Veriti Research has identified a growing trend – attackers leveraging cloud infrastructure to facilitate malware distribution and command-and-control (C2) operations. This evolving tactic not only makes detection more challenging but also exposes organizations to significant security risks.
Malware Hosted on Cloud Services
One of the most alarming findings from our research is that over 40% of networks allow “any/any” communication with at least one major cloud provider. This misconfiguration creates an open gateway for cybercriminals, allowing:
- Unrestricted data exfiltration to attacker controlled cloud instances.
- Deployment of malicious payloads from trusted cloud services, tricking users into downloading malware.
40% of networks allow “any/any” communication with at least one major cloud provider
Case Studies: Malwares Leveraging Cloud Storage for Payload Delivery
Our research has identified multiple malware campaigns abusing cloud storage to host and deliver their payloads. Two such examples include:
1. XWorm
A well-known malware campaign used Amazon Web Services (AWS) S3 storage to distribute its malicious executable:
- Payload location example: hxxps://dctdownload.s3.amazonaws[.]com/grabs/s3_n[.]exe
- VirusTotal analysis: View report
2. Remcos Campaign
Another observed campaign used malicious RTF files leveraging CVE-2017-11882 and CVE-2017-0199 vulnerabilities to target victims, particularly in Egypt:
- Payload example hosted on AWS S3: f8a076dcf0384e1f93bded36c8a9646c.s3.amazonaws./com
- VirusTotal analysis: View report
Cloud as a Command-and-Control Hub
Beyond malware hosting, our research found that cloud platforms are frequently exploited as C2 servers, allowing adversaries to control infected systems remotely.
The following malware campaigns were observed utilizing cloud infrastructure for C2 communications:
| Cloud Provider | Malware Family | C2 IP / Domain |
| AWS (Amazon) | Havoc Malware | 3.136.231[.]230 as C&C, using the domains: www.fortinet./app, avina./cloud |
| AWS (Amazon) | NetSupportManager | 3.123.27[.]44 |
| Google Cloud | Unam Miner | 34.125.225[.]70 |
| Google Cloud | Caldera | 34.160.47.42:443 |
| Microsoft Azure | HookBot | 52.140.39[.]118 |
| Microsoft Azure | Mythic | 172.211.76[.]248 |
| Alibaba Cloud | Pupy RAT | 8.210.107./120 35[.]241[.]106[.]118 |
| Alibaba Cloud | Brutal Ratel | 8.212.128[.]240 |
Malware Payloads Found in Cloud Based Attacks
Veriti Research has also documented malware strains commonly observed in cloud based attack campaigns, further reinforcing the growing abuse of cloud environments by cybercriminals.
| Malware Name | Hash |
| Mirai | 1045447b3a83e357c2048bc2ea283fa2 |
| NJRAT | 194f17553dc3daf9c7975a26d1cf908e1557ab5debca1cc79e2815dc9266c8de |
A New Trend: Sliver C2 in Cloud-Based Attacks
One of the most concerning developments is the growing use of Sliver C2 in cloud-based attacks.
Sliver C2 is an open-source command-and-control framework initially developed for penetration testing but increasingly weaponized by threat actors. Originally seen as an alternative to Cobalt Strike and Metasploit, it is now actively being exploited to facilitate persistent access and post-exploitation tactics.
Why is Sliver C2 a Threat?
- Adopted by Advanced Persistent Threat (APT) groups for stealthy C2 operations.
- Often used with Rust-based malware (e.g., KrustyLoader) to establish backdoors.
- Exploits zero-day vulnerabilities, including recent Ivanti Connect Secure and Policy Secure vulnerabilities.
For more details on Sliver C2, see Darktrace’s analysis.
Cloud Infrastructure Vulnerabilities
Beyond serving as malware distribution hubs and C2 infrastructure, cloud services themselves are often vulnerable. Our research identified several critical vulnerabilities affecting cloud hosted services, including:
- AWS:
- 13.247.77[.]82
- 51.20.151[.]255
- Vulnerabilities: CVE-2024-38476, CVE-2024-38474, CVE-2023-25690, CVE-2022-36760, CVE-2022-31813, CVE-2022-28615, CVE-2022-23943, CVE-2022-22721, CVE-2022-22720
- Azure:
- 20.163.168[.]13
- 4.145.106[.]87
- Alibaba Cloud:
- 8.222.153[.]61
- 101.132.164[.]172
The Need for Proactive Cloud Security
Veriti Research’s findings emphasize the critical need for organizations to rethink cloud security strategies. The increasing abuse of cloud services for malware hosting, C2 operations, and exploitation calls for a proactive, security first approach:
- Restrict “any | any” network rules – Define explicit rules for cloud communications.
- Monitor cloud based threats – Deploy cloud-native security solutions to detect malicious activities.
- Enforce cloud security policies – Ensure continuous exposure management and security control assessments.
Veriti remains committed to helping organizations secure their cloud environments. Learn more about our latest research and how Veriti can help defend against cloud based threats.
