The file is hosted on a trusted cloud service instead of the threat actor's command and control (C2) server, so the chances of raising security alarms while fetching it are minimized. "Disguising ...