Cloud Threat Landscape
Techniques

Techniques utilized by threat actors and tools, as observed in various incidents

All Techniques

| Name | Tags | Incidents | ATT&CK Tactic | Tech | Status |
|---|---|---|---|---|---|
| Abuse access to existing KMS key | Cloud | | Credential Access (TA0006) | | Stub |
| Abuse naming patterns to guess resource IDs or fingerprint resources | Cloud | | Discovery (TA0007) | | Stub |
| Abuse of cross-job access in CI/CD system | CI/CD | | | | Stub |
| Abuse trust and privileges across accounts | Cloud | LAPSUS$ campaigns | Lateral Movement (TA0008) | | Stub |
| Abusing exposed Docker socket | K8s | Kiss-A-Dog campaign; OracleIV campaign | Initial Access (TA0001) | Docker | Stub |
| Add attacker-controlled IdP via ADFS access | AAD | APT29 targeting Microsoft 365 | Lateral Movement (TA0008) | | Stub |
| App Script impersonation | Cloud | | Persistence (TA0003) | | Stub |
| Appstream abuse | Cloud | | Initial Access (TA0001) | AWS Appstream | Stub |
| Attach administrative role to account | | DangerDev SES abuse incident; From refresh token theft to global admin | | | Stub |
| Auth token signing via ADFS access | AAD | APT29 targeting Microsoft 365 | Lateral Movement (TA0008) | | Stub |
| Auth token signing via Golden SAML | AAD | APT29 targeting Microsoft 365; Solarigate: Solarwinds supply chain attack; Peach Sandstorm targeting Azure | Lateral Movement (TA0008), Credential Access (TA0006) | | Finalized |
| Azure AD abuse | Cloud, AAD | Stealing the LIGHTSHOW | | | Stub |
| Azure Arc abuse | Cloud | Peach Sandstorm targeting Azure | Persistence (TA0003), Execution (TA0002) | Azure Arc | Stub |
| Azure Batch abuse | Cloud | Cryptojacking via Azure Batch | | Azure Batch | Stub |
| Azure cross-tenant synchronization backdoor | Cloud, AAD | | Persistence (TA0003) | | Stub |
| Azure lateral movement via cross-tenant synchronization | Cloud, AAD | | Lateral Movement (TA0008) | | Stub |
| Azure Run Commands abuse | Cloud | Scattered Spider Azure Run abuse | Execution (TA0002) | | Stub |
| Backdoor AMI | Cloud | | Initial Access (TA0001) | | Stub |
| Backdoor Docker image | K8s | AmberSquid campaign; eBPF Rootkit Targeting AWS and Linux Environments | Initial Access (TA0001) | Docker | Stub |
| Backdoor IaC (StackSet, Terraform, etc.) | Cloud | | Initial Access (TA0001) | | Stub |
| Backdoor Lambda Layer | Cloud | | Initial Access (TA0001) | AWS Lambda | Stub |
| Bootkit | Linux, Windows | | Persistence (TA0003) | | Stub |
| Bring Your Own Vulnerable Driver | Windows | Agenda Ransomware Targets ESXi and vCenter Servers; CrazyHunter Ransomware Group Targets Critical Sectors in Taiwan | Execution (TA0002), Privilege Escalation (TA0004) | | Stub |
| Bucket / storage ransomware | Cloud, Ransomware | BlackCat Azure Storage Account RansomOp; Codefinger Ransomware Campaign Targeting S3 Buckets | Impact (TA0040) | | Stub |
| Bucket name squatting attack | Cloud | | Initial Access (TA0001) | | Stub |
| cAdvisor abuse | App Misconfig. | | Reconnaissance (TA0043), Credential Access (TA0006) | cAdvisor | Stub |
| CI/CD system enumeration | CI/CD | | Discovery (TA0007) | | Stub |
| Cleartext cloud keys abuse | | Supply Chain Risk in Axis Autodesk Revit Plugin Due to Exposed Azure Storage Credentials | | | Not started |
| Cloud account password reset | | Phishing campaign leading to Azure account takeover | | | Not started |
| Cloud API enumeration | Cloud | Leaked long-lived AWS creds; LAPSUS$ campaigns; DangerDev SES abuse incident; Muddled Libra campaigns (2024); LLMjacking via Laravel exploitation; S3 RansomOp following long-term key exposure; Scylla LLMJacking campaign; Scattered Spider targeting Azure environment | Reconnaissance (TA0043) | | Stub |
| Cloud compute cryptojacking | Cloud, K8s | Kiss-A-Dog campaign; ScarletEel campaign (Feb ‘23); RBAC Buster; Misconfigured firewall to cryptojacking botnet; ScarletEel campaign (July ‘23); EleKtra-Leak; Labrat GitLab campaign; AmberSquid campaign; DangerDev SES abuse incident; ECS Fargate cryptojacking; Dero cryptojacking targeting K8s; DERO cryptojacking campaign (2024); SeleniumGreed: Threat actors exploit exposed Selenium Grid services for Cryptomining; Confluence exploited for cryptojacking; REF6138 campaign; Ultralytics compromise; Kong image compromise; USAID cryptojacking incident; Sysrv Apache Druid cryptojacking; Lucifer Apache Druid cryptojacking | Impact (TA0040) | | Featured |
| Cloud key compromise | | Apple cloud key exposure; BMW exposed cloud storage; Zenlayer exposed database; From social engineering to cryptocurrency theft; Football Australia exposed cloud key; Abusing management tooling for cloud access; Personal local drive to AWS ransomware; Third party to cloud compromise; Scylla LLMJacking campaign; Attack abusing Amazon SES; From social engineering to Lambda modification; JavaGhost SES abuse; Compromised cloud keys exfiltrated to bucket | Credential Access (TA0006) | | Stub |
| Cloud storage cryptojacking | Cloud | | Impact (TA0040) | | Finalized |
| Cloud to on-prem lateral movement | | Third party to cloud compromise; Smishing into Entra onto VMWare ransomware; Storm-0501 attacking hybrid environments with ransomware; UNC2165 Targets Hybrid Environments with Ransomware | | | Not started |
| Cloud-init persistence | Cloud | | Persistence (TA0003) | | Stub |
| Cluster anonymous access | K8s | RBAC Buster | Initial Access (TA0001) | | Stub |
| Command execution via Lambda | | From social engineering to Lambda modification | | | Not started |
| Container enumeration | K8s | Commando Cat campaign | Discovery (TA0007) | | Stub |
| Container escape | | | | | Not started |
| Create an IAM Roles Anywhere trust anchor | Cloud | | Initial Access (TA0001) | | Stub |
| Create new application user | | Cloudflare incident following Okta breach; Earth Lamia Custom Toolkit Targets Multiple Sectors via Web Vulnerabilities | | | Stub |
| Create new cloud user | Cloud | RBAC Buster; SIM-Swap to Data Leak on Dark Web; DangerDev SES abuse incident; S3 data exfiltration; Leaked long-lived AWS creds; ScarletEel campaign (Feb ‘23); ScarletEel campaign (July ‘23); S3 RansomOp following long-term key exposure; Scattered Spider SaaS targeting (2023); Phishing campaign leading to Azure account takeover; From stolen cloud key to persistence-as-a-service; GENESIS PANDA's Cloud Intrusions: Persistent Control Plane Exploitation and Access Brokerage; TruffleNet Campaign Exploits AWS SES for Large-Scale Cloud Abuse and BEC Fraud; Cloud-Native Phishing Infrastructure via Abused AWS WorkMail | Persistence (TA0003) | | Stub |
| Create new local user | Linux, Windows | Commando Cat campaign | Persistence (TA0003) | | Stub |
| Create or modify cloud key | | From refresh token theft to global admin | Persistence (TA0003), Credential Access (TA0006) | | Stub |
| Create or modify firewall or security group rules | | Cosmic Wolf cloud activity; DangerDev SES abuse incident; From password reset to data exfiltration; Scattered Spider targeting GCP environment; EC2 Grouper campaign | Defense Evasion (TA0005) | | Stub |
| Create SSH backdoor | | SilentBob cryptomining campaign; Qubitstrike Crypto Mining and Rootkit Campaign; Commando Cat campaign; CRYSTALRAY: threat actors exploiting OSS tools; Scattered Spider targeting GCP environment; Operation Windigo; Gelsemium’s Shift to Linux Malware with WolfsBane and FireWood; Plague PAM-Based Backdoor for Linux; DripDropper Malware Exploits Patched Apache ActiveMQ for Persistence on Cloud Linux Systems; eBPF Rootkit Targeting AWS and Linux Environments; Unauthenticated Remote Access via Triofox Vulnerability Exploited by UNC6485; Cryptomining Campaign Exploiting Exposed Ray AI Infrastructure | Persistence (TA0003) | | Stub |
| Credential compromise via Infostealer infection | | Otelier data breach; Shai-Hulud 2.0 Supply Chain Attack | | | Not started |
| Credential harvesting from code repository | CI/CD | SIM-Swap to Data Leak on Dark Web; EleKtra-Leak; Sisense breach; Rabbit AI exposed keys in code; Mercedes-Benz source code exposure; ShinyHunters Ransomware Targeting Cloud Environments; tj-actions/changed-files supply chain attack; Zapier data breach; xAI leaked API key; GhostAction campaign; Shai-Hulud: Ongoing Package Supply Chain Compromise Delivering Data-Stealing Malware; Shai-Hulud 2.0 Supply Chain Attack | Credential Access (TA0006) | | Stub |
| Credential stuffing | Cloud, Linux | Fast Company incident; New Relic incident (November 2023) | Initial Access (TA0001) | | Stub |
| Credential theft | | SilentBob cryptomining campaign; Qubitstrike Crypto Mining and Rootkit Campaign; LAPSUS$ campaigns; FBot toolkit targets cloud environments; Commando Cat campaign; From S3 bucket to Jenkins credential dump; Affirmed Networks breach; LLMjacking via Laravel exploitation; Atlas Lion phishing campaign; Smishing into Entra onto VMWare ransomware; Scattered Spider SaaS targeting (2024); CRYSTALRAY: threat actors exploiting OSS tools; Ransomware operators exploit ESXi vulnerability; Scattered Spider Abuses Cloud Management Agent; ShinyHunters Ransomware Targeting Cloud Environments; Extortion Campaign Exploiting Exposed Environment Variable; APT29 Targeting Zimbra and TeamCity Servers; Earth Simnavaz (APT34) Targeting UAE and Gulf Regions; UNC5820 exploiting FortiManager flaw; BrowserStack Data Breach; Dropbox Github breach; Mozi Botnet Using AndroxGh0st Toolkit to Target Cloud Environments; SharePoint Vulnerability Exploited in-the-Wild; Earth Kasha’s Campaign Exploiting Fortinet Vulnerability; Volkswagen data leak through Spring Boot Actuator misconfiguration; Phishing campaign leading to Azure account takeover; Storm-0501 attacking hybrid environments with ransomware; Bapak Exploiting Stolen Cloud Access Keys; TRIPLESTRENGTH: Cloud Account Hijacking and Cryptocurrency Mining via Stolen Credentials; Seashell Blizzard Subgroup's Campaign Exploiting Vulnerabilities for Data Exfiltration; RevivalStone Campaign by Winnti; Zapier data breach; Weaver Ant data exfiltration campaign; Atlas Lion Campaign Exploits Device Enrollment and MFA for Persistence; Grafana GitHub Action attempted supply chain attack; Rspack supply chain attack; UNC5174 Exploits Ivanti CSA Zero-Days in “Houken” Campaign; Azure Account Hijack via Stolen Tokens; AWS CodeBuild Vulnerability Allows Build Process Secrets Extraction; UAT-7237 Targets Taiwanese Web Infrastructure Using Customized Open-Source Tools; GENESIS PANDA's Cloud Intrusions: Persistent Control Plane Exploitation and Access Brokerage; Compromised Salesloft Drift Tokens Enable Data Theft Across Integrations; GhostAction campaign; Shai-Hulud: Ongoing Package Supply Chain Compromise Delivering Data-Stealing Malware; BRICKSTORM Espionage Backdoor Targeting U.S. Tech and Legal Sectors; IIS Backdoor Exploiting Exposed ASP.NET Machine Keys; TruffleNet Campaign Exploits AWS SES for Large-Scale Cloud Abuse and BEC Fraud; Cisco ISE Vulnerability Exploited as 0day by APT; Cryptomining Campaign Exploiting Exposed Ray AI Infrastructure; Shai-Hulud 2.0 Supply Chain Attack; Amadey Loader Abuses Compromised Self-Hosted GitLab to Deliver StealC Infostealer; VoidLink: A Cloud-Native Linux Malware Framework; LLMJacking for Roleplaying Campaign; Supply-Chain Attack via Force Pushes on Plone GitHub Repositories; Supply-Chain Hijacking of Notepad++ Updates via Hosting Provider Compromise | Credential Access (TA0006) | | Stub |
| Cron persistence | | From PHP exploitation to AWS lateral movement; CoinStomp campaign; From PHP vuln to Sliver execution via cron; Diicot Campaign Targeting Exposed SSH; Mexals cryptojacking campaign; CPU_HU: Malicious Campaign Targeting Misconfigured PostgreSQL Servers for Cryptomining; UNC5174 Linux Espionage Campaign; Cryptomining Campaign Exploiting Exposed Ray AI Infrastructure | Persistence (TA0003) | | Stub |
| Custom ELF loaders | | Cryptomining Campaign Exploiting Exposed Ray AI Infrastructure; China-nexus Campaign Exploits CVE-2025-20393 in Cisco Email Security Devices | | | Not started |
| Dangling DNS takeover | Network | fsevents supply chain attack; MasterCard Fixes Five-Year-Old DNS Typo Misconfiguration; CDC dangling domain hijack | Resource Development (TA0042) | | Stub |
| Data exfiltration from cloud storage | | S3 data exfiltration; S3 ransomware scam | | | Stub |
| Database ransomware | Ransomware | DarkRadiation campaign | Impact (TA0040) | | Stub |
| DCSync attack | | Horde Panda targeting South Asian telecommunications provider | | | Not started |
| DDoS attack | | REF6138 campaign; Langflow Vulnerability Exploited to Deliver Flodrix Botnet | | | Not started |
| Delete compute snapshot | | Scattered Spider targeting GCP environment | | | Not started |
| Direct Kernel object manipulation | | | | | Not started |
| Disable anti-virus | | UNC2165 Targets Hybrid Environments with Ransomware | | | Not started |
| Disable logging | Cloud | Ubiquiti incident; ScarletEel campaign (Feb ‘23); ScarletEel campaign (July ‘23); Cloud lateral movement via Citrix cookie; APT29 targeting Microsoft 365 | Defense Evasion (TA0005) | | Stub |
| Discover origin IP of fronted domain | Network | Fast Company incident | Discovery (TA0007) | | Stub |
| Disk Wipe | | DarkRadiation campaign | Impact (TA0040) | | Stub |
| DLL search order hijacking | | | Execution (TA0002) | | Stub |
| DLL Side-Loading | | Earth Kasha’s Campaign Exploiting Fortinet Vulnerability; Earth Preta’s Campaign Abusing MAVInject to Bypass Detection | | | Not started |
| DNS tunneling | | Msupedge Backdoor Targeting Taiwanese University; eBPF Rootkit Targeting AWS and Linux Environments | | | Not started |
| DNS-over-HTTPS (DoH) | | Denonia campaign | Command and Control (TA0011) | | Stub |
| Domain registration abuse | | DangerDev SES abuse incident | | | Stub |
| EDR whitelisting | | Smishing into Entra onto VMWare ransomware | | | Not started |
| Email C2 | | New Relic incident (November 2023) | | | Stub |
| Email server hijacking | Supply Chain | Cyber Toufan Linux destruction | Impact (TA0040) | Microsoft Exchange | Stub |
| Erase logs | Cloud | Cloud lateral movement via Citrix cookie; AWS Breach at a SaaS Company; IIS Backdoor Exploiting Exposed ASP.NET Machine Keys | Defense Evasion (TA0005) | | Stub |
| Escape to host via cgroups release_agent | Linux | Gin Docker cryptojacking campaign | Privilege Escalation (TA0004) | | Stub |
| Evasive username patterns | | DangerDev SES abuse incident | | | Stub |
| Execute Command on VM using Custom Script Extension | | | Execution (TA0002) | | Stub |
| Exfiltration via AWS DataSync | Cloud | Muddled Libra campaigns (2024) | Exfiltration (TA0010) | | Stub |
| Exfiltration via AWS Transfer | Cloud | Muddled Libra campaigns (2024) | Exfiltration (TA0010) | | Stub |
| Exploiting BPF load to escape to host | K8s | | Privilege Escalation (TA0004) | | Stub |
| Exploiting host mount to escape to host | K8s | Kiss-A-Dog campaign; Doki cryptojacking campaign | Privilege Escalation (TA0004) | | Stub |
| Export disk via SAS URL | Cloud | | Exfiltration (TA0010) | | Stub |
| Exposed ComfyUI abuse | | ComfyUI exploitation campaign | | | Not started |
| Exposed environment config abuse | | DepositFiles exposed config file; AndroxGh0st usage (2024) | Initial Access (TA0001) | | Stub |
| Exposed git config files abuse | | EMERALDWHALE Attacks Targeting Exposed Git Config Files; Game Freak data leak | Credential Access (TA0006), Reconnaissance (TA0043) | | Stub |
| Exposed resource abuse | | | | | Not started |
| Exposed resource abuse | | AWS Network Exploitation and Ransomware Detonation; GENESIS PANDA's Cloud Intrusions: Persistent Control Plane Exploitation and Access Brokerage; eBPF Rootkit Targeting AWS and Linux Environments; GeoServer RCE Exploited in CoinMiner Campaigns; TeamPCP Cloud-Native Campaign Targeting Exposed Control Planes | | | Not started |
| Extract credentials from resource tags | Cloud | | Credential Access (TA0006), Lateral Movement (TA0008) | | Stub |
| FTP access | | Meow database server campaign | Initial Access (TA0001) | | Stub |
| Gift card fraud | | Atlas Lion phishing campaign | | | Not started |
| Git commit timestamp forgery | | Node.js repository CI/CD vulnerable to RCE | | | Not started |
| Global socket communication | Network | Commando Cat campaign | Command and Control (TA0011) | | Stub |
| IAM privilege escalation | Cloud, Authentication | Cryptomining Campaign Exploiting Exposed Ray AI Infrastructure | Privilege Escalation (TA0004) | | Stub |
| IIS native module malware | | Larva-25003: IIS Native Module Malware Used in Targeted Web Server Attacks; IIS Backdoor Exploiting Exposed ASP.NET Machine Keys | | | Not started |
| Image dependency confusion | Supply Chain, K8s | | Initial Access (TA0001) | | Stub |
| IMDS abuse | Cloud | ScarletEel campaign (Feb ‘23); ScarletEel campaign (July ‘23); SilentBob cryptomining campaign; From PHP exploitation to AWS lateral movement; Misconfigured firewall to cryptojacking botnet; Capital One incident (March 2019); UNC2903 campaigns; SQL Server to cloud lateral movement; From PHP vuln to Sliver execution via cron; From web app exploitation to Chisel tunneling; Commando Cat campaign; Hugging Face cross-tenant access; US DoD NIPRNet access via Atlassian SSRF; GENESIS PANDA's Cloud Intrusions: Persistent Control Plane Exploitation and Access Brokerage | Credential Access (TA0006) | | Featured |
| Impersonate GCP Service Accounts | | | Privilege Escalation (TA0004) | | Stub |
| In-band signaling | | | | | Not started |
| Intune abuse | | Stealing the LIGHTSHOW | Execution (TA0002), Persistence (TA0003) | | Stub |
| Jira ScriptRunner abuse | | Cloudflare incident following Okta breach | | | Stub |
| Jupyter Notebook misconfig abuse | App Misconfig. | Jupyter Notebook cred harvesting campaign; Meow Jupyter Notebook campaign; Panamorfi campaign; Sports Piracy Exploiting Misconfigured Jupyter Servers; Exposed Jupyter Notebooks Targeted for Cryptomining | Initial Access (TA0001), Privilege Escalation (TA0004) | Jupyter Notebook | Stub |
| Jupyter Notebook ransomware | Ransomware | | Impact (TA0040) | Jupyter Notebook | Stub |
| K8s anonymous auth abuse | K8s, Authentication | Dero cryptojacking targeting K8s; DERO cryptojacking campaign (2024) | Initial Access (TA0001) | Kubernetes | Stub |
| Lambda persistence | Cloud | | Persistence (TA0003) | AWS Lambda | Stub |
| Launch new cloud resources | | DangerDev SES abuse incident; Smishing into Entra onto VMWare ransomware; From password reset to data exfiltration; Scattered Spider targeting GCP environment | | | Stub |
| Linux fileless malware | Linux | PHP Targeted with Glutton backdoor; CPU_HU: Malicious Campaign Targeting Misconfigured PostgreSQL Servers for Cryptomining | Persistence (TA0003) | | Stub |
| LLM Prompt Injection | AI/ML | Operation Bizarre Bazaar: Commercialized LLMjacking | Initial Access (TA0001) | | Stub |
| LLMjacking | | LLMjacking via Laravel exploitation; Scylla LLMJacking campaign; LLM Hijacking Targeting AWS; LLMJacking for Roleplaying Campaign | | | Stub |
| Local privilege escalation via vulnerability exploitation | | BORN Group supply chain attack | | | Not started |
| LOLBin abuse | Windows | Peach Sandstorm targeting Azure; Widespread TeamCity exploitation (March ‘24) | Defense Evasion (TA0005) | | Stub |
| LSASS dumping | Windows | Storm-0558 phishing campaigns; UAT-7237 Targets Taiwanese Web Infrastructure Using Customized Open-Source Tools | Credential Access (TA0006), Privilege Escalation (TA0004) | | Stub |
| Malicious AI model | AI/ML | Hugging Face cross-tenant access | ML Attack Staging (AML.TA0001) | | Stub |
| Malicious Github Runner | | Shai-Hulud 2.0 Supply Chain Attack | | | Not started |
| Malicious pull request submission | | AWS CodeBuild Vulnerability Allows Build Process Secrets Extraction | | | Not started |
| Malicious Terraform provider or module | Supply Chain, Cloud | | Initial Access (TA0001) | | Stub |
| Malvertising | | | | | Not started |
| MFA bypass | | CircleCI incident; Twilio incident; TRIPLESTRENGTH: Cloud Account Hijacking and Cryptocurrency Mining via Stolen Credentials; From stolen cloud key to persistence-as-a-service; Akira Ransomware Targeting Critical Vulnerability in SonicWall SSLVPN | Initial Access (TA0001) | | Stub |
| MFA enrollment | Authentication | APT29 targeting Microsoft 365; Atlas Lion phishing campaign; Smishing into Entra onto VMWare ransomware; Scattered Spider SaaS targeting (2023); Scattered Spider targeting Azure environment; Phishing campaign leading to Azure account takeover; Atlas Lion Campaign Exploits Device Enrollment and MFA for Persistence; Azure Account Hijack via Stolen Tokens | Persistence (TA0003) | | Stub |
| MFA prompt spam | Authentication, Social Eng. | | Initial Access (TA0001) | | Stub |
| Misconfigured Apache Hadoop abuse | App Misconfig. | Lucifer Botnet targeting Hadoop; Redis, Hadoop, and Docker exploitation; Dreambus campaign (2021) | | Apache Hadoop | Stub |
| Misconfigured Argo abuse | App Misconfig. | | Initial Access (TA0001) | Argo CD | Stub |
| Misconfigured Consul abuse | App Misconfig. | Qubitstrike Crypto Mining and Rootkit Campaign; Dreambus campaign (2021) | Initial Access (TA0001) | Hashicorp Consul | Stub |
| Misconfigured DB abuse | App Misconfig. | Meow database server campaign; CPU_HU: Malicious Campaign Targeting Misconfigured PostgreSQL Servers for Cryptomining | Initial Access (TA0001) | PostgreSQL | Stub |
| Misconfigured Docker abuse | App Misconfig. | Redis, Hadoop, and Docker exploitation; Kinsing campaigns (2020); TeamTNT’s Docker Gatling Gun Campaign; Gafgyt Malware Targeting Misconfigured Docker Servers; Docker Swarm and K8s cryptojacking campaign; TeamPCP Cloud-Native Campaign Targeting Exposed Control Planes | Initial Access (TA0001) | Docker | Stub |
| Misconfigured Gitea Abuse | App Misconfig. | Cryptojacking Campaign Targets Misconfigured DevOps Tools | Initial Access (TA0001), Privilege Escalation (TA0004) | Gitea | Finalized |
| Misconfigured GitHub Action abuse | | Grafana GitHub Action attempted supply chain attack; GhostAction campaign | | | Not started |
| Misconfigured GitHub Runner abuse | | Backdoored self-hosted GitHub Runner | | | Not started |
| Misconfigured KubeFlow abuse | App Misconfig., K8s | | Initial Access (TA0001) | KubeFlow | Stub |
| Misconfigured Nomad abuse | | Cryptojacking Campaign Targets Misconfigured DevOps Tools | | | Not started |
| Misconfigured OIDC service account abuse | Cloud, CI/CD | | Initial Access (TA0001), Credential Access (TA0006) | | Featured |
| Misconfigured PostgreSQL abuse | | Kinsing campaigns (2023-2024); Dreambus campaign (2021); PG_MEM Malware Exploiting Misconfigured PostreSQL Instances; Soco404 Cryptomining Campaign Exploits PostgreSQL and Cloud Misconfigurations | | | Not started |
| Misconfigured Power Pages abuse | Cloud | | Exfiltration (TA0010) | Microsoft Power Pages | Stub |
| Misconfigured Redis abuse | App Misconfig. | P2PInfect campaign; SkidMap targeting Redis; Migo cryptominer targeting Redis; Redis, Hadoop, and Docker exploitation; HeadCrab campaign; Dreambus campaign (2021); RedisRaider Linux Cryptojacking Campaign Targets Redis Servers; TeamPCP Cloud-Native Campaign Targeting Exposed Control Planes | Initial Access (TA0001) | Redis | Stub |
| Misconfigured Selenium Grid abuse | App Misconfig. | SeleniumGreed: Threat actors exploit exposed Selenium Grid services for Cryptomining; Campaign targeting Selenium Grid for cryptomining | Initial Access (TA0001) | Selenium Grid | Stub |
| Misconfigured SSH abuse | Linux, OS Misconfig., Network, Authentication | ChinaZ campaigns; Diicot Campaign Targeting Linux Environments | Initial Access (TA0001), Lateral Movement (TA0008) | | Featured |
| Misconfigured WebLogic abuse | | Hadooken Malware Targeting Weblogic Servers | | | Not started |
| Misconfigured Wordpress abuse | App Misconfig. | Meson Network cryptojacking campaign | Initial Access (TA0001) | WordPress | Stub |
| Modify compute startup script | | Scattered Spider targeting GCP environment | | | Not started |
| Modify existing IAM user or role | Cloud | DangerDev SES abuse incident; From stolen cloud key to persistence-as-a-service | Persistence (TA0003) | | Stub |
| Modify VPC / subnet / security group configuration | Cloud | | Persistence (TA0003) | | Stub |
| Network lateral movement | | CRYSTALRAY: threat actors exploiting OSS tools; Ransomware operators exploit ESXi vulnerability; APT28 Targeting Print Spooler Vulnerability for GooseEgg Deployment; BORN Group supply chain attack; Horde Panda targeting South Asian telecommunications provider; SharePoint Vulnerability Exploited in-the-Wild; Docker Swarm and K8s cryptojacking campaign; Campaign targeting exposed FortiGate firewall management interfaces; RevivalStone Campaign by Winnti; BPFDoor’s Hidden Controller Targets AMEA Sectors; AWS Breach at a SaaS Company; UTG-Q-015 Exploits 0-Days for Espionage in Asia; UNC5174 Exploits Ivanti CSA Zero-Days in “Houken” Campaign; AWS Data Exfiltration and Attempted Ransomware | | | Not started |
| OAuth app creation | | OAuth applications to deploy VMs for cryptomining; Microsoft email exfiltration by Nobelium | Persistence (TA0003) | | Stub |
| OAuth app hijack | | OAuth applications to deploy VMs for cryptomining; Microsoft email exfiltration by Nobelium | Persistence (TA0003) | | Stub |
| On-prem to cloud lateral movement | | From social engineering to Lambda modification; Silk Typhoon Targeting IT and Cloud Applications; Storm-0501 Deploys Cloud-Based Ransomware | | | Not started |
| OS password reset | | Scattered Spider targeting GCP environment | | | Not started |
| OverPass-The-Hash | | Cleo Vulnerabilities Targeted by Cl0p Ransomware | | | Not started |
| Package dependency confusion | Supply Chain, CI/CD | Multiple organizations vulnerable to dependency confusion; Ivanti supply chain attack via compromised library; PyTorch-nightly torchtriton dependency compromise; SANDWORM_MODE: Typosquatted npm Packages Used to Hijack CI Workflows | Initial Access (TA0001), Execution (TA0002) | npm, PyPI | Finalized |
| Package hijacking | | Package hijacking redteam op; Nx Package Supply Chain Compromise Delivers Data-Stealing Malware | Initial Access (TA0001) | | Stub |
| Package Starjacking | | Cloud tools imitation campaign | Initial Access (TA0001) | | Stub |
| Package typosquatting | | Cloud tools imitation campaign; Rspack supply chain attack; SANDWORM_MODE: Typosquatted npm Packages Used to Hijack CI Workflows | Initial Access (TA0001) | | Stub |
| Password bruteforcing | | Trigona targeting MSSQL servers; GoBruteforcer campaign; FBot toolkit targets cloud environments; RE#TURGENCE MSSQL Server RansomOp; Mimic used by Trigona operators; RUBYCARP: Botnet Exploiting Vulnerabilities for Crypto; TargetCompany Abusing MSSQL Servers for Ransomware; Gafgyt Malware Targeting Cloud Environments; PG_MEM Malware Exploiting Misconfigured PostreSQL Instances; Prometei campaign; CPU_HU: Malicious Campaign Targeting Misconfigured PostgreSQL Servers for Cryptomining; UTG-Q-015 Exploits 0-Days for Espionage in Asia; SonicWall MySonicWall Cloud Backup File Security Incident | Initial Access (TA0001) | | Stub |
| Password spraying | Credentials, Authentication | Peach Sandstorm targeting Azure; Microsoft email exfiltration by Nobelium; Smishing into Entra onto VMWare ransomware; APT29 Targeting Zimbra and TeamCity Servers; USAID cryptojacking incident; Password spray attack leads to containers being used for cryptomining; TeamFiltration Account Takeover Campaign | Credential Access (TA0006), Initial Access (TA0001) | | Stub |
| Persistence via AI service backend | Cloud, AI/ML | | Persistence (TA0003) | | Stub |
| Persistence via udev | | | | | Not started |
| Persistence via VM user data | Cloud | | Persistence (TA0003) | | Stub |
| Phishing | | Storm-0558 phishing campaigns; RUBYCARP: Botnet Exploiting Vulnerabilities for Crypto; GitHub certificate theft incident; Atlas Lion phishing campaign; Personal local drive to AWS ransomware; Scattered Spider SaaS targeting (2023); RomCom exploiting Word vulnerability in campaign targeting government entities; Microsoft Smartscreen Vulnerability Exploited by Water Hydra; Windows SmartScreen vulnerability exploited by Mispadu trojan; Scattered Spider Abuses Cloud Management Agent; Triad Nexus: Funnull malicious campaign; Dropbox Github breach; Earth Kasha’s Campaign Exploiting Fortinet Vulnerability; From social engineering to Lambda modification; Black Basta Exploiting Vulnerabilities in Multiple Products; Kiss-A-Dog campaign; UTG-Q-015 Exploits 0-Days for Espionage in Asia; Supply Chain Attack on npm Packages via Maintainer Phishing | Initial Access (TA0001) | | Stub |
| Poison AI training data | AI/ML | | Resource Development (TA0042), Persistence (TA0003) | | Stub |
| Policy simulation | | DangerDev SES abuse incident | | | Stub |
| Process injection | | Earth Preta’s Campaign Abusing MAVInject to Bypass Detection; Operation LongFang; PassiveNeuron Campaign: Espionage Campaign Targeting Windows Server Environments | | | Not started |
| Propagation via Kubelet | K8s | | Lateral Movement (TA0008) | Kubernetes | Stub |
| Proxyjacking | | Labrat GitLab campaign; 9hits Docker campaign; Campaign targeting Selenium Grid for cryptomining | Impact (TA0040) | | Stub |
| Public exposure abuse | Cloud | Reuters leaky ElasticSearch DB; ScarletEel campaign (Feb ‘23); ScarletEel campaign (July ‘23); K8s targeted via OpenMetadata exploitation; Exploitation in the wild of Aviatrix Controller RCE; Operation LongFang | Initial Access (TA0001) | | Stub |
| Public malicious container image | | ECS Fargate cryptojacking; TeamTNT’s Docker Gatling Gun Campaign; Multi-Layered Cryptojacking via Docker | | | Stub |
| Publishing trojanized npm packages | | Shai-Hulud 2.0 Supply Chain Attack; SANDWORM_MODE: Typosquatted npm Packages Used to Hijack CI Workflows | | | Not started |
| pwn request | CI/CD | | Initial Access (TA0001) | GitHub | Stub |
| Redis-as-a-backdoor | Linux, Cloud | Kiss-A-Dog campaign | Persistence (TA0003) | Redis | Stub |
| Refresh token compromise | Authentication | From refresh token theft to global admin | Credential Access (TA0006) | | Stub |
| Register self-hosted runner | CI/CD | | Privilege Escalation (TA0004) | GitHub | Stub |
| Registry secret scanning | Credentials | Python infrastructure leaked access token | Reconnaissance (TA0043), Credential Access (TA0006) | | Stub |
| Remotely execute commands or scripts on a VM | | DarkRadiation campaign | Execution (TA0002) | | Stub |
| Repo encryption for extortion | | Gitloker campaign | | | Stub |
| Repojacking | Supply Chain | | Initial Access (TA0001) | | Stub |
| Repository webhook abuse | CI/CD, App Misconfig., Network | | Initial Access (TA0001) | GitHub, TeamCity, Jenkins | Stub |
| Resource enumeration | | AWS Breach at a SaaS Company; TeamFiltration Account Takeover Campaign; VoidLink: A Cloud-Native Linux Malware Framework; Operation Bizarre Bazaar: Commercialized LLMjacking | | | Not started |
| Resource injection in CloudFormation template | Cloud | | Execution (TA0002) | AWS CloudFormation | Stub |
| Retrieve EC2 Password Data | Cloud | | Credential Access (TA0006) | | Stub |
| Reverse DNS manipulation | | ByBit hack | | | Not started |
| Reverse shell | | CoinStomp campaign; Cloud lateral movement via Citrix cookie; From code commit to production takeover; Silent Skimmer Attacks Exploiting Telerik UI to Steal Payment Data; Diicot Campaign Targeting Linux Environments; Malicious AI Models Bypass Picklescan Detection; BPFDoor’s Hidden Controller Targets AMEA Sectors; Ivanti EPMM RCE Vulnerability Chain Exploited in the Wild; UNC5174 Exploits Ivanti CSA Zero-Days in “Houken” Campaign; Cryptomining Campaign Exploiting Exposed Ray AI Infrastructure | Execution (TA0002) | | Stub |
| Rootkit - LD_PRELOAD | | DarkRadiation campaign | Persistence (TA0003), Execution (TA0002), Privilege Escalation (TA0004), Defense Evasion (TA0005) | | Stub |
| Script injection into CICD workflow | Supply Chain, CI/CD | Ultralytics compromise; Kong image compromise | Initial Access (TA0001) | GitHub, GitLab | Not started |
| Serial port abuse | | SIM swapping to serial port abuse; Scattered Spider SaaS targeting (2023) | | | Stub |
| Serverless execution | Cloud | Denonia campaign | Execution (TA0002) | AWS Lambda | Stub |
| SES abuse for spam or phishing | | DangerDev SES abuse incident; JavaGhost SES abuse | Impact (TA0040) | | Stub |
| SES enumeration | | From stolen cloud key to persistence-as-a-service | | | Not started |
| Session hijacking | | MITRE breach via Ivanti Connect Secure | | | Stub |
| Share compromised resources to an external account | Cloud | DangerDev SES abuse incident | Exfiltration (TA0010), Persistence (TA0003) | | Stub |
| SIM swap scam | | SIM-Swap to Data Leak on Dark Web; Scattered Spider SaaS targeting (2023); Scattered Spider SaaS targeting (2024) | Initial Access (TA0001) | | Stub |
| Slopsquatting | Supply Chain | | Initial Access (TA0001), Resource Development (TA0042) | npm, PyPI | Stub |
| Smishing (SMS phishing) | | Atlas Lion phishing campaign; Smishing into Entra onto VMWare ransomware; Scattered Spider SaaS targeting (2023); Scattered Spider SaaS targeting (2024) | | | Stub |
| SNS abuse for spam or phishing | Cloud | | | Amazon SNS | Stub |
| Sockpuppet infiltration | Social Eng. | XZ Utils backdoor incident | Initial Access (TA0001) | | Stub |
| Spearphishing | | Retool hack; Earth Preta’s Campaign Abusing MAVInject to Bypass Detection | Initial Access (TA0001) | | Stub |
| Spring Boot Actuator abuse | App Misconfig. | | Initial Access (TA0001) | Spring Boot | Stub |
| SQL commands | App Misconfig. | SQL Server to cloud lateral movement | Execution (TA0002) | MySQL, Microsoft SQL Server | Stub |
| SQL injection | App Misconfig. | GambleForce SQL injection campaign; SQL Server to cloud lateral movement; RedJuliett Exploiting VPN and Firewall Vulnerabilities; Boolka campaign; RevivalStone Campaign by Winnti | Initial Access (TA0001) | MySQL, Microsoft SQL Server | Stub |
| SSH bruteforcing | | Gafgyt Malware Targeting Cloud Environments; Operation Veles; Diicot Campaign Targeting Exposed SSH; Mexals cryptojacking campaign; Diicot Campaign Targeting Linux Environments; Linux SSH Servers Compromised to Deploy Proxies | | | Not started |
| SSH key compromise | | BORN Group supply chain attack | | | Not started |
| SSH propagation | | Dreambus campaign (2021); S3 data exfiltration; SSH-Snake Confluence targeting campaign | Lateral Movement (TA0008) | | Stub |
| SSM document phishing | Social Eng. | | Initial Access (TA0001) | | Stub |
| SSM misconfiguration abuse | | Cyberoam breach (2018) | | | Not started |
| SSM orchestration abuse | | From PHP exploitation to AWS lateral movement | | | Stub |
| SSM-facilitated remote desktop connection | Cloud | | Lateral Movement (TA0008) | | Stub |
| SSRF | | Misconfigured firewall to cryptojacking botnet; Capital One incident (March 2019); UNC2903 campaigns; US DoD NIPRNet access via Atlassian SSRF | Initial Access (TA0001) | | Stub |
| Steal EC2 Instance Credentials | Cloud | SilentBob cryptomining campaign | Credential Access (TA0006) | | Stub |
| Storage Denial of Wallet amplification attack | Cloud, Network | | Impact (TA0040) | S3 Bucket | Stub |
| Subdomain takeover | | Krpano XSS exploitation campaign; Gambling Network Exploits Abandoned Subdomains | | | Not started |
| Supply Chain Compromise | Supply Chain | Triad Nexus: Funnull malicious campaign; Supply Chain Attack on lottie-player; Ultralytics compromise; Kong image compromise; DogWifTool supply chain attack; Malicious AI Models Bypass Picklescan Detection; Supply Chain Compromise of rand-user-agent: Obfuscated RAT with C2 Communication and File Exfiltration; Solana web3.js Supply Chain Attack; DragonForce Exploits SimpleHelp Vulnerabilities in Ransomware Campaign; NPM Supply Chain Attack Compromises 16 Popular React Native and GlueStack Packages; Nx Package Supply Chain Compromise Delivers Data-Stealing Malware; Qix npm package supply chain compromise; Shai-Hulud: Ongoing Package Supply Chain Compromise Delivering Data-Stealing Malware; UNC3379 npm supply chain attacks; Supply Chain Risk in Axis Autodesk Revit Plugin Due to Exposed Azure Storage Credentials; Shai-Hulud 2.0 Supply Chain Attack; Supply-Chain Attack via Force Pushes on Plone GitHub Repositories | Initial Access (TA0001) | | Not started |
| Thread impersonation to escape to host | Linux | Siloscape campaign | Privilege Escalation (TA0004) | | Stub |
| Timestomping | | CoinStomp campaign; From WSO2 RCE to SSH lateral movement | Defense Evasion (TA0005) | | Stub |
| Token forgery | | Microsoft signing key compromise; In-Memory IIS Attacks via View State Deserialization | Initial Access (TA0001), Credential Access (TA0006) | | Stub |
| TOR anonymization | | Peach Sandstorm targeting Azure; Microsoft signing key compromise; Cyber Toufan Linux destruction; Siloscape campaign | Command and Control (TA0011), Defense Evasion (TA0005) | | Stub |
| Traffic routing through residential proxy network | Network | Microsoft email exfiltration by Nobelium | Defense Evasion (TA0005) | | Stub |
| Trojanized DLLs | | Weaver Ant data exfiltration campaign | | | Not started |
| Trusted technologies abuse | | State-Sponsored APT Abuse Visual Studio Code in Attacks | | | Not started |
| UPX packing | | Campaign targeting Selenium Grid for cryptomining; Diicot Campaign Targeting Exposed SSH; Mexals cryptojacking campaign; CPU_HU: Malicious Campaign Targeting Misconfigured PostgreSQL Servers for Cryptomining; Exposed Jupyter Notebooks Targeted for Cryptomining | | | |
Not started
Use DNS for exfiltration
Cloud
SQL Server to cloud lateral movement
Exfiltration (TA0010)
Stub
Valid creds abuse
Rollbar hackSnowflake compromised creds abuse campaignRansomware operators exploit ESXi vulnerabilityScattered Spider Abuses Cloud Management AgentShinyHunters Ransomware Targeting Cloud EnvironmentsExtortion Campaign Exploiting Exposed Environment VariableStorm-0501 Targeting Hybrid Environments with RansomwareVeeam Vulnerability Exploited by Akira and Fog RansomwareDropbox Github breachCleo Vulnerabilities Targeted by Cl0p RansomwareVolkswagen data leak through Spring Boot Actuator misconfigurationPhishing campaign leading to Azure account takeoverBapak Exploiting Stolen Cloud Access KeysTRIPLESTRENGTH: Cloud Account Hijacking and Cryptocurrency Mining via Stolen CredentialsCode Injection Attacks Exploiting Publicly Disclosed ASP.NET KeysAtlas Lion Campaign Exploits Device Enrollment and MFA for PersistenceAWS Breach at a SaaS CompanyCompromised cloud keys exfiltrated to bucketAzure Account Hijack via Stolen TokensAWS Data Exfiltration and Attempted RansomwareCompromised Salesloft Drift Tokens Enable Data Theft Across IntegrationsShai-Hulud: Ongoing Package Supply Chain Compromise Delivering Data-Stealing MalwareBRICKSTORM Espionage Backdoor Targeting U.S. Tech and Legal SectorsPassiveNeuron Campaign: Espionage Campaign Targeting Windows Server EnvironmentsTata Motors Hardcoded AWS Keys and API Tokens Exposed TruffleNet Campaign Exploits AWS SES for Large-Scale Cloud Abuse and BEC FraudShai-Hulud 2.0 Supply Chain AttackCloud-Native Phishing Infrastructure via Abused AWS WorkMailSupply-Chain Attack via Force Pushes on Plone GitHub Repositories
Initial Access (TA0001)Credential Access (TA0006)
Stub
Vishing
Scattered Spider targeting Azure environment
Not started
VM extension abuse
SIM swapping to serial port abuse
Privilege Escalation (TA0004)
Stub
VPN anonymization
New Relic incident (November 2023)AWS Breach at a SaaS CompanyUNC5174 Exploits Ivanti CSA Zero-Days in “Houken” Campaign
Stub
Vulnerability exploitation
Network
Apache server Cryptojacking with Cobalt StrikeProphet Spider campaignAndariel exploiting Apache ActiveMQGoTitan ActiveMQ campaignLAPSUS$ campaignsP2PInfect campaign8820 Gang targeting WebLogicTrigona targeting MSSQL serversRE#TURGENCE MSSQL Server RansomOpMimic used by Trigona operatorsLucifer Botnet targeting HadoopC3Pool mining via Confluence vulnerabilityz0Miner targeting WebLogic serversMeson Network cryptojacking campaignShadowSyndicate aiohttp exploitationUNC5174 ScreenConnect and F5 BIG-IP exploitationRUBYCARP: Botnet Exploiting Vulnerabilities for CryptoK8s targeted via OpenMetadata exploitationKinsing campaigns (2020)Redigo campaignTargetCompany Abusing MSSQL Servers for RansomwareKinsing targeting cloud serversRedTail Cryptomining campaign Muhstik campaignRedJuliett Exploiting VPN and Firewall Vulnerabilities8220 Gang Exploiting WebLogic Vulnerabilities for CryptojackingCRYSTALRAY: threat actors exploiting OSS toolsRansomware operators exploit ESXi vulnerabilityDama webshell deployment via ThinkPHP exploitationRomCom exploiting Word vulnerability in campaign targeting government entitiesMicrosoft Smartscreen Vulnerability Exploited by Water HydraWindows SmartScreen vulnerability exploited by Mispadu trojanArcaneDoor Campaign Targeting Cisco Adaptive Security Appliance 0dayAPT28 Targeting Print Spooler Vulnerability for GooseEgg DeploymentRCE Vulnerability in PHP CGI Exploited by TellYouThePassMirai Botnet Exploiting Apache OFBiz VulnerabilityGodzilla Backdoor Exploiting Confluence VulnerabilityDragonRank Targeting IIS Web ServersUNC1860 Attacks Targeting the Middle EastStorm-0501 Targeting Hybrid Environments with Ransomwareperfctl Malware Targeting LinuxVeeam Vulnerability Exploited by Akira and Fog RansomwareAPT29 Targeting Zimbra and TeamCity ServersEarth Simnavaz (APT34) Targeting UAE and Gulf RegionsUNC5820 exploiting FortiManager flawBrowserStack Data BreachMozi Botnet Using AndroxGh0st Toolkit to Target Cloud EnvironmentsPrometei campaignRCE Vulnerability in PAN-OS Exploited in-the-WildBrazenBamboo Weaponizes FortiClient Vulnerability to Steal CredentialsEarth Kasha’s Campaign Exploiting Fortinet VulnerabilityState-Sponsored APT Abuse Visual Studio Code in AttacksMauri Ransomware Exploiting Apache ActiveMQ Cleo Vulnerabilities Targeted by Cl0p RansomwareByte Federal Data Breach via Gitlab VulnerabilityRCE Vulnerability in Apache Struts Targeted by AttackersUS Treasury breach via BeyondTrust supply chain attackExploitation in the wild of Aviatrix Controller RCECampaign targeting exposed FortiGate firewall management interfacesSeashell Blizzard Subgroup's Campaign Exploiting Vulnerabilities for Data ExfiltrationBlack Basta Exploiting Vulnerabilities in Multiple ProductsSilk Typhoon Targeting IT and Cloud ApplicationsPHP-CGI Vulnerability Exploited in Attacks Targeting JapanOperation LongFangOracle Cloud Potential Supply Chain BreachKrpano XSS exploitation campaignCritical Ivanti Connect Secure Vulnerability Exploited by China-linked ActorSAP NetWeaver Visual Composer exploitation campaignMimo Exploits Craft CMS RCE to Deploy Cryptominer and Proxyware in Coordinated CampaignIvanti EPMM RCE Vulnerability Chain Exploited in the WildCoordinated One-Day Cloud Scanning Operation Targets 75 Exposure PointsDragonForce Exploits SimpleHelp Vulnerabilities in Ransomware CampaignEarth Lamia Custom Toolkit Targets Multiple Sectors via Web VulnerabilitiesUTG-Q-015 Exploits 0-Days for Espionage in AsiaLangflow Vulnerability Exploited to Deliver Flodrix BotnetAttacks on Korean IIS & Linux ServersUNC5174 Exploits Ivanti CSA Zero-Days in “Houken” CampaignLinuxsys Cryptominer CampaignMimo Targets Magento, Docker, and Cloud Environments0day Vulnerability in Microsoft Sharepoint Exploited in-the-WildAWS CodeBuild Vulnerability Allows Build Process Secrets ExtractionAkira Ransomware Targeting Critical Vulnerability in SonicWall SSLVPNUAT-7237 Targets Taiwanese Web Infrastructure Using Customized Open-Source ToolsAuto-Color Malware Exploits SAP Vulnerability for Linux BackdoorWarlock Ransomware Exploiting Sharepoint Vulnerabilities Silk Typhoon Exploiting Trusted Relationships for Cloud Environments CompromiseStorm-0501 Deploys Cloud-Based RansomwareDripDropper Malware Exploits Patched Apache ActiveMQ for Persistence on Cloud Linux SystemsRenewed "ArcaneDoor" Campaign Targeting 0-day Vulnerabilities in Cisco ASACl0p Extortion Campaign Claims Theft via Oracle E-Business SuiteeBPF Rootkit Targeting AWS and Linux EnvironmentsPassiveNeuron Campaign: Espionage Campaign Targeting Windows Server EnvironmentsTata Motors Hardcoded AWS Keys and API Tokens Exposed China-Linked Actors Target U.S. Policy-Oriented Non-Profit OrganisationsCisco ISE Vulnerability Exploited as 0day by APTUnauthenticated Remote Access via Triofox Vulnerability Exploited by UNC6485Cryptomining Campaign Exploiting Exposed Ray AI InfrastructureChina-nexus Campaign Exploits CVE-2025-20393 in Cisco Email Security DevicesGeoServer RCE Exploited in CoinMiner CampaignsTeamPCP Cloud-Native Campaign Targeting Exposed Control Planes
Initial Access (TA0001)Privilege Escalation (TA0004)
Stub
Webshell deployment
MITRE breach via Ivanti Connect SecureEarth Baku campaignUNC1860 Attacks Targeting the Middle EastSilent Skimmer Attacks Exploiting Telerik UI to Steal Payment DataSharePoint Vulnerability Exploited in-the-WildGelsemium’s Shift to Linux Malware with WolfsBane and FireWoodState-Sponsored APT Abuse Visual Studio Code in AttacksRevivalStone Campaign by WinntiPHP-CGI Vulnerability Exploited in Attacks Targeting JapanOperation LongFangWeaver Ant data exfiltration campaignSAP NetWeaver Visual Composer exploitation campaignLarva-25003: IIS Native Module Malware Used in Targeted Web Server AttacksMimo Exploits Craft CMS RCE to Deploy Cryptominer and Proxyware in Coordinated CampaignEarth Lamia Custom Toolkit Targets Multiple Sectors via Web VulnerabilitiesAttacks on Korean IIS & Linux ServersIn-Memory IIS Attacks via View State Deserialization0day Vulnerability in Microsoft Sharepoint Exploited in-the-WildUAT-7237 Targets Taiwanese Web Infrastructure Using Customized Open-Source ToolsWarlock Ransomware Exploiting Sharepoint Vulnerabilities Silk Typhoon Exploiting Trusted Relationships for Cloud Environments CompromiseStorm-0501 Deploys Cloud-Based RansomwarePassiveNeuron Campaign: Espionage Campaign Targeting Windows Server EnvironmentsCisco ISE Vulnerability Exploited as 0day by APT
Stub
XML injection
Krpano XSS exploitation campaign
Not started


Last Updated: April 3, 2025