
Summary
This analytic detects suspicious file downloads performed with headless Chromium-based browsers, specifically instances launched with the `--headless` and `--dump-dom` command-line arguments. This behavior has been observed in threat campaigns such as DUCKTAIL, where automated browser capabilities are used to quietly capture and download content. The detection rule uses telemetry from the Cisco Network Visibility Module to monitor network connections made by processes identified as Chromium-based browsers, specifically Brave, Chrome, Microsoft Edge, Opera, and Vivaldi. It inspects network flow data for connections to known file-sharing domains or to IP addresses derived from the command-line arguments passed to those processes. Known local IP ranges are filtered out to avoid false positives, so the analytic helps security teams surface potentially malicious activity without flagging legitimate network behavior.
Categories
- Endpoint
- Network
Data Sources
- Pod
- Process
- Network Traffic
- Application Log
ATT&CK Techniques
- T1105
- T1059
Created: 2025-07-02