Trusted by design, abused in practice: Dropbox as malware command-and-control
2020–2026
State-aligned hacking groups, including North Korea's Kimsuky and ScarCruft, have repeatedly used the Dropbox API as a command-and-control and data-exfiltration channel, exploiting the fact that Dropbox traffic is trusted and rarely blocked.
What happened
Because Dropbox is ubiquitous in corporate environments and its traffic is encrypted and generally allow-listed, it is an attractive 'living off trusted services' channel for attackers. Multiple threat-intelligence reports document advanced persistent threat (APT) groups — including the North Korea-aligned Kimsuky and ScarCruft (APT37) — using Dropbox API endpoints to receive commands, stage additional payloads, and exfiltrate stolen data from compromised machines. The malware authenticates to Dropbox with attacker-controlled OAuth tokens and beacons over ordinary HTTPS to dropbox.com, which blends into normal enterprise activity.
This is not a breach of Dropbox's own systems; it is abuse of the platform's legitimate functionality. But it is a documented, recurring security problem that flows directly from Dropbox's design and reach: a service trusted enough to be exempted from many security controls becomes a convenient covert channel. Defenders increasingly have to treat Dropbox API traffic as something to monitor rather than automatically trust.
The pattern has persisted across years and multiple campaigns, and Dropbox shares it with other widely trusted SaaS platforms (GitHub, Google Drive, OneDrive) that are similarly repurposed as C2 infrastructure.
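As an added illustration that is not part of the original report, the Python below shows one way a defender can pick beacon-like Dropbox API traffic out of web-proxy logs: it groups requests to the Dropbox API v2 hosts by source machine and flags sources whose inter-request intervals are near-constant, which is typical of malware polling for commands and atypical of a person clicking around. The log lines, the WS-17/WS-03 host names and the user-agent strings are constructed, and the thresholds are assumptions to be tuned per environment.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Dropbox API v2 hosts; direct API-host traffic from a workstation merits a look.
DROPBOX_API_HOSTS = {"api.dropboxapi.com", "content.dropboxapi.com"}

# Constructed proxy log sample: timestamp|source|user agent|dest host|path
SAMPLE_LOG = """\
2024-03-01T10:00:00|WS-17|sample-agent/1.0|api.dropboxapi.com|/2/files/list_folder
2024-03-01T10:01:00|WS-17|sample-agent/1.0|api.dropboxapi.com|/2/files/list_folder
2024-03-01T10:01:58|WS-17|sample-agent/1.0|content.dropboxapi.com|/2/files/download
2024-03-01T10:03:01|WS-17|sample-agent/1.0|api.dropboxapi.com|/2/files/list_folder
2024-03-01T10:04:00|WS-17|sample-agent/1.0|content.dropboxapi.com|/2/files/upload
2024-03-01T09:12:10|WS-03|Mozilla/5.0 (sample browser)|api.dropboxapi.com|/2/files/list_folder
2024-03-01T09:13:40|WS-03|Mozilla/5.0 (sample browser)|content.dropboxapi.com|/2/files/upload
2024-03-01T09:40:33|WS-03|Mozilla/5.0 (sample browser)|api.dropboxapi.com|/2/files/list_folder
2024-03-01T09:41:00|WS-03|Mozilla/5.0 (sample browser)|content.dropboxapi.com|/2/files/download
2024-03-01T11:05:02|WS-03|Mozilla/5.0 (sample browser)|api.dropboxapi.com|/2/files/list_folder
"""

def parse_log(text):
    """Parse the pipe-separated sample format into event dicts."""
    events = []
    for line in text.splitlines():
        ts, src, ua, host, path = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "src": src,
                       "ua": ua, "host": host, "path": path})
    return events

def find_beacons(events, min_hits=5, max_cv=0.15):
    """Return sources whose Dropbox API requests arrive at near-constant gaps.
    max_cv caps the coefficient of variation (stdev / mean) of the gaps;
    human-driven traffic is bursty and fails this test."""
    by_src = defaultdict(list)
    for e in events:
        if e["host"] in DROPBOX_API_HOSTS:
            by_src[e["src"]].append(e)
    findings = {}
    for src, evs in by_src.items():
        if len(evs) < min_hits:
            continue
        evs.sort(key=lambda e: e["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(evs, evs[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else float("inf")
        if cv <= max_cv:
            findings[src] = {"hits": len(evs), "mean_gap_s": round(avg, 1), "cv": round(cv, 3),
                             "user_agents": sorted({e["ua"] for e in evs})}
    return findings
```

On the sample, WS-17 (requests roughly every 60 seconds with small jitter) is flagged while WS-03's irregular, browser-driven activity is not; in practice the flagged source, its user agent and the OAuth app behind the token are the pivot points for triage.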
Impact
For enterprises, the takeaway is uncomfortable: the same ubiquity and trust that make Dropbox useful make it useful to attackers, and 'allow Dropbox' rules can become blind spots. It also creates an account-abuse and content-moderation burden on Dropbox to detect and disable malicious app tokens and accounts. The issue reframes platform 'trust' as a double-edged property rather than an unalloyed good.