Tools

Tools observed in various incidents or known to be utilized against cloud environments

Name	Tags	Incidents	Techniques
9hits	CommercialDual-use	9hits Docker campaign	Proxyjacking
ADRecon	EnumerationActive Directory	Scattered Spider SaaS targeting (2024)
AgentTesla	RAT	8820 Gang targeting WebLogic
Akira ransomware	Ransomware	Veeam Vulnerability Exploited by Akira and Fog Ransomware
AlienFox	Attacker-sideToolkit	AlienFox campaign
AndroxGh0st	Toolkit	AndroxGh0st usage (2024)Mozi Botnet Using AndroxGh0st Toolkit to Target Cloud Environments
AntSword	Toolkit	RedJuliett Exploiting VPN and Firewall Vulnerabilities
AnvilEcho powershell trojan	TrojanMalware
AnyDesk	CommercialDual-use	Peach Sandstorm targeting Azure Magnet Goblin campaign (2024)TargetCompany Abusing MSSQL Servers for Ransomware Storm-0501 Targeting Hybrid Environments with Ransomware
ASN	OffSecDual-use	CRYSTALRAY: threat actors exploiting OSS tools
ASPXSpy	Webshell	DragonRank Targeting IIS Web Servers	Webshell deployment
Atomic Red Team	OffSecK8sAttacker-sideDual-use
AWS tools for PowerShell		EC2 Grouper Campaign
aws-ethereum-miner	CryptominerCloud
AWSealion	OffSecToolkitAttacker-sideDual-use
AzureHound	OffSecToolkitAttacker-sideCloudDual-use	Peach Sandstorm targeting Azure
Babuk	Ransomware	ESXiArgs ransomware campaign
BadIIS	MalwareBackdoor	DragonRank Targeting IIS Web Servers
BlackBasta ransomware	Ransomware	Ransomware operators exploit ESXi vulnerability
BlackSmith toolkit	Toolkit
BlueShell	OffSecDual-use
BPFDoor	Malware
BRIGHTCREST	Malware
Buildkite Agent	Dual-use
BUSHWALK	Malware	Ivanti Connect Secure targeting campaign
C3Bash	Cryptominer	RUBYCARP: Botnet Exploiting Vulnerabilities for Crypto
C3Pool		C3Pool mining via Confluence vulnerability
C3RB3R Ransomware	RansomwareMalware	Confluence targeting by C3RB3R	Vulnerability exploitation
CDK	OffSecK8sDual-use		Abusing exposed Docker socket Exploiting host mount to escape to host
Cdorked		Cdorked campaign
Cetus	WormCryptominer	Cetus campaign
CHAINLINE	Backdoor	Ivanti Connect Secure targeting campaign
Chaos RAT	RAT
Cheerscrypt	Ransomware
China Chopper	Webshell	Storm-0558 phishing campaigns RedJuliett Exploiting VPN and Firewall Vulnerabilities
Chisel	Proxy	From web app exploitation to Chisel tunneling
Cigril	Trojan	Storm-0558 phishing campaigns	DLL search order hijacking
Cl0p ransomware	Ransomware	Cleo Vulnerabilities Targeted by Cl0p Ransomware
CloudBrute	OffSecCloudDual-use
CloudFox	OffSecAttacker-sideCloudDual-use
CloudSnooper		Cyberoam breach (2018)
CloudSplaining	OffSecDual-use
CLR shell		Mimic used by Trigona operators
Cobalt Strike	OffSecDual-use	Apache server Cryptojacking with Cobalt Strike Widespread TeamCity exploitation (March ‘24)Agenda Ransomware Targets ESXi and vCenter Servers Ransomware operators exploit ESXi vulnerability Storm-0501 Targeting Hybrid Environments with Ransomware Earth Kasha’s Campaign Exploiting Fortinet Vulnerability Cleo Vulnerabilities Targeted by Cl0p Ransomware
CoinStomp	Cryptominer	CoinStomp campaign
CrackMapExec	OffSecDual-use	Ivanti Connect Secure targeting campaign
CredMaster	Dual-use
Dagon Locker	Ransomware		Phishing
Dama	Webshell	Dama webshell deployment via ThinkPHP exploitation
DarkMe	MalwareRAT	Microsoft Smartscreen Vulnerability Exploited by Water Hydra
Ddostf	DDoS
DEEPDATA	MalwareWindows	BrazenBamboo Weaponizes FortiClient Vulnerability to Steal Credentials	Credential theft
DEEPPOST		BrazenBamboo Weaponizes FortiClient Vulnerability to Steal Credentials
Denonia	Cryptominer	Denonia campaign	Serverless execution
DeRF	ToolkitOffSecCloudDual-use
DERO miner	Cryptominer	Dero cryptojacking targeting K8s
devilzshell	Webshell	RedJuliett Exploiting VPN and Firewall Vulnerabilities
Diamorphine rootkit	Rootkit	Qubitstrike Crypto Mining and Rootkit Campaign
DinodasRAT	RAT
DSLog		Ivanti Connect Secure targeting campaign
EagleRelay	Proxy	Peach Sandstorm targeting Azure
Ebury	Botnet	Operation Windigo
emp3ror	ToolkitWindowsLinuxMalware	CRYSTALRAY: threat actors exploiting OSS tools
enum4Linux	OffSecDual-use	Ivanti Connect Secure targeting campaign
enumerate-iam	ToolkitOffSecCloudDual-use
Everything	Windows	SharePoint Vulnerability Exploited in-the-Wild
FBot	ToolkitMalwareAttacker-side	FBot toolkit targets cloud environments
ffmpeg	Commercial	Sports Piracy Exploiting Misconfigured Jupyter Servers
FireProx	ProxyCloud
FireWood		Gelsemium’s Shift to Linux Malware with WolfsBane and FireWood
FleetDeck	Commercial	Scattered Spider Abuses Cloud Management Agent
Fog ransomware	Ransomware	Veeam Vulnerability Exploited by Akira and Fog Ransomware
FRAMESTING		Ivanti Connect Secure targeting campaign
frp		z0Miner targeting WebLogic servers Mauri Ransomware Exploiting Apache ActiveMQ
fscan	OffSecDual-use	From WSO2 RCE to SSH lateral movement
Fudmodule rootkit
Fuso		Silent Skimmer Attacks Exploiting Telerik UI to Steal Payment Data
Gafgyt botnet		Gafgyt Malware Targeting Cloud Environments Gafgyt Malware Targeting Misconfigured Docker Servers
Gato	ToolkitCI/CDDual-use		CI/CD system enumeration
Gelsevirine
Gh0st RAT	MalwareRAT	Apache server Cryptojacking with Cobalt Strike Cyberoam breach (2018)
Gh0stCringe	Malware
ghostfile93.aspx webshell		SharePoint Vulnerability Exploited in-the-Wild
git-dumper		EMERALDWHALE Attacks Targeting Exposed Git Config Files
Glutton backdoor		PHP Targeted with Glutton backdoor
GMiner	Cryptominer
GoBruteforcer	Botnet	GoBruteforcer campaign	Password bruteforcing
GoBuster		Volkswagen data leak through Spring Boot Actuator misconfiguration
GodPotato		DragonRank Targeting IIS Web Servers
Godzilla	Webshell	From WSO2 RCE to SSH lateral movement From ActiveMQ to Godzilla webshell RedJuliett Exploiting VPN and Firewall Vulnerabilities Earth Baku campaign Godzilla Backdoor Exploiting Confluence Vulnerability DragonRank Targeting IIS Web Servers
GOHEAVY		UNC5174 ScreenConnect and F5 BIG-IP exploitation
GooseEgg		APT28 Targeting Print Spooler Vulnerability for GooseEgg Deployment
GoTitan	Botnet	GoTitan ActiveMQ campaign
Graboid	WormCryptominer	Graboid campaign
GreenBot	ToolkitAttacker-side
Gsocket	OffSecDual-use	SilentBob cryptomining campaign Labrat GitLab campaign Campaign targeting Selenium Grid for cryptomining REF6138 campaign
HeadCrab		HeadCrab campaign
HiddenShovel	Cryptominer		Bring Your Own Vulnerable Driver
Hildegard	Cryptominer	TeamTNT campaigns
HinataBot	DDoSBotnet
Hive	Ransomware
Horoung Antivirus		SharePoint Vulnerability Exploited in-the-Wild
HubSpot Free Form Builder		Phishing campaign leading to Azure account takeover
IceFire	Ransomware	IceFire Aspera Faspex campaign
Impacket	OffSecDual-use	Ivanti Connect Secure targeting campaign Scattered Spider SaaS targeting (2024)SharePoint Vulnerability Exploited in-the-Wild
Infection Monkey	OffSecToolkitDual-use
iodine	OffSecDual-use	Ivanti Connect Secure targeting campaign
IPRoyal	CommercialDual-useProxy	Labrat GitLab campaign Campaign targeting Selenium Grid for cryptomining	Proxyjacking
Jasmin		Widespread TeamCity exploitation (March ‘24)
KAIJI	DDoS	REF6138 campaign
kerbrute		SharePoint Vulnerability Exploited in-the-Wild
KeyChecker	Cloud
KEYPLUG		Horde Panda targeting South Asian telecommunications provider
Kinsing		Kinsing campaigns (2020)
Krasue	RAT	Krasue Thailand campaign
kube-hunter	OffSecK8sDual-use
kubescape	K8sOffSecDual-use
Kubesploit	OffSecK8sDual-use
Kubestroyer	OffSecK8sDual-use
Kunpeng	OffSecDual-use	Abcbot Huawei Cloud targeting campaign
LaZagne	OffSecMalware
Legion	ToolkitAttacker-side
Leonidas	OffSecToolkitCloudDual-use
LIGHTSPY		BrazenBamboo Weaponizes FortiClient Vulnerability to Steal Credentials
LIGHTWIRE		Ivanti Connect Secure targeting campaign
Ligolo		Magnet Goblin campaign (2024)
Line Dancer	MalwareRATReverse shell	ArcaneDoor Campaign Targeting Cisco Adaptive Security Appliance 0day	Disable logging Exfiltration via AWS Transfer
Line Runner	MalwareBackdoor	ArcaneDoor Campaign Targeting Cisco Adaptive Security Appliance 0day
linPEAS	OffSecDual-use	Use of linPEAS for cloud enumeration
Linux Exploit Suggester	OffSecDual-use
LockBit	Ransomware
LODEINFO		Earth Kasha’s Campaign Exploiting Fortinet Vulnerability
Loggerminer	Cryptominer	Loggerminer campaign
LuaPlug		Horde Panda targeting South Asian telecommunications provider
Lucifer	Botnet	Lucifer Botnet targeting Hadoop	Vulnerability exploitation Misconfigured Apache Hadoop abuse
Mallox ransomware		TargetCompany Abusing MSSQL Servers for Ransomware Hadooken Malware Targeting Weblogic Servers
Masscan	OffSecDual-use	SilentBob cryptomining campaign Docker Swarm and K8s cryptojacking campaign
Mauri ransomware	Ransomware	Mauri Ransomware Exploiting Apache ActiveMQ
Mélofée	Malware
Meson CDN		Meson Network cryptojacking campaign
Metasploit	OffSecDual-use	Andariel exploiting Apache ActiveMQ From code commit to production takeover
Meterpreter
MicroBurst	OffSecDual-use
Mimic ransomware	Ransomware	RE#TURGENCE MSSQL Server RansomOp Mimic used by Trigona operators	Password bruteforcing Vulnerability exploitation
Mimikatz	Dual-use	RE#TURGENCE MSSQL Server RansomOp Scattered Spider SaaS targeting (2024)DragonRank Targeting IIS Web Servers SharePoint Vulnerability Exploited in-the-Wild State-Sponsored APT Abuse Visual Studio Code in Attacks Storm-0501 attacking hybrid environments with ransomware
Mimipenguin	OffSecMalwareDual-use
Mimipy	OffSecDual-use
Mimo	Cryptominer	Mimo cryptomining campaign
Mimus	Ransomware	Mimo cryptomining campaign
Mineping		Panamorfi campaign
MiniNerbian		Magnet Goblin campaign (2024)
Mirai		Mirai campaign targeting Ivanti products Mirai Botnet Exploiting Apache OFBiz Vulnerability
MirrorStealer		Earth Kasha’s Campaign Exploiting Fortinet Vulnerability
Mispadu stealer	MalwareTrojanRATBackdoor	Windows SmartScreen vulnerability exploited by Mispadu trojan	Phishing Malvertising Misconfigured Wordpress abuse
MIZARU		EMERALDWHALE Attacks Targeting Exposed Git Config Files
Monero miner		Lucifer Botnet targeting Hadoop
Msupedge backdoor		Msupedge Backdoor Targeting Taiwanese University
Muhstik		Muhstik campaign
NerbianRAT		Magnet Goblin campaign (2024)
netcat	Dual-use	z0Miner targeting WebLogic servers K8s targeted via OpenMetadata exploitation
nevada	Ransomware
ngrok	OffSecDual-use	SilentBob cryptomining campaign ngrok cryptojacking campaign Earth Simnavaz (APT34) Targeting UAE and Gulf Regions
NHAS reverse_ssh	Reverse shell	Mimo cryptomining campaign
NoaBot	BotnetCryptominer		SSH propagation
NOOPDOOR		Earth Kasha’s Campaign Exploiting Fortinet Vulnerability
nuclei		CRYSTALRAY: threat actors exploiting OSS tools
NukeSped	RAT	Andariel exploiting Apache ActiveMQ
Onderon		Cyberoam breach (2018)
OracleIV	DDoSBotnet	OracleIV campaign
Pacu	OffSecDual-use	SilentBob cryptomining campaign SugarCRM as initial access to AWS envs
Peer2Profit	ProxyDual-use	Mimo cryptomining campaign EMERALDWHALE Attacks Targeting Exposed Git Config Files
Peirates	OffSecK8sDual-use	SilentBob cryptomining campaign TeamTNT campaigns
perfctl		perfctl campaign targeting Docker API perfctl Malware Targeting Linux
Platypus		CRYSTALRAY: threat actors exploiting OSS tools
PlugX		DragonRank Targeting IIS Web Servers
PMapper	ToolkitCloudDual-use
PowerZure	OffSecDual-use
PrintNotifyPotato		DragonRank Targeting IIS Web Servers
Prometei	Botnet	Prometei campaign
proot	OffSecDual-use
ProtonVPN		LLM Hijacking Targeting AWS
ProxyLite	CommercialDual-useProxy	Labrat GitLab campaign	Proxyjacking
PsExec	Dual-use	Agenda Ransomware Targets ESXi and vCenter Servers
PureCrypter		8220 Gang Exploiting WebLogic Vulnerabilities for Cryptojacking
pwnRig	Cryptominer
Pypikatz		Ransomware operators exploit ESXi vulnerability
PySoxy	OffSecProxyDual-use	Ivanti Connect Secure targeting campaign
Qakbot		Ransomware operators exploit ESXi vulnerability
Rakshasa		Earth Baku campaign
RansomEXX	Ransomware
rapeflake		Snowflake compromised creds abuse campaign
Rclone		Storm-0501 Targeting Hybrid Environments with Ransomware
Red-kube	OffSecK8sDual-use
Redigo		Redigo campaign
RedTail		RedTail Cryptomining campaign
Rekoobe	Malware	APT31 Rekoobe campaign
Remcos RAT		TargetCompany Abusing MSSQL Servers for Ransomware
Reptile	Rootkit	UNC3886 campaigns
RingQ loader		Silent Skimmer Attacks Exploiting Telerik UI to Steal Payment Data
ROADtoken	Cloud
ROADtools	OffSecDual-use	Peach Sandstorm targeting Azure
RomCom backdoor		RomCom exploiting Word vulnerability in campaign targeting government entities
RUDEDEVIL	Cryptominer	REF6138 campaign
S3 Browser		ShinyHunters Ransomware Targeting Cloud Environments
s3-account-search	OffSecDual-use
SASHEYAWAY		UNC1860 Attacks Targeting the Middle East
ScanBox Framework
ScoutSuite	OffSecDual-use	SugarCRM as initial access to AWS envs
ScreenConnect	Dual-use	Magnet Goblin campaign (2024)
SecureShell	Dual-use	Agenda Ransomware Targets ESXi and vCenter Servers
sedexp	Linux		Persistence via udev
ShellBot / PerlBot	Botnet	RUBYCARP: Botnet Exploiting Vulnerabilities for Crypto	Misconfigured SSH abuse
Shikitega	MalwareCryptominer
ShroudedSnooper
Siloscape	Malware	Siloscape campaign
Silver		CRYSTALRAY: threat actors exploiting OSS tools
SkidMap	CryptominerMalware	SkidMap targeting Redis
SkyArk	OffSecDual-use
Sliver	OffSecDual-use	From PHP exploitation to AWS lateral movement From PHP vuln to Sliver execution via cron Cloudflare incident following Okta breach Sliver deployment via Confluence vulnerability TeamTNT’s Docker Gatling Gun Campaign
Snapekit	LinuxRootkit
SneakCross		Earth Baku campaign
SNOWLIGHT		UNC5174 ScreenConnect and F5 BIG-IP exploitation
SNS Sender	ToolkitAttacker-side		SNS abuse for spam or phishing Smishing (SMS phishing)
SoftEther proxy	ProxyDual-use	Microsoft signing key compromise
SparkRAT		Widespread TeamCity exploitation (March ‘24)
sqlmap		State-Sponsored APT Abuse Visual Studio Code in Attacks
SRBMiner	Cryptominer
SSH-Snake	OffSecWormDual-use	SSH-Snake Confluence targeting campaign CRYSTALRAY: threat actors exploiting OSS tools
STAYSHANTE		UNC1860 Attacks Targeting the Middle East
StealthReacher		Earth Baku campaign
StealthVector		Earth Baku campaign
Stormspotter	OffSecToolkitCloudDual-use
Stratus Red Team	OffSecK8sCloudDual-use
Subfinder		Volkswagen data leak through Spring Boot Actuator misconfiguration
SUNBURST	Backdoor	Solarigate: Solarwinds supply chain attack
SUPERSHELL	BackdoorOffSec	UNC5174 ScreenConnect and F5 BIG-IP exploitation
SWEETCOLA
Sysrv	CryptominerBotnet
SystemBC		Ransomware operators exploit ESXi vulnerability
SysUpdate	Malware
Tailscale		Earth Baku campaign
TEARDROP	Dropper	Solarigate: Solarwinds supply chain attack
TellYouThePass ransomware	Ransomware	RCE Vulnerability in PHP CGI Exploited by TellYouThePass	Vulnerability exploitation
TEMPLEPLAY		UNC1860 Attacks Targeting the Middle East
THINSPOOL		Ivanti Connect Secure targeting campaign
TinyShell		Commando Cat campaign
tmate	OffSecDual-use	SilentBob cryptomining campaign
TMChecker	ToolkitAttacker-side		Password bruteforcing
Tor		Extortion Campaign Exploiting Exposed Environment Variable APT29 Targeting Zimbra and TeamCity Servers
Trigona	Ransomware	Trigona targeting MSSQL servers Mimic used by Trigona operators	Password bruteforcing Vulnerability exploitation
TruffleHog	OffSecDual-use
Tsunami	Backdoor	SilentBob cryptomining campaign Tsunami targeting Jenkins and Weblogic Hadooken Malware Targeting Weblogic Servers TeamTNT’s Docker Gatling Gun Campaign
unMiner	Cryptominer
VIROGREEN		UNC1860 Attacks Targeting the Middle East
WARPWIRE		Ivanti Connect Secure targeting campaign Magnet Goblin campaign (2024)
WinSCP		ShinyHunters Ransomware Targeting Cloud Environments
WIREFIRE		Ivanti Connect Secure targeting campaign
WireGuard		8220 Gang Exploiting WebLogic Vulnerabilities for Cryptojacking
WolfsBane		Gelsemium’s Shift to Linux Malware with WolfsBane and FireWood
XMRig	Cryptominer	SilentBob cryptomining campaign Apache server Cryptojacking with Cobalt Strike Dreambus campaign (2021)ScarletEel campaign (Feb ‘23)ScarletEel campaign (July ‘23)Denonia campaign Dreambus campaign (2023)9hits Docker campaign Mimo cryptomining campaign Commando Cat campaign ECS Fargate cryptojacking Migo cryptominer targeting Redis Lucifer Botnet targeting Hadoop Sliver deployment via Confluence vulnerability z0Miner targeting WebLogic servers Widespread TeamCity exploitation (March ‘24)RUBYCARP: Botnet Exploiting Vulnerabilities for Crypto Cryptojacking via Azure Batch Kinsing targeting cloud servers Mexals cryptojacking campaign RedTail Cryptomining campaign PG_MEM Malware Exploiting Misconfigured PostreSQL Instances Confluence exploited for cryptojacking perfctl Malware Targeting Linux Diicot Campaign Targeting Exposed SSH
XorDdos	BotnetDDoS
XZ Utils backdoor	Backdoor	XZ Utils backdoor incident
Zgrab	OffSecDual-use	SilentBob cryptomining campaign Docker Swarm and K8s cryptojacking campaign
ZIPLINE		Ivanti Connect Secure targeting campaign
zmap		CRYSTALRAY: threat actors exploiting OSS tools Diicot Campaign Targeting Exposed SSH