A sophisticated new cyber campaign linked to APT41, also known as Winnti, is raising serious concerns as it shifts focus toward Linux-based cloud environments. This latest operation introduces a stealthy backdoor designed specifically to harvest sensitive credentials from widely used cloud platforms, marking a significant evolution in attacker tactics.
Security researchers identified a previously unknown malware sample actively targeting major cloud providers, including Amazon Web Services, Google Cloud, Microsoft Azure, and Alibaba Cloud. What makes this threat particularly dangerous is its ability to evade detection. The malware is delivered as a stripped, statically linked ELF binary, meaning it contains minimal identifiable information and is harder for security tools to analyze or flag.
Once inside a compromised system, the malware quietly begins collecting credentials and system metadata. It specifically targets the cloud providers' internal instance metadata services, which expose instance identity information and the temporary credentials of whatever role or service account is attached to the host. By querying these services, attackers can retrieve access tokens and identity data that grant deeper control over cloud resources. In addition, the malware scans local configuration files where long-lived credentials are often stored, expanding its reach even further.
To avoid detection, the attackers use an unusual communication method. Instead of relying on standard web protocols like HTTP or HTTPS, the malware communicates through SMTP, the protocol commonly used for email. This allows malicious traffic to blend in with legitimate network activity. Commands from attackers are hidden within SMTP responses, while stolen data is exfiltrated in disguised email-like messages, making it harder for traditional security tools to detect suspicious behavior.
Another layer of stealth is added through a selective authentication mechanism. The command-and-control server only responds to infected systems that present a valid token, effectively hiding itself from scanners and security researchers. This makes the attacker infrastructure difficult to identify and track.
The campaign also demonstrates a high level of coordination. Attackers use typosquatting domains that closely resemble legitimate cloud service providers to host their infrastructure, further increasing the chances of evasion. Additionally, the malware can spread laterally within a network using UDP broadcasts, enabling compromised systems to communicate internally without relying solely on external servers.
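As an added defensive illustration (not code from the article or from Breakglass), the following Python triages constructed Zeek-style connection and DNS records for the three network behaviours described above: outbound SMTP from hosts that are not designated mail relays, UDP traffic to broadcast addresses, and DNS queries for names that closely resemble the named cloud providers' own domains. The relay allowlist, subnet, sample records and look-alike domain names are all constructed for the example; the legitimate domain list holds the real provider domains and is used only as the comparison baseline.

```python
from dataclasses import dataclass
import ipaddress

# Constructed allowlist: hosts that are expected to speak SMTP outbound.
MAIL_RELAYS = {"10.0.0.25"}
SMTP_PORTS = {25, 465, 587}

# Real registrable domains of the providers named in the article; they are only
# the baseline that queried names are compared against.
LEGIT_CLOUD_DOMAINS = [
    "amazonaws.com", "googleapis.com", "azure.com",
    "microsoftonline.com", "aliyuncs.com",
]


@dataclass(frozen=True)
class Conn:
    src: str          # originating host
    dst: str          # responding host
    dport: int
    proto: str        # "tcp" or "udp"
    orig_bytes: int   # bytes sent by the originator


def is_unexpected_smtp(c: Conn) -> bool:
    """Outbound SMTP from a host that is not a designated mail relay."""
    return c.proto == "tcp" and c.dport in SMTP_PORTS and c.src not in MAIL_RELAYS


def is_broadcast(c: Conn, subnet: str) -> bool:
    """UDP sent to the limited or the subnet's directed broadcast address."""
    net = ipaddress.ip_network(subnet)
    return c.proto == "udp" and c.dst in ("255.255.255.255", str(net.broadcast_address))


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to score how closely a name imitates a real domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(name: str) -> str:
    """Crude last-two-label approximation of the registrable domain."""
    parts = name.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def lookalike_of(name: str, max_dist: int = 2):
    """Return the legitimate domain that `name` resembles but does not equal, else None."""
    reg = registrable(name)
    if reg in LEGIT_CLOUD_DOMAINS:
        return None
    for legit in LEGIT_CLOUD_DOMAINS:
        if levenshtein(reg, legit) <= max_dist:
            return legit
    return None


def triage(conns, dns_queries, subnet="10.0.0.0/24"):
    """Return (rule, source host, detail) tuples for every record that matches."""
    findings = []
    for c in conns:
        if is_unexpected_smtp(c):
            findings.append(("smtp_from_non_relay", c.src, c.dst))
        if is_broadcast(c, subnet):
            findings.append(("udp_broadcast", c.src, c.dst))
    for src, qname in dns_queries:
        legit = lookalike_of(qname)
        if legit:
            findings.append(("lookalike_cloud_domain", src, f"{qname}~{legit}"))
    return findings


# Constructed sample records (RFC 5737 documentation addresses, invented names).
SAMPLE_CONNS = [
    Conn("10.0.0.25", "203.0.113.10", 25, "tcp", 4096),        # relay: expected
    Conn("10.0.0.17", "203.0.113.10", 587, "tcp", 2_000_000),  # app host sending mail
    Conn("10.0.0.17", "10.0.0.255", 9999, "udp", 120),         # directed broadcast
    Conn("10.0.0.17", "198.51.100.5", 443, "tcp", 900),        # ordinary HTTPS
]
SAMPLE_DNS = [
    ("10.0.0.17", "ec2.amazonaws.com"),        # legitimate
    ("10.0.0.17", "sts.amazonavvs.com"),       # constructed look-alike
    ("10.0.0.31", "oauth2.g00gleapis.com"),    # constructed look-alike
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_CONNS, SAMPLE_DNS):
        print(finding)
```

The SMTP rule deliberately keys on the source host rather than on payload, because the article's point is that the traffic itself looks like mail; what gives it away is a host that has no business sending it. The edit-distance threshold of two is a starting point, and in production the legitimate list should be the organisation's full set of provider domains rather than five samples.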
According to research from Breakglass, this campaign reflects a long-term evolution of Winnti malware, now optimized for cloud environments. It highlights a growing trend where attackers are no longer just targeting endpoints but are focusing on cloud infrastructure itself.
As cloud adoption continues to grow, this attack serves as a reminder that securing cloud environments requires more than basic defenses. Organizations must closely monitor unusual network activity, restrict access to metadata services, and enforce strict identity and access controls to stay ahead of increasingly advanced threats.
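As an added example of the two host-side controls recommended above, restricting metadata-service access and tightening where credentials sit on disk (not code from the article or from any cloud provider), the following Python audits instance records shaped like the EC2 DescribeInstances `MetadataOptions` block and a list of credential-file permissions, and emits the corresponding `aws ec2 modify-instance-metadata-options` remediation. It illustrates one provider only; the instance IDs, file list and modes are constructed placeholders.

```python
# Constructed placeholder records in the shape of the EC2 DescribeInstances
# "MetadataOptions" block; the instance IDs are not real.
SAMPLE_INSTANCES = [
    {"InstanceId": "i-0000000000000001",
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional",
                         "HttpPutResponseHopLimit": 2}},
    {"InstanceId": "i-0000000000000002",
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                         "HttpPutResponseHopLimit": 1}},
    {"InstanceId": "i-0000000000000003",
     "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional",
                         "HttpPutResponseHopLimit": 1}},
]

# Constructed (path, permission bits) pairs standing in for os.stat() results.
SAMPLE_CRED_FILES = [
    ("/home/app/.aws/credentials", 0o600),
    ("/home/app/.config/gcloud/credentials.db", 0o644),
    ("/etc/app/azure.json", 0o640),
]


def remediation(instance_id: str) -> str:
    """Real AWS CLI flags: require IMDSv2 tokens and keep the PUT hop limit at 1."""
    return (f"aws ec2 modify-instance-metadata-options --instance-id {instance_id} "
            "--http-tokens required --http-put-response-hop-limit 1")


def audit_imds(instances):
    """Return (instance id, problems, fix) for instances whose IMDS is too open."""
    findings = []
    for inst in instances:
        opts = inst.get("MetadataOptions", {})
        iid = inst["InstanceId"]
        if opts.get("HttpEndpoint") == "disabled":
            continue  # no metadata endpoint at all: nothing for malware to query
        problems = []
        if opts.get("HttpTokens") != "required":
            # IMDSv1 answers plain GETs, so any process on the host can read tokens.
            problems.append("IMDSv1 allowed (HttpTokens != required)")
        hops = opts.get("HttpPutResponseHopLimit", 1)
        if hops > 1:
            # A hop limit above 1 lets containers and forwarders complete the PUT.
            problems.append(f"hop limit {hops} lets containers/forwarders reach IMDS")
        if problems:
            findings.append((iid, problems, remediation(iid)))
    return findings


def loose_credential_files(entries):
    """Credential files readable or writable by group or others."""
    return [path for path, mode in entries if mode & 0o077]


if __name__ == "__main__":
    for iid, problems, fix in audit_imds(SAMPLE_INSTANCES):
        print(iid, problems)
        print("  fix:", fix)
    for path in loose_credential_files(SAMPLE_CRED_FILES):
        print("loose permissions:", path)
```

Feeding real data in is a matter of replacing the two constructed lists with the output of `describe-instances` and of `os.stat()` over the credential paths the organisation actually uses; the rules themselves do not change.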