| Threat Actor | Cloud TTPs | References |
|---|---|---|
| 8220 Gang | Exploits outdated and misconfigured software | JupiterOne - 8220 Gang Cloud Botnet Targets Misconfigured Cloud Workloads |
| AlienFox | Opportunistic exploitation of server-side misconfigurations; AWS SES-centric functionality | Sentinel Labs - Dissecting AlienFox \| The Cloud Spammer’s Swiss Army Knife |
| APT41 / Winnti | ELF backdoor with cloud credential harvesting (AWS IAM, GCP, Azure, Alibaba), IMDS metadata harvesting, typosquatted C2 domains | Breakglass Intel - APT41 Winnti ELF Cloud Credential Harvester |
| AMBERSQUID | Cryptomining, distributed via Docker Hub, using non-EC2 services | AWS’s Hidden Threat: AMBERSQUID Cloud-Native Cryptojacking Operation |
| AndroxGh0st / Xcatze | Exposed Laravel .env configs; uses the compromise for SES spam or malicious email | Lacework Labs - AndroxGh0st: the python malware exploiting your AWS keys; CISA - Known Indicators of Compromise Associated with Androxgh0st Malware |
| Automated Libra | PurpleUrchin freejacking | PurpleUrchin Bypasses CAPTCHA and Steals Cloud Platform Resources |
| Cloud Snooper | Rootkit; AWS SSM used for pivoting | Sophos - Cloud Snooper Attack Bypasses AWS Security Measures; Pacific Rim: Inside the Counter-Offensive |
| Crimson Collective | Abuse of exposed credentials; data exfiltration | Crimson Collective: A New Threat Group Observed Operating in the Cloud |
| CRYSTALRAY | Vulnerability exploitation; cryptominers | CRYSTALRAY: Inside the Operations of a Rising Threat Actor Exploiting OSS Tools |
| Cosmic Wolf | Credential compromise | CrowdStrike - 2022 Global Threat Report |
| Denonia | Lambda malware | Cado Discovers Denonia: The First Malware Specifically Targeting Lambda |
| EC2 Grouper | Credential compromise (primarily from code repositories) | Catching "EC2 Grouper" - no indicators required! |
| FBot | AWS SES abuse | SentinelOne - Exploring FBot; Ian Ahl (tweet) |
| FulcrumSec | Exploits unpatched vulnerabilities; data exfiltration without ransomware | New Threat Actor: FulcrumSec; WatchGuard - FulcrumSec Ransomware |
| Greenbot | Unknown initial access; uses the compromise for SES spam or malicious email | Our Approach to Detection: AndroxGh0st and GreenBot Edition |
| GUI-Vil | Credential compromise and known vulnerabilities | Unmasking GUI-Vil: Financially Motivated Cloud Threat Actor |
| Hazy Hawk | Subdomain takeovers | Cloudy with a Chance of Hijacking: Forgotten DNS Records Enable Scam Actor |
| Kinsing | Malware | CyberArk - Kinsing: The Malware with Two Faces; Cloud Defense in Depth: Lessons from the Kinsing Malware; Looney Tunables Vulnerability Exploited by Kinsing; Kinsing Malware Hides Itself as a Manual Page and Targets Cloud Servers |
| LAPSUS$ / DEV-0537 | Phone-based social engineering; SIM-swapping to facilitate account takeover; accessing personal email accounts of employees at target organizations; paying employees, suppliers, or business partners of target organizations for access to credentials and multifactor authentication (MFA) approval | Microsoft - DEV-0537 criminal actor targeting organizations for data exfiltration and destruction |
| Legion | AWS SES abuse | Permiso - Legion: The Latest Threat in Mass Spam Attacks; Cado Security - Legion: an AWS Credential Harvester and SMTP Hijacker; Updates to Legion: A Cloud Credential Harvester and SMTP Hijacker |
| P2PInfect | P2P Redis botnet (11.2% AWS IPs) | Cado Security Labs Researchers Witness a 600X Increase in P2Pinfect Traffic |
| RBAC Buster | Targets Kubernetes anonymous access, then uses a ClusterRoleBinding to gain full cluster access with persistence | First-Ever Attack Leveraging Kubernetes RBAC to Backdoor Clusters |
| Outlaw | Targets known CVEs or SSH brute force | Outlaw Group Distributes Cryptocurrency-Mining Botnet |
| Predator AI | Stealer and hacktool targeting AWS SES | ChatGPT-Powered Infostealer Takes Aim at Cloud Platforms |
| Rocke | Targets known CVEs | Cisco Talos - Rocke: The Champion of Monero Miners |
| Silentbob (TeamTNT or copycat) | Exploits misconfigured Docker and Kubernetes | Aqua Security - Threat Alert: Anatomy of Silentbob’s Cloud Attack; Permiso - Agile Approach to Mass Cloud Credential Harvesting and Crypto Mining Sprints Ahead; SentinelOne - Cloudy With a Chance of Credentials \| AWS-Targeting Cred Stealer Expands to Azure, GCP; Datadog - An analysis of a TeamTNT doppelgänger |
| SNS Sender | AWS SNS SMS phishing kit | SentinelOne - SNS Sender \| Active Campaigns Unleash Messaging Spam Through the Cloud |
| Spoiled Scorpius (distributors of RansomHub) | "Delete backups from both on-premises and cloud storage" | Unit 42 - Ransomware Review: First Half of 2024 |
| TeamPCP / DeadCatx3 / PCPcat / ShellForce / UNC6780 | Exploits misconfigured Docker APIs, Kubernetes clusters, Ray dashboards, Redis servers; GitHub Actions supply chain attacks (CVE-2026-33634); CVE-2025-29927 and CVE-2025-55182 (React2Shell); worm-driven ransomware, data exfiltration, cryptomining | Flare - Threat Alert: TeamPCP, An Emerging Force in the Cloud Native and Ransomware Landscape; The Hacker News - TeamPCP Worm Exploits Cloud Infrastructure; Unit42 - Weaponizing the Protectors: TeamPCP's Multi-Stage Supply Chain Attack |
| TeamTNT | Exploits misconfigured Docker and Kubernetes | MITRE ATT&CK - TeamTNT |
| TraderTraitor / UNC4899 / Slow Pisces | Social engineering, malware delivery, AWS enumeration (S3, RDS, Lambda, Secrets Manager, EKS), stolen AWS tokens, React2Shell exploitation, Kubernetes service account token theft, pod enumeration | TraderTraitor: Deep Dive; Investigating Suspected DPRK-Linked Crypto Intrusions; Unit42 - Modern Kubernetes Threats |
| TRIPLESTRENGTH | Leverages stolen credentials and cookies for mining and resource hijacking, as well as access resale | M-Trends 2025: TRIPLESTRENGTH Leverages Stolen Credentials for Cloud Assets for Illicit Cryptocurrency Mining |
| Turla / Pensive Ursa | Stealer targeting AWS credentials | Appendix for "Over the Kazuar’s Nest: Cracking Down on a Freshly Hatched Backdoor Used by Pensive Ursa (aka Turla)" |
| UAT-10608 | Exploits React2Shell (CVE-2025-55182); automated credential harvesting via NEXUS Listener; IMDS querying for cloud credentials | Talos - UAT-10608: Inside a large-scale automated credential harvesting operation |
| UNC2903 | SSRF (targeting known CVEs) | Mandiant - Old Services, New Tricks: Cloud Metadata Abuse by UNC2903 |
| UNC3944 / Scattered Spider / Starfraud / Scatter Swine / Muddled Libra / LUCR-3 | Social engineering; accidental credential leakage | CISA - Joint Advisory Scattered Spider; Mandiant - Why Are You Texting Me? UNC3944 Leverages SMS Phishing Campaigns for SIM Swapping, Ransomware, Extortion, and Notoriety; Reliaquest - Scattered Spider Attack Analysis; Crowdstrike - Not a SIMulation: CrowdStrike Investigations Reveal Intrusion Campaign Targeting Telco and BPO Companies; Unit42 - Muddled Libra’s Evolution to the Cloud; LUCR-3: Scattered Spider Getting SaaS-y in the Cloud; Ransomware in the Cloud: Scattered Spider Targeting Insurance and Financial Industries |
| VoidLink | AI-generated, cloud-first malware | Unveiling VoidLink – A Stealthy, Cloud-Native Linux Malware Framework |
| Watchdog | Exploits misconfigured Docker and Kubernetes | TeamTNT Returns – or Does It? |