Cloud Threat Landscape
Tools
Tools

Tools

Tools observed in various incidents or known to be utilized against cloud environments

All Tools

4 views

All Tools

Cryptominers

Ransomware

Toolkits

Name
Tags
Incidents
Techniques
CommercialDual-use
9hits Docker campaign
Proxyjacking
EnumerationActive Directory
Scattered Spider SaaS targeting (2024)
RAT
8820 Gang targeting WebLogic
Ransomware
Veeam Vulnerability Exploited by Akira and Fog Ransomware
Attacker-sideToolkit
AlienFox campaign
Toolkit
AndroxGh0st usage (2024)Mozi Botnet Using AndroxGh0st Toolkit to Target Cloud Environments
Toolkit
RedJuliett Exploiting VPN and Firewall Vulnerabilities
TrojanMalware
CommercialDual-use
Peach Sandstorm targeting AzureMagnet Goblin campaign (2024)TargetCompany Abusing MSSQL Servers for RansomwareStorm-0501 Targeting Hybrid Environments with Ransomware
OffSecDual-use
CRYSTALRAY: threat actors exploiting OSS tools
Webshell
DragonRank Targeting IIS Web Servers
Webshell deployment
OffSecK8sAttacker-sideDual-use
EC2 Grouper campaign
CryptominerCloud
OffSecToolkitAttacker-sideDual-use
OffSecToolkitAttacker-sideCloudDual-use
Peach Sandstorm targeting Azure
Ransomware
ESXiArgs ransomware campaign
MalwareBackdoor
DragonRank Targeting IIS Web Servers
Webshell
RevivalStone Campaign by Winnti
Webshell deploymentReverse shell
Ransomware
Ransomware operators exploit ESXi vulnerabilityBlack Basta Exploiting Vulnerabilities in Multiple Products
Toolkit
OffSecDual-use
JavaGhost SES abuse
Malware
Malware
Dual-use
Malware
Ivanti Connect Secure targeting campaign
Cryptominer
RUBYCARP: Botnet Exploiting Vulnerabilities for Crypto
Cryptominer
C3Pool mining via Confluence vulnerabilityExposed Jupyter Notebooks Targeted for Cryptomining
RansomwareMalware
Confluence targeting by C3RB3R
Vulnerability exploitation
OffSecK8sDual-use
Abusing exposed Docker socketExploiting host mount to escape to host
BackdoorLinux
Cdorked campaign
WormCryptominer
Cetus campaign
Backdoor
Ivanti Connect Secure targeting campaign
RAT
Ransomware
Webshell
Storm-0558 phishing campaignsRedJuliett Exploiting VPN and Firewall VulnerabilitiesRevivalStone Campaign by Winnti
Proxy
From web app exploitation to Chisel tunnelingSeashell Blizzard Subgroup's Campaign Exploiting Vulnerabilities for Data Exfiltration
Trojan
Storm-0558 phishing campaigns
DLL search order hijacking
Ransomware
Cleo Vulnerabilities Targeted by Cl0p Ransomware
OffSecCloudDual-use
OffSecAttacker-sideCloudDual-use
Rootkit
Cyberoam breach (2018)
In-band signaling
OffSecDual-use
Reverse shellMalware
Mimic used by Trigona operators
OffSecDual-use
Apache server Cryptojacking with Cobalt StrikeWidespread TeamCity exploitation (March ‘24)Agenda Ransomware Targets ESXi and vCenter ServersRansomware operators exploit ESXi vulnerabilityStorm-0501 Targeting Hybrid Environments with RansomwareEarth Kasha’s Campaign Exploiting Fortinet VulnerabilityCleo Vulnerabilities Targeted by Cl0p RansomwarePHP-CGI Vulnerability Exploited in Attacks Targeting JapanOperation LongFang
Cryptominer
CoinStomp campaign
OffSecDual-use
Ivanti Connect Secure targeting campaign
Dual-use
BackdoorMalware
RevivalStone Campaign by Winnti
Ransomware
Phishing
Webshell
Dama webshell deployment via ThinkPHP exploitation
MalwareRAT
Microsoft Smartscreen Vulnerability Exploited by Water Hydra
Malware
Campaign targeting exposed FortiGate firewall management interfaces
DDoS
Backdoor
RevivalStone Campaign by Winnti
MalwareWindows
BrazenBamboo Weaponizes FortiClient Vulnerability to Steal Credentials
Credential theft
Malware
BrazenBamboo Weaponizes FortiClient Vulnerability to Steal Credentials
Cryptominer
Denonia campaign
Serverless execution
ToolkitOffSecCloudDual-use
Cryptominer
Dero cryptojacking targeting K8s
Webshell
RedJuliett Exploiting VPN and Firewall Vulnerabilities
Rootkit
Qubitstrike Crypto Mining and Rootkit Campaign
RAT
Backdoor
Ivanti Connect Secure targeting campaign
Vulnerability exploitation
Proxy
Peach Sandstorm targeting Azure
Botnet
Operation Windigo
ToolkitWindowsLinuxMalware
CRYSTALRAY: threat actors exploiting OSS tools
OffSecDual-use
Ivanti Connect Secure targeting campaign
ToolkitOffSecCloudDual-use
Windows
SharePoint Vulnerability Exploited in-the-Wild
Dropper
UNC2165 Targets Hybrid Environments with Ransomware
ToolkitMalwareAttacker-side
FBot toolkit targets cloud environments
Commercial
Sports Piracy Exploiting Misconfigured Jupyter Servers
ProxyCloud
BackdoorLinuxRootkit
Gelsemium’s Shift to Linux Malware with WolfsBane and FireWood
Commercial
Scattered Spider Abuses Cloud Management Agent
Ransomware
Veeam Vulnerability Exploited by Akira and Fog Ransomware
Webshell
Ivanti Connect Secure targeting campaign
Proxy
z0Miner targeting WebLogic serversMauri Ransomware Exploiting Apache ActiveMQ
OffSecDual-use
From WSO2 RCE to SSH lateral movement
Rootkit
Bring Your Own Vulnerable DriverDirect Kernel object manipulation
Silent Skimmer Attacks Exploiting Telerik UI to Steal Payment Data
Gafgyt Malware Targeting Cloud EnvironmentsGafgyt Malware Targeting Misconfigured Docker Servers
ToolkitCI/CDDual-use
CI/CD system enumeration
MalwareRAT
Apache server Cryptojacking with Cobalt StrikeCyberoam breach (2018)
Malware
SharePoint Vulnerability Exploited in-the-Wild
EMERALDWHALE Attacks Targeting Exposed Git Config Files
PHP Targeted with Glutton backdoor
Cryptominer
Botnet
GoBruteforcer campaign
Password bruteforcing
Volkswagen data leak through Spring Boot Actuator misconfiguration
DragonRank Targeting IIS Web Servers
Webshell
From WSO2 RCE to SSH lateral movementFrom ActiveMQ to Godzilla webshellRedJuliett Exploiting VPN and Firewall VulnerabilitiesEarth Baku campaignGodzilla Backdoor Exploiting Confluence VulnerabilityDragonRank Targeting IIS Web ServersCode Injection Attacks Exploiting Publicly Disclosed ASP.NET Keys
UNC5174 ScreenConnect and F5 BIG-IP exploitation
APT28 Targeting Print Spooler Vulnerability for GooseEgg Deployment
Botnet
GoTitan ActiveMQ campaign
WormCryptominer
Graboid campaign
ToolkitAttacker-side
OffSecDual-use
SilentBob cryptomining campaignLabrat GitLab campaignCampaign targeting Selenium Grid for cryptominingREF6138 campaign
HeadCrab campaign
Cryptominer
Bring Your Own Vulnerable Driver
Cryptominer
TeamTNT campaigns
DDoSBotnet
Ransomware
SharePoint Vulnerability Exploited in-the-Wild
Phishing campaign leading to Azure account takeover
Ransomware
IceFire Aspera Faspex campaign
OffSecDual-use
Ivanti Connect Secure targeting campaignScattered Spider SaaS targeting (2024)SharePoint Vulnerability Exploited in-the-Wild
OffSecToolkitDual-use
OffSecDual-use
Ivanti Connect Secure targeting campaign
CommercialDual-useProxy
Labrat GitLab campaignCampaign targeting Selenium Grid for cryptomining
Proxyjacking
Widespread TeamCity exploitation (March ‘24)
DDoS
REF6138 campaign
SharePoint Vulnerability Exploited in-the-Wild
Cloud
Horde Panda targeting South Asian telecommunications provider
Kinsing campaigns (2020)
RAT
Krasue Thailand campaign
OffSecK8sDual-use
K8sOffSecDual-use
OffSecK8sDual-use
OffSecK8sDual-use
OffSecDual-use
Abcbot Huawei Cloud targeting campaign
OffSecMalware
ToolkitAttacker-side
OffSecToolkitCloudDual-use
BrazenBamboo Weaponizes FortiClient Vulnerability to Steal Credentials
Ivanti Connect Secure targeting campaign
Magnet Goblin campaign (2024)
MalwareRATReverse shell
ArcaneDoor Campaign Targeting Cisco Adaptive Security Appliance 0day
Disable loggingExfiltration via AWS Transfer
MalwareBackdoor
ArcaneDoor Campaign Targeting Cisco Adaptive Security Appliance 0day
OffSecDual-use
Use of linPEAS for cloud enumeration
OffSecDual-use
Seashell Blizzard Subgroup's Campaign Exploiting Vulnerabilities for Data Exfiltration
Ransomware
Earth Kasha’s Campaign Exploiting Fortinet Vulnerability
Cryptominer
Loggerminer campaign
TRIPLESTRENGTH: Cloud Account Hijacking and Cryptocurrency Mining via Stolen Credentials
Horde Panda targeting South Asian telecommunications provider
Botnet
Lucifer Botnet targeting Hadoop
Vulnerability exploitationMisconfigured Apache Hadoop abuse
TargetCompany Abusing MSSQL Servers for RansomwareHadooken Malware Targeting Weblogic Servers
OffSecDual-use
SilentBob cryptomining campaignDocker Swarm and K8s cryptojacking campaign
Ransomware
Mauri Ransomware Exploiting Apache ActiveMQ
Malware
Meson Network cryptojacking campaign
OffSecDual-use
Andariel exploiting Apache ActiveMQFrom code commit to production takeover
OffSecDual-use
Ransomware
RE#TURGENCE MSSQL Server RansomOpMimic used by Trigona operators
Password bruteforcingVulnerability exploitation
Dual-use
RE#TURGENCE MSSQL Server RansomOpScattered Spider SaaS targeting (2024)DragonRank Targeting IIS Web ServersSharePoint Vulnerability Exploited in-the-WildState-Sponsored APT Abuse Visual Studio Code in AttacksStorm-0501 attacking hybrid environments with ransomwarePHP-CGI Vulnerability Exploited in Attacks Targeting JapanOperation LongFang
OffSecMalwareDual-use
OffSecDual-use
Cryptominer
Mimo cryptomining campaign
Ransomware
Mimo cryptomining campaign
Panamorfi campaign
Magnet Goblin campaign (2024)
Mirai campaign targeting Ivanti productsMirai Botnet Exploiting Apache OFBiz Vulnerability
Earth Kasha’s Campaign Exploiting Fortinet Vulnerability
MalwareTrojanRATBackdoor
Windows SmartScreen vulnerability exploited by Mispadu trojan
PhishingMalvertisingMisconfigured Wordpress abuse
EMERALDWHALE Attacks Targeting Exposed Git Config Files
Lucifer Botnet targeting Hadoop
Msupedge Backdoor Targeting Taiwanese University
Muhstik campaign
Magnet Goblin campaign (2024)
Dual-use
z0Miner targeting WebLogic serversK8s targeted via OpenMetadata exploitation
Ransomware
OffSecDual-use
SilentBob cryptomining campaignngrok cryptojacking campaignEarth Simnavaz (APT34) Targeting UAE and Gulf Regions
Reverse shell
Mimo cryptomining campaign
BotnetCryptominer
SSH propagation
Earth Kasha’s Campaign Exploiting Fortinet Vulnerability
CRYSTALRAY: threat actors exploiting OSS tools
RAT
Andariel exploiting Apache ActiveMQ
Cyberoam breach (2018)
DDoSBotnet
OracleIV campaign
OffSecDual-use
SilentBob cryptomining campaignSugarCRM as initial access to AWS envs
ProxyDual-use
Mimo cryptomining campaignEMERALDWHALE Attacks Targeting Exposed Git Config Files
OffSecK8sDual-use
SilentBob cryptomining campaignTeamTNT campaigns
perfctl campaign targeting Docker APIperfctl Malware Targeting Linux
TRIPLESTRENGTH: Cloud Account Hijacking and Cryptocurrency Mining via Stolen Credentials
CRYSTALRAY: threat actors exploiting OSS tools
DragonRank Targeting IIS Web Servers
ToolkitCloudDual-use
OffSecDual-use
DragonRank Targeting IIS Web Servers
RevivalStone Campaign by Winnti
Botnet
Prometei campaign
OffSecDual-use
LLM Hijacking Targeting AWS
CommercialDual-useProxy
Labrat GitLab campaign
Proxyjacking
Dual-use
Agenda Ransomware Targets ESXi and vCenter Servers
8220 Gang Exploiting WebLogic Vulnerabilities for Cryptojacking
Cryptominer
Ransomware operators exploit ESXi vulnerability
OffSecProxyDual-use
Ivanti Connect Secure targeting campaign
Ransomware operators exploit ESXi vulnerability
TRIPLESTRENGTH: Cloud Account Hijacking and Cryptocurrency Mining via Stolen Credentials
Earth Baku campaign
Ransomware
UNC2165 Targets Hybrid Environments with Ransomware
Snowflake compromised creds abuse campaign
Storm-0501 Targeting Hybrid Environments with Ransomware
TRIPLESTRENGTH: Cloud Account Hijacking and Cryptocurrency Mining via Stolen Credentials
OffSecK8sDual-use
Redigo campaign
RedTail Cryptomining campaign
Malware
APT31 Rekoobe campaign
TargetCompany Abusing MSSQL Servers for Ransomware
Rootkit
UNC3886 campaigns
Silent Skimmer Attacks Exploiting Telerik UI to Steal Payment Data
Cloud
OffSecDual-use
Peach Sandstorm targeting Azure
RomCom exploiting Word vulnerability in campaign targeting government entities
Seashell Blizzard Subgroup's Campaign Exploiting Vulnerabilities for Data Exfiltration
Cryptominer
REF6138 campaign
ShinyHunters Ransomware Targeting Cloud Environments
OffSecDual-use
UNC1860 Attacks Targeting the Middle East
OffSecDual-use
SugarCRM as initial access to AWS envs
Dual-use
Magnet Goblin campaign (2024)
Dual-use
Agenda Ransomware Targets ESXi and vCenter Servers
Linux
Persistence via udev
RevivalStone Campaign by Winnti
Botnet
RUBYCARP: Botnet Exploiting Vulnerabilities for Crypto
Misconfigured SSH abuse
MalwareCryptominer
Malware
Siloscape campaign
CRYSTALRAY: threat actors exploiting OSS tools
CryptominerMalware
SkidMap targeting Redis
OffSecDual-use
OffSecDual-use
From PHP exploitation to AWS lateral movementFrom PHP vuln to Sliver execution via cronCloudflare incident following Okta breachSliver deployment via Confluence vulnerabilityTeamTNT’s Docker Gatling Gun Campaign
LinuxRootkit
Earth Baku campaign
UNC5174 ScreenConnect and F5 BIG-IP exploitation
ToolkitAttacker-side
SNS abuse for spam or phishingSmishing (SMS phishing)
ProxyDual-use
Microsoft signing key compromise
Widespread TeamCity exploitation (March ‘24)
State-Sponsored APT Abuse Visual Studio Code in Attacks
Cryptominer
OffSecWormDual-use
SSH-Snake Confluence targeting campaignCRYSTALRAY: threat actors exploiting OSS tools
UNC1860 Attacks Targeting the Middle East
Earth Baku campaign
Earth Baku campaign
OffSecToolkitCloudDual-use
OffSecK8sCloudDual-use
Volkswagen data leak through Spring Boot Actuator misconfiguration
Backdoor
Solarigate: Solarwinds supply chain attack
BackdoorOffSec
UNC5174 ScreenConnect and F5 BIG-IP exploitation
CryptominerBotnet
Ransomware operators exploit ESXi vulnerability
Malware
Earth Baku campaign
Dropper
Solarigate: Solarwinds supply chain attack
Ransomware
RCE Vulnerability in PHP CGI Exploited by TellYouThePass
Vulnerability exploitation
UNC1860 Attacks Targeting the Middle East
Ivanti Connect Secure targeting campaign
Commando Cat campaign
OffSecDual-use
SilentBob cryptomining campaign
ToolkitAttacker-side
Password bruteforcing
Earth Preta’s Campaign Abusing MAVInject to Bypass Detection
Extortion Campaign Exploiting Exposed Environment VariableAPT29 Targeting Zimbra and TeamCity Servers
Ransomware
Trigona targeting MSSQL serversMimic used by Trigona operators
Password bruteforcingVulnerability exploitation
OffSecDual-use
Backdoor
SilentBob cryptomining campaignTsunami targeting Jenkins and WeblogicHadooken Malware Targeting Weblogic ServersTeamTNT’s Docker Gatling Gun Campaign
RevivalStone Campaign by Winnti
Cryptominer
TRIPLESTRENGTH: Cloud Account Hijacking and Cryptocurrency Mining via Stolen Credentials
UNC2165 Targets Hybrid Environments with Ransomware
UNC1860 Attacks Targeting the Middle East
Ivanti Connect Secure targeting campaignMagnet Goblin campaign (2024)
RevivalStone Campaign by Winnti
RevivalStone Campaign by Winnti
ShinyHunters Ransomware Targeting Cloud Environments
Ivanti Connect Secure targeting campaign
8220 Gang Exploiting WebLogic Vulnerabilities for Cryptojacking
Gelsemium’s Shift to Linux Malware with WolfsBane and FireWood
Cryptominer
SilentBob cryptomining campaignApache server Cryptojacking with Cobalt StrikeDreambus campaign (2021)ScarletEel campaign (Feb ‘23)ScarletEel campaign (July ‘23)Denonia campaignDreambus campaign (2023)9hits Docker campaignMimo cryptomining campaignCommando Cat campaignECS Fargate cryptojackingMigo cryptominer targeting RedisLucifer Botnet targeting HadoopSliver deployment via Confluence vulnerabilityz0Miner targeting WebLogic serversWidespread TeamCity exploitation (March ‘24)RUBYCARP: Botnet Exploiting Vulnerabilities for CryptoCryptojacking via Azure BatchKinsing targeting cloud serversMexals cryptojacking campaignRedTail Cryptomining campaign PG_MEM Malware Exploiting Misconfigured PostreSQL InstancesConfluence exploited for cryptojackingperfctl Malware Targeting LinuxDiicot Campaign Targeting Exposed SSHCPU_HU: Malicious Campaign Targeting Misconfigured PostgreSQL Servers for Cryptomining
BotnetDDoS
Backdoor
XZ Utils backdoor incident
OffSecDual-use
SilentBob cryptomining campaignDocker Swarm and K8s cryptojacking campaign
Ivanti Connect Secure targeting campaign
CRYSTALRAY: threat actors exploiting OSS toolsDiicot Campaign Targeting Exposed SSH