{"id":7803,"date":"2026-04-14T12:12:40","date_gmt":"2026-04-14T12:12:40","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=7803"},"modified":"2026-04-14T12:12:40","modified_gmt":"2026-04-14T12:12:40","slug":"china-linked-cloud-credential-heist-runs-on-typos-and-smtp","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=7803","title":{"rendered":"China-linked cloud credential heist runs on typos and SMTP"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<p>China-aligned hackers have deployed a Linux-based ELF backdoor to steal cloud credentials at scale from workloads across AWS, GCP, Azure, and Alibaba Cloud environments.<\/p>\n<p>According to Breakglass Intelligence findings, the backdoor uses a \u201czero-detection\u201d technique, employing SMTP port 25 as a covert command-and-control (C2) channel to harvest cloud provider credentials and metadata.<\/p>\n<p>\u201cA selective C2 handshake validation mechanism renders the server invisible to conventional scanning tools like Shodan and Censys,\u201d Breakglass researchers said in a blog <a href=\"https:\/\/intel.breakglass.tech\/post\/apt41-winnti-elf-cloud-credential-harvester-alibaba-typosquat\" target=\"_blank\" rel=\"noopener\">post<\/a>. 
Stolen credentials are sent to three Alibaba-themed typosquatted domains hosted on Alibaba Cloud infrastructure in Singapore.<\/p>\n<p>The campaign, attributed to the known <a href=\"https:\/\/www.csoonline.com\/article\/569145\/chinese-hacker-group-apt41-uses-recent-exploits-to-target-companies-worldwide.html\">APT41<\/a> (Winnti) group, targets sensitive cloud credentials, including IAM role credentials, service account tokens, managed identity tokens, and RAM role credentials.<\/p>\n<h2 class=\"wp-block-heading\">Metadata made into the new password<\/h2>\n<p>Once executed, the malware queries the instance metadata service, commonly exposed at 169.254.169.254, to retrieve access tokens and configuration data belonging to the host environment.<\/p>\n<p>The queries vary by environment: IAM role credentials on AWS, service account tokens on GCP, managed identity tokens from the IMDS endpoint on Azure, and RAM role credentials from ECS metadata on Alibaba Cloud.<\/p>\n<p>The researchers also pointed out a lateral movement beacon in the form of a <a href=\"https:\/\/www.csoonline.com\/article\/2071104\/udp-based-network-communications-face-critical-denial-of-service-attacks.html\">UDP<\/a> broadcast. \u201cThe implant periodically sends UDP broadcast packets to \u2018255.255.255.255:6006\u2019 within the local network segment,\u201d they said. \u201cThese broadcasts contain an encoded beacon that other compromised hosts can receive, enabling peer-to-peer coordination and lateral tasking distribution without additional C2 traffic.\u201d<\/p>\n<p>Researchers trace the Winnti activity back to 2020, making it a 6-year-old campaign; the first documented variant, \u201cPWNLNX,\u201d used a basic reverse shell and XOR encoding. 
Things have changed a lot since then.<\/p>\n<h2 class=\"wp-block-heading\">Typosquatting for cloud-native espionage<\/h2>\n<p>The campaign relies heavily on deception, the researchers pointed out, using C2 domains that closely resemble legitimate Alibaba Cloud services. The typosquatting approach allows malicious traffic to blend into routine cloud operations, especially in environments where outbound filtering is absent.<\/p>\n<p>The implant is an obfuscated ELF binary designed to gain and maintain access within Linux cloud instances. The researchers said that the binary was not detected at all on VirusTotal at the time of analysis, supporting their \u201czero-detection\u201d claims.<\/p>\n<p>The malware also does not respond to unintentional probes: the C2 infrastructure remains silent unless the correct (malicious) handshake is completed, which throws off automated scanning and sandboxing.<\/p>\n<p>Additionally, communication over SMTP (port 25) adds a layer of stealth. While conventional C2 traffic sticks to HTTP\/S, SMTP is used here to blend into legacy or misconfigured environments where port 25 traffic is expected. \u201cMany cloud security tools do not deeply inspect SMTP traffic for C2 patterns,\u201d the researchers noted. \u201cEgress filtering on port 25 is inconsistent across cloud providers.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Indicators and detection<\/h2>\n<p>Despite the use of stealth, the researchers were able to connect the dots with the help of independent research by @Xlab_qax, who attributed the campaign and its lineage to APT41 with high confidence. Indicators shared by the researchers include file and network indicators (domains and ports). They also included a list of MITRE ATT&amp;CK tactics for a broader understanding of the years-long campaign. The Breakglass disclosure pointed to a behavior-driven detection approach across layers. 
<\/p>\n<p>On the network side, defenders should look for unusual outbound SMTP traffic, connections to Alibaba Cloud-lookalike domains, and periodic UDP broadcasts to 255.255.255.255:6006. On the host, they should watch for obfuscated or unknown ELF binaries and unexpected process access to instance metadata endpoints.<\/p>\n<p>And finally, in the cloud, monitoring metadata service queries and anomalous use of role-based credentials, particularly where activity deviates from the instance\u2019s normal behavior, can help, the researchers said.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>China-aligned hackers have deployed a Linux-based ELF backdoor to steal cloud credentials at scale from workloads across AWS, GCP, Azure, and Alibaba Cloud environments. According to Breakglass Intelligence findings, the backdoor uses a \u201czero-detection\u201d technique, employing SMTP port 25 as a covert command-and-control (C2) channel to harvest cloud provider credentials and metadata. 
\u201cA selective C2 [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":7804,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-7803","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/7803"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=7803"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/7803\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/7804"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=7803"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=7803"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=7803"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}