Tag: cloud

15 Attack Reports | 0 Vulnerabilities

Attack reports

Shai-hulud 2.0 Campaign Targets Cloud and Developer Ecosystems

The Shai-hulud 2.0 campaign features an advanced malware variant that steals credentials and secrets from major cloud platforms and developer services. It automates the backdooring of NPM packages maintained by victims, enabling rapid propagation across the software supply chain. The malware target…
supply chain
cloud
credential theft
azure
npm
aws
github
shai-hulud
2025-11-27
gcp
Published: November 27, 2025
Downloadable IOCs: 6

RoKRAT Shellcode and Steganographic Threats: Analysis and EDR Response Strategies

A new variant of RoKRAT malware used by APT37 has been identified, employing a two-stage encrypted shellcode injection method and steganography to conceal malicious code in image files. The malware uses shortcut files with embedded commands to execute its attack, distributed via compressed archives…
apt
dropbox
rokrat
cloud
injection
steganography
shellcode
edr
fileless
xor
2025-08-07
Published: August 7, 2025
Downloadable IOCs: 0

Dero miner spreads inside containerized Linux environments

A new Dero mining campaign is infecting containerized Linux environments through exposed Docker APIs. The attack uses two Golang malware components: 'nginx' for propagation and 'cloud' for mining. The 'nginx' malware scans for vulnerable Docker hosts, creates malicious containers, and compromises e…
linux
persistence
cloud
docker
cryptocurrency mining
container security
nginx
2025-05-21
dero
golang malware
port scanning
Published: May 21, 2025
Downloadable IOCs: 3

Dero miner zombies biting through Docker APIs to build a cryptojacking horde

A new Dero mining campaign exploits insecurely published Docker APIs to spread through containerized Linux environments. The attack uses two Golang malware implants: 'nginx' for propagation and 'cloud' for cryptocurrency mining. The 'nginx' malware scans for vulnerable Docker APIs, creates maliciou…
linux
cloud
exploitation
docker
cryptocurrency mining
nginx
2025-05-21
dero
containerized environments
golang malware
Published: May 21, 2025
Downloadable IOCs: 3

PhaaS actor uses DoH and DNS MX to dynamically distribute phishing

Infoblox discovered a phishing kit that creatively employs DNS mail exchange (MX) records to dynamically serve fake, tailored, login pages, spoofing over 100 brands.
phishing
cloud
malspam
2025-03-31
morphing meerkat
Published: March 31, 2025
Downloadable IOCs: 21

Ransomware in the Cloud: Scattered Spider Targeting Insurance and Financial Industries

The Scattered Spider cybercriminal group is targeting cloud infrastructures in the insurance and financial sectors using advanced techniques. They exploit leaked authentication tokens, conduct phishing and smishing campaigns, and leverage SIM swapping to bypass multi-factor authentication. The grou…
phishing
ransomware
blackcat
alphv
persistence
cloud
noberus
vidar stealer
stealc
redline stealer
raccoon stealer
2024-09-11
sim swapping
finance
insurance
Published: September 11, 2024
Downloadable IOCs: 12

Leaked Environment Variables Allow Large-Scale Extortion Operation of Cloud Environments

Unit 42 researchers uncovered an extortion campaign that compromised and extorted multiple victim organizations by leveraging exposed environment variable files containing sensitive credentials. The campaign involved setting up attack infrastructure within victims' Amazon Web Services (AWS) environ…
extortion
cloud
credentials
aws
2024-08-16
scanning
automation
compromised
Published: August 16, 2024
Linked vulnerabilities : CVE-2024-6387 (CVSS 8.1), CVE-2024-3094
Downloadable IOCs: 37

Hackers Leveraging OneDrive Or Google Drive To Hide Malicious Traffic

Cyber threat actors, including nation-state groups, are utilizing legitimate cloud services like Microsoft OneDrive and Google Drive for covert operations. These services evade detection by masquerading as trusted entities, enabling data exfiltration and tool deployment. A new Go-based backdoor, Go…
backdoor
espionage
exfiltration
cloud
2024-08-07
gogra
moontag
api
trojan.grager
onedrivetools
whipweave
Published: August 7, 2024
Downloadable IOCs: 20

Cloud Cover: How Malicious Actors Are Leveraging Cloud Services

In recent times, there has been a notable rise in the exploitation of legitimate cloud services by threat actors, including nation-state groups. Attackers have realized the potential of these services to provide low-cost infrastructure, evading detection as communication to trusted platforms may no…
espionage
cloud
graphite
graphon
birdyclient
2024-08-07
gogra
grager
moontag
Published: August 7, 2024
Linked vulnerabilities : CVE-2024-21887, CVE-2024-21893
Downloadable IOCs: 20

DERO cryptojacking adopts new techniques to evade detection

This report examines the threat actors behind a 2023 cryptojacking campaign targeting misconfigured Kubernetes clusters, focusing on their evolving techniques to avoid detection. It analyzes the malicious Docker images they deployed, the hardcoded wallet and pool information in the DERO miner binar…
cloud
kubernetes
cryptojacking
2024-06-14
dero miner
Published: June 14, 2024
Downloadable IOCs: 18

APT Attacks Using Cloud Storage

The report describes a malicious campaign where threat actors utilize cloud services like Google Drive, OneDrive, and Dropbox to distribute malware and collect user information. The attack process starts with a malicious shortcut file (LNK) that executes PowerShell scripts to download decoy documen…
apt
dropbox
powershell
cloud
2024-06-11
xenorat
Published: June 11, 2024
Downloadable IOCs: 1

Commando Cat: A Novel Cryptojacking Attack Abusing Docker Remote API Servers

This report details a cryptojacking campaign exploiting exposed Docker remote API servers. Threat actors employ the cmd.cat/chattr Docker image for initial access, utilizing techniques like chroot and volume binding to break out of the container and access host systems. They deploy cryptocurrency m…
malware
cryptocurrency
cloud
2024-06-07
cryptojacking
docker
containers
ziggystartux
Published: June 7, 2024
Downloadable IOCs: 7

Analysis and Detection of CLOUD#REVERSER: An Attack Involving Threat Actors Compromising Systems Using A Sophisticated Cloud-Based Malware

Securonix Threat Research has uncovered a sophisticated malware campaign, dubbed CLOUD#REVERSER, that leverages popular cloud storage services like Google Drive and Dropbox for malware delivery, command execution, and data exfiltration. The infection chain starts with a phishing email containing a …
phishing
powershell
cloud
2024-05-22
vbscript
cloud#reverser
Published: May 22, 2024
Downloadable IOCs: 16

Attackers exploiting new critical vulnerabilities on Kubernetes clusters

Microsoft security researchers have uncovered an attack campaign exploiting recently disclosed critical vulnerabilities in the OpenMetadata platform to gain unauthorized access to Kubernetes clusters, followed by reconnaissance and the deployment of crypto-mining malware. The vulnerabilities, affec…
cloud
exploitation
2024-05-21
kubernetes
openmetadata
Published: May 21, 2024
Downloadable IOCs: 6

Analysis of APT Group's Use of Malicious LNK Files to Deliver RokRat Attack

The report details a recent cyber attack campaign by the APT-C-28 (ScarCruft) group, known for targeting organizations in Korea and Asia. The campaign utilized a malicious LNK file disguised as a document related to a 'North Korean Human Rights Expert Debate' to deliver the RokRat remote access tro…
apt
lnk
rokrat
cloud
korea
Published: April 29, 2024
Downloadable IOCs: 3
Click here to see more Attack Reports