
The use of legitimate platforms to spread malware: A new challenge for companies

In recent years, cybercrime has evolved not only in technical sophistication, but also in strategy. The new tactic gaining momentum in 2025 is the use of legitimate platforms such as cloud storage services, code repositories, corporate forums and even social networks to distribute malware stealthily and effectively.


The great asset of this approach is the breach of trust: by routing their malicious code through "safe" channels, criminals are able to circumvent traditional defenses, make it harder for antivirus tools to detect them and drastically increase the reach of their attacks.

In this article, we'll reveal how this technique is being used by cybercriminal groups, the latest malware that takes advantage of this strategy and, above all, how your company can protect itself with continuous monitoring, incident response and cutting-edge technologies.

The new face of cybercrime: How legitimate platforms are being exploited

A new vector: trust as a weapon

Instead of relying on suspicious links or files coming from obscure channels, cybercriminals have started to exploit what is most familiar in everyday corporate life: legitimate platforms. They are reliable, widely used and often ignored by traditional defenses, making them fertile ground for malicious code.

Known platforms, hidden threats

Services such as Google Drive, Dropbox, GitHub, Discord, Microsoft Teams and Slack, essential for productivity and collaboration, are being used as distribution channels for malware. The camouflage is effective: malicious files hide under the appearance of harmless documents or routine links.


The sophistication of these threats lies not only in the concealment technique, but also in the customization and adaptability of the malware used. Banshee Stealer, for example, is a threat that hides in files shared via Google Drive. Once installed, it steals authentication data, cookies, browsing history and even banking access tokens.

ResolverRAT was identified circulating in Discord communities, disguised as utility tools. Its differential lies in its ability to establish complete remote control of the compromised machine, turning it into a silent spy point.

AsyncRAT, on the other hand, takes advantage of public GitHub repositories for dissemination and has already been used in targeted campaigns against technology companies, offering persistent control and keylogger and file exfiltration functionalities.

Another relevant name is RedLine Stealer, which circulates via Dropbox or file-sharing platforms as a payload hidden in apparently harmless executables. Its main focus is data theft and exploitation of internal systems.

When the digital routine becomes a trap

This new phase of cybercrime turns common routines into potential loopholes. Dubious plugins, shortened links, ZIP files and masked extensions are among the most commonly used methods for spreading threats, requiring a closer look and more sophisticated defense systems.

These attacks follow a meticulously planned flow. First, the cybercriminal chooses a widely trusted platform such as Google Drive, GitHub or Discord to host the malware. The aim is simple: to use the positive reputation of these services to mask the malicious intent of the file.

The attacker then distributes the link to this infected content via phishing campaigns, messages on social networks, corporate emails or even automation on technical forums. Often, the message is accompanied by a legitimate pretext such as a supposed invoice, an invitation or collaboration on a project, boosting the click-through rate.

When the file is downloaded and executed, the malware starts communicating with a command and control (C2) server, allowing the attacker to trigger extra functionalities. From there, the infection can quickly escalate: stealing credentials, intercepting authentication codes, turning the endpoint into a residential proxy to mask criminal traffic or even participating in DDoS campaigns.

Why is detection more difficult?

The sophistication of attacks using legitimate platforms has completely changed the cybersecurity game. What used to be easily filtered out by antivirus or basic firewall policies now goes unnoticed by most traditional solutions.

Camouflage in familiar environments

Trust is a powerful weapon and attackers know it. By exploiting platforms that are already part of everyday corporate life, such as Google Drive, OneDrive, GitHub and Microsoft Teams, cybercriminals are able to disguise malicious behavior. Because these platforms are widely trusted and integrated into legitimate operational flows, they often escape traditional security filters. This allows dangerous files to pass as harmless documents or malicious links to be treated as routine communications.

This type of disguise drastically reduces user suspicion and makes it more difficult for automated systems, which tend to trust domains with a good reputation. The result? The window between infection and detection often widens, at a high cost to the company.

Fragmenting the chain of infection

The malware campaigns of 2025 are no longer simple or linear. Today, cybercriminals create fragmented and distributed chains of infection: an email may contain a seemingly reliable link that directs to a file repository such as Dropbox or WeTransfer, where a script or ZIP file triggers the attack.

This fragmentation makes it more difficult for security tools to correlate events. An isolated alert may seem irrelevant until, added to others, it reveals the real threat. In the meantime, the malware is already active, collecting data or opening doors to other attacks.
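The correlation problem described above can be made concrete. The following is an added example (not code from the article or from Asper) that joins three constructed log sources per host within a short time window: a proxy log showing a download from a file-sharing service, an endpoint process log, and an outbound-connection log. Each event is unremarkable on its own; the detection fires only when the chain completes. The log lines, the trusted-domain list, the script-host list and the allowed-destination list are all assumptions made for the example.

```python
"""Correlate a fragmented infection chain across three log sources.

Added example with constructed sample data. A download from a trusted
file-sharing domain, a masked executable or script interpreter starting
on the same host, and an outbound connection to a destination outside
the allowlist are each routine alone; joined within WINDOW they form
the chain the article describes.
"""
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample logs (not real telemetry). Fields are key=value.
PROXY_LOG = [
    "2025-03-10T09:01:12Z host=WS-017 user=ana url=https://www.dropbox.com/s/abc123/invoice_march.zip",
    "2025-03-10T09:05:40Z host=WS-017 user=ana url=https://docs.google.com/document/d/xyz",
    "2025-03-10T10:12:03Z host=WS-042 user=bruno url=https://github.com/example-org/tool/releases/tool.zip",
]
PROCESS_LOG = [
    "2025-03-10T09:02:30Z host=WS-017 parent=explorer.exe image=invoice_march.pdf.exe",
    "2025-03-10T09:02:31Z host=WS-017 parent=invoice_march.pdf.exe image=powershell.exe",
    "2025-03-10T10:13:00Z host=WS-042 parent=explorer.exe image=tool.exe",
]
NETWORK_LOG = [
    "2025-03-10T09:03:05Z host=WS-017 image=powershell.exe dest=update-cdn-77.example:443",
    "2025-03-10T10:13:20Z host=WS-042 image=tool.exe dest=api.github.com:443",
]

# Assumed policy lists for the example; a real deployment would source
# these from its own inventory and threat-intelligence feeds.
FILE_SHARING_DOMAINS = {"www.dropbox.com", "drive.google.com", "github.com", "cdn.discordapp.com"}
ARCHIVE_OR_SCRIPT = (".zip", ".rar", ".7z", ".js", ".vbs", ".ps1", ".exe", ".scr")
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe"}
ALLOWED_DESTS = {"api.github.com", "www.dropbox.com", "docs.google.com"}
WINDOW = timedelta(minutes=10)


def parse(line):
    """Turn one 'timestamp k=v k=v' line into a dict with a datetime."""
    ts, *fields = line.split()
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def suspicious_download(ev):
    """Archive or script fetched from a trusted file-sharing domain."""
    url = urlparse(ev["url"])
    return url.hostname in FILE_SHARING_DOMAINS and url.path.lower().endswith(ARCHIVE_OR_SCRIPT)


def suspicious_process(ev):
    """Masked double extension (invoice.pdf.exe) or a script interpreter."""
    image = ev["image"].lower()
    parts = image.split(".")
    masked = len(parts) >= 3 and parts[-1] in {"exe", "scr", "js", "vbs"}
    return masked or image in SCRIPT_HOSTS


def suspicious_connection(ev):
    """Outbound connection to a host that is not on the allowlist."""
    dest_host = ev["dest"].rsplit(":", 1)[0]
    return dest_host not in ALLOWED_DESTS


def correlate(proxy_lines, process_lines, network_lines, window=WINDOW):
    """Return one alert per completed download -> process -> connection chain."""
    downloads = [e for e in map(parse, proxy_lines) if suspicious_download(e)]
    procs = [e for e in map(parse, process_lines) if suspicious_process(e)]
    conns = [e for e in map(parse, network_lines) if suspicious_connection(e)]
    alerts = []
    for d in downloads:
        deadline = d["ts"] + window
        chain_procs = [p for p in procs if p["host"] == d["host"] and d["ts"] <= p["ts"] <= deadline]
        if not chain_procs:
            continue
        first_proc = min(p["ts"] for p in chain_procs)
        chain_conns = [c for c in conns if c["host"] == d["host"] and first_proc <= c["ts"] <= deadline]
        if not chain_conns:
            continue
        alerts.append({
            "host": d["host"],
            "download": d["url"],
            "processes": [p["image"] for p in chain_procs],
            "destinations": sorted({c["dest"] for c in chain_conns}),
        })
    return alerts


if __name__ == "__main__":
    for alert in correlate(PROXY_LOG, PROCESS_LOG, NETWORK_LOG):
        print(alert)
```

In the sample data, WS-042 also downloads a ZIP from GitHub, but the process it starts is neither masked nor a script host and its only connection goes to an allowed destination, so no alert is raised for it; the rule keys on the completed chain rather than on any single trusted-platform download.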

Obfuscation and evasion engineering

To avoid detection by antivirus systems, firewalls or security gateways, attackers use obfuscation techniques, scrambling the malicious code with layers of coding, compression or encryption. This makes static analysis (before execution) and even inspection during traffic difficult.

In addition, modern malware uses conditional techniques, in which the malicious code is only activated in specific situations such as after a click, at certain times, or depending on the victim's geographical location. This adaptive intelligence makes real-time detection even more challenging, requiring sandboxing mechanisms, behavioral analysis and continuous investigation.


Limitations of traditional tools

Conventional antivirus products, based on known signatures, simply can't keep up with the pace at which attacks evolve. Each new malware variant or new attack vector requires an update to the signature database, and this process is not instantaneous.

In addition, these tools are rarely able to analyze the behavior of a file or process in real time. This is why investing in more modern solutions such as EDR (Endpoint Detection and Response), NDR (Network Detection and Response), behavioral analysis and integration with threat intelligence feeds is essential. These tools detect the "how" and "why" of suspicious activity and not just "what" is being carried out.


Real impacts for companies

The use of legitimate platforms as malware vectors represents a silent but devastating challenge for companies. When the threat hides inside already authorized environments, the impacts go far beyond the initial infection. We're talking about financial losses, operational paralysis, reputational damage and compromised trust both internally and externally.

Compromised infrastructure and increased response time

Attacks that exploit trusted channels tend to remain undetected for longer. This directly affects MTTD (Mean Time to Detect) and MTTR (Mean Time to Respond), two crucial metrics for the health of the security operation. The longer the time to detection and response, the greater the damage: malware can move laterally, compromise more systems, install backdoors and exfiltrate sensitive data.

Furthermore, delays in identification have a cascading effect: investigations take longer, containment is more complex and recovery is more costly.

Data leaks and compliance breaches

By infiltrating through legitimate platforms, malware can gain access to confidential documents, customer data, project information and intellectual property. This is particularly critical in regulated sectors such as health, finance, legal and telecom, where data loss or exposure can generate severe penalties under legislation such as LGPD, GDPR, HIPAA, among others.

Accidental exposure of the company as a malware dissemination point can also jeopardize partnerships, lead to the loss of contracts and open the door to litigation.

Damaged reputation and brand risks

Even without a targeted attack, an organization can suffer damage to its image because it has been used as an infection channel. When malware leaves its structure to reach third parties, suppliers, partners or customers, the perception of fragility sets in. This impacts market confidence, devalues intangible assets and, in extreme cases, can have a direct impact on revenue.

Employees as unwitting vectors

In many cases, the weakest link remains the human factor. Unsuspecting employees who share or click on malicious links hosted on platforms they use every day become unwitting agents of propagation. This increases the risk and reveals the importance of combining technology with education and clear security policies.

How to protect yourself: Technical and governance strategies

Faced with the use of legitimate platforms to spread malware, protecting your company requires more than traditional antivirus and firewalls. You need to adopt an integrated approach that combines cutting-edge technology, access governance and constant preparation. Below, we've put together the most effective strategies for mitigating this new type of threat.

Defense in Depth: Layers that Complement Each Other

To mitigate the risks posed by malware hidden in trusted platforms, it is essential to adopt a security posture based on multiple layers, also known as Defense in Depth.

The first layer is at the network perimeter, where modern firewalls must be equipped with blocking rules and lists of malicious domains based on up-to-date IOCs. IDS/IPS solutions are also crucial for detecting anomalous traffic originating from devices that may have been compromised.

The second layer, aimed at endpoints and connected devices, includes solutions such as NGAV (next generation antivirus) and EDRs, which monitor suspicious activity in real time and prevent unauthorized code from being executed. It is also necessary to restrict the installation of non-approved devices or apps, a measure that is especially relevant with the increased use of personal and IoT devices in corporate environments.

The third layer involves continuous monitoring and incident response. Here, UEBA (User and Entity Behavior Analytics) technologies help identify non-standard behavior. Log analysis and proactive threat hunting complement this effort, offering visibility into possible attempts to connect to C2 servers.

Finally, education and governance are the structural basis: keeping employees informed about current risks, such as those posed by uncertified TV boxes or links to unknown repositories, and applying strict access control and asset inventory policies ensures that the organization is always one step ahead of the attacker.

Reinforce traffic and behavior monitoring

The first line of defense starts with continuous visibility of what is happening on your network and on your endpoints. Tools such as EDR (Endpoint Detection and Response), NDR (Network Detection and Response) and solutions with behavioral analysis (UEBA) are capable of identifying anomalous activity even on trusted platforms.

These technologies detect variations in user behavior, unusual access patterns and unexpected traffic, critical elements when malware disguises itself within legitimate channels.

Define clear policies for the use of platforms

Many companies still don't have a formalized policy on the use of tools such as Google Drive, Dropbox, GitHub, Slack or Microsoft Teams. However, it is vital to define access rules, types of files allowed and sharing permissions.

Adopting multi-factor authentication (MFA), controlling downloads and checking the integrity of shared files are simple measures that have a high impact on prevention.
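The file-type and integrity controls mentioned above can be expressed as a small policy check. The following is an added example (not code from the article or from Asper) that inspects a file received through a shared drive or chat platform for a disallowed extension, a masked double extension, executable content hiding under a document name, executable members inside a ZIP, and a SHA-256 mismatch against an integrity manifest. The allowed-extension list, the manifest and every sample file are constructed assumptions for the example.

```python
"""Policy checks for files received through shared drives and chat platforms.

Added example; the allowed-extension list, the integrity manifest and the
sample files are constructed assumptions, not an organization's real policy.
"""
import hashlib
import io
import zipfile

ALLOWED_EXTENSIONS = {"pdf", "docx", "xlsx", "pptx", "png", "jpg", "txt", "zip"}
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "bat", "cmd", "ps1", "js", "vbs", "hta", "msi", "lnk"}
# Leading bytes that reveal executable content regardless of the file name.
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF", b"#!")


def extensions(name):
    """All extensions of a name, lower-cased: 'a.pdf.exe' -> ['pdf', 'exe']."""
    parts = name.lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def inspect_zip(data):
    """Flag executable or script members inside an archive."""
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                exts = extensions(member)
                if exts and exts[-1] in EXECUTABLE_EXTENSIONS:
                    findings.append(f"archive contains executable member {member}")
    except zipfile.BadZipFile:
        findings.append("file has .zip extension but is not a valid archive")
    return findings


def check_file(name, data, manifest=None):
    """Return a list of policy findings for one shared file (empty = clean)."""
    findings = []
    exts = extensions(name)
    last = exts[-1] if exts else ""
    if last not in ALLOWED_EXTENSIONS:
        findings.append(f"extension .{last or '(none)'} not allowed by policy")
    if len(exts) >= 2 and last in EXECUTABLE_EXTENSIONS:
        findings.append(f"masked extension: looks like .{exts[-2]} but is .{last}")
    if data.startswith(EXECUTABLE_MAGIC) and last not in EXECUTABLE_EXTENSIONS:
        findings.append(f"content is executable but named .{last}")
    if last == "zip":
        findings.extend(inspect_zip(data))
    if manifest is not None:
        digest = hashlib.sha256(data).hexdigest()
        expected = manifest.get(name)
        if expected is None:
            findings.append("no integrity record for this file")
        elif expected != digest:
            findings.append("sha256 does not match the integrity manifest")
    return findings


def build_samples():
    """Constructed sample files: one clean document and three policy violations."""
    benign_pdf = b"%PDF-1.4\n% constructed sample document\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "constructed sample")
        zf.writestr("invoice_march.pdf.exe", "MZ constructed stub, not a real binary")
    return {
        "report_q1.pdf": benign_pdf,
        "statement.pdf": b"MZ" + b"\x00" * 16,          # executable named as a PDF
        "invoice_march.pdf.exe": b"MZ" + b"\x00" * 16,  # masked double extension
        "project_files.zip": buf.getvalue(),           # archive hiding an executable
    }


SAMPLES = build_samples()
# Integrity manifest as a sender would publish it; only the clean file is listed.
MANIFEST = {"report_q1.pdf": hashlib.sha256(SAMPLES["report_q1.pdf"]).hexdigest()}


def scan_all(samples=SAMPLES, manifest=MANIFEST):
    """Run check_file over every sample and map name -> findings."""
    return {name: check_file(name, data, manifest) for name, data in samples.items()}


if __name__ == "__main__":
    for name, findings in scan_all().items():
        print(name, "->", findings or "clean")
```

The manifest check is what catches a file that was swapped after the link was shared: the name and extension still look right, but the digest no longer matches what the sender recorded.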

Feed your security with threat intelligence

Threat detection today depends heavily on the quality of information. This means that your security infrastructure must be constantly fed with threat intelligence feeds, IOCs (indicators of compromise) and up-to-date data on active campaigns.

The integration of SIEM, EDR and Threat Intelligence makes it possible to identify trends, anticipate movements and block attacks before they advance. Collaboration with specialized partners such as Asper is essential in this process.

Structure a realistic incident response plan

Many companies still don't have a practical and tested plan for dealing with infections originating on trusted platforms. Having a structured response playbook, with defined roles, communication flows and regular testing, is what separates efficient containment from a reputational crisis.

This plan should include everything from automatic isolation of endpoints to communication with internal and external stakeholders. The ability to act in the first few minutes is critical.

Invest in security education and culture

Technology is essential, but cybersecurity maturity can only be achieved with human involvement. Continuously training employees to identify threats in disguise, even when they come from reliable sources, is a competitive differentiator.

Simulated phishing campaigns, short training sessions and awareness-raising actions are effective ways of reducing the human factor as a risk vector.

Asper's role: Rapid response, continuous monitoring and endpoint protection

Faced with a scenario where threats lurk in common everyday platforms, reactive action is no longer enough. Asper offers a modern approach, combining proactive monitoring, applied intelligence and real capacity to respond to exactly what the context requires.

Through its Cyber Fusion Center, Asper delivers a robust 24/7 security model, capable of identifying anomalous behavior even when disguised as apparently legitimate traffic. The solutions operated by Asper, such as CrowdStrike Falcon Complete, EDRs, SIEMs and NDRs, guarantee total visibility over the attack surface, combining automation, behavioral analysis and qualified human action.

More than identifying, Asper acts. This means:

  • Surgical response in less than 10 minutes after detection of the threat.
  • Remote removal of malicious artifacts before they compromise the entire infrastructure.
  • Continuous hardening of the environment based on lessons learned from real threats.
  • Technical translation into business language, enabling strategic decisions by the leadership.

In addition to technology, there is the human factor: a consultative team that understands the context, guides prevention and adapts solutions to each client's reality. With Asper, security is no longer a promise but a strategic business asset.

Want to see how this protection structure would work in your company?

When the ordinary becomes an attack channel, strategy needs to evolve

Cyber attacks are no longer obvious. Today, they travel silently through platforms we use every day: Google Drive, GitHub, Slack, Teams, Dropbox. Legitimate tools, trusted environments, now converted into threat vectors. And that changes everything.

What used to be classified as "external risks" is now blurred into everyday operations. The boundaries between safe and dangerous have become blurred. Trust, once a facilitator of productivity, has become a vulnerability exploited by increasingly sophisticated criminals.

In this scenario, companies that continue to protect themselves only with traditional solutions based on signatures, blacklists and point detection are exposed not only to attacks, but also to a loss of credibility, compliance and competitiveness.

The response requires evolution. It requires continuous monitoring, threat intelligence, behavioral analysis and, above all, an agile response. More than security products, we need strategic partners who think ahead, act quickly and master the scenario.

Asper represents this new model: an ally with offensive and defensive vision, who delivers cutting-edge technology and translates threats into actionable decisions. For companies that want to anticipate and not just react.

Because in today's world, where even the trustworthy can be the start of an attack, your competitive advantage starts with your security posture.
