CP
cyberpings

China-linked Hackers Steal Cloud Credentials Using SMTP

China-aligned hackers are stealing cloud credentials using a Linux backdoor. This attack affects major cloud providers and could lead to significant data breaches. Security measures are urgently needed to combat this threat.

Threat IntelHIGHUpdated: Published:
Featured image for China-linked Hackers Steal Cloud Credentials Using SMTP

Original Reporting

CSCSO Online

AI Summary

CyberPings AIΒ·Reviewed by Rohit Rana

🎯Basically, hackers are using a sneaky method to steal passwords from cloud services.

What Happened

China-aligned hackers are executing a cloud credential heist using a sophisticated Linux-based ELF backdoor. This malware targets workloads across major cloud providers including AWS, GCP, Azure, and Alibaba Cloud. According to findings from Breakglass Intelligence, the backdoor operates using a unique zero-detection technique, employing SMTP port 25 for covert command-and-control (C2) communications.

Who's Behind It

This campaign is attributed to the APT41 (Winnti) group, known for its long-standing cyber espionage activities. The group has been active since at least 2020, with tactics evolving significantly over the years. Their latest campaign leverages deception, using typosquatted domains that closely resemble legitimate Alibaba Cloud services to blend malicious traffic into regular operations.

How It Works

Once the backdoor is executed, it queries the instance metadata service, commonly accessed at 169.254.169.254. This allows the malware to retrieve sensitive access tokens and configuration data specific to the cloud environment. For instance:

  • AWS: IAM role credentials
  • GCP: Service account tokens
  • Azure: Managed identity tokens
  • Alibaba Cloud: RAM role credentials

The malware also utilizes a UDP broadcast to communicate with other compromised hosts, enabling lateral movement without additional C2 traffic. This method allows for peer-to-peer coordination, enhancing the stealth of the operation.

Indicators and Detection

Despite its stealthy nature, researchers have identified key indicators of compromise (IoCs). These include:

  • Unusual outbound SMTP traffic
  • Connections to typosquatted domains resembling Alibaba Cloud
  • Periodic UDP broadcasts to 255.255.255.255:6006

Defenders are advised to monitor for obfuscated ELF binaries and unexpected access to instance metadata endpoints. Additionally, tracking anomalous use of role-based credentials can help detect this ongoing threat.

What You Should Do

Organizations should enhance their cloud security posture by implementing strict egress filtering on port 25 and monitoring for any unusual activity. Regular audits of cloud configurations and credential usage can also mitigate risks associated with this type of attack. Awareness and training for staff about the risks of typosquatting and phishing can further strengthen defenses against such sophisticated threats.

πŸ”’ Pro Insight

πŸ”’ Pro insight: The use of typosquatting and SMTP for C2 highlights the need for advanced detection mechanisms in cloud environments.

CSCSO Online
Read Original

Share

Related Pings

Threat Intel
HIGH

Brute-Force Cyberattacks Surge in Middle East - Q1 Report

A surge in brute-force cyberattacks from the Middle East has been reported, primarily targeting SonicWall and Fortinet devices. This trend raises serious security concerns for affected organizations. Immediate action is needed to protect sensitive data and systems.

CSCybersecurity Dive
Read PingRead Source
Preview image for State-Sponsored Threats - Insights from 2025 Year in Review
Threat Intel
HIGH

State-Sponsored Threats - Insights from 2025 Year in Review

In 2025, state-sponsored threats from China, Russia, North Korea, and Iran showcased similar tactics despite differing objectives. Understanding these patterns is crucial for defense.

TACisco Talos Intelligence
Read PingRead Source
Preview image for Hackers Target Okta Identity Systems Using Vishing Attacks
Threat Intel
HIGH

Hackers Target Okta Identity Systems Using Vishing Attacks

Cybercriminals are now using voice calls to target Okta identity systems, bypassing traditional phishing methods. This shift poses serious risks to corporate data security. Organizations must adapt their defenses to combat these evolving tactics.

CSCyber Security News
Read PingRead Source
Preview image for Hybrid Attacks - Rising Threats to Germany's Infrastructure
Threat Intel
HIGH

Hybrid Attacks - Rising Threats to Germany's Infrastructure

Hybrid attacks targeting Germany's critical infrastructure are increasing. Military and civilian sectors face heightened risks from state-sponsored hackers. NATO exercises aim to strengthen defenses.

CSCSO Online
Read PingRead Source
Preview image for Mailbox Rule Abuse - Stealthy Threat After Account Compromise
Threat Intel
HIGH

Mailbox Rule Abuse - Stealthy Threat After Account Compromise

Researchers highlight the dangers of Microsoft 365 mailbox rules being exploited by attackers to maintain access and exfiltrate data, emphasizing the need for vigilance and proactive security measures.

IMInfosecurity Magazine+1 more
Read PingRead Source
Preview image for APT41 Delivers 'Zero-Detection' Backdoor to Harvest Cloud Credentials
Threat Intel
HIGH

APT41 Delivers 'Zero-Detection' Backdoor to Harvest Cloud Credentials

APT41 has escalated its cyber operations, deploying a sophisticated backdoor targeting cloud services to harvest credentials without detection. This latest campaign emphasizes stealth and long-term access.

DRDark Reading+1 more
Read PingRead Source