The threat group JavaGhost has evolved from website defacement to persistent phishing operations targeting cloud environments, particularly AWS. Between 2022 and 2024, JavaGhost leveraged long-term AWS access keys that had been exposed through customer misconfigurations. These keys allowed the group to access AWS services such as Amazon SES and WorkMail to send phishing emails, often from preexisting, trusted infrastructure. Their evasion tactics included avoiding typical detection patterns, such as skipping the commonly used GetCallerIdentity API call, and instead making less suspicious API requests to maintain stealth.
To establish long-term persistence, JavaGhost used a combination of IAM manipulation (e.g., creating new users and roles with admin privileges), phishing infrastructure setup through SES, and console login generation via temporary credentials. They employed the GetFederationToken and GetSigninToken APIs, along with the urllib3 Python library, to generate temporary AWS console URLs. Additionally, they created IAM roles with trust policies allowing cross-account access, added "calling cards" such as empty EC2 security groups named "Java_Ghost", and made subtle changes such as enabling unused AWS regions or attempting to leave AWS Organizations to bypass security controls.