Crimson Collective: A New Threat Group Observed Operating in the Cloud

Oct. 10, 2025, 5:35 p.m.

Description

Over the past few weeks, Rapid7 has observed increased activity from a new threat group attacking AWS cloud environments with the goal of exfiltrating data and then extorting the victim. The group refers to itself as ‘Crimson Collective’ and has recently announced that it is behind an attack on Red Hat, in which it claims to have stolen private repositories from Red Hat’s GitLab.

Date

  • Created: Oct. 10, 2025, 5:12 p.m.
  • Published: Oct. 10, 2025, 5:12 p.m.
  • Modified: Oct. 10, 2025, 5:35 p.m.

Indicators

  • 5.9.108.250
  • 195.201.175.210
  • 45.148.10.141

Attack Patterns