{
	"id": "d1ba2539-c1f5-4fe8-99d2-b9f5e7b6c0e7",
	"created_at": "2026-04-06T00:21:24.902759Z",
	"updated_at": "2026-04-10T03:30:57.439171Z",
	"deleted_at": null,
	"sha1_hash": "45b5c1611076866d38c148113d721ddbcf9de497",
	"title": "AndroxGh0st - the python malware exploiting your AWS keys",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3950042,
	"plain_text": "AndroxGh0st - the python malware exploiting your AWS keys\r\nArchived: 2026-04-05 15:30:29 UTC\r\nHackers may hijack AWS infrastructure for a number of reasons. However, the most common motives are to facilitate illicit\r\ncryptomining or spamming. While cryptomining is more profitable on infrastructure owned by somebody else, the same can\r\nalso be said for SMTP abuse and spam.\r\nOver the past year, nearly a third of compromised key incidents observed by Lacework are believed to be for the purposes of\r\nspamming or malicious email campaigns. The majority of this activity has been linked to the same python malware\r\ndubbed AndroxGh0st, with at least one incident tied to an actor known as Xcatze. Note that the abuse actions leveraging\r\ncompromised keys require the third party to already have the keys with the required privileges to take the malicious actions.\r\nFigure 1. AndroxGh0st options\r\nAndroxGh0st is an “SMTP cracker” which is primarily intended to scan for and parse Laravel application secrets from\r\nexposed .env files. Note: Laravel is an open source PHP framework and the Laravel .env file is often targeted for its various\r\nconfiguration data including AWS, SendGrid and Twilio. AndroxGh0st has multiple features to enable SMTP abuse\r\nincluding scanning, exploitation of exposed creds and APIs, and even deployment of webshells. For AWS specifically, the\r\nmalware scans for and parses AWS keys but also has the ability to generate keys for brute force attacks. However, the brute\r\nforce capability is likely a novelty and is a statistically unlikely attack vector.\r\nLacework Labs recently identified several variants of this malware in the wild. One specimen was hardcoded with the\r\nusername ses_xcatze, which was a user created during one incident. Other versions of AndroxGh0st were found on Github\r\nand have alternate names and references to different handles. 
To avoid confusion in this blog, all related malware will be\r\nhttps://web.archive.org/web/20240715165609/https://www.lacework.com/blog/androxghost-the-python-malware-exploiting-your-aws-keys\r\nPage 1 of 6\n\nreferred to as AndroxGh0st. Regardless, it can be difficult to attribute source code as it may easily be modified and adapted\r\nby multiple entities.\r\nFigure 2. AWS key generator/brute force\r\nDepending on the usage, AndroxGh0st can perform one of two primary functions against acquired credentials. The most\r\ncommonly observed of these is to check the email sending limit for the account to assess if it can be leveraged for\r\nspamming. This is performed with a call to GetSendQuota. AndroxGh0st does not perform any further recon following this\r\nAPI call. This is important to note because much of the activity observed by Lacework simply involves this API only so the\r\nabsence of other API calls is a strong indicator of a functionally similar malware. Also, in calling the GetSendQuota API, no\r\ndistinction is made between valid or invalid credentials regardless of whether the API call fails. For example, an\r\nAccessDenied response to the GetSendQuota request actually validates the credentials because invalid credentials result in a\r\ntoken error and are not logged to CloudTrail.\r\nThe other primary function is to escalate to the AWS management console. This is performed with the following automated\r\ntasks:\r\n1. CreateUser- attempts to create user with compromised credentials - username is hardcoded in malware\r\n2. CreateLoginProfile- creates a login profile for the new user to access the management console. Password\r\n3. AttachUserPolicy- attempts to assign admin privileges to new user\r\na. arn:aws:iam::aws:policy/AdministratorAccess\r\n4. If previous steps are successful, the malware writes login data to a configuration file for later use\r\n5. 
DeleteAccessKey- deletes original compromised key if management console access is achieved\r\nFigure 3. AndroxGh0st high level functionality\r\nFigure 4 – .env parsing functions\r\nIn the Wild (ITW)\r\nInteresting trends emerged in source traffic involving these tactics. Lacework Labs found that approximately 68% of\r\nobserved AWS activity involving SMTP abuse originated from Windows systems. Python also accounted for the vast\r\nmajority of attacks with 87% of user agents specifying a python version. This is in contrast to incidents where cryptojacking\r\nis the suspected motive. Based on ITW activity observed by Lacework, AWS attacks for the purposes of cryptojacking\r\ninvolve only 20% Windows systems and 50% python applications. The following are examples of observed user agents from\r\nthe majority of AWS API requests.\r\nBoto3/1.24.13 Python/3.10.5 Windows/10 Botocore/1.27.1\r\nBoto3/1.24.40 Python/3.10.5 Windows/2012ServerR2 Botocore/1.27.40\r\nBoto3/1.24.8 Python/3.10.5 Windows/10 exec-env/EC2 Botocore/1.27.8\r\nBoto3/1.24.80 Python/3.7.0 Windows/10 Botocore/1.27.80\r\nScanning of Laravel .env configs, which is the primary credential acquisition method for AndroxGh0st, comprises a large\r\nchunk of incoming traffic observed by Lacework. From a week’s worth of web logs, we found that nearly 40% of all\r\ndetections were the result of Laravel .env recon. This scanning even dwarfed other common traffic. 
For example, over the\r\nsame period of time there were 50 times more .env requests than there were for OAST (out-of-band application security\r\ntesting), which is another common traffic source.\r\nEven more interesting, the vast majority of .env scanning (83%) used a single user agent, which was also a hardcoded\r\nuser agent used for scanning by AndroxGh0st variants.\r\nAnother user agent leveraged by a different AndroxGh0st variant was observed in 3% of scans. In both cases, more than\r\n95% of the traffic seen with these user-agents involved .env scanning. This means the user-agents are not coincidentally\r\nassociated with the activity and are almost exclusive to the .env scans and the python malware.\r\nFigure 5 – hardcoded UA in .env scanning function \u0026 androxgh0st POST\r\nAn additional indicator of scanning activity consists of POST data containing the string androxgh0st. If the malware is\r\nunable to fetch an .env file with a GET request, then it will also attempt to do so with a POST request, using the string androxgh0st\r\nas the POST data placeholder (also shown in Figure 5). As such, this artifact makes a good network indicator for\r\nidentification of activity originating from AndroxGh0st variants.\r\nXcatze\r\nAs mentioned earlier, there were indications of AndroxGh0st activity performed by an actor known as Xcatze. For this\r\nactivity, Lacework identified additional Windows malware by pivoting off of one of the Xcatze attack IPs, 107.182.128.11.\r\nVirusTotal reported two Windows malware binaries communicating with this host. Both of these files have detections for the\r\nRedLine stealer malware; however, these were later confirmed as variants of hack tools created by Xcatze. Xcatze tools are\r\navailable on the actor’s website and are functionally similar to AndroxGh0st. Despite this, it is unclear if the python malware\r\ncan also be attributed to Xcatze. 
However, the prevalence of Windows based hack tools, especially for the purposes of\r\ninformation stealing and SMTP abuse, may contribute to the high volume of observed attacks originating from Windows\r\nsystems.\r\nHow can I detect AndroxGh0st?\r\nAndroxGh0st is an attacker tool and will likely be customized, so there may be limited success with hash based detections.\r\nHashes for deployed webshell payloads have been listed below. AndroxGh0st .env scans may be detected by looking for the\r\nscanning user-agents in combination with GETs for /.env or the artifact androxgh0st in POST data.\r\nFor CloudTrail identification of AndroxGh0st and functionally similar malware, look for anomalous calls using the\r\nfollowing APIs:\r\nGetSendQuota\r\nCreateUser\r\nCreateLoginProfile\r\nAttachUserPolicy\r\nDeleteAccessKey\r\nDetection of compromised credentials can be difficult as there is often no one specific artifact that indicates a compromised\r\nkey, with the exception of threat intelligence. However, threat intel is not always accurate or timely. This necessitates a\r\ndifferent approach similar to anomaly detection. For example, the usage of APIs described in this blog may or may not be\r\nanomalous for a given environment. In consideration of other factors such as the novelty of an API, source IP, or user agent,\r\nwe can provide higher severity alerts.\r\nFigure 6 – Lacework alert – Anomalous usage of GetSendQuota\r\nTo see more content like this, follow Lacework Labs on LinkedIn, Twitter, and Youtube and stay up to date on our latest\r\nresearch. 
Indicators for this blog are also available on Github.\r\nIOCs:\r\nIndicator Description\r\n70f35dfd9650437229453570f53969fb1644b1d07f282645c27a3877752a68bd AndroxGh0st python variant – hardcoded with Xcatze user email\r\nf6f240dc2d32bfd83b49025382dc0a1cf86dba587018de4cd96df16197f05d88 AndroxGh0st python variant\r\n3b04f3ae4796d77e5a458fe702612228b773bbdefbb64f20d52c574790b5c81a AndroxGh0st python variant\r\n107.182.128.11 Xcatze attack IP\r\n319e572856a098f7beb8a07a4955e2ba823e24e31b84dfdd714bfcd5acf47a28 Windows malware – Xcatze hacktool\r\n45e051313272899973f16f5e79bf9ebe0a7f303b9dbeca13af9d65b97c59beae Windows malware – Xcatze hacktool\r\nandroxgh0st Network artifact – seen in POST requests\r\n94f98c908743b75f578002abe6eae36c36673924f66a5a594b1928e7cc757260 Primary webshell payload – downloaded from https://pastebin.com/raw/ZKfXSuBX\r\n61b44259ef97fd64d081f1b95f8cd140c52c73e95dadf62980c4dff78b146e5f Alternate webshell payload – downloaded from https://raw.githubusercontent.com/rintod/toolol/master/pa\r\nSource: https://web.archive.org/web/20240715165609/https://www.lacework.com/blog/androxghost-the-python-malware-exploiting-your-aws-keys",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://web.archive.org/web/20240715165609/https://www.lacework.com/blog/androxghost-the-python-malware-exploiting-your-aws-keys"
	],
	"report_names": [
		"androxghost-the-python-malware-exploiting-your-aws-keys"
	],
	"threat_actors": [
		{
			"id": "7586aed3-222e-4332-aee6-ffcb28e74f01",
			"created_at": "2023-11-08T02:00:07.169945Z",
			"updated_at": "2026-04-10T02:00:03.433087Z",
			"deleted_at": null,
			"main_name": "Xcatze",
			"aliases": [],
			"source_name": "MISPGALAXY:Xcatze",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434884,
	"ts_updated_at": 1775791857,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/45b5c1611076866d38c148113d721ddbcf9de497.pdf",
		"text": "https://archive.orkl.eu/45b5c1611076866d38c148113d721ddbcf9de497.txt",
		"img": "https://archive.orkl.eu/45b5c1611076866d38c148113d721ddbcf9de497.jpg"
	}
}