Cloud Threat Landscape
Tools

Tools observed in various incidents or known to be utilized against cloud environments

Each entry gives the tool name followed, where the catalogue records them, by its tags, the incidents it was observed in, and the techniques it is associated with. Fields are separated by " | " and multiple values within a field by ";".

4l4md4r loader and stager | Incidents: Mimo Targets Magento, Docker, and Cloud Environments
9hits | Tags: Commercial, Dual-use | Incidents: 9hits Docker campaign | Techniques: Proxyjacking
AADInternals | Incidents: Storm-0501 Deploys Cloud-Based Ransomware
ADRecon | Tags: Enumeration, Active Directory | Incidents: Scattered Spider SaaS targeting (2024)
AgentTesla | Tags: RAT | Incidents: 8220 Gang targeting WebLogic
Akira ransomware | Tags: Ransomware | Incidents: Veeam Vulnerability Exploited by Akira and Fog Ransomware; Akira Ransomware Targeting Critical Vulnerability in SonicWall SSLVPN
alamdar.so rootkit | Incidents: Mimo Targets Magento, Docker, and Cloud Environments
Albabat ransomware | Incidents: Albabat Ransomware Targets Windows, Linux, and macOS Using GitHub Infrastructure
AlienFox | Tags: Attacker-side, Toolkit | Incidents: AlienFox campaign
Amadey loader | Incidents: Amadey Loader Abuses Compromised Self-Hosted GitLab to Deliver StealC Infostealer
AndroxGh0st | Tags: Toolkit | Incidents: AndroxGh0st usage (2024); Mozi Botnet Using AndroxGh0st Toolkit to Target Cloud Environments
AntSword | Tags: Toolkit | Incidents: RedJuliett Exploiting VPN and Firewall Vulnerabilities
AnvilEcho powershell trojan | Tags: Trojan, Malware
AnyDesk | Tags: Commercial, Dual-use | Incidents: Peach Sandstorm targeting Azure; Magnet Goblin campaign (2024); TargetCompany Abusing MSSQL Servers for Ransomware; Storm-0501 Targeting Hybrid Environments with Ransomware; Unauthenticated Remote Access via Triofox Vulnerability Exploited by UNC6485; GeoServer RCE Exploited in CoinMiner Campaigns
AquaPurge | Incidents: China-nexus Campaign Exploits CVE-2025-20393 in Cisco Email Security Devices
AquaShell | Incidents: China-nexus Campaign Exploits CVE-2025-20393 in Cisco Email Security Devices
AquaTunnel | Incidents: China-nexus Campaign Exploits CVE-2025-20393 in Cisco Email Security Devices
ASN | Tags: OffSec, Dual-use | Incidents: CRYSTALRAY: threat actors exploiting OSS tools
ASPXSpy | Tags: Webshell | Incidents: DragonRank Targeting IIS Web Servers | Techniques: Webshell deployment
Atomic Red Team | Tags: OffSec, K8s, Attacker-side, Dual-use
Auto-Color malware | Incidents: Auto-Color Malware Exploits SAP Vulnerability for Linux Backdoor
AWS tools for PowerShell | Incidents: EC2 Grouper campaign
aws-ethereum-miner | Tags: Cryptominer, Cloud
AWSealion | Tags: OffSec, Toolkit, Attacker-side, Dual-use
AzCopy | Incidents: Storm-0501 Deploys Cloud-Based Ransomware
AzureChecker | Incidents: Password spray attack leads to containers being used for cryptomining
AzureHound | Tags: OffSec, Toolkit, Attacker-side, Cloud, Dual-use | Incidents: Peach Sandstorm targeting Azure; Storm-0501 Deploys Cloud-Based Ransomware
Babuk | Tags: Ransomware | Incidents: ESXiArgs ransomware campaign
BadIIS | Tags: Malware, Backdoor | Incidents: DragonRank Targeting IIS Web Servers
Behinder | Tags: Webshell | Incidents: RevivalStone Campaign by Winnti | Techniques: Webshell deployment; Reverse shell
BlackBasta ransomware | Tags: Ransomware | Incidents: Ransomware operators exploit ESXi vulnerability; Black Basta Exploiting Vulnerabilities in Multiple Products
BlackSmith toolkit | Tags: Toolkit
BlueShell | Tags: OffSec, Dual-use
Boto3 | Incidents: JavaGhost SES abuse
BPFDoor | Tags: Malware | Incidents: BPFDoor’s Hidden Controller Targets AMEA Sectors
BRICKSTEAL | Incidents: BRICKSTORM Espionage Backdoor Targeting U.S. Tech and Legal Sectors
BRICKSTORM backdoor | Incidents: BRICKSTORM Espionage Backdoor Targeting U.S. Tech and Legal Sectors
BRIGHTCREST | Tags: Malware
BRUSHFIRE | Incidents: Critical Ivanti Connect Secure Vulnerability Exploited by China-linked Actor
Brute Ratel | Incidents: SAP NetWeaver Visual Composer exploitation campaign
Buildkite Agent | Tags: Dual-use
BUSHWALK | Tags: Malware | Incidents: Ivanti Connect Secure targeting campaign
BypassBoss | Incidents: Earth Lamia Custom Toolkit Targets Multiple Sectors via Web Vulnerabilities
C3Bash | Tags: Cryptominer | Incidents: RUBYCARP: Botnet Exploiting Vulnerabilities for Crypto
C3Pool | Tags: Cryptominer | Incidents: C3Pool mining via Confluence vulnerability; Exposed Jupyter Notebooks Targeted for Cryptomining
C3RB3R Ransomware | Tags: Ransomware, Malware | Incidents: Confluence targeting by C3RB3R | Techniques: Vulnerability exploitation
CDK | Tags: OffSec, K8s, Dual-use | Techniques: Abusing exposed Docker socket; Exploiting host mount to escape to host
Cdorked | Tags: Backdoor, Linux | Incidents: Cdorked campaign
Cetus | Tags: Worm, Cryptominer | Incidents: Cetus campaign
CHAINLINE | Tags: Backdoor | Incidents: Ivanti Connect Secure targeting campaign
Chaos RAT | Tags: RAT
Cheerscrypt | Tags: Ransomware
China Chopper | Tags: Webshell | Incidents: Storm-0558 phishing campaigns; RedJuliett Exploiting VPN and Firewall Vulnerabilities; RevivalStone Campaign by Winnti; Weaver Ant data exfiltration campaign; Attacks on Korean IIS & Linux Servers
Chisel | Tags: Proxy | Incidents: From web app exploitation to Chisel tunneling; Seashell Blizzard Subgroup's Campaign Exploiting Vulnerabilities for Data Exfiltration; China-nexus Campaign Exploits CVE-2025-20393 in Cisco Email Security Devices
Cigril | Tags: Trojan | Incidents: Storm-0558 phishing campaigns | Techniques: DLL search order hijacking
Cl0p ransomware | Tags: Ransomware | Incidents: Cleo Vulnerabilities Targeted by Cl0p Ransomware; Cl0p Extortion Campaign Claims Theft via Oracle E-Business Suite
CloudBrute | Tags: OffSec, Cloud, Dual-use
CloudedHope | Incidents: Silk Typhoon Exploiting Trusted Relationships for Cloud Environments Compromise
CloudFox | Tags: OffSec, Attacker-side, Cloud, Dual-use
CloudSnooper | Tags: Rootkit | Incidents: Cyberoam breach (2018) | Techniques: In-band signaling
CloudSplaining | Tags: OffSec, Dual-use
CLR shell | Tags: Reverse shell, Malware | Incidents: Mimic used by Trigona operators
Cobalt Strike | Tags: OffSec, Dual-use | Incidents: Apache server Cryptojacking with Cobalt Strike; Widespread TeamCity exploitation (March ‘24); Agenda Ransomware Targets ESXi and vCenter Servers; Ransomware operators exploit ESXi vulnerability; Storm-0501 Targeting Hybrid Environments with Ransomware; Earth Kasha’s Campaign Exploiting Fortinet Vulnerability; Cleo Vulnerabilities Targeted by Cl0p Ransomware; PHP-CGI Vulnerability Exploited in Attacks Targeting Japan; Operation LongFang; Earth Lamia Custom Toolkit Targets Multiple Sectors via Web Vulnerabilities; UTG-Q-015 Exploits 0-Days for Espionage in Asia; UAT-7237 Targets Taiwanese Web Infrastructure Using Customized Open-Source Tools
CoinMiner | Incidents: GeoServer RCE Exploited in CoinMiner Campaigns
CoinStomp | Tags: Cryptominer | Incidents: CoinStomp campaign
CrackMapExec | Tags: OffSec, Dual-use | Incidents: Ivanti Connect Secure targeting campaign
CrazyHunter | Incidents: CrazyHunter Ransomware Group Targets Critical Sectors in Taiwan
CredMaster | Tags: Dual-use
CUNNINGPIGEON | Tags: Backdoor, Malware | Incidents: RevivalStone Campaign by Winnti
Dagon Locker | Tags: Ransomware | Techniques: Phishing
Dama | Tags: Webshell | Incidents: Dama webshell deployment via ThinkPHP exploitation
DarkMe | Tags: Malware, RAT | Incidents: Microsoft Smartscreen Vulnerability Exploited by Water Hydra
DCSync | Tags: Malware | Incidents: Campaign targeting exposed FortiGate firewall management interfaces
Ddostf | Tags: DDoS
DEATHLOTUS | Tags: Backdoor | Incidents: RevivalStone Campaign by Winnti
DEEPDATA | Tags: Malware, Windows | Incidents: BrazenBamboo Weaponizes FortiClient Vulnerability to Steal Credentials | Techniques: Credential theft
DEEPPOST | Tags: Malware | Incidents: BrazenBamboo Weaponizes FortiClient Vulnerability to Steal Credentials
Denonia | Tags: Cryptominer | Incidents: Denonia campaign | Techniques: Serverless execution
DeRF | Tags: Toolkit, OffSec, Cloud, Dual-use
DERO miner | Tags: Cryptominer | Incidents: Dero cryptojacking targeting K8s
devilzshell | Tags: Webshell | Incidents: RedJuliett Exploiting VPN and Firewall Vulnerabilities
Diamorphine rootkit | Tags: Rootkit | Incidents: Qubitstrike Crypto Mining and Rootkit Campaign
DinodasRAT | Tags: RAT
DragonForce ransomware | Incidents: DragonForce Exploits SimpleHelp Vulnerabilities in Ransomware Campaign
DripDropper | Incidents: DripDropper Malware Exploits Patched Apache ActiveMQ for Persistence on Cloud Linux Systems
DSLog | Tags: Backdoor | Incidents: Ivanti Connect Secure targeting campaign | Techniques: Vulnerability exploitation
EagleRelay | Tags: Proxy | Incidents: Peach Sandstorm targeting Azure
Ebury | Tags: Botnet | Incidents: Operation Windigo
emp3ror | Tags: Toolkit, Windows, Linux, Malware | Incidents: CRYSTALRAY: threat actors exploiting OSS tools
enum4Linux | Tags: OffSec, Dual-use | Incidents: Ivanti Connect Secure targeting campaign
enumerate-iam | Tags: Toolkit, OffSec, Cloud, Dual-use
Everything | Tags: Windows | Incidents: SharePoint Vulnerability Exploited in-the-Wild
Evil-WinRM | Incidents: Storm-0501 Deploys Cloud-Based Ransomware
FAKEUPDATES | Tags: Dropper | Incidents: UNC2165 Targets Hybrid Environments with Ransomware
FBot | Tags: Toolkit, Malware, Attacker-side | Incidents: FBot toolkit targets cloud environments
ffmpeg | Tags: Commercial | Incidents: Sports Piracy Exploiting Misconfigured Jupyter Servers
FireProx | Tags: Proxy, Cloud
FireWood | Tags: Backdoor, Linux, Rootkit | Incidents: Gelsemium’s Shift to Linux Malware with WolfsBane and FireWood
FleetDeck | Tags: Commercial | Incidents: Scattered Spider Abuses Cloud Management Agent
Flodrix botnet | Incidents: Langflow Vulnerability Exploited to Deliver Flodrix Botnet
Fog ransomware | Tags: Ransomware | Incidents: Veeam Vulnerability Exploited by Akira and Fog Ransomware
FRAMESTING | Tags: Webshell | Incidents: Ivanti Connect Secure targeting campaign
frp | Tags: Proxy | Incidents: z0Miner targeting WebLogic servers; Mauri Ransomware Exploiting Apache ActiveMQ
fscan | Tags: OffSec, Dual-use | Incidents: From WSO2 RCE to SSH lateral movement; Attacks on Korean IIS & Linux Servers
Fudmodule rootkit | Tags: Rootkit | Techniques: Bring Your Own Vulnerable Driver; Direct Kernel object manipulation
Fuso | Incidents: Silent Skimmer Attacks Exploiting Telerik UI to Steal Payment Data
Gafgyt botnet | Incidents: Gafgyt Malware Targeting Cloud Environments; Gafgyt Malware Targeting Misconfigured Docker Servers
Gato | Tags: Toolkit, CI/CD, Dual-use | Techniques: CI/CD system enumeration
Gelsevirine
Gh0st RAT | Tags: Malware, RAT | Incidents: Apache server Cryptojacking with Cobalt Strike; Cyberoam breach (2018); Larva-25003: IIS Native Module Malware Used in Targeted Web Server Attacks
Gh0stCringe | Tags: Malware
Ghost | Incidents: UTG-Q-015 Exploits 0-Days for Espionage in Asia
ghostfile93.aspx webshell | Incidents: SharePoint Vulnerability Exploited in-the-Wild
git-dumper | Incidents: EMERALDWHALE Attacks Targeting Exposed Git Config Files
Glutton backdoor | Incidents: PHP Targeted with Glutton backdoor
GMiner | Tags: Cryptominer
GoBruteforcer | Tags: Botnet | Incidents: GoBruteforcer campaign | Techniques: Password bruteforcing
GoBuster | Incidents: Volkswagen data leak through Spring Boot Actuator misconfiguration
GodPotato | Incidents: DragonRank Targeting IIS Web Servers; Earth Lamia Custom Toolkit Targets Multiple Sectors via Web Vulnerabilities
Godzilla | Tags: Webshell | Incidents: From WSO2 RCE to SSH lateral movement; From ActiveMQ to Godzilla webshell; RedJuliett Exploiting VPN and Firewall Vulnerabilities; Earth Baku campaign; Godzilla Backdoor Exploiting Confluence Vulnerability; DragonRank Targeting IIS Web Servers; Code Injection Attacks Exploiting Publicly Disclosed ASP.NET Keys; Attacks on Korean IIS & Linux Servers; IIS Backdoor Exploiting Exposed ASP.NET Machine Keys
GOHEAVY | Incidents: UNC5174 ScreenConnect and F5 BIG-IP exploitation
GooseEgg | Incidents: APT28 Targeting Print Spooler Vulnerability for GooseEgg Deployment
GOREVERSE | Incidents: UNC5174 Exploits Ivanti CSA Zero-Days in “Houken” Campaign
GoTitan | Tags: Botnet | Incidents: GoTitan ActiveMQ campaign
Graboid | Tags: Worm, Cryptominer | Incidents: Graboid campaign
GreenBot | Tags: Toolkit, Attacker-side
Gsocket | Tags: OffSec, Dual-use | Incidents: SilentBob cryptomining campaign; Labrat GitLab campaign; Campaign targeting Selenium Grid for cryptomining; REF6138 campaign
HeadCrab | Incidents: HeadCrab campaign
Heaven’s Gate | Incidents: SAP NetWeaver Visual Composer exploitation campaign
HiddenShovel | Tags: Cryptominer | Techniques: Bring Your Own Vulnerable Driver
HijackDriverManager | Incidents: Larva-25003: IIS Native Module Malware Used in Targeted Web Server Attacks
Hildegard | Tags: Cryptominer | Incidents: TeamTNT campaigns
HinataBot | Tags: DDoS, Botnet
Hive | Tags: Ransomware
Horoung Antivirus | Incidents: SharePoint Vulnerability Exploited in-the-Wild
HubSpot Free Form Builder | Incidents: Phishing campaign leading to Azure account takeover
IceFire | Tags: Ransomware | Incidents: IceFire Aspera Faspex campaign
Impacket | Tags: OffSec, Dual-use | Incidents: Ivanti Connect Secure targeting campaign; Scattered Spider SaaS targeting (2024); SharePoint Vulnerability Exploited in-the-Wild; Storm-0501 Deploys Cloud-Based Ransomware
Infection Monkey | Tags: OffSec, Toolkit, Dual-use
INMemory webshell | Incidents: Weaver Ant data exfiltration campaign
iodine | Tags: OffSec, Dual-use | Incidents: Ivanti Connect Secure targeting campaign
IPRoyal | Tags: Commercial, Dual-use, Proxy | Incidents: Labrat GitLab campaign; Campaign targeting Selenium Grid for cryptomining; Mimo Exploits Craft CMS RCE to Deploy Cryptominer and Proxyware in Coordinated Campaign | Techniques: Proxyjacking
Jasmin | Incidents: Widespread TeamCity exploitation (March ‘24)
JSFuck | Incidents: JSFireTruck: Malicious JavaScript Campaign Using Obfuscation
JuicyPotato | Incidents: Earth Lamia Custom Toolkit Targets Multiple Sectors via Web Vulnerabilities; UAT-7237 Targets Taiwanese Web Infrastructure Using Customized Open-Source Tools
KAIJI | Tags: DDoS | Incidents: REF6138 campaign
kerbrute | Incidents: SharePoint Vulnerability Exploited in-the-Wild
KeyChecker | Tags: Cloud
KEYPLUG | Incidents: Horde Panda targeting South Asian telecommunications provider
Kinsing | Incidents: Kinsing campaigns (2020)
Krasue | Tags: RAT | Incidents: Krasue Thailand campaign
kube-hunter | Tags: OffSec, K8s, Dual-use
kubescape | Tags: K8s, OffSec, Dual-use
Kubesploit | Tags: OffSec, K8s, Dual-use
Kubestroyer | Tags: OffSec, K8s, Dual-use
Kunpeng | Tags: OffSec, Dual-use | Incidents: Abcbot Huawei Cloud targeting campaign
LaZagne | Tags: OffSec, Malware
Legion | Tags: Toolkit, Attacker-side
Leonidas | Tags: OffSec, Toolkit, Cloud, Dual-use
LIGHTSPY | Incidents: BrazenBamboo Weaponizes FortiClient Vulnerability to Steal Credentials
LIGHTWIRE | Incidents: Ivanti Connect Secure targeting campaign
Ligolo | Incidents: Magnet Goblin campaign (2024)
Line Dancer | Tags: Malware, RAT, Reverse shell | Incidents: ArcaneDoor Campaign Targeting Cisco Adaptive Security Appliance 0day | Techniques: Disable logging; Exfiltration via AWS Transfer
Line Runner | Tags: Malware, Backdoor | Incidents: ArcaneDoor Campaign Targeting Cisco Adaptive Security Appliance 0day
LINE VIPER | Incidents: Renewed "ArcaneDoor" Campaign Targeting 0-day Vulnerabilities in Cisco ASA
LinkPro | Incidents: eBPF Rootkit Targeting AWS and Linux Environments
linPEAS | Tags: OffSec, Dual-use | Incidents: Use of linPEAS for cloud enumeration
Linux Exploit Suggester | Tags: OffSec, Dual-use
Linuxsys coinminer | Incidents: Linuxsys Cryptominer Campaign
LocalOlive shell | Incidents: Seashell Blizzard Subgroup's Campaign Exploiting Vulnerabilities for Data Exfiltration
LockBit | Tags: Ransomware
LODEINFO | Incidents: Earth Kasha’s Campaign Exploiting Fortinet Vulnerability
Loggerminer | Tags: Cryptominer | Incidents: Loggerminer campaign
LokiLocker | Incidents: TRIPLESTRENGTH: Cloud Account Hijacking and Cryptocurrency Mining via Stolen Credentials
LuaPlug | Incidents: Horde Panda targeting South Asian telecommunications provider
Lucifer | Tags: Botnet | Incidents: Lucifer Botnet targeting Hadoop | Techniques: Vulnerability exploitation; Misconfigured Apache Hadoop abuse
Mallox ransomware | Incidents: TargetCompany Abusing MSSQL Servers for Ransomware; Hadooken Malware Targeting Weblogic Servers
Masscan | Tags: OffSec, Dual-use | Incidents: SilentBob cryptomining campaign; Docker Swarm and K8s cryptojacking campaign
Mauri ransomware | Tags: Ransomware | Incidents: Mauri Ransomware Exploiting Apache ActiveMQ
Mélofée | Tags: Malware
Meson CDN | Incidents: Meson Network cryptojacking campaign
Metasploit | Tags: OffSec, Dual-use | Incidents: Andariel exploiting Apache ActiveMQ; From code commit to production takeover
Meterpreter
MicroBurst | Tags: OffSec, Dual-use
Mimic ransomware | Tags: Ransomware | Incidents: RE#TURGENCE MSSQL Server RansomOp; Mimic used by Trigona operators | Techniques: Password bruteforcing; Vulnerability exploitation
Mimikatz | Tags: Dual-use | Incidents: RE#TURGENCE MSSQL Server RansomOp; Scattered Spider SaaS targeting (2024); DragonRank Targeting IIS Web Servers; SharePoint Vulnerability Exploited in-the-Wild; State-Sponsored APT Abuse Visual Studio Code in Attacks; Storm-0501 attacking hybrid environments with ransomware; PHP-CGI Vulnerability Exploited in Attacks Targeting Japan; Operation LongFang; UAT-7237 Targets Taiwanese Web Infrastructure Using Customized Open-Source Tools; Warlock Ransomware Exploiting Sharepoint Vulnerabilities; IIS Backdoor Exploiting Exposed ASP.NET Machine Keys
Mimipenguin | Tags: OffSec, Malware, Dual-use
Mimipy | Tags: OffSec, Dual-use
Mimo | Tags: Cryptominer | Incidents: Mimo cryptomining campaign; Mimo Exploits Craft CMS RCE to Deploy Cryptominer and Proxyware in Coordinated Campaign
Mimus | Tags: Ransomware | Incidents: Mimo cryptomining campaign
Mineping | Incidents: Panamorfi campaign
MiniNerbian | Incidents: Magnet Goblin campaign (2024)
Mirai | Incidents: Mirai campaign targeting Ivanti products; Mirai Botnet Exploiting Apache OFBiz Vulnerability
MirrorStealer | Incidents: Earth Kasha’s Campaign Exploiting Fortinet Vulnerability
Mispadu stealer | Tags: Malware, Trojan, RAT, Backdoor | Incidents: Windows SmartScreen vulnerability exploited by Mispadu trojan | Techniques: Phishing; Malvertising; Misconfigured Wordpress abuse
MIZARU | Incidents: EMERALDWHALE Attacks Targeting Exposed Git Config Files
Monero miner | Incidents: Lucifer Botnet targeting Hadoop
Msupedge backdoor | Incidents: Msupedge Backdoor Targeting Taiwanese University
Muhstik | Incidents: Muhstik campaign
Neo-reGeorg | Incidents: UNC5174 Exploits Ivanti CSA Zero-Days in “Houken” Campaign; Silk Typhoon Exploiting Trusted Relationships for Cloud Environments Compromise
NerbianRAT | Incidents: Magnet Goblin campaign (2024)
netcat | Tags: Dual-use | Incidents: z0Miner targeting WebLogic servers; K8s targeted via OpenMetadata exploitation
NeuralExecutor | Incidents: PassiveNeuron Campaign: Espionage Campaign Targeting Windows Server Environments
Neursite | Incidents: PassiveNeuron Campaign: Espionage Campaign Targeting Windows Server Environments
nevada | Tags: Ransomware
ngrok | Tags: OffSec, Dual-use | Incidents: SilentBob cryptomining campaign; ngrok cryptojacking campaign; Earth Simnavaz (APT34) Targeting UAE and Gulf Regions
NHAS reverse_ssh | Tags: Reverse shell | Incidents: Mimo cryptomining campaign
NoaBot | Tags: Botnet, Cryptominer | Techniques: SSH propagation
NOOPDOOR | Incidents: Earth Kasha’s Campaign Exploiting Fortinet Vulnerability
nuclei | Incidents: CRYSTALRAY: threat actors exploiting OSS tools
NukeSped | Tags: RAT | Incidents: Andariel exploiting Apache ActiveMQ
Onderon | Incidents: Cyberoam breach (2018)
OracleIV | Tags: DDoS, Botnet | Incidents: OracleIV campaign
Outlaw malware | Tags: Cryptominer | Techniques: SSH bruteforcing; UPX packing
Pacu | Tags: OffSec, Dual-use | Incidents: SilentBob cryptomining campaign; SugarCRM as initial access to AWS envs
Peer2Profit | Tags: Proxy, Dual-use | Incidents: Mimo cryptomining campaign; EMERALDWHALE Attacks Targeting Exposed Git Config Files
Peirates | Tags: OffSec, K8s, Dual-use | Incidents: SilentBob cryptomining campaign; TeamTNT campaigns
perfctl | Incidents: perfctl campaign targeting Docker API; perfctl Malware Targeting Linux
Phobos | Incidents: TRIPLESTRENGTH: Cloud Account Hijacking and Cryptocurrency Mining via Stolen Credentials
Plague backdoor | Incidents: Plague PAM-Based Backdoor for Linux
Platypus | Incidents: CRYSTALRAY: threat actors exploiting OSS tools
PlugX | Incidents: DragonRank Targeting IIS Web Servers
PMapper | Tags: Toolkit, Cloud, Dual-use
PowerZure | Tags: OffSec, Dual-use
Prince ransomware | Incidents: CrazyHunter Ransomware Group Targets Critical Sectors in Taiwan
PrintNotifyPotato | Incidents: DragonRank Targeting IIS Web Servers
PRIVATELOG | Incidents: RevivalStone Campaign by Winnti
Prometei | Tags: Botnet | Incidents: Prometei campaign
proot | Tags: OffSec, Dual-use
ProtonVPN | Incidents: LLM Hijacking Targeting AWS
ProxyLite | Tags: Commercial, Dual-use, Proxy | Incidents: Labrat GitLab campaign | Techniques: Proxyjacking
PsExec | Tags: Dual-use | Incidents: Agenda Ransomware Targets ESXi and vCenter Servers
PureCrypter | Incidents: 8220 Gang Exploiting WebLogic Vulnerabilities for Cryptojacking
pwnRig | Tags: Cryptominer
Pypikatz | Incidents: Ransomware operators exploit ESXi vulnerability
PySoxy | Tags: OffSec, Proxy, Dual-use | Incidents: Ivanti Connect Secure targeting campaign
Qakbot | Incidents: Ransomware operators exploit ESXi vulnerability
Raccoon stealer | Incidents: TRIPLESTRENGTH: Cloud Account Hijacking and Cryptocurrency Mining via Stolen Credentials
Rakshasa | Incidents: Earth Baku campaign
RansomEXX | Tags: Ransomware
RANSOMHUB | Incidents: UNC2165 Targets Hybrid Environments with Ransomware
rapeflake | Incidents: Snowflake compromised creds abuse campaign
RayInitiator | Incidents: Renewed "ArcaneDoor" Campaign Targeting 0-day Vulnerabilities in Cisco ASA
Rclone | Incidents: Storm-0501 Targeting Hybrid Environments with Ransomware
RCRU64 | Incidents: TRIPLESTRENGTH: Cloud Account Hijacking and Cryptocurrency Mining via Stolen Credentials
Red-kube | Tags: OffSec, K8s, Dual-use
Redigo | Incidents: Redigo campaign
RedTail | Incidents: RedTail Cryptomining campaign
Rekoobe | Tags: Malware | Incidents: APT31 Rekoobe campaign
Remcos RAT | Incidents: TargetCompany Abusing MSSQL Servers for Ransomware
Reptile | Tags: Rootkit | Incidents: UNC3886 campaigns
Rigel | Incidents: Cryptomining Campaign Exploiting Exposed Ray AI Infrastructure
RingQ loader | Incidents: Silent Skimmer Attacks Exploiting Telerik UI to Steal Payment Data
ROADtoken | Tags: Cloud
ROADtools | Tags: OffSec, Dual-use | Incidents: Peach Sandstorm targeting Azure
RomCom backdoor | Incidents: RomCom exploiting Word vulnerability in campaign targeting government entities
rsockstun | Incidents: Seashell Blizzard Subgroup's Campaign Exploiting Vulnerabilities for Data Exfiltration
RUDEDEVIL | Tags: Cryptominer | Incidents: REF6138 campaign
S3 Browser | Incidents: ShinyHunters Ransomware Targeting Cloud Environments
s3-account-search | Tags: OffSec, Dual-use
SASHEYAWAY | Incidents: UNC1860 Attacks Targeting the Middle East
ScanBox Framework
ScoutSuite | Tags: OffSec, Dual-use | Incidents: SugarCRM as initial access to AWS envs
ScreenConnect | Tags: Dual-use | Incidents: Magnet Goblin campaign (2024)
SecureShell | Tags: Dual-use | Incidents: Agenda Ransomware Targets ESXi and vCenter Servers
sedexp | Tags: Linux | Techniques: Persistence via udev
SHADOWGAZE | Incidents: RevivalStone Campaign by Winnti
SharpWMI | Incidents: UAT-7237 Targets Taiwanese Web Infrastructure Using Customized Open-Source Tools
ShellBot / PerlBot | Tags: Botnet | Incidents: RUBYCARP: Botnet Exploiting Vulnerabilities for Crypto | Techniques: Misconfigured SSH abuse
Shikitega | Tags: Malware, Cryptominer
ShroudedSnooper
Siloscape | Tags: Malware | Incidents: Siloscape campaign
Silver | Incidents: CRYSTALRAY: threat actors exploiting OSS tools
SkidMap | Tags: Cryptominer, Malware | Incidents: SkidMap targeting Redis
SkyArk | Tags: OffSec, Dual-use
Sliver | Tags: OffSec, Dual-use | Incidents: From PHP exploitation to AWS lateral movement; From PHP vuln to Sliver execution via cron; Cloudflare incident following Okta breach; Sliver deployment via Confluence vulnerability; TeamTNT’s Docker Gatling Gun Campaign; UNC5174 Linux Espionage Campaign; Ivanti EPMM RCE Vulnerability Chain Exploited in the Wild; DripDropper Malware Exploits Patched Apache ActiveMQ for Persistence on Cloud Linux Systems; TeamPCP Cloud-Native Campaign Targeting Exposed Control Planes
Snapekit | Tags: Linux, Rootkit
SneakCross | Incidents: Earth Baku campaign
SNOWLIGHT | Incidents: UNC5174 ScreenConnect and F5 BIG-IP exploitation; UNC5174 Linux Espionage Campaign
SNS Sender | Tags: Toolkit, Attacker-side | Techniques: SNS abuse for spam or phishing; Smishing (SMS phishing)
sockstress | Incidents: Cryptomining Campaign Exploiting Exposed Ray AI Infrastructure
SoftEther proxy | Tags: Proxy, Dual-use | Incidents: Microsoft signing key compromise; UAT-7237 Targets Taiwanese Web Infrastructure Using Customized Open-Source Tools
SoundBill | Incidents: UAT-7237 Targets Taiwanese Web Infrastructure Using Customized Open-Source Tools
SparkRAT | Incidents: Widespread TeamCity exploitation (March ‘24)
SPAWNSLOTH | Incidents: Critical Ivanti Connect Secure Vulnerability Exploited by China-linked Actor
SPAWNSNARE | Incidents: Critical Ivanti Connect Secure Vulnerability Exploited by China-linked Actor
SPAWNWAVE | Incidents: Critical Ivanti Connect Secure Vulnerability Exploited by China-linked Actor
spinstall0 webshell | Incidents: 0day Vulnerability in Microsoft Sharepoint Exploited in-the-Wild
sqlmap | Incidents: State-Sponsored APT Abuse Visual Studio Code in Attacks
SRBMiner | Tags: Cryptominer
SSH-Snake | Tags: OffSec, Worm, Dual-use | Incidents: SSH-Snake Confluence targeting campaign; CRYSTALRAY: threat actors exploiting OSS tools
STAYSHANTE | Incidents: UNC1860 Attacks Targeting the Middle East
StealC | Incidents: Amadey Loader Abuses Compromised Self-Hosted GitLab to Deliver StealC Infostealer
StealthReacher | Incidents: Earth Baku campaign
StealthVector | Incidents: Earth Baku campaign
Stormspotter | Tags: OffSec, Toolkit, Cloud, Dual-use
Stratus Red Team | Tags: OffSec, K8s, Cloud, Dual-use
Subfinder | Incidents: Volkswagen data leak through Spring Boot Actuator misconfiguration
SUNBURST | Tags: Backdoor | Incidents: Solarigate: Solarwinds supply chain attack
SUPERSHELL | Tags: Backdoor, OffSec | Incidents: UNC5174 ScreenConnect and F5 BIG-IP exploitation; Attacks on Korean IIS & Linux Servers; Auto-Color Malware Exploits SAP Vulnerability for Linux Backdoor

Made with 💙 by Wiz

Last Updated: April 3, 2025