What Is Malware Hosting? Cloud Abuse Explained
Malware hosting is the practice of storing and delivering malicious files from a legitimate, trusted hosting service such as a code repository, file-sharing app, or content delivery network, instead of from attacker-owned infrastructure.
By CyberDefenders, 2026-06-21. Tags: cloud-security, malware-analysis, threat-detection, threat-hunting. Reading time: 9 minutes.
What Is Malware Hosting?
Malware hosting is the practice of storing and delivering malicious files from a legitimate, trusted hosting service instead of from attacker-owned infrastructure. The attacker uploads a payload to a service the target already trusts, such as a code repository, a file-sharing app, or a content delivery network, and sends victims a link that points there. The download looks ordinary because it comes from a reputable domain.
The point is concealment. A file pulled from github.com or onedrive.live.com rides on the provider's reputation. It passes domain allowlists, slips past IP reputation filters, and blends into the SaaS traffic that flows through every enterprise network all day. The attacker pays nothing for hosting, registers no suspicious domain, and inherits TLS, uptime, and a clean reputation for free.
This is now the dominant delivery channel, not a fringe trick. In the Netskope Cloud and Threat Report 2026, GitHub was the most abused service, with 12% of organizations detecting employee exposure to malware through it each month, followed by Microsoft OneDrive at 10% and Google Drive at 5.8%. Across prior Netskope reporting, more than half of all HTTP and HTTPS malware downloads have consistently originated from cloud apps. When the majority of malware arrives from services you cannot block, the trusted source becomes the attack surface.
How Malware Hosting Works
The mechanics are simple, which is why they work. The attacker does not break the cloud service. They use it the way any customer would.
- Acquire an account. A free signup, a trial, or a compromised account on a sanctioned service. No domain registration, no server to stand up.
- Upload the payload. A dropper, a loader, an archive with a malicious macro, or a second-stage binary lands in a repo, a shared folder, or a storage bucket.
- Generate a trusted link. The service issues a clean URL on its own domain, often with valid TLS and a public share token.
- Deliver the link. It goes out by phishing email, a chat message, a malvertising redirect, or a compromised web page. The victim sees a familiar brand and clicks.
- Reuse the service for more than delivery. The same provider's API often doubles as a command and control channel and an exfiltration drop zone. Dropbox, GitHub, Telegram, and Discord APIs have all been abused this way, so delivery, C2, and data theft all ride one trusted domain.
The evasion comes from trust, not stealth. Signature-based scanners that key on suspicious domains or fresh infrastructure see a request to a Fortune 500 cloud provider. Many organizations explicitly allowlist these domains because blocking GitHub or OneDrive would break legitimate work. The attacker borrows that allowlist.
Reputation-jacking and trusted-TLD evasion
Security tooling leans heavily on reputation. New domains are suspicious, aged trusted domains are not. By hosting on *.blob.core.windows.net, *.cloudfront.net, raw.githubusercontent.com, or *.web.app, the attacker gets a domain with years of clean history and millions of legitimate requests. URL filters that score reputation give it a pass. This is reputation-jacking: stealing the credibility of a domain you do not own by parking your payload on it.
Common Cloud Attack Vectors That Enable Hosting
Malware hosting rarely stands alone. It pairs with other cloud-focused techniques that give an attacker the account, the access, or the compute to host from inside a trusted environment.
| Vector | What the attacker does | Why it helps hosting |
|---|---|---|
| Account compromise | Phishes or brute-forces SaaS or IaaS credentials | Lets the payload live in a real corporate tenant, not a free account |
| Storage bucket abuse | Uploads to misconfigured or public S3, Blob, or GCS buckets | Public buckets serve files over a trusted CDN edge with no auth |
| Repository abuse | Commits payloads to public Git repos and gists | Raw file URLs deliver binaries over a developer-trusted domain |
| Live migration and hypervisor attacks | Tampers with VM migration or seizes the hypervisor (hyperjacking) | Plants and serves malware from inside the virtualization layer |
| Linux and container malware | Targets cloud workloads, often with ransomware or coinminers | Turns owned cloud compute into a hosting and staging node |
Account compromise and bucket abuse are the common path. The hypervisor-level attacks are rarer and require deep access, but they matter because a compromised hypervisor can serve malware to every VM it hosts.
Malware Hosting vs Bulletproof Hosting
Both deliver malware from infrastructure, but the model is opposite, and that changes how you defend.
| | Legitimate cloud abuse | Bulletproof hosting (BPH) |
|---|---|---|
| Infrastructure | Real provider (GitHub, OneDrive, AWS) | Rogue or offshore host that ignores abuse reports |
| Provider intent | Unwitting, abused by a customer | Knowingly shelters criminal content for a fee |
| Domain reputation | Clean and trusted, hard to block | Often already on blocklists |
| Takedown | Fast once reported to the provider | Slow or never; that is the product |
| Detection difficulty | High; blends into sanctioned traffic | Lower; the infrastructure itself is a signal |
| Cost to attacker | Free or near free | Paid, sometimes expensive |
Bulletproof hosting sells takedown resistance. Legitimate cloud abuse sells camouflage. The defender's problem with cloud abuse is that the bad traffic is indistinguishable from the good traffic at the network layer, so blocking the domain is not an option.
Detecting and Preventing Malware Hosting
You cannot blocklist the cloud. Defense shifts from "is this domain bad" to "is this specific transaction bad," which means inspecting content and behavior inside sanctioned-app traffic.
- Inspect sanctioned-app traffic. A Cloud Access Security Broker or a Secure Service Edge inspects downloads from approved apps rather than waving them through on domain reputation. This is where you catch a payload pulled from a trusted bucket.
- Filter egress to cloud APIs. Control which cloud APIs hosts can reach. A workstation that suddenly talks to the Dropbox, Telegram, or Discord API may be using it for C2 or exfiltration, not work.
- Detect on behavior, not signature. Endpoint detection that flags a document spawning PowerShell to pull a file from a trusted URL catches the chain even when the file source is clean. The sequence is the signal.
- Hunt the patterns. Proactive threat hunting for raw GitHub URLs, public share links, and unusual cloud API calls in proxy and DNS logs surfaces hosting that automated tools allowlisted.
- Tighten identity and segmentation. Strong IAM and MFA reduce account compromise, the route that lets attackers host from inside your own tenant. Segmentation limits what a compromised workload can reach.
- Train users on trusted-source clicks. Staff are taught to distrust odd domains. They are not taught that a OneDrive or GitHub link can be hostile. Close that gap.
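A threat-hunting pass over proxy records of the kind the list above calls for, as an added example that is not part of the original post. The pipe-delimited log format, the host and path patterns, the scripted user-agent list and the sample records are constructed assumptions; the script classifies requests to raw repository hosts, public share links and cloud APIs, then raises severity when a scripted client, an executable payload or a POST to an API turns a trusted-domain request into the behavioral signal the text describes.

```python
import re
from urllib.parse import urlparse

# Hunt rules for the hosting patterns described above: (category, host regex, path regex or None).
# Hosts and paths are illustrative assumptions; tune them to what your own proxy logs show.
RULES = [
    ("raw-repo", r"^(raw|gist|objects)\.githubusercontent\.com$", None),
    ("public-share", r"^(1drv\.ms|onedrive\.live\.com|drive\.google\.com|www\.dropbox\.com)$",
     r"(/download|/uc\?|[?&]dl=1|^/u/)"),
    ("cloud-api", r"^(api\.telegram\.org|content\.dropboxapi\.com)$", None),
    ("cloud-api", r"^discord(app)?\.com$", r"^/api/webhooks/"),
]
PAYLOAD_EXT = (".exe", ".dll", ".msi", ".ps1", ".hta", ".js", ".vbs", ".lnk", ".iso", ".zip", ".7z")
SCRIPTED_UA = re.compile(r"PowerShell|curl/|python-requests|Wget/", re.I)

def classify(url):
    """Return the abuse category a URL matches, or None for traffic the rules do not cover."""
    u = urlparse(url)
    target = u.path + ("?" + u.query if u.query else "")
    for category, host_pat, path_pat in RULES:
        if re.match(host_pat, u.hostname or "") and (path_pat is None or re.search(path_pat, target)):
            return category
    return None

def hunt(log_lines):
    """Scan pipe-delimited proxy records; return (timestamp, user, category, severity, url) findings."""
    findings = []
    for line in log_lines:
        ts, src, user, method, url, status, size, ua = line.split("|")
        category = classify(url)
        if category is None:
            continue
        # The sequence is the signal: a scripted client, an executable payload, or a POST to a
        # cloud API is what turns a request to a trusted domain into a high-severity finding.
        scripted = bool(SCRIPTED_UA.search(ua))
        executable = urlparse(url).path.lower().endswith(PAYLOAD_EXT)
        c2_post = category == "cloud-api" and method == "POST"
        severity = "high" if (scripted or executable or c2_post) else "medium"
        findings.append((ts, user, category, severity, url))
    return findings

# Constructed sample records: ts|src_ip|user|method|url|status|bytes|user_agent
SAMPLE_LOG = [
    "2026-06-21T09:12:03Z|10.0.4.21|jdoe|GET|https://onedrive.live.com/download?cid=EXAMPLE&resid=EXAMPLE%21456|200|731204|Mozilla/5.0 (Windows NT 10.0) Chrome/124.0",
    "2026-06-21T09:12:41Z|10.0.4.21|jdoe|GET|https://raw.githubusercontent.com/example-org/example-repo/main/update.exe|200|418304|Mozilla/5.0 (Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1",
    "2026-06-21T09:13:05Z|10.0.4.21|jdoe|POST|https://discord.com/api/webhooks/000000/EXAMPLE_TOKEN|204|2048|python-requests/2.31.0",
    "2026-06-21T09:14:22Z|10.0.4.38|asmith|GET|https://github.com/example-org/example-repo/pulls|200|55120|Mozilla/5.0 (Windows NT 10.0) Firefox/126.0",
]
if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(" | ".join(finding))
```

The browser download of a share link lands as medium, while the PowerShell fetch of an .exe from a raw repository URL and the POST to a Discord webhook from a scripted client land as high; the ordinary github.com page view produces no finding.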
A Cloud-Native Application Protection Platform ties workload, identity, and storage telemetry together so a public bucket serving binaries or an anomalous API call shows up as one finding instead of three disconnected logs.
Frequently Asked Questions
What is malware hosting?
Malware hosting is the storing and delivering of malicious files from a legitimate, trusted hosting service rather than from attacker-controlled infrastructure. The attacker uploads a payload to a service like GitHub or OneDrive and shares a link, so the download inherits the provider's clean reputation and evades domain-based controls.
Why do attackers use legitimate cloud services to host malware?
Trusted cloud domains pass allowlists, IP reputation filters, and signature-based controls that would flag a freshly registered attacker domain. Hosting is free, comes with valid TLS, and blends into the heavy SaaS traffic on every network, so the malicious download is hard to distinguish from normal use.
Which cloud services are most abused for malware delivery?
In the Netskope Cloud and Threat Report 2026, GitHub was the most abused, with 12% of organizations detecting malware exposure through it monthly, followed by Microsoft OneDrive at 10% and Google Drive at 5.8%. Dropbox, Discord, Telegram, Azure Blob Storage, and Amazon CloudFront are also routinely abused.
How is malware hosting different from bulletproof hosting?
Bulletproof hosting is a paid service from a rogue provider that knowingly ignores abuse reports to keep criminal content online. Malware hosting on legitimate cloud abuses an unwitting mainstream provider for free, trading takedown resistance for camouflage in trusted traffic.
How do you detect malware hosted on trusted cloud services?
Inspect the content of downloads from sanctioned apps rather than trusting the domain, filter and monitor egress to cloud APIs, and detect on behavior such as a document spawning a script to fetch a file. Threat hunting through proxy and DNS logs for raw repository URLs and unusual cloud API calls surfaces what automated allowlisting missed.
Can you just block the cloud services attackers abuse?
No. Blocking GitHub, OneDrive, or Google Drive breaks legitimate work, which is exactly why attackers choose them. Defense moves from blocking domains to inspecting individual transactions and behaviors inside that trusted traffic.