
Filedot.to | Vlad

Since early 2023, a cyber‑criminal group or individual operating under the moniker “Vlad” has repeatedly leveraged Filedot.to in a series of ransomware‑and‑extortion campaigns targeting mid‑size enterprises in Europe, North America, and the Asia‑Pacific region. Vlad’s operational pattern combines social‑engineering spear‑phishing, malicious macro‑laden Office documents, and Filedot.to‑hosted executables that are later downloaded and executed via PowerShell or Windows Script Host.

The alias also appears in and MISP as an actor identifier (ATT&CK Group TXXXXX). Security researchers have grouped several campaigns under the umbrella “Vlad ransomware/extortion” based on common C2 infrastructure, the ransomware payload (named “VladLock.exe”), and the persistent use of Filedot.to for payload hosting.

3.2. Modus Operandi & Campaign Timeline

| Date | Campaign Name | Primary Vector | Filedot.to Usage | Ransom Note |
|------|---------------|----------------|------------------|-------------|
| 2023‑02‑23 | Vlad‑Initial | Malspam with macro‑laden Word doc | First observed hosting “VladLock.exe” | VladLock_v1.0.txt |
| 2023‑06‑12 | Vlad‑Spring | Business email compromise (BEC) with forged invoices | Uploaded “pspayload.bin” (encrypted PS script) | VladLock_v1.2.txt |
| 2024‑01‑05 | Vlad‑Winter | Exploit‑kit dropper via compromised WordPress site | Served “vladpayload.js” via Filedot.to CDN | VladLock_v2.0.txt |
| 2024‑09‑14 | Vlad‑Harvest | Phishing via LinkedIn messages | Hosted “harvest.exe” (data‑exfiltration tool) | VladLock_v2.5.txt |
| 2025‑03‑31 | Vlad‑AI | AI‑generated spear‑phish with deep‑fake video links | Hosted “ai‑payload.exe” (encrypted with RSA‑4096) | VladLock_v3.0.txt |
| 2025‑11‑20 | Vlad‑SupplyChain | Compromise of a popular supply‑chain management SaaS | Used Filedot.to as “fallback C2” for payloads | VladLock_v3.2.txt |

| Feature | Description |
|---------|-------------|
| | Up to 2 GB per file, unlimited number of files per IP per day. |
| Anonymous uploads | No email or phone verification required. |
| Short URLs | Each upload receives a random 8‑character alphanumeric path (e.g., https://filedot.to/ab12cd34). |
| Expiration options | Users can set a “self‑destruct” timer (default 30 days, minimum 1 hour). |
| Download limits | Optional “one‑time download” mode that deletes the file after the first successful fetch. |
| API | A simple HTTP POST endpoint (/api/upload) that accepts multipart/form‑data without authentication. |
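The two Filedot.to traits most useful to a defender are the fixed 8‑character download path and the unauthenticated POST to /api/upload. The following added example (not from the original page) scans a constructed, hypothetical proxy log for both patterns and surfaces hosts that fetched a short URL and later posted an upload, which is the download‑then‑exfiltrate sequence the campaign table describes.

```python
import re
from dataclasses import dataclass

# Hypothetical proxy log format, constructed for this example:
#   <timestamp> <client_ip> <method> <url> <status>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)
# Download links: exactly 8 alphanumeric characters after the host (per the feature table).
DOWNLOAD_RE = re.compile(r"^https?://filedot\.to/(?P<path>[A-Za-z0-9]{8})/?$")
# Uploads: the unauthenticated multipart endpoint.
UPLOAD_RE = re.compile(r"^https?://filedot\.to/api/upload/?$")


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    kind: str    # "download" or "upload"
    detail: str  # short path for downloads, URL for uploads


def classify(line: str):
    """Return a Finding for a Filedot.to download or upload line, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    method, url = m["method"], m["url"]
    if method == "POST" and UPLOAD_RE.match(url):
        return Finding(m["ts"], m["src"], "upload", url)
    d = DOWNLOAD_RE.match(url)
    if method == "GET" and d:
        return Finding(m["ts"], m["src"], "download", d["path"])
    return None


def scan(lines):
    return [f for f in (classify(l) for l in lines) if f is not None]


def suspicious_sources(findings):
    """Hosts seen both downloading a short URL and posting to /api/upload."""
    kinds = {}
    for f in findings:
        kinds.setdefault(f.src, set()).add(f.kind)
    return {src for src, k in kinds.items() if {"download", "upload"} <= k}


SAMPLE_LOG = """2025-03-31T09:12:03Z 10.0.4.17 GET https://filedot.to/ab12cd34 200
2025-03-31T09:12:07Z 10.0.4.17 GET https://filedot.to/abcdefghi 404
2025-03-31T10:01:44Z 10.0.7.22 POST https://filedot.to/api/upload 200
2025-03-31T10:02:00Z 10.0.7.22 GET https://example.com/index.html 200
2025-03-31T11:30:12Z 10.0.4.17 POST https://filedot.to/api/upload 200"""
```

The 9‑character path on the second line is deliberately left unmatched so the pattern does not fire on arbitrary paths under the domain.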
