Malware & Threats

Attackers Using IPFS for Distributed, Bulletproof Malware Hosting

The InterPlanetary File System (IPFS), considered one of the building blocks of web3, is increasingly being used to provide hidden bulletproof hosting for malware.

“Multiple malware families are currently being hosted within IPFS and retrieved during the initial stages of malware attacks,” say researchers at Cisco Talos.

IPFS is a distributed file system where access is facilitated by content rather than physical location. The target file’s URL is a hash of the content, not a definition of the server’s location. Files are entered into the system and then automatically copied to multiple nodes. The physical location of the nodes is unknown to the user since the file is retrieved by the content hash rather than the IP address. The relationship between node and hash is maintained by IPFS gateways – the whole purpose is to create and maintain legitimate, resilient, decentralized and uncensored access to internet content.

“While these technologies have legitimate uses in a variety of practical applications, they also create opportunities for adversaries to take advantage of them within their phishing and malware distribution campaigns,” says Talos in its latest Threat Spotlight.

“As an attacker,” Talos told SecurityWeek, “you will typically install an IPFS client on a system under your control.” This could be a computer you own, a compromised host or an anonymized virtual private server. “You publish the file to the IPFS network, and you effectively and automatically make local content available to multiple other nodes within the IPFS network.”

You can then disengage the initial computer, and yet the file lives on within IPFS at locations known only to the hash tables used by the IPFS gateways. Resilience is maintained, there is no single point of failure, and the target does not have to be part of IPFS.

The attraction for attackers is clear: they have no cost associated with malware storage, and their IPFS ‘servers’ cannot be taken down in the same way as traditional IP malware servers can be taken down.

To be clear, the process of an attack is unchanged. Targets still need to be directed to the IPFS file, which is likely to be malware or a phishing page. This will continue to be primarily through malicious links or weaponized attachments. A particularly savvy user could recognize an IPFS URL in an email (it just appears to be a random series of characters) and decline to click – but we know empirically that users tend not to look closely at links, being easily swayed by the social engineering context around the link.

“For now,” Talos told SecurityWeek, “if you’re an organization that has no association with web3, and you’re not dealing with NFTs, I would recommend simply blocking access to all the IPFS gateways because there’s a maintained list of them. That would provide quite a bit of mitigation to this.”

But this is no long-term solution. As web3 evolves and grows, and NFT/blockchain applications become more pervasive on IPFS, it is unlikely that many users will be able to disengage from the process. 

Any form of local or IPFS gateway block on malicious files will be difficult. While malicious IPFS URLs may be recognized and individually blocked, the process will be similar to using traditional signatures to block malware. The attacker need only change a few characters in the file and a new hash signature will be created – creating a new IPFS file that will be redistributed to different nodes.
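As an added example (not code from Talos or SecurityWeek), the following Python flags web-proxy log entries by the structure of an IPFS gateway URL rather than by individual hash, so a file whose hash has changed is still caught. The log format, client addresses, gateway domains and content identifiers (CIDs) are constructed placeholders, not real indicators.

```python
import re
from urllib.parse import urlsplit

# CIDv0: base58btc multihash, 46 chars starting "Qm" (case-sensitive, path only).
CID_V0 = r"Qm[1-9A-HJ-NP-Za-km-z]{44}"
# CIDv1 in base32: multibase prefix "b", 59+ chars for a SHA-256 digest.
CID_V1 = r"b[a-z2-7]{58,}"
PATH_RE = re.compile(rf"^/ipfs/({CID_V0}|{CID_V1})(?:/|$)")
HOST_RE = re.compile(rf"^({CID_V1})\.ipfs\.([a-z0-9.-]+)$")

def classify(url):
    """Return (style, cid, gateway_host) for an IPFS gateway URL, else None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    m = HOST_RE.match(host)          # https://<cid>.ipfs.<gateway>/
    if m:
        return ("subdomain", m.group(1), m.group(2))
    m = PATH_RE.match(parts.path)    # https://<gateway>/ipfs/<cid>/...
    if m:
        return ("path", m.group(1), host)
    return None

def scan(log_lines):
    """Return (client, style, cid, gateway) for each line that hits a gateway."""
    hits = []
    for line in log_lines:
        _ts, client, url = line.split(maxsplit=2)
        result = classify(url.strip())
        if result:
            hits.append((client, *result))
    return hits

# Constructed sample data: placeholder CIDs and example domains, not real IoCs.
FAKE_V0 = "Qm" + "Zz19" * 11
FAKE_V0_B = "Qm" + "Zz18" * 11      # changed content gives a different hash
FAKE_V1 = "bafy" + "abcd2345" * 7
SAMPLE_LOG = [
    f"2000-01-01T10:00:01Z 10.0.0.5 https://gw.example.net/ipfs/{FAKE_V0}/login.html",
    f"2000-01-01T10:00:07Z 10.0.0.5 https://gw.example.net/ipfs/{FAKE_V0_B}",
    f"2000-01-01T10:01:12Z 10.0.0.9 https://{FAKE_V1}.ipfs.gw.example.org/",
    "2000-01-01T10:02:30Z 10.0.0.7 https://blog.example.com/ipfs/what-is-it",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The last sample line contains `/ipfs/` but no valid CID and is not flagged, which keeps ordinary pages that merely mention IPFS out of the results.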

The Talos report describes several different attacks the researchers have discovered within IPFS. One example appears to be a PDF associated with DocuSign. If the victim clicks on ‘review document’, he or she is redirected to a page that appears to be a Microsoft authentication page but is a phishing page hosted on the IPFS network. Any data collected is sent to the attacker through an HTTP POST request to an attacker-controlled web server for use in further attacks.

Another example is an Agent Tesla malspam campaign using IPFS throughout the infection process to eventually deliver a malware payload. 

To be clear, the use of IPFS does not require new malware. It is primarily a growing hosting and delivery mechanism. It offers the attacker resilient hosting and makes it difficult, if not impossible, for defenders to block malicious links. Defense against delivered malware remains the same, with defenders even more reliant on malware detection and response.

Attackers are likely to increase the use of IPFS-hosted malware because of its simple, free and resilient hosting capabilities. Whether this will lead to any dramatic increase in the volume of attacks remains to be seen.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
