{
	"id": "85e7da43-b55c-4312-a933-701d1d951ef7",
	"created_at": "2026-04-06T00:20:20.672122Z",
	"updated_at": "2026-04-10T13:13:10.21323Z",
	"deleted_at": null,
	"sha1_hash": "12f59324adc5bd9c8ac41a3092db5f4a153f4c8c",
	"title": "JavaGhost’s Persistent Phishing Attacks From the Cloud",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 673906,
	"plain_text": "JavaGhost’s Persistent Phishing Attacks From the Cloud\r\nBy Margaret Kelley\r\nPublished: 2025-02-28 · Archived: 2026-04-05 16:51:48 UTC\r\nExecutive Summary\r\nUnit 42 researchers have observed phishing activity that we track as TGR-UNK-0011. We assess with high\r\nconfidence that this cluster overlaps with the threat actor group JavaGhost. The threat actor group JavaGhost has\r\nbeen active for over five years and continues to target cloud environments to send out phishing campaigns to\r\nunsuspecting targets.\r\nAccording to website defacement lists such as DefacerID, the group focused historically on defacing websites.\r\nHowever, according to our telemetry, in 2022, they pivoted to sending out phishing emails for financial gain.\r\nBetween 2022-24, Unit 42 has performed multiple investigations relating to the group JavaGhost, which targeted\r\norganizations’ AWS environments. The group focuses on sending phishing campaigns and has not been seen\r\nstealing data for extortion during their time in organizations’ AWS environments.\r\nThese attacks are not due to a vulnerability in AWS. This group takes advantage of misconfigurations in the victim\r\norganizations' environments that expose AWS credentials in the form of long-term access keys. They use these\r\nleaked keys to initiate all the actions discussed in this report.\r\nThis article covers common methodologies that JavaGhost uses to create their phishing infrastructure. We also\r\ncover other tactics employed within compromised cloud environments to establish long-term persistence.\r\nWe have recently observed JavaGhost using advanced evasion methods to cover their tracks. 
These methods have\r\ntypically only been used by Scattered Spider, which shows the level of sophistication of this threat actor group.\r\nAll JavaGhost activities have resulted in a detectable logging footprint, which forms the basis of the alerts at the\r\nend of the article.\r\nPalo Alto Networks customers are better protected through Cortex Cloud and Cortex XSIAM.\r\nIf you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response\r\nteam.\r\nJavaGhost History\r\nHistorically, JavaGhost participated in the website defacement of numerous entities, starting in 2019. Figure 1\r\nshows some of the websites the group defaced.\r\nhttps://unit42.paloaltonetworks.com/javaghost-cloud-phishing/\r\nPage 1 of 15\n\nFigure 1. Websites defaced by JavaGhost. Source: DefacerID.\r\nThe JavaGhost group also had two websites (shown in Figures 2 and 3). One contains the group’s slogan, “we are\r\nthere but not visible.” The other contains text in Indonesian that translates to “stop blaming everything,” which\r\nmatches with the language used to name some of the resources in their attacks. The site also lists the various group\r\nmember handles (shown in Figure 3).\r\nFigure 2. Historic JavaGhost website. Source: Wayback Machine.\r\nFigure 3. Historic JavaGhost website. Source: Wayback Machine.\r\nBased on our investigations, the group shifted in 2022 from website defacement to sending out phishing\r\ncampaigns to unsuspecting targets. Datadog reported on this activity shift back in 2023, but the group continues\r\ntheir work, which Unit 42 has seen as recently as December 2024.\r\nAttack Overview\r\nUnit 42 has handled numerous cases in 2022-24 associated with JavaGhost. The attack leveraged overly\r\npermissive IAM permissions allowing the victim’s Amazon Simple Email Service (SES) and WorkMail services\r\nto send out phishing messages. 
JavaGhost benefits from using other organizations’ AWS environments because\r\nthey do not have to pay for any of the created resources. They can also use preexisting SES infrastructure to send\r\nout phishing emails.\r\nUsing preexisting SES infrastructure allows the threat actor’s phishing emails to bypass email protections since\r\nthe emails originate from a known entity from which the target organization has previously received emails.\r\nInitial Access with Defense Evasion\r\nBetween 2022-24, the group evolved their tactics to more advanced defense evasion techniques that attempt to\r\nobfuscate identities in the CloudTrail logs. This tactic has historically been exploited by Scattered Spider. AWS\r\nCloudTrail records all management events occurring within an AWS account.\r\nJavaGhost obtained exposed long-term access keys associated with identity and access management (IAM) users\r\nthat allowed them to gain initial access to an AWS environment via the command-line interface (CLI). These long-term access keys come from various exposures, as discussed in a prior Unit 42 research article.\r\nUpon entry to an organization’s AWS environment with the compromised access key, the threat actors do not\r\nperform the application programming interface (API) call GetCallerIdentity. 
Other threat actors often use\r\nGetCallerIdentity as their first API call after compromising AWS credentials to enumerate basic information about\r\nthe compromised account, such as the account ID and user ID.\r\nBecause defenders frequently anticipate attackers using GetCallerIdentity during initial compromise, JavaGhost\r\nevades detection by not using this API call, thereby bypassing any alerts configured to trigger on its execution.\r\nInstead, the group performs different first API calls such as GetServiceQuota, GetSendQuota and GetAccount for\r\ntheir initial interaction with a compromised AWS account.\r\nGetServiceQuota returns the current quota limit for a specified AWS service while GetSendQuota returns the max\r\nnumber of emails that can be sent in 24 hours for SES. GetAccount returns information about the email-sending\r\nstatus of SES and other SES attributes.\r\nAfter confirming their access to an organization's AWS account with the long-term access key from the CLI, the\r\nthreat actors behind JavaGhost generate temporary credentials and a login URL to allow themselves console\r\naccess. Accessing the console via this methodology obfuscates their identity and allows them easier visibility into\r\nthe resources within an AWS account.\r\nSince attackers rarely create temporary credentials to access the AWS console URL, these methods often bypass\r\ndetection. The following section details these techniques, emphasizing how using the console allows attackers to\r\nsidestep the restrictions IAM imposes on temporary access keys generated through the CLI.\r\nGetFederationToken and GetSigninToken\r\nGenerating an AWS console login page from long-term access keys takes multiple steps but the entire process can\r\nbe scripted. 
NetSPI has created a GitHub repo with an example of how to perform this process and AWS has\r\ninstructions as well.\r\nThe first step in this process requires the creation of temporary credentials from the compromised long-term\r\naccess key. Long-term access keys start with the four letters AKIA, while temporary access keys begin with ASIA.\r\nTo acquire temporary AWS credentials, JavaGhost uses the GetFederationToken API within the AWS Security\r\nToken Service (STS). This API call requires the following parameters:\r\nA name for the federated user\r\nAn inline or managed session policy defining the desired permissions (as illustrated in Figure 4).\r\nJavaGhost purposefully utilizes an “allow all” inline policy to take advantage of the maximum permissions\r\nallowed to the underlying IAM user.\r\nThe duration for which the temporary credentials should be valid (specified in seconds)\r\nFigure 4. Example of an inline policy from the GetFederationToken event.\r\nWhile the AssumeRole API call can also retrieve temporary credentials for this process, JavaGhost opts to use the\r\nGetFederationToken option instead. Of note, the inline policy provided in the request does not override the\r\npermissions associated with the long-term access key.\r\nThe permissions granted to the short-term access key result in an intersection of the IAM user permissions\r\nassociated with the access key and the policies included in the GetFederationToken request. If the\r\nGetFederationToken permissions contain broader privileges than the IAM user, then the more limited permissions\r\nfrom the IAM user take effect. 
Therefore, the provided policy can only reduce and never increase the permissions\r\nalready granted to the principal represented by the compromised access key and secret key.\r\nOnce the GetFederationToken request returns the temporary credentials (i.e., sessionId, sessionKey and\r\nsessionToken), an encoded URL is required before generating the sign-in token. To generate the encoded URL, the\r\nthreat actor uses the Python urllib3 library.\r\nOnce the encoded URL is obtained, a GetSigninToken request returns the information needed to create the URL\r\nthat allows federated users to access the AWS console. Within the CloudTrail logs associated with the\r\nGetSigninToken events, the user agent shows Python-urllib/3.10, which is how Unit 42 inferred the Python library\r\nused by JavaGhost to perform these operations.\r\nThe generated URL grants access to the console for a default of 15 minutes, which is what the threat actor chose\r\nto do. After that, a threat actor must repeat this process to generate a new URL or specify a longer session duration\r\nduring the GetSigninToken request. The temporary access key generated by the GetFederationToken actions does\r\nnot need to be regenerated unless the session duration has expired.\r\nTo revoke the session associated with the compromised credentials, an IAM policy has to be attached directly to\r\nthe user. The process discussed above does not require the usage of any roles, so there is no built-in way to revoke\r\nthe session like AWS provides with an IAM role.\r\nTo stop an active threat actor using this console access method, attaching the AWS managed AWSDenyAll policy\r\ninvalidates all the permissions for the user. It does not stop an active session in the console, but all attempted\r\nactions are blocked.\r\nSetting Up the Phishing Infrastructure\r\nRegarding the SES logging configuration, none of the customer AWS environments from our engagements had\r\nSES data events enabled. 
Therefore, the following analysis focuses solely on CloudTrail Management Events.\r\nJavaGhost uses SES and WorkMail to configure their phishing infrastructure. The group starts by creating various\r\nSES email identities, followed by updating DomainKeys Identified Mail (DKIM) settings. DKIM uses public key\r\ncryptography to verify the authenticity of emails.\r\nThe threat actor group also modified the SES Virtual Delivery Manager (VDM) and Mail-from attributes.\r\nTo send emails, an SES email or domain identity must exist. The creation of new SES identities appears as\r\nCreateEmailIdentity events in the CloudTrail logs and the response elements provide additional details around\r\nwhether the identity type was a domain or an email address.\r\nJavaGhost creates multiple email and domain identities and modifies the following attributes. The DKIM\r\nsettings are configured during the user creation and generate the PutEmailIdentityDkimAttributes event in\r\nCloudTrail logs.\r\nWhile DKIM settings can be configured separately from the identity creation process, this group usually updates\r\nthem during the identity creation itself. The attackers also update the custom Mail-From domain configuration for\r\nthe email identities. This resulted in the PutEmailIdentityMailFromAttributes event showing the attribute update\r\nin the request parameters field within the CloudTrail logs.\r\nThe group makes various changes to the SES Virtual Delivery Manager (VDM) feature, which also results in the\r\nPutAccountVdmAttributes event appearing in the CloudTrail logs.\r\nIn addition to setting up various email identities, JavaGhost configures an AWS WorkMail Organization and adds\r\nWorkMail users. 
Creating a WorkMail Organization results in numerous SES and AWS Directory Service (DS)\r\nevents within the CloudTrail logs.\r\nUpon the creation of the WorkMail Organization seen as CreateOrganization in the CloudTrail logs, the following\r\nevents appear in the CloudTrail logs associated with SES:\r\nCreateReceiptRule\r\nCreateReceiptRuleSet\r\nPutIdentityPolicy\r\nSetActiveReceiptRuleSet\r\nVerifyDomainDkim\r\nVerifyDomainIdentity\r\nIn the console, within the advanced configuration of the WorkMail Organization creation, user directories can\r\neither be created from scratch or an existing directory can be used (shown in Figure 5).\r\nFigure 5. Selecting Create Amazon WorkMail directory generates three Directory Services events\r\nautomatically in the CloudTrail logs.\r\nSelecting the creation of a new WorkMail directory automatically generates the following DS CloudTrail events:\r\nAuthorizeApplication\r\nCreateAlias\r\nCreateIdentityPoolDirectory\r\nAfter completing the WorkMail Organization creation, the threat actors create various WorkMail users. Creating a\r\nWorkMail user generates a CreateUser event (with workmail.amazonaws[.]com as the event source) and the user\r\nautomatically gets registered to WorkMail with the event RegisterToWorkMail appearing in the CloudTrail logs.\r\nThe WorkMail registration requires no input from the user when performed through the console.\r\nFigure 6 shows how to create a new WorkMail user.\r\nFigure 6. Creating a new WorkMail user.\r\nBefore sending out the phishing emails, JavaGhost creates new SMTP credentials. When creating the new SMTP\r\ncredentials, the threat actors do not change the default username so all the new SMTP usernames start with ses-smtp-user.* Figure 7 shows an example of this.\r\nFigure 7. 
Creation of default named SMTP user with default IAM group and permissions.\r\nCreating new SMTP credentials results in the generation of a new IAM user with the user’s name matching the\r\nSMTP username and not the SMTP display name. If the AWS account has not used SES historically, the SMTP\r\ncreator is prompted that a new IAM user group will be created.\r\nThis new IAM user group is called AWSSESSendingGroupDoNotRename by default, which also attaches an\r\ninline policy to the group allowing ses:SendRawEmail only. These operations appear as CreateGroup and\r\nPutGroupPolicy in the CloudTrail logs.\r\nIf the AWS account has used SMTP credentials historically, the IAM group will most likely already exist and\r\nappear in the Permissions list. Figure 8 shows an example of this.\r\nFigure 8. IAM group details once IAM group already exists.\r\nAfter finishing user creation, the system displays the new IAM username, along with the SMTP username and\r\nSMTP password.\r\nThe SMTP username displays an access key ID. When reviewing the user in IAM, the SMTP username appears as\r\nan access key there as well. Figure 9 shows an example of this.\r\nFigure 9. Example retrieval of SMTP credentials.\r\nThe SMTP username still resolves to the AWS account ID if decrypted. All these events appear in the CloudTrail\r\nlogs as IAM CreateUser, CreateAccessKey and AddUserToGroup events.\r\nWhen organizations already have SES infrastructure in their AWS environment, JavaGhost uses the preexisting\r\nresources to send phishing attacks. Unless dataplane logging is enabled, there are few to no events to review in the\r\nCloudTrail logs. 
The cost for the additional emails sent will appear in the Cost and Usage Reports, but otherwise,\r\nonly various reconnaissance events result in CloudTrail logs.\r\nIdentity and Access Management (IAM)\r\nThroughout the time frame of the attacks, JavaGhost creates various IAM users, some they use during their attacks\r\nand others that they never use. The unused IAM users seem to serve as long-term persistence mechanisms.\r\nAfter their creation, the threat actor only confirms access via console logins and performs no other actions. The\r\nIAM users have a variety of names. Some are meant to blend in with other IAM users that would be typical within\r\nan AWS account and others are more obviously named. The IoC section provides a full list of IAM usernames.\r\nAll the new IAM users have the AWS managed AdministratorAccess policy attached as well as access to the\r\nconsole. The AdministratorAccess policy allows any action against any resource within an AWS account.\r\nFigure 10 shows the permissions associated with this policy. All of these IAM events appear in the CloudTrail logs\r\nas CreateUser, AttachUserPolicy and CreateLoginProfile.\r\nFigure 10. AWS managed AdministratorAccess policy.\r\nThe creation of IAM users is a common cloud technique seen within many of our other investigations.\r\nJavaGhost sets themselves apart by evolving to use unique methods to access an AWS account.\r\nIn the initial attacks, this group used the original compromised access key for most of their activity. In 2024, they\r\ntransitioned to using an IAM role to access the organization’s AWS account from a threat actor-compromised\r\nAWS account before proceeding with the attack.\r\nTo accomplish this, the threat actors created a new IAM role with a trust policy attached, allowing access from a\r\nthreat actor-controlled AWS account. 
A trust policy specifies what entities can assume the role.\r\nThis role creation appears in the CloudTrail logs as CreateRole with the trust policy written in the request\r\nparameters field. Figure 11 shows an example of a trust policy.\r\nFigure 11. Example of an inline trust policy from the CreateRole CloudTrail event.\r\nIn the case of JavaGhost, the trusted entity belongs to an AWS account. The new role also has unlimited\r\npermissions within the environment, with the attachment of the AdministratorAccess policy as seen by the\r\nCloudTrail event AttachRolePolicy.\r\nWith the successful creation of the new administrative role, the threat actor can log into the AWS account from the\r\ntrusted threat actor-owned AWS account. When the threat actor assumes their role that they created to access the\r\ncompromised AWS account, CloudTrail records this event as two separate events, AssumeRole and SwitchRole,\r\nwhich occur simultaneously. Unlike the creation of new IAM users, the role creation does not appear suspicious\r\nuntil the trust policy reveals the external access and the role is uncovered as a backdoor.\r\nSecurity Group\r\nThe group continues to leave the same calling card in the middle of their attack by creating new Amazon Elastic\r\nCompute Cloud (EC2) security groups named Java_Ghost, with the group description “We Are There But Not\r\nVisible.” These security groups do not contain any security rules and the group typically makes no attempt to\r\nattach these security groups to any resources. The creation of the security groups appears in the CloudTrail logs in\r\nthe CreateSecurityGroup events.\r\nThis group description matches the group’s slogan on their old website, shown in Figure 12.\r\nFigure 12. JavaGhost website. 
Source: Wayback Machine.\r\nAdditional Suspicious Activity\r\nIn addition to the main components of its phishing attacks, the group attempts two other unique tactics within\r\nattacks:\r\nThe group attempts to leave an Organization Unit with the event LeaveOrganization. AWS Organizations\r\nhelp with the management of multiple AWS accounts. They consist of features such as Service Control\r\nPolicies (SCPs), which help manage IAM permissions at scale, and Organizational Units.\r\nOrganization Units help administrators manage multiple AWS accounts by grouping them together,\r\nand they allow for the application of SCPs at the Organization Unit level. Leaving an AWS\r\nOrganization Unit removes any SCPs that apply to the AWS account and changes the security\r\nguardrails that limit activities within an AWS account.\r\nThe group enables all AWS regions not enabled by default.\r\nAfter March 20, 2019, AWS no longer enables new regions by default and JavaGhost enables those\r\n13 disabled regions as part of their attacks to evade security controls. Enabling regions results in the\r\nEnableRegion event in the CloudTrail logs with the region name present in the request parameters\r\nfield.\r\nConclusion\r\nUnit 42 has investigated multiple JavaGhost cases over the past few years and has observed the group\r\ncontinuously evolving its tactics. Initially, JavaGhost performed attacks using only a compromised access key, but\r\nhas now advanced to employing sophisticated evasion techniques. 
Luckily, all of the group’s activity results in\r\ndetectable events within the CloudTrail logs that organizations can hunt for and create new alerts to detect.\r\nPalo Alto Networks Protection and Mitigation\r\nPalo Alto Networks customers are better protected from the threats discussed above through the following\r\nproducts:\r\nCortex Cloud and Cortex XSIAM alert on the following activities related to AWS resources:\r\nIAM actions such as new user creations, attaching of AdministratorAccess Policy, getfederatedtoken, and\r\ngetsignintoken\r\nSuspicious sending of emails through Simple Email Service (SES)\r\nUse of getgroup and putgroup in CloudTrail\r\nXSIAM also detects behavioral actions from cloud and on-premises endpoints that suggest the collection of AWS\r\nIAM credentials.\r\nTo mitigate opportunities for attackers to use techniques discussed above, we recommend:\r\nLimiting access to administrative rights\r\nRotating IAM credentials regularly\r\nUsing short term/just-in-time (JIT) access tokens\r\nEnabling multi-factor authentication (MFA)\r\nCloud security posture management (CSPM) capabilities in Cortex Cloud can assist users with creating\r\nappropriate rules.\r\nIf you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident\r\nResponse team or call:\r\nNorth America: Toll Free: +1 (866) 486-4842 (866.4.UNIT42)\r\nUK: +44.20.3743.3660\r\nEurope and Middle East: +31.20.299.3130\r\nAsia: +65.6983.8730\r\nJapan: +81.50.1790.0200\r\nAustralia: +61.2.4062.7950\r\nIndia: 00080005045107\r\nPalo Alto Networks has shared these findings with our fellow Cyber Threat Alliance (CTA) members. CTA\r\nmembers use this intelligence to rapidly deploy protections to their customers and to systematically disrupt\r\nmalicious cyber actors. 
Learn more about the Cyber Threat Alliance.\r\nHunting, Investigation and Detection Queries\r\nThe following queries are intended to assist Palo Alto Networks customers in hunting, investigating and detecting\r\npotentially malicious operations within their Cortex XDR. The results of these queries should not be taken as\r\nmalicious at face value. The queries require careful examination of the resulting events before they can be found\r\nmalicious.\r\nCortex XQL Queries\r\nAuthentication\r\ndataset = amazon_aws_raw\r\n| filter (eventSource = \"sts.amazonaws.com\" and eventName = \"GetFederationToken\") or (eventSource = \"signin.amazonaws.com\" and eventName = \"GetSigninToken\")\r\ndataset = amazon_aws_raw\r\n| filter (eventSource = \"sts.amazonaws.com\" and eventName = \"AssumeRole\") or (eventSource = \"signin.amazonaws.com\" and eventName = \"SwitchRole\")\r\nSES\r\ndataset = amazon_aws_raw\r\n| filter (eventSource = \"ses.amazonaws.com\" and eventName = \"CreateEmailIdentity\") or (eventSource = \"iam.amazonaws.com\" and eventName in (\"CreateUser\", \"CreateAccessKey\", \"AddUserToGroup\"))\r\nWorkMail\r\ndataset = amazon_aws_raw\r\n| filter eventSource = \"workmail.amazonaws.com\" and eventName in (\"CreateUser\", \"CreateOrganization\")\r\nEC2 Security Group\r\ndataset = amazon_aws_raw\r\n| alter groupName = json_extract_scalar(requestParameters, \"$.groupName\")\r\n| alter groupDescription = json_extract_scalar(requestParameters, \"$.groupDescription\")\r\n| filter eventSource = \"ec2.amazonaws.com\" and eventName = \"CreateSecurityGroup\"\r\n| filter groupName = \"Java_Ghost\" and groupDescription = \"We Are There But Not Visible\"\r\nIoCs\r\nIP Addresses\r\nUnit 42 has consolidated the IP addresses of the referenced group in this report and stored them in our 
GitHub\r\nrepository.\r\nUser Agents\r\naws-cli/1.18.69 Python/3.8.10 Linux/5.4.0-113-generic botocore/1.16.19\r\naws-cli/1.19.112 Python/2.7.18 Linux/5.4.0-42-generic botocore/1.20.112\r\naws-cli/1.22.23 Python/3.6.0 Windows/10 botocore/1.23.23\r\naws-cli/1.22.97 Python/3.6.0 Windows/10 botocore/1.24.42\r\naws-cli/1.25.62 Python/3.8.13 Linux/5.15.0-46-generic botocore/1.27.61\r\naws-cli/1.34.14 md/Botocore#1.35.14 ua/2.0 os/windows#10 md/arch#amd64 lang/python#3.10.8 md/pyimpl#CPython cfg/retry-mode#legacy botocore/1.35.14\r\naws-cli/1.34.28 md/Botocore#1.35.28 ua/2.0 os/linux#5.15.153.1-microsoft-standard-WSL2 md/arch#x86_64 lang/python#3.12.3 md/pyimpl#CPython cfg/retry-mode#legacy botocore/1.35.28\r\naws-cli/2.13.18 Python/3.11.5 Linux/5.4.0-163-generic exe/x86_64.ubuntu.20 prompt/off command/*\r\naws-cli/2.17.18 md/awscrt#0.20.11 ua/2.0 os/linux#6.8.0-36-generic md/arch#x86_64 lang/python#3.11.9 md/pyimpl#CPython cfg/retry-mode#standard md/installer#exe md/distrib#ubuntu.24 md/prompt#off md/command#*\r\naws-cli/2.22.2 md/awscrt#0.22.0 ua/2.0 os/windows#2019Server md/arch#amd64 lang/python#3.12.6 md/pyimpl#CPython cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#*\r\naws-cli/2.2.16 Python/3.8.8 Linux/3.10.0-1160.31.1.el7.x86_64 exe/x86_64.centos.7 prompt/off command/*\r\naws-internal/3 aws-sdk-java/1.12.769 Linux/5.10.224-190.876.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/17.0.12+8-LTS java/1.8.0_422 vendor/N/A cfg/retry-mode/standard\r\naws-internal/3 aws-sdk-java/1.12.769 Linux/5.10.225-191.878.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/17.0.12+8-LTS java/1.8.0_422 vendor/N/A cfg/retry-mode/standard\r\nBoto3/1.24.61 Python/3.8.10 Linux/5.4.0-42-generic Botocore/1.27.61\r\nBoto3/1.35.28 md/Botocore#1.35.28 ua/2.0 os/linux#5.15.153.1-microsoft-standard-WSL2 md/arch#x86_64 lang/python#3.12.3 md/pyimpl#CPython cfg/retry-mode#legacy Botocore/1.35.28\r\nBoto3/1.35.3 md/Botocore#1.35.14 ua/2.0 os/windows#10 md/arch#amd64 lang/python#3.10.8 md/pyimpl#CPython cfg/retry-mode#legacy Botocore/1.35.14\r\nMozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0\r\nMozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36\r\nMozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36\r\nMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 OPR/113.0.0.0\r\nMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36\r\nMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Edg/128.0.0.0\r\nMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36\r\nMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36 Edg/129.0.0.0\r\nMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0\r\nMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0\r\nPython-urllib/3.10\r\nIAM Usernames\r\nadminuserdevs\r\ndevelops\r\nGh0st_808\r\nGh0st_365\r\nrootdev\r\nses2\r\nwarkopi\r\nSource: https://unit42.paloaltonetworks.com/javaghost-cloud-phishing/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/javaghost-cloud-phishing/"
	],
	"report_names": [
		"javaghost-cloud-phishing"
	],
	"threat_actors": [
		{
			"id": "9ddc7baf-2ea7-4294-af2c-5fce1021e8e8",
			"created_at": "2023-06-23T02:04:34.386651Z",
			"updated_at": "2026-04-10T02:00:04.772256Z",
			"deleted_at": null,
			"main_name": "Muddled Libra",
			"aliases": [
				"0ktapus",
				"Scatter Swine",
				"Scattered Spider"
			],
			"source_name": "ETDA:Muddled Libra",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7da6012f-680b-48fb-80c4-1b8cf82efb9c",
			"created_at": "2023-11-01T02:01:06.643737Z",
			"updated_at": "2026-04-10T02:00:05.340198Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"Scattered Spider",
				"Roasted 0ktapus",
				"Octo Tempest",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "MITRE:Scattered Spider",
			"tools": [
				"WarzoneRAT",
				"Rclone",
				"LaZagne",
				"Mimikatz",
				"Raccoon Stealer",
				"ngrok",
				"BlackCat",
				"ConnectWise"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c3b908de-3dd1-4e5d-ba24-5af8217371f0",
			"created_at": "2023-10-03T02:00:08.510742Z",
			"updated_at": "2026-04-10T02:00:03.374705Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"UNC3944",
				"Scattered Swine",
				"Octo Tempest",
				"DEV-0971",
				"Starfraud",
				"Muddled Libra",
				"Oktapus",
				"Scatter Swine",
				"0ktapus",
				"Storm-0971"
			],
			"source_name": "MISPGALAXY:Scattered Spider",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d093e8d9-b093-47b8-a988-2a5cbf3ccec9",
			"created_at": "2023-10-14T02:03:13.99057Z",
			"updated_at": "2026-04-10T02:00:04.531987Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"0ktapus",
				"LUCR-3",
				"Muddled Libra",
				"Octo Tempest",
				"Scatter Swine",
				"Scattered Spider",
				"Star Fraud",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "ETDA:Scattered Spider",
			"tools": [
				"ADRecon",
				"AnyDesk",
				"ConnectWise",
				"DCSync",
				"FiveTran",
				"FleetDeck",
				"Govmomi",
				"Hekatomb",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"Lumma Stealer",
				"LummaC2",
				"Mimikatz",
				"Ngrok",
				"PingCastle",
				"ProcDump",
				"PsExec",
				"Pulseway",
				"Pure Storage FlashArray",
				"Pure Storage FlashArray PowerShell SDK",
				"RedLine Stealer",
				"Rsocx",
				"RustDesk",
				"ScreenConnect",
				"SharpHound",
				"Socat",
				"Spidey Bot",
				"Splashtop",
				"Stealc",
				"TacticalRMM",
				"Tailscale",
				"TightVNC",
				"VIDAR",
				"Vidar Stealer",
				"WinRAR",
				"WsTunnel",
				"gosecretsdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ec338220-86d2-4286-805e-84aeef086645",
			"created_at": "2025-03-07T02:00:03.788876Z",
			"updated_at": "2026-04-10T02:00:03.817385Z",
			"deleted_at": null,
			"main_name": "JavaGhost",
			"aliases": [],
			"source_name": "MISPGALAXY:JavaGhost",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e424a2db-0f5a-4ee5-96d2-5ab16f1f3824",
			"created_at": "2024-06-19T02:03:08.062614Z",
			"updated_at": "2026-04-10T02:00:03.655475Z",
			"deleted_at": null,
			"main_name": "GOLD HARVEST",
			"aliases": [
				"Octo Tempest ",
				"Roasted 0ktapus ",
				"Scatter Swine ",
				"Scattered Spider ",
				"UNC3944 "
			],
			"source_name": "Secureworks:GOLD HARVEST",
			"tools": [
				"AnyDesk",
				"ConnectWise Control",
				"Logmein"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434820,
	"ts_updated_at": 1775826790,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/12f59324adc5bd9c8ac41a3092db5f4a153f4c8c.pdf",
		"text": "https://archive.orkl.eu/12f59324adc5bd9c8ac41a3092db5f4a153f4c8c.txt",
		"img": "https://archive.orkl.eu/12f59324adc5bd9c8ac41a3092db5f4a153f4c8c.jpg"
	}
}