labs team noticed a trend: hackers are moving away from compromised websites as their malware hosting and toward building campaigns on legitimate infrastructure services, where the apex domain carries a trusted reputation and takedowns are slower. Based on our data, we expect that trend to accelerate into 2025 and beyond.
Malware Campaign Examples
Take blogspot.com, the free subdomain Google provides to every Blogger blog. That is where we found Agent Tesla authors hosting stage payloads. In July we saw a rash of activity in which hackers leveraged Trycloudflare.com (Cloudflare's free, no-account quick-tunnel service) together with Python to deploy AsyncRAT. The Remcos RAT activity we blogged about in June also leveraged Trycloudflare.com, and hackers used TryCloudflare for XWorm and other campaigns as well. The Snake Keylogger campaign used Discord's CDN as a public content distribution network to host malicious files.
Hackers also leveraged Secureserver.net (GoDaddy's hosting infrastructure) heavily for malware activity. That domain was the origin of a malware campaign we blogged about that primarily targeted financial institutions in Latin America, and additional malware such as Grandoreiro and the NetSupport RAT used Secureserver.net domains as well. To give a sense of scale, Forcepoint intercepted over 3.7 million suspicious emails containing Secureserver.net URLs in the last few months alone.
In the case of Remcos and Agent Tesla, we found examples of both using free services to host steganographic images (payloads hidden inside ordinary-looking image files) or other stage downloads:
- uploaddeimagens.com.br
- archive.org
- raw.githubusercontent.com
For data exfiltration and command and control communication, several malware campaigns leveraged the following legitimate services:
ONE - Dynamic DNS Services
Dynamic DNS lets the attacker keep a stable C2 hostname while the IP address behind it changes, so IP-based blocking is always one step behind. Blocking has to key on the full, attacker-chosen hostname rather than on the address it currently resolves to.
- freeddns.noip.com (servequake.com)
- freeddns.dynu.com
- duckdns.org
TWO - Telegram Bot API
The Telegram Bot API is a plain HTTPS API. A stealer that ships with a bot token can post stolen credentials or files with a single request to api.telegram.org/bot<token>/sendMessage or sendDocument, so the exfiltration blends in with traffic to a legitimate, widely used service. The token inside the URL is the attacker's credential and is worth extracting from proxy logs.
- api.telegram.org/bot
THREE - Small File Hosting Services
Hosting payloads on well-known free file-hosting services makes the download look like ordinary user traffic and lets the attacker rotate links without touching infrastructure of their own, which makes the activity harder to track.
- qu.ax
- store2.gofile.io/download
FOUR - Port forwarding services
These services tunnel a port on a machine behind NAT (often a home PC or a cheap VPS) to a public hostname and port, so a RAT can call back to a C2 listener that has no public IP of its own, and the public endpoint can be torn down and re-created at will.
- ply.gg
- portmap.host
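The four categories above, plus the hosting services named earlier in this post, are easy to spot in egress logs once you key on the service domains rather than on IP addresses. The following script is an added example written for this article and is not code from the Forcepoint X-Labs team; the proxy log format, client addresses, hostnames and Telegram bot token are all constructed for the example, and the domain list is the one given in this post (each provider runs many more apex domains, so treat it as a starting point, not a catalogue). It classifies each line, extracts and masks the bot token from Telegram Bot API URLs, and ranks clients that touch several categories (for instance a tunnel for C2 plus Telegram for exfiltration) ahead of clients that hit one file-hosting link once.

```python
"""Flag egress to legitimate services abused for C2 and exfiltration (added example)."""
from __future__ import annotations

import re
from collections import defaultdict
from urllib.parse import urlsplit

# Category -> apex domains from this post. A host matches when it equals the apex or sits under it.
ABUSED_SERVICES = {
    "telegram_bot_api": ("api.telegram.org",),
    "dynamic_dns": ("duckdns.org", "servequake.com", "freeddns.noip.com", "freeddns.dynu.com"),
    "tunnel": ("ply.gg", "portmap.host", "trycloudflare.com"),
    "file_hosting": ("qu.ax", "gofile.io"),
    "payload_hosting": ("blogspot.com", "cdn.discordapp.com", "raw.githubusercontent.com",
                        "archive.org", "uploaddeimagens.com.br"),
}

# Bot API paths look like /bot<numeric id>:<secret>/<method>; the secret is the credential.
TELEGRAM_BOT_PATH = re.compile(r"^/bot(\d+):([A-Za-z0-9_-]{30,})/(\w+)")

# Constructed sample traffic: "<timestamp> <client> <method> <url-or-host:port> <status>".
# Addresses, hostnames and the bot token are invented for this example.
SAMPLE_LOG = """\
2024-09-12T10:01:03Z 10.0.4.21 POST https://api.telegram.org/bot7012345678:AAHxQ9t3FSb2bLrQ8mVkPqH-2Z1jWo0cXyZ/sendDocument 200
2024-09-12T10:01:09Z 10.0.4.21 GET https://store2.gofile.io/download/ab12cd/update.bin 200
2024-09-12T10:02:41Z 10.0.4.37 CONNECT loader-update.duckdns.org:4449 -
2024-09-12T10:03:15Z 10.0.4.37 CONNECT quiet-frost-1234.ply.gg:11522 -
2024-09-12T10:05:00Z 10.0.4.50 GET https://www.example.com/index.html 200
2024-09-12T10:06:10Z 10.0.4.21 GET https://random-words-here.trycloudflare.com/stage2.py 200
"""


def matched_service(host: str) -> tuple[str, str] | None:
    """Return (category, apex) if host is, or is a subdomain of, a listed service."""
    host = host.lower().rstrip(".")
    for category, apexes in ABUSED_SERVICES.items():
        for apex in apexes:
            if host == apex or host.endswith("." + apex):
                return category, apex
    return None


def mask_token(bot_id: str, secret: str) -> str:
    """Keep the (public) bot id and 4 chars of the secret for correlation; hide the rest."""
    return f"{bot_id}:{secret[:4]}{'*' * (len(secret) - 4)}"


def parse_line(line: str) -> tuple[str, str, int | None, str]:
    """Return (client, host, port, path). CONNECT lines carry only host:port, no URL."""
    _ts, client, method, target, _status = line.split()
    if method == "CONNECT":
        host, _, port = target.rpartition(":")
        return client, host, int(port), ""
    u = urlsplit(target)
    return client, u.hostname or "", u.port, u.path


def classify_egress(log_text: str) -> list[dict]:
    """One finding per line that touches a listed service; other hosts are ignored."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, host, port, path = parse_line(line)
        hit = matched_service(host)
        if hit is None:
            continue
        category, apex = hit
        detail = host if port is None else f"{host}:{port}"
        if category == "telegram_bot_api":
            m = TELEGRAM_BOT_PATH.match(path)
            if m:  # record the API method and a masked token, never the raw credential
                detail = f"{m.group(3)} via bot {mask_token(m.group(1), m.group(2))}"
        findings.append({"client": client, "category": category, "apex": apex, "detail": detail})
    return findings


def noisy_clients(findings: list[dict], min_categories: int = 2) -> set[str]:
    """Clients touching several distinct categories are the ones to triage first."""
    seen: dict[str, set[str]] = defaultdict(set)
    for f in findings:
        seen[f["client"]].add(f["category"])
    return {client for client, cats in seen.items() if len(cats) >= min_categories}


if __name__ == "__main__":
    results = classify_egress(SAMPLE_LOG)
    for f in results:
        print(f"{f['client']:<10} {f['category']:<17} {f['detail']}")
    print("clients to triage first:", sorted(noisy_clients(results)))
```

The suffix match deliberately requires a dot boundary, so notduckdns.org does not match duckdns.org, and api.telegram.org is matched as an exact host rather than all of telegram.org. Extending the list to a provider's full set of dynamic DNS apexes is the obvious next step in a real deployment.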
To get a sense of scale on hackers switching to legitimate services, we analyzed threat activity seen on the top 50 web hosting services. That list featured several of the main players, including Windows.net, Wordpress.com, Bluehost, Wix, Google's Firebase and many others. The graph shows which of these web hosting platforms carried security risks on their customer subdomains:
Legitimate Services Used for Phishing Campaigns
Turning our attention to phishing, we have come across campaigns in which hackers leverage several Cloudflare services: Pages to deploy static phishing pages, Workers to deploy serverless code that is served from Cloudflare's edge locations around the globe, and the Cloudflare CDN to deliver their lookalike SaaS apps quickly from anywhere in the world.
We have observed significant activity on the Windows.net domain, where hackers use Azure Blob Storage to host and serve static web content, files and applications. Attackers host phishing pages, malware or tech-support scams on subdomains such as *.web.core.windows.net (Blob Storage static websites) or *.azurewebsites.net (Azure App Service). These hostnames make the malicious content appear more credible because they sit under Microsoft's trusted infrastructure, and the shared apex domains cannot simply be blocked because legitimate Azure-hosted applications live there too.
And of course, hackers also rely on decentralized, open-source services like IPFS. Its design makes web pages, files or applications harder to take down, since the content is replicated across many nodes and can be fetched through any public gateway. Hackers count on the fact that traditional takedown methods (contacting the hosting provider) do not work effectively with IPFS, because no single provider holds the content.
Attackers also rotate malicious URLs across platforms such as AWS or Azure, so that each blocked URL is replaced by a fresh one under the same trusted apex domain, evading detection and blocking.
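The common thread of the hosting abuse described above (Azure Blob static sites and App Service, Cloudflare Pages and Workers, Blogger, Firebase, IPFS gateways) is that the apex domain is shared by countless legitimate customers, so a blocklist has to key on the customer-chosen label, and for IPFS on the content identifier, which every public gateway serves. The script below is an added example for this article, not code from the post's authors. It relies on the providers' documented default hostname shapes (for example <account>.z13.web.core.windows.net, <deployment>.<project>.pages.dev, <worker>.<account>.workers.dev, <cid>.ipfs.dweb.link); the tenant names, CID and denylist are constructed for the example.

```python
"""Block by tenant label or IPFS CID on multi-tenant hosting, never by shared apex (added example)."""
from __future__ import annotations

from urllib.parse import urlsplit

# platform -> (apex suffix, which label under the suffix identifies the tenant)
# "first": <tenant>.<zone>.suffix (Azure) or <tenant>.suffix (Blogger, Firebase, quick tunnels)
# "last":  <deployment>.<tenant>.suffix (Cloudflare Pages previews, Workers)
MULTITENANT = {
    "azure-blob-static": (".web.core.windows.net", "first"),
    "azure-blob": (".blob.core.windows.net", "first"),
    "azure-appservice": (".azurewebsites.net", "first"),
    "cloudflare-pages": (".pages.dev", "last"),
    "cloudflare-workers": (".workers.dev", "last"),
    "cloudflare-tunnel": (".trycloudflare.com", "first"),
    "blogger": (".blogspot.com", "first"),
    "firebase": (".web.app", "first"),
}

# Public IPFS gateways: path form https://<gw>/ipfs/<cid>/... or subdomain form https://<cid>.ipfs.<gw>/
IPFS_GATEWAYS = ("ipfs.io", "dweb.link")


def content_key(url: str) -> tuple[str, str] | None:
    """Return (platform, tenant-or-cid) for a URL on a multi-tenant platform, else None."""
    u = urlsplit(url)
    host = (u.hostname or "").lower().rstrip(".")

    for platform, (suffix, which) in MULTITENANT.items():
        if host.endswith(suffix):
            labels = host[: -len(suffix)].split(".")
            return platform, labels[0] if which == "first" else labels[-1]

    for gw in IPFS_GATEWAYS:
        if host == gw or host.endswith("." + gw):
            parts = u.path.split("/")
            if len(parts) > 2 and parts[1] == "ipfs" and parts[2]:
                return "ipfs", parts[2]
            if host.endswith(".ipfs." + gw):
                return "ipfs", host[: -len(".ipfs." + gw)]
    return None


def decide(url: str, denied: set[tuple[str, str]]) -> str:
    """'block' only when the tenant or CID is denied; the shared apex is never the reason."""
    key = content_key(url)
    return "block" if key is not None and key in denied else "allow"


# Constructed denylist, e.g. populated from phishing URLs seen in a campaign.
CID = "bafyexamplecidconstructedforillustrationonly"  # placeholder, not a real CID
DENIED = {
    ("azure-blob-static", "phishacct"),
    ("cloudflare-pages", "bad-project"),
    ("ipfs", CID),
}

if __name__ == "__main__":
    for url in (
        "https://phishacct.z13.web.core.windows.net/login.html",
        "https://abc1234f.bad-project.pages.dev/",   # preview deployment, same tenant
        "https://good-project.pages.dev/",            # different tenant on the same apex
        f"https://ipfs.io/ipfs/{CID}/index.html",
        f"https://{CID}.ipfs.dweb.link/",             # same content via another gateway
        "https://portal.azure.com/",
    ):
        print(f"{decide(url, DENIED):<5} {content_key(url)}  {url}")
```

Two properties matter here: a preview deployment under a denied Pages project is blocked even though its full hostname was never seen before, and a denied CID is blocked on a gateway the campaign has not used yet, which is the only way to keep up with the rotation described above.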
Hackers Thinking Like Digital Marketers
For phishing campaigns, attackers sometimes put on their digital marketing hats. They resort to tactics like SEO poisoning, stuffing popular or trending keywords into the content of their malicious websites to trick search engines into ranking them higher. These keywords are often related to current events, popular software or security concerns (e.g., "free antivirus," "Google Authenticator").
Still thinking like digital marketers, hackers also use Google Ads to promote their wares to unsuspecting victims. We have observed scenarios where they impersonate items from Google's own product line, such as Google Authenticator or Google Maps. They use Google's Looker Studio to build fake landing pages carrying images that resemble what you would expect on a Google page, and then buy ads to lure users to those fake pages.
Malware Categories Trend Heading into 2025
We compared the malware categories detected via our real-time signatures over the last several months to get a sense of what will trend in 2025. In the graph below, the number of malicious websites more than quadrupled, from under 100,000 in Q1 2024 to nearly 500,000 instances at the end of Q3. We expect that trend to continue. Phishing and scams were second by volume, growing from about 125,000 instances in Q1 to almost 400,000 by the end of Q3 2024. By comparison, we expect the compromised-website category to keep lagging those leading categories.
From there, we took a closer look at which sectors are most at risk from malicious websites, the leading category we examined. The graph below highlights the trend for each sector. The Business and Economy sector was most affected by volume over the last year, but we expect the Financial Data and Services category to outpace it, since financial services companies were targeted at an increasing rate from Q1 to Q3 2024.
Lastly, we looked at which sectors were most at risk from phishing and scams, the second-largest category. Not surprisingly, the Business and Economy sector leads as the most at risk, with the steepest increase from Q1 to Q2 2024 and a smaller one between Q2 and Q3 2024. Information Technology is the second most at-risk sector, though it trails the leader by a wide margin. See the graph below:
How AI Fits into the Malware Mix
Just like most of us, hackers continue to leverage AI in their efforts. They use it to craft components of a campaign: convincing web copy for fake websites, authentic-sounding emails, well-structured phishing attempts via SMS, and even sophisticated voice phishing. They can use it to create convincing documents such as invoices, job descriptions or reference material that carry a malware payload. Or they might use chatbots to engage potential victims in real-time conversations, working to trick them into sharing sensitive information. Similarly, LLMs can generate context-aware responses, replying quickly to a victim who answers a phishing email, for example. In those cases, real-time conversations go a long way toward increasing the believability of an attack.
The other reality is that AI makes this technology more accessible to a new generation of hackers. With AI's help, a young person can create many of the elements of a malware campaign and use legitimate services as the infrastructure to host and deploy all of it. Add it all up, and there is a good chance script kiddies will make way for malware kiddies or phishing kiddies. Time will tell.
Mayur Sewani
Mayur serves as a Senior Security Researcher on the Forcepoint X-Labs Research Team. He focuses on APT malware, information stealers and phishing attacks, and works to stay on top of the latest threats. He is passionate about advancing the field of defensive adversary emulation and research.
Ben Gibney
As a Security Researcher III on the X-Labs team, Ben oversees the analytics and research used in website and email filtering for millions of people across the globe. He uses a wide range of open and closed sources of intelligence for our research and applies this knowledge to an assortment of web traffic, email and file scanning technologies.
Hassan Faizan
Syed Hassan Faizan is a Security Researcher on the Forcepoint X-Labs Research Team. He devotes his time to researching cyber attacks that target the web and email, focusing particularly on URL analysis, email security and malware campaign investigation. He is passionate about analysing cyber threats aimed at Windows systems.