Dropbox links as a malware-delivery channel: RAT distribution via trusted shares
2024
Beyond credential phishing, attackers have used Dropbox links to deliver malware — distributing remote-access trojans such as AsyncRAT through Dropbox-hosted archives and shortcut files that abuse the service's trusted reputation to get past defenses.
What happened
Dropbox's role in attacks is not limited to hosting phishing pages; it is also used to deliver executable malware. Security reporting in 2024 documented multi-stage campaigns that placed malicious payloads behind Dropbox links — for example ZIP archives containing internet-shortcut files that, when opened, pulled down further stages and ultimately installed remote-access trojans such as AsyncRAT, in some chains combined with throwaway TryCloudflare tunnels and Python payloads.
The appeal for attackers is the same trust that powers Dropbox's business: links to dropbox.com are routinely allowed by mail filters and proxies, and a download from a familiar cloud host raises less suspicion than one from an unknown domain. By staging malware on Dropbox, adversaries borrow the platform's reputation to slip past reputation-based and domain-blocking controls.
Impact
Malware-via-Dropbox keeps the service on the list of legitimate platforms abused for payload delivery, which complicates defense because blocking Dropbox outright is impractical for most organizations. It shifts the burden of detection from domain reputation to attachment and behavioral analysis, and it means Dropbox shares, like its notifications, can serve as an attack vector even when no Dropbox account is compromised.
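As an added example of the attachment analysis described above (not code from the 2024 reporting or from Dropbox), the following Python opens a downloaded ZIP, lists any internet-shortcut files inside it, and reads each shortcut's URL= target so it can be reviewed regardless of where the archive was hosted. The extension list, the size limit, the rule that non-http(s) targets deserve review, and the sample archive are assumptions constructed for illustration.

```python
import configparser
import io
import zipfile
from urllib.parse import urlparse

SHORTCUT_EXTS = (".url", ".lnk")          # assumption: extensions worth flagging
TUNNEL_SUFFIXES = ("trycloudflare.com",)  # tunnel service named in the reporting
MAX_SHORTCUT_BYTES = 64 * 1024            # assumption: real shortcuts are tiny


def shortcut_target(data):
    """Return the URL= value from an internet-shortcut (.url) file, or None."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(data.decode("utf-8-sig", errors="replace"))
    except configparser.Error:
        return None
    wanted = [s for s in parser.sections() if s.lower() == "internetshortcut"]
    return parser.get(wanted[0], "url", fallback=None) if wanted else None


def scan_archive(zip_bytes):
    """Return (name, target, reasons) for each shortcut file inside a ZIP."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            name = info.filename.lower()
            if not name.endswith(SHORTCUT_EXTS):
                continue
            reasons, target = ["shortcut file inside archive"], None
            if name.endswith(".url") and info.file_size <= MAX_SHORTCUT_BYTES:
                target = shortcut_target(archive.read(info))
                parsed = urlparse(target or "")
                host = (parsed.hostname or "").lower()
                if parsed.scheme.lower() not in ("http", "https"):
                    reasons.append("target is not an http(s) web link")
                if any(host == s or host.endswith("." + s) for s in TUNNEL_SUFFIXES):
                    reasons.append("target host is a throwaway tunnel")
            findings.append((info.filename, target, reasons))
    return findings


def build_sample():
    """Constructed archive: a text file, a benign shortcut, a tunnel shortcut."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("readme.txt", "constructed sample")
        z.writestr("docs.url", "[InternetShortcut]\nURL=https://www.example.com/\n")
        z.writestr("invoice.url", "[InternetShortcut]\nURL=file://constructed-example.trycloudflare.com/share/a.pdf\n")
    return buf.getvalue()
```

Calling `scan_archive(build_sample())` returns one finding per shortcut; the verdict depends only on the archive's contents, not on the reputation of the host that served it.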