Veriti has uncovered a concerning trend where cybercriminals are actively exploiting misconfigured cloud services to distribute malware and control compromised systems.
Over 40% of networks allow “any/any” communication with at least one major cloud provider, creating significant security vulnerabilities for organizations worldwide.
This permissive configuration essentially creates an open gateway for threat actors, enabling unrestricted data exfiltration to attacker-controlled cloud instances and facilitating the deployment of malicious payloads from trusted cloud services that can trick users into downloading malware.
The implications of these findings are profound for enterprise security. When organizations configure their networks to allow unrestricted communication with cloud providers, they inadvertently create a security blind spot that malicious actors can exploit.
These misconfigurations allow attackers to establish command-and-control infrastructure within trusted cloud environments, making detection significantly more challenging as the malicious traffic blends with legitimate business communications.
Security teams often whitelist major cloud providers, further complicating the identification of malicious activities originating from these trusted sources.
Forensic analysis of recent attacks has revealed multiple sophisticated malware campaigns specifically designed to leverage cloud storage for payload delivery.
In one documented case, threat actors distributed malware through Amazon Web Services (AWS) S3 buckets, with payload locations such as “hxxps://dctdownload.s3.amazonaws[.]com/grabs/s3_n..Jexe” being used to host malicious executables.
The use of legitimate cloud infrastructure helps attackers evade traditional security controls that might otherwise flag suspicious domains.
Another particularly concerning campaign identified by Veriti researchers involved Remcos remote access trojan (RAT) distribution.
This campaign utilized malicious RTF files that exploited known vulnerabilities (CVE-2017-11882 and CVE-2017-0199) to target victims, particularly in Egypt.
The attackers hosted their payloads on AWS S3 buckets at locations like “f8a076dcf0384e1f93bded36c8a9646c.s3.amazonaws./com” – again leveraging trusted infrastructure to distribute malware.
Beyond simple malware hosting, Veriti’s research identified numerous cases where cloud platforms serve as command-and-control (C2) servers, allowing adversaries to remotely control infected systems.
The abuse spans multiple cloud providers, with different malware families preferring specific cloud environments for their operations.
Cloud-Based Command and Control Infrastructure
The research uncovered a concerning pattern of cloud platforms being systematically exploited as command-and-control hubs across major providers.
AWS infrastructure has been observed hosting Havoc Malware C2 operations using the IP address 3.136.231.230 and domains like www.fortinet./app and avina./cloud.
Google Cloud instances have been compromised to host Caldera C2 operations at 34.160.47, while Microsoft Azure has been implicated in supporting both HookBot (52.140.39.118) and Mythic malware operations (172.211.76.248).
Meanwhile, Alibaba Cloud infrastructure has been linked to Pupy RAT (8.210.107.12035.2, 41.106.118) and Brutal Ratel (8.212.128.240) command and control activities.
Sliver C2 (Source – Veriti)
One of the most alarming developments identified in the research is the growing adoption of Sliver C2 framework in cloud-based attacks.
This open-source adversary emulation framework has gained popularity among Advanced Persistent Threat (APT) groups for facilitating stealthy command-and-control operations.
Security researchers have observed Sliver being used in conjunction with Rust-based malware such as KrustyLoader to establish persistent backdoors in compromised environments.
The framework has demonstrated particular effectiveness when combined with zero-day vulnerability exploitation, including recent attacks against Ivanti Connect Secure and Policy Secure vulnerabilities.
The research also documented specific malware strains commonly distributed through cloud infrastructure.
These include variants of Mirai botnet malware (hash: 1045447b3a83e357l2048bc2ea283fa2) and NJRAT remote access trojan (hash: 194f17553dc3daf9c7975a26d1cf908e1557ab5debca1cc79e2815dc9266c8de).
Each of these threats leverages the perceived legitimacy of cloud services to evade detection and establish persistence within victim networks.
To mitigate these emerging threats, security experts recommend implementing strict network rules that define explicit parameters for cloud communications rather than allowing “any/any” configurations.
Organizations should deploy cloud-native security solutions capable of monitoring for suspicious activities within their cloud environments and implement comprehensive logging to identify potential data exfiltration attempts.
Regular security assessments focusing specifically on cloud service configurations can help identify and remediate these dangerous misconfigurations before they can be exploited.
