The forensic report concluded:
As long as platforms like filedot.to prioritize convenience over content security, threat actors like "MERC" will continue to use them as digital highways for their malicious cargo.
: The site's Terms of Service prohibit copyrighted or offensive material and emphasize cooperation with legal authorities. filedot.to merc
: Up to 5120 MB per upload and 10240 GB of storage.
Filedot.to is a cloud-based file hosting and transfer service. Like many legitimate platforms (e.g., WeTransfer, MediaFire), it allows users to upload files and share links. Its key features——make it attractive for legitimate users with large files. However, these same features are a magnet for cybercriminals. The forensic report concluded: As long as platforms
: Used as a simple cloud-based storage solution for personal documents or media. Important Considerations
For defenders, the lesson is clear: trust no file from an untrusted source, regardless of the hosting domain's apparent legitimacy. Blocking file-hosting services by default in high-risk environments is no longer paranoid—it is prudent. Filedot
Upon execution, the file drops a legitimate-looking decoy document (e.g., a fake PDF) to distract the user while the MERC crypter unpacks in memory.
Basic users can acquire shared directories without mandatory premium configurations. Contextualizing the "Merc" Asset