T1071.002 File Transfer Protocols is a sub-technique of Application Layer Protocols (T1071) in the MITRE ATT&CK framework under the Command and Control tactic. It involves the use of File Transfer Protocols such as SMB, FTP, and TFTP to facilitate file sharing across networks.
These protocols play a critical role in modern network communications by embedding data within headers and content, enabling the transfer of files between systems. While essential for everyday operations, these protocols also present inherent vulnerabilities that adversaries can exploit. They allow for efficient data exchange but can also be leveraged for malicious activities, enabling attackers to hide their actions as regular network traffic.
To read about other sub-techniques of the T1071 Application Layer Protocols technique, you can visit the related hub blog.
Adversaries exploit file transfer protocols like SMB, FTP, FTPS, and TFTP for malicious activities by blending their communications with regular network traffic, making detection difficult. These protocols inherently contain numerous fields and headers, which can be manipulated to conceal malicious commands and data. This method is particularly effective for command and control operations, allowing attackers to discreetly maintain communication with compromised systems. They can also use these protocols to transfer malware or exfiltrate data, all while appearing as regular file transfer traffic.
For example, a recent analysis published in December 2025 shows that the LLM-driven LameHug malware uses SFTP, running over SSH on port 22, to exfiltrate the collected system data and user documents to the attacker-controlled C2 server [1].
The adversarial purpose here is to move stolen data over a channel that is both encrypted and already permitted. SFTP is widely used for secure file transfers in many environments. By using SFTP with hardcoded credentials, the malware ensures the data leaves the network through an expected protocol channel rather than through suspicious non-standard traffic.
The malware uses the following Python function and the paramiko library to execute the SFTP exfiltration:
```python
def ssh_send(path):
    ...
```
By automating this workflow, LameHug turns SFTP into a quiet and dependable exfiltration channel. Collected files are uploaded into timestamped folders on the attacker's server, making the activity hard to distinguish from normal SSH traffic. Because SFTP is encrypted and commonly allowed through firewalls, the data theft blends into routine administrative operations, showing why attackers increasingly use file transfer protocols to move stolen data without triggering alarms.
For example, in the March-April 2024 DarkGate malware campaign, adversaries exploited the SMB protocol to discreetly transfer malicious payloads and scripts [2].
Malicious Microsoft Excel files embedded objects that, when triggered, fetched VBScript (.vbs) or JavaScript (.js) files directly from public-facing SMB shares, such as:
\\167[.]99[.]115[.]33\share\EXCEL_OPEN_DOCUMENT[.]vbs
These scripts executed commands to download and run follow-up PowerShell scripts, which retrieved additional malware components like obfuscated shellcode (test.txt) and AutoHotKey-based executables from SMB or HTTP locations. By leveraging SMB, a protocol trusted for legitimate file-sharing operations, DarkGate blended malicious file transfers with normal network traffic, reducing detection risk.
The staged, modular approach facilitated stealthy deployment and execution of its payloads, while the reliance on publicly accessible SMB shares minimized direct communication with traditional C2 servers, ensuring persistence and evasion of network monitoring tools.
Similarly, in the LemonDuck malware campaign reported in April 2024, adversaries leveraged the SMB protocol to covertly transfer malicious files and maintain persistence [3]. Using the EternalBlue vulnerability (CVE-2017-0144), the attacker gained initial access and created a hidden administrative share on the C: drive, enabling remote file transfers without detection.
Malicious executables, such as msInstall.exe and its renamed versions (FdQn.exe, HbxbVCnn.exe), were transferred and executed through SMB, blending with normal file-sharing activities. The attacker utilized SMB to deploy scripts and batch files (p.bat) to facilitate scheduled tasks, modify network configurations, and download additional payloads, ensuring continuous malware execution.
By exploiting SMB for file transfer and execution, LemonDuck discreetly moved payloads across systems while avoiding detection, demonstrating the protocol's effectiveness for covert communication and malware delivery in adversarial operations.
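As an added example (not from the original post or from any of the cited reports), the following Python detection logic applies the defender's reading of the cases above to constructed telemetry: SMB connections from a workstation to an internet-routable host, as with the DarkGate share, and large SSH/SFTP uploads to hosts outside an allowlist, as with LameHug's exfiltration. The allowlist, byte threshold, sample flows and UNC paths are assumptions made up for the example.

```python
import ipaddress
from collections import namedtuple
# Internal ranges listed explicitly: ipaddress.is_global would also treat the
# TEST-NET documentation addresses used below as non-global.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
SSH_ALLOWLIST = {"10.0.0.5"}        # hypothetical: hosts workstations may reach over SSH/SFTP
SSH_UPLOAD_BYTES = 5 * 1024 * 1024  # outbound bytes above which an SSH session counts as bulk upload
Flow = namedtuple("Flow", "src dst dport bytes_out")  # bytes_out: bytes sent by src, the internal host

def is_external_ip(host: str) -> bool:
    """True only for an IP literal outside INTERNAL_NETS; hostnames return False."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)

def unc_host(unc: str) -> str:
    """Server component of a UNC path (two leading backslashes, then server\\share\\file)."""
    if not unc.startswith("\\\\"):
        raise ValueError("not a UNC path")
    return unc[2:].split("\\", 1)[0]

def detect(flows, unc_paths=()):
    """Return (rule, evidence) alerts for file-transfer-protocol abuse (T1071.002)."""
    alerts = []
    for f in flows:
        # SMB to an internet-routable host: how DarkGate staged its scripts from public shares.
        if f.dport == 445 and is_external_ip(f.dst):
            alerts.append(("smb_to_external_host", f))
        # Large SSH/SFTP upload to a non-allowlisted host: the LameHug exfiltration pattern.
        if f.dport == 22 and f.dst not in SSH_ALLOWLIST and f.bytes_out >= SSH_UPLOAD_BYTES:
            alerts.append(("bulk_ssh_upload_unknown_host", f))
    for p in unc_paths:  # endpoint side: UNC paths opened by Office that point at external IPs
        if is_external_ip(unc_host(p)):
            alerts.append(("office_unc_to_external_host", p))
    return alerts

# Constructed sample telemetry; TEST-NET addresses stand in for real external hosts.
SAMPLE_FLOWS = [
    Flow("10.0.0.23", "10.0.0.40", 445, 12_000),        # internal file server: benign
    Flow("10.0.0.23", "203.0.113.7", 445, 4_000),       # SMB to an external IP
    Flow("10.0.0.23", "10.0.0.5", 22, 50_000_000),      # allowlisted jump host: benign
    Flow("10.0.0.23", "198.51.100.9", 22, 48_000_000),  # bulk upload to an unknown SSH host
]
SAMPLE_UNC = [r"\\10.0.0.40\share\report.xlsx", r"\\fileserver\share\notes.docx",
              r"\\203.0.113.7\share\open_document.vbs"]

if __name__ == "__main__":
    print(*detect(SAMPLE_FLOWS, SAMPLE_UNC), sep="\n")
```

In production the same three rules would run over real flow exports and endpoint file-open events, with the allowlist and threshold tuned to the environment's known administrative SSH targets.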
[1] P. Labs, “Malicious AI Exposed: WormGPT, MalTerminal, and LameHug,” Dec. 06, 2025. Available: https://www.picussecurity.com/resource/blog/malicious-ai-exposed-wormgpt-malterminal-and-lamehug. [Accessed: Dec. 08, 2025]
[2] V. Thothathri, Y. Sui, A. Maurya, U. P. Singh, and B. Duncan, “DarkGate: Dancing the Samba With Alluring Excel Files,” Unit 42, Jul. 10, 2024. Available: https://unit42.paloaltonetworks.com/darkgate-malware-uses-excel-files/. [Accessed: Dec. 17, 2024]
[3] “LemonDuck Unleashes Cryptomining Attacks Through SMB Service Exploits,” Oct. 04, 2024. Available: https://notes.netbytesec.com/2024/10/lemonduck-unleashes-cryptomining.html. [Accessed: Dec. 17, 2024]