{
	"id": "02bb1def-273b-4ef7-ae02-35b367d50516",
	"created_at": "2026-04-06T02:13:07.452421Z",
	"updated_at": "2026-04-10T03:31:36.027166Z",
	"deleted_at": null,
	"sha1_hash": "f40ca99d8d15a80c00182a6290098008eb64e780",
	"title": "Tales from the cloud trenches: The Attacker doth persist too much, methinks | Datadog Security Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 624325,
	"plain_text": "Tales from the cloud trenches: The Attacker doth persist too much,\r\nmethinks | Datadog Security Labs\r\nBy Martin McCloskey\r\nPublished: 2025-05-13 · Archived: 2026-04-06 01:56:20 UTC\r\nAs a result of a recent threat hunt, we observed attacker activity originating from a leaked long-term AWS access\r\nkey ( AKIA* ). Within a 150-minute period, we detected five distinct IP addresses attempting to leverage this\r\naccess key to carry out malicious tactics, techniques, and procedures (TTPs). This post presents several techniques\r\nthat, to our knowledge, have never been reported in the wild.\r\nKey points and observations\r\nA long-term AWS access key associated with an IAM user in an AWS organization management account\r\nwas exposed.\r\nWe observed follow-up activity from this access key for a number of tactics, including both common and\r\ninnovative ones.\r\nPreviously unreported tactics involve creating \"persistence-as-a-service\" infrastructure, creating AWS\r\nIdentity Center users, and disabling organization-level services.\r\nRoutine attacker tactics\r\nWe observed several tactics that attackers commonly use in cloud intrusions. We list them below for the sake of\r\ncompleteness but don't analyze them in further detail:\r\nSES enumeration through API calls such as GetAccount, ListIdentities, and GetSendQuota.\r\nAttempt to create an EC2 security group called Administratorsz with the description We Are There But\r\nNot Visible , which has been attributed to the JavaGhost group.\r\nCreation of several IAM users, subsequently granted administrative permissions either directly through\r\nAttachUserPolicy or indirectly through AttachGroupPolicy . 
The attacker sometimes attempted to\r\ncreate a login profile on the IAM user to facilitate using the AWS console.\r\nGenerating temporary STS credentials from long-lived access keys, which allows an attacker to\r\nauthenticate to the AWS console even when starting from long-lived credentials.\r\nNotable tactics\r\nBesides the common techniques listed above, we observed new tactics that have never been reported before (to the\r\nbest of our knowledge).\r\nPersistence as a service with API Gateway and Lambda functions\r\nhttps://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-the-attacker-doth-persist-too-much/\r\nPage 1 of 6\n\nIn one case, the attacker created a Lambda function named buckets555 and attached a new policy,\r\nAWSLambdaBasicExecutionRole-b69e3024-5a7f-4fff-a576-cf54fc986b93 , to its execution role. They then created an HTTP API\r\nGateway and a Lambda function trigger so the function would automatically be invoked whenever an HTTP request\r\nto a specific URL is sent. We later determined that this Lambda function ran code with the capability to create\r\nIAM users dynamically, on demand.\r\nThis effectively creates a \"persistence-as-a-service\" mechanism: the attacker, even after the compromised\r\ncredentials are revoked, is able to send external HTTP requests to the API Gateway and dynamically create\r\nfurther malicious IAM users.\r\nConsoleLogin events from Telegram IP addresses\r\nAs part of this attack, we identified several ConsoleLogin events in a short amount of time from the IP address\r\n149.154.161[.]235 , which belongs to the ASN Telegram Messenger Inc . This indicates that part of the\r\nattacker's operations are based on Telegram.\r\nAt first sight, it may seem unusual that the ConsoleLogin events themselves would originate from the Telegram IP\r\nspace. We believe that after compromising long-lived credentials, the attacker may have a Telegram bot\r\nautomatically generating sign-in URLs for the AWS console. 
The Telegram preview service would then follow\r\nthis link and generate ConsoleLogin events.\r\nDisabling trusted access for organization-level services\r\nIn one case, the attacker authenticated to the AWS Console and navigated to the Services tab under the AWS\r\nOrganizations service and began to disable the integration of six AWS services.\r\nIn CloudTrail, this is recorded with the API call DisableAWSServiceAccess. The attacker disabled trusted access\r\nfor the following services:\r\naccess-analyzer.amazonaws.com (IAM Access Analyzer)\r\naccount.amazonaws.com and am.amazonaws.com (AWS Account Management)\r\nmember.org.stacksets.cloudformation.amazonaws.com (CloudFormation StackSets)\r\nssm.amazonaws.com (AWS Systems Manager)\r\ntagpolicies.tag.amazonaws.com (Tag Policies)\r\nWe were unable to discern what the attacker’s intent was with this action, as this only affects new AWS accounts,\r\nand the order in which the attacker disabled these services is the way they are presented in the AWS console. One\r\ntheory is that the attacker intended to eventually add a new AWS account to the organization, which may have\r\nallowed them to evade some security controls so they could act on their objective.\r\nPersistence through AWS Identity Center (AWS SSO)\r\nAWS Identity Center is a cloud-based identity and access management solution that enables centralized user\r\naccess control across AWS accounts and integrated applications. Actions taken in Identity Center require access to\r\nan organization’s management AWS account.\r\nWe observed the attacker enumerating the SSO instance to look at SSO configurations, users, groups, and\r\napplications. 
Afterward, they created a group called secure and a user called Secret , which the attacker added\r\nto their group, and assigned a new permission set to that group.\r\nFollowing this, the attacker updated two configuration options within the SSO instance. First, they modified the\r\nMFA configuration of the SSO instance to allow themselves to sign in without MFA. They then extended the\r\nsession duration for Amazon Q Developer to 90 days, indicating a likely intent to leverage this service in the\r\nfuture.\r\nLater, we observed a successful sign-in event associated with a password-only sign-in flow for the newly created\r\nuser Secret .\r\nSummary of attacker activity\r\nTA0001 - Initial Access\r\n- T1078.004 - Valid Accounts\r\nTA0007 - Discovery\r\n- T1078.004 - Valid Accounts\r\n- T1526 - Cloud Service Discovery\r\nTA0003 - Persistence\r\n- T1098.001 - Additional Cloud Credentials\r\n- T1098.003 - Additional Cloud Roles\r\n- T1136.003 - Cloud Account\r\nTA0006 - Credential Access\r\n- T1556.006 - Multi-Factor Authentication\r\nTA0040 - Impact\r\n- T1485 - Data Destruction\r\nDetection opportunities\r\nHere are some suggestions to help identify this type of activity:\r\nIdentify creation/modification actions of a login profile.\r\nIdentify the attachment of the managed policies arn:aws:iam::aws:policy/AdministratorAccess and\r\narn:aws:iam::aws:policy/AmazonSESFullAccess .\r\nIdentify unusual console logins from unexpected networks like Telegram.\r\nIdentify attempts to enumerate AWS SES settings and configurations.\r\nActivity from a long-term access key is generally rare.\r\nIdentify attempts to create a new IAM user from Lambda.\r\nThe user agent will contain the string exec-env/AWS_Lambda .\r\nIdentify updates to your AWS IAM Identity Center configuration.\r\nLook for changes to MFA settings, where\r\nrequestParameters.configurationType is APP_AUTHENTICATION_CONFIGURATION .\r\nIdentify GetFederationToken API calls with a highly privileged policy attached.\r\nIdentify DisableAWSServiceAccess API calls disabling the integration of AWS services.\r\nIdentify the deletion of a high number of Lambda functions.\r\nIdentify EC2 security group creations with the name Java_Ghost or description We Are There But Not\r\nVisible .\r\nAll of these detection ideas should be assessed within the context of your environment.\r\nHow Datadog can help\r\nDatadog Cloud SIEM and Cloud Security Management (CSM) come with the following out-of-the-box rules to\r\nidentify suspicious activity relevant to these attacks in an AWS environment. The Cloud SIEM rules help identify\r\npotential threats, while the CSM rules help identify overprivileged identities. Long-lived access keys tend to carry\r\na higher risk of being associated with a compromise.\r\nAWS SES discovery attempt by long-term access key\r\nPossible privilege escalation via AWS login profile manipulation\r\nAWS IAM Identity Center SSO configuration updated\r\nAnomalous number of AWS Lambda functions deleted\r\nTemporary AWS security credentials generated for user\r\nAWS IAM AdministratorAccess policy was applied to a user\r\nAWS console login without MFA\r\nAWS Java_Ghost security group creation attempt\r\nAWS IAM AmazonSESFullAccess policy was applied to a user\r\nAWS IAM AdministratorAccess policy was applied to a group\r\nAWS IAM User created with AdministratorAccess policy attached\r\nAmazon SES enumeration attempt by previously unseen user\r\nIAM users should not have both Console access and Access Keys\r\nIAM users should not have the 'AdministratorAccess' policy attached\r\nMulti-factor authentication should be enabled for all IAM users with console access\r\nIndicators of compromise\r\nIP Addresses used\r\n129.146.24[.]173\r\n134.199.148[.]132\r\n103.131.213[.]89\r\n80.85.141[.]238\r\n54.95.125[.]167\r\n149.154.161[.]235\r\n182.185.156[.]45\r\nCreated IAM user names:\r\nadminslabs\r\nbuckets488\r\ns3s684\r\ngit-lab965\r\ngit-lab555\r\nCreated IAM role names:\r\nLambdaExecutionRole\r\nbuckets555-role-c6s4hhdi\r\ncurdfunctionsme-role-zw1zxamc\r\nCreated IAM group name:\r\nAdministrators\r\nCreated Lambda function names:\r\nbuckets555\r\ncurdfunctionsme\r\nLambda function SHA256:\r\nHAPq9EReJVEC5gLavtc/gyd5vZtd9eiUGF932t0jBxY= (1c03eaf4445e255102e602dabed73f832779bd9b5df5e894185f77dadd230716)\r\nHXGHpm9uGbfTRsBh2YwHKSlF5xxwrAggliHsuoD3OGY= (1d7187a66f6e19b7d346c061d98c07292945e71c70ac08209621ecba80f73866)\r\nCreated IAM Identity Center user name:\r\nSecret\r\nCreated IAM Identity Center group name:\r\nsecure\r\nSource: https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-the-attacker-doth-persist-too-much/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-the-attacker-doth-persist-too-much/"
	],
	"report_names": [
		"tales-from-the-cloud-trenches-the-attacker-doth-persist-too-much"
	],
	"threat_actors": [
		{
			"id": "93b7776d-9b37-496d-94a5-30bc36fd8800",
			"created_at": "2023-11-07T02:00:07.10019Z",
			"updated_at": "2026-04-10T02:00:03.407781Z",
			"deleted_at": null,
			"main_name": "GhostSec",
			"aliases": [
				"Ghost Security"
			],
			"source_name": "MISPGALAXY:GhostSec",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ec338220-86d2-4286-805e-84aeef086645",
			"created_at": "2025-03-07T02:00:03.788876Z",
			"updated_at": "2026-04-10T02:00:03.817385Z",
			"deleted_at": null,
			"main_name": "JavaGhost",
			"aliases": [],
			"source_name": "MISPGALAXY:JavaGhost",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775441587,
	"ts_updated_at": 1775791896,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f40ca99d8d15a80c00182a6290098008eb64e780.pdf",
		"text": "https://archive.orkl.eu/f40ca99d8d15a80c00182a6290098008eb64e780.txt",
		"img": "https://archive.orkl.eu/f40ca99d8d15a80c00182a6290098008eb64e780.jpg"
	}
}
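The detection opportunities listed in the archived post above (SES enumeration by an AKIA* key, AdministratorAccess/AmazonSESFullAccess attachment, login profile changes, CreateUser from a Lambda user agent, Identity Center MFA configuration changes, DisableAWSServiceAccess, console logins from the IOC IPs, and GetFederationToken with a broad inline policy), expressed as a small rule set run over CloudTrail records. This is an added example and is not Datadog's rules or code from the post. The sample events are constructed, not records from the incident; the eventName on the Identity Center record is a placeholder, since that rule keys only on the requestParameters.configurationType value the post names; the watchlist IPs are copied from the post's IOC list with the defanging brackets removed.

```python
# Added example: toy CloudTrail detections for the behaviours in the post.
# Each rule takes one CloudTrail record (a dict) and returns True when it
# fires; detect() runs every rule over a list of records. SAMPLE_EVENTS are
# constructed; the Identity Center eventName is a placeholder (that rule keys
# on configurationType only); watchlist IPs come from the post's IOC list.

ADMIN_POLICIES = {
    "arn:aws:iam::aws:policy/AdministratorAccess",
    "arn:aws:iam::aws:policy/AmazonSESFullAccess",
}
SES_ENUM_CALLS = {"GetAccount", "ListIdentities", "GetSendQuota"}
WATCHLIST_IPS = {"149.154.161.235", "129.146.24.173", "134.199.148.132"}


def _params(ev):
    return ev.get("requestParameters") or {}


def ses_enum_long_term_key(ev):
    # AKIA* is a long-term IAM user key; ASIA* is a temporary STS credential.
    key = (ev.get("userIdentity") or {}).get("accessKeyId", "")
    return (ev.get("eventSource") == "ses.amazonaws.com"
            and ev.get("eventName") in SES_ENUM_CALLS
            and key.startswith("AKIA"))


def admin_policy_attached(ev):
    return (ev.get("eventName") in {"AttachUserPolicy", "AttachGroupPolicy"}
            and _params(ev).get("policyArn") in ADMIN_POLICIES)


def login_profile_change(ev):
    return ev.get("eventName") in {"CreateLoginProfile", "UpdateLoginProfile"}


def iam_user_created_from_lambda(ev):
    # The Lambda runtime stamps exec-env/AWS_Lambda_<runtime> into the SDK user agent.
    return (ev.get("eventName") == "CreateUser"
            and "exec-env/AWS_Lambda" in (ev.get("userAgent") or ""))


def identity_center_mfa_change(ev):
    return (ev.get("eventSource") == "sso.amazonaws.com"
            and _params(ev).get("configurationType") == "APP_AUTHENTICATION_CONFIGURATION")


def org_trusted_access_disabled(ev):
    return ev.get("eventName") == "DisableAWSServiceAccess"


def console_login_from_watchlist(ev):
    return (ev.get("eventName") == "ConsoleLogin"
            and ev.get("sourceIPAddress") in WATCHLIST_IPS)


def federation_token_broad_policy(ev):
    # The inline session policy arrives as a JSON string; flag wildcard Action grants.
    compact = (_params(ev).get("policy") or "").replace(" ", "")
    return (ev.get("eventName") == "GetFederationToken"
            and ('"Action":"*"' in compact or '"Action":["*"]' in compact))


RULES = [ses_enum_long_term_key, admin_policy_attached, login_profile_change,
         iam_user_created_from_lambda, identity_center_mfa_change,
         org_trusted_access_disabled, console_login_from_watchlist,
         federation_token_broad_policy]


def detect(events):
    """Return (rule_name, eventID) for every rule that fires on every event."""
    return [(rule.__name__, ev.get("eventID"))
            for ev in events for rule in RULES if rule(ev)]


SAMPLE_EVENTS = [  # constructed records, not from the incident
    {"eventID": "e1", "eventSource": "ses.amazonaws.com", "eventName": "GetSendQuota",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLEKEY000001"}},
    {"eventID": "e2", "eventSource": "iam.amazonaws.com", "eventName": "AttachGroupPolicy",
     "requestParameters": {"groupName": "Administrators",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventID": "e3", "eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "userAgent": "aws-sdk-js/2.1692.0 exec-env/AWS_Lambda_nodejs18.x",
     "requestParameters": {"userName": "git-lab965"}},
    {"eventID": "e4", "eventSource": "sso.amazonaws.com", "eventName": "PLACEHOLDER",
     "requestParameters": {"configurationType": "APP_AUTHENTICATION_CONFIGURATION"}},
    {"eventID": "e5", "eventSource": "organizations.amazonaws.com",
     "eventName": "DisableAWSServiceAccess",
     "requestParameters": {"servicePrincipal": "access-analyzer.amazonaws.com"}},
    {"eventID": "e6", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "sourceIPAddress": "149.154.161.235"},
    {"eventID": "e7", "eventSource": "sts.amazonaws.com", "eventName": "GetFederationToken",
     "requestParameters": {"name": "console-session", "policy":
         '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"*","Resource":"*"}]}'}},
    {"eventID": "e8", "eventSource": "ses.amazonaws.com", "eventName": "GetSendQuota",
     "userIdentity": {"accessKeyId": "ASIAEXAMPLETEMP00001"}},  # temporary key: must not fire
    {"eventID": "e9", "eventSource": "iam.amazonaws.com", "eventName": "CreateLoginProfile",
     "requestParameters": {"userName": "adminslabs"}},
]
```

Running detect(SAMPLE_EVENTS) yields one finding for each of e1 through e7 and e9, and nothing for e8, the benign control where the same SES call is made with a temporary ASIA* credential. In production each rule would be scoped further (allow-listed automation roles that legitimately call CreateUser from Lambda, known break-glass GetFederationToken callers), as the post's closing note on environmental context suggests.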