As in 2022, 2021 and 2020, I am listing the cyber attacks, documented via OSINT, that exploited the cloud in one or more stages of the attack chain.
The campaigns are classified into four categories: Delivery and Exploitation (the cloud service is exploited to deliver a malware strain or a phishing page), Actions on Objective (the cloud service is exploited to steal data or launch other attacks), Command and Control (the cloud service is exploited as command and control infrastructure), and Data Exfiltration (the cloud service is used as a drop zone for the exfiltrated data).
Below you will find some statistics and a table with detailed information on the attacks.
Charts (data not available in this text version): Cloud-Native Threats 2023 - Top Exploited Cloud Services; Top Exploitation Purposes; Motivations; Top Exploited Services: Delivery; Top Exploited Services: Command and Control; Top Exploited Services: Actions on Objective; Top Exploited Services: Data Exfiltration; Top Exploited Services: Cyber Crime; Top Exploited Services: Cyber Espionage.
Date Reported
Date Occurred
Date Discovered
Author
Target
Description
Attack
Target Class
Attack Class
Geo
Link
Exploited Service
Motivation
05/01/2023
For the last few months''
-
APT-C-36 AKA Blind Eagle
Organizations in Colombia
Researchers from Check Point discover a new campaign using a modified version of QuasarRAT against Colombia based organizations.
Malware
Multiple Industries
Cyber Crime
CO
MediaFire
Delivery and Distribution
06/01/2023
Since early 2020
Recently'
Vidar
Multiple organizations
Researchers from Sekoia discover a massive campaign using over 1,300 domains to impersonate the official AnyDesk site for pushing the Vidar information-stealing malware.
Malware
Multiple Industries
Cyber Crime
>1
Dropbox, GitHub
Delivery and Distribution
06/01/2023
Since at least early December 2022
Early December 2022
?
Organizations in Italy
Researchers from Uptycs discover a new campaign targeting users in Italy, and delivering targeting phishing emails disguised as invoices, designed to deploy an information stealer on compromised Windows systems.
Malware
Multiple Industries
Cyber Crime
IT
Dropbox, GitHub
Delivery and Distribution
13/01/2022
Recently'
Recently'
?
Organizations in South Korea
Researchers at Ahnlab discover a campaign distributing the Orcus RAT on file-sharing sites disguised as a cracked version of Hangul Word Processor.
Malware
Multiple Industries
Cyber Crime
KR
Google Docs
Delivery and Distribution
17/01/2023
During November 2022
During November 2022
?
Undisclosed retailer
Researchers from IBM X-Force discover a PoS malware using Discord as the command and control infrastructure.
Malware
Wholesal and Retail
Cyber Crime
N/A
Discord
Command and Control
17/01/2023
-
-
Earth Boogle
Organizations across the Middle East and North Africa
Researchers from Trend Micro discover an active campaign using Middle Eastern geopolitical-themed lures to distribute NjRAT (also known as Bladabindi) has been spotted infecting victims across the Middle East and North Africa.
Targeted Attack
Multiple Industries
Cyber Espionage
>1
Discord, Microsoft OneDrive
Delivery and Distribution
19/01/2023
Since at last September 2022
During September 2022
Roaming Mantis (AKA Shaoye)
Multiple organizations
Researchers from Kaspersky reveal that Roaming Mantis malware distribution campaign has updated Wroba.o/XLoader, its Android malware to include a DNS changer that modifies DNS settings on vulnerable WiFi routers to spread the infection to other devices.
Malware
Multiple Industries
Cyber Crime
>1
Google Docs, YouTube
Command and Control
19/01/2023
'Recently'
'Recently'
8220
Multiple organizations
The for-profit Chinese threat group, 8220 Gang, is observed targeting cloud service providers and poorly secured apps. The group was observed using a cryptominer and IRC botnet to churn financial advantage out of public cloud infrastructure.
Misconfigurations
Multiple Industries
Cyber Crime
>1
Pastebin, Git
Delivery and Distribution
20/01/2023
Recently'
Recently'
Album stealer
Facebook users
Researchers from Zscaler discover Album stealer, targeting Facebook adult-only content seekers.
Researchers from Blackberry discover new attacks by the Gamaredon group leveraging the popular messaging app Telegram to strike military and law enforcement sectors in the country.
Targeted Attack
Public admin and defence, social security
Cyber Espionage
UA
Telegram
Command and Control
24/01/2023
'Recently'
'Recently'
DragonSpark
Organizations in East Asia
Researchers from SentinelOne discover a Chinese-speaking hacking group tracked as ‘DragonSpark’ employing SparkRAT and Golang source code interpretation to evade detection while launching espionage attacks against organizations in East Asia.
Targeted Attack
Multiple Industries
Cyber Espionage
>1
AWS
Delivery and Distribution
24/01/2023
Since at least November 2021
During November 2021
GuLoader
e-commerce industry located in South Korea and the United States
Researchers at Trellix discover a GuLoader campaign targeting e-commerce industries located in South Korea and the United States, and distributing the malware via NSIS files.
Malware
Wholesale and retail
Cyber Crime
KR
US
Google Drive
Delivery and Distribution
25/01/2023
Since August 2022
-
PY#RATION
Multiple organizations
Researchers from Securonix discover PY#RATION, a new Python-based malware featuring remote access trojan (RAT) capabilities.
Malware
Multiple Industries
Cyber Crime
>1
Google Drive, Dropbox
Delivery and Distribution
31/01/2023
Between 06/12/2024 and 27/12/2023
6/12/2022
?
Multiple organizations
Microsoft disables multiple fraudulent, verified Microsoft Partner Network accounts for creating malicious OAuth applications that breached organizations' cloud environments to steal email.
Account Takeover
Multiple Industries
Cyber Crime
>1
Microsoft 365 Suite
Actions on Objective
31/01/2023
Recently'
Recently'
?
Multiple organizations
Researchers at Fortinet discover a new campaign aimed to cryptojack systems to mine for Monero (XMR) cryptocurrency.
Malware
Multiple Industries
Cyber Crime
>1
Microsoft Onedrive
Delivery and Distribution
01/02/2023
Since at least September 2022
During September 2022
?
Online gaming and gambling companies
Researchers at Security Joe discover that unknown attackers have been targeting online gaming and gambling companies with what appears to be a previously unseen backdoor that researchers have named IceBreaker.
Malware
Arts entertainment, recreation
Cyber Crime
N/A
Dropbox
Delivery and Distribution
02/02/2023
Since 26/02/2023
30/01/2023
Trexon
Multiple organizations
Researchers from Fortinet discover a new attack in a PyPI package (Python Package Index) called “web3-essential”.
Malware
Multiple Industries
Cyber Crime
>1
Discord
Delivery and Distribution
08/02/2023
Between 27/01/2023 and 29/01/2023
-
?
Multiple organizations
Researchers at Fortinet discover five malicious packages on the Python Package Index (PyPI) containing the W4SP Stealer, stealing passwords, Discord authentication cookies, and cryptocurrency wallets from unsuspecting developers.
Malware
Multiple Industries
Cyber Crime
>1
Discord
Delivery and Distribution
09/02/2023
30/01/2023 and 31/01/2023
30/1/2023
?
Multiple organizations
Researchers from Sentinel One discover a new phishing campaign targeting Amazon Web Services (AWS) logins and abusing Google ads to inject phishing sites into Google Search.
Malvertising
Multiple Industries
Cyber Crime
>1
Blogger
Delivery and Distribution
16/02/2023
Since at lest May 2022
Between August 2022 and January 2023
?
Chinese-speaking individuals in Southeast and East Asia
Researchers from ESET discover a campaign targeting Chinese-speaking individuals in Southeast and East Asia via rogue Google Ads that deliver remote access trojans such as FatalRAT to compromised machines.
Malware
Individual
Cyber Crime
CN
HK
ID
JP
MY
MM
PH
SG
TH
TW
Alibaba Cloud
Delivery and Distribution
16/02/2023
-
-
WIP26
Telecommunication providers in the Middle East
Researchers at Sentinel One discover a new threat cluster tracked as WIP26 targeting telecommunication providers in the Middle East.
Targeted Attack
Information and Communication
Cyber Espionage
>1
Azure, Dropbox, Google Firebase, Microsoft 365 Mail
Delivery and Distribution
Command and Control
16/02/2023
Since January 2022
During January 2022
Earth Yako
Researchers in the academic sector and think tanks
Researchers at Trend Micro discover a new campaign of the Earth Yako group targeting researchers in the academic sector and think tanks in Japan.
Targeted Attack
Education
Cyber Espionage
JP
Dropbox, GitHub
Command and Control
20/02/2023
02/12/2022
04/12/2022
?
Activision
Activision confirms that it suffered a data breach in early December 2022 after hackers gained access to the company's internal systems by tricking an employee with an SMS phishing text.
Account Takeover
Arts entertainment, recreation
Cyber Crime
US
Slack
Actions on Objective
20/02/2023
27/01/2023
31/01/2023
‘Portugal’ and ‘Brazil’
Multiple organizations
Researcehers from Fortinet discover another 0-day attack in the PyPI packages (Python Package Index) by the malware authors ‘Portugal’ and ‘Brazil’ who published the packages ‘xhttpsp’ and ‘httpssp’.
Malware
Multiple Industries
Cyber Crime
>1
Discord, Telegram
Data Exfiltration
23/02/2023
-
-
?
Government entities
Researchers from Menlo Security uncover an unknown threat actor leveraging an evasive threat campaign distributed via Discord that features the PureCrypter downloader and targeting government entities.
Malware
Public admin and defence, social security
Cyber Crime
N/A
Discord
Delivery and Distribution
26/02/2023
25/02/2023
25/02/2023
?
Multiple organizations
Researchers from Sonatype discover an open source malware campaign in which a threat actor is infiltrating the PyPI software registry with thousands of malicious packages.
Malware
Multiple Industries
Cyber Crime
>1
Dropbox
Delivery and Distribution
27/02/2023
Between 12/08/2022 and 26/10/2022
-
?
LastPass
LastPass discloses more information on a "coordinated second attack," where a threat actor accessed and stole data from the Amazon AWS cloud storage servers for over two months.
Account Takeover
Professional, scientific and technical
Cyber Crime
US
AWS
Actions on Objective
28/02/2023
'Recently'
'Recently'
SCARLETEEL
Undisclosed organization
Researchers from Sysdig discover an advanced hacking operation dubbed 'SCARLETEEL' targeting public-facing web apps running in containers to infiltrate cloud services and steal sensitive data.
Misconfiguration
Unknown
Cyber Crime
N/A
AWS
Actions on Objective
02/03/2023
-
-
?
Targets in the hospitality sector
Researchers from Trend Micro discover a campaign targeting the hospitality sector and using Dropbox to release the malicious file.
Malware
Accommodation and food service
Cyber Crime
>1
Dropbox
Delivery and Distribution
02/03/2023
Since January 2023
'Recently'
Mustang Panda
Government and political organizations in Europe and Asia, focusing on Taiwan and Ukraine.
Researchers from ESET reveal that the Chinese cyber espionage hacking group Mustang Panda was seen deploying a new custom backdoor named 'MQsTTang' in attacks starting this year.
Targeted Attack
Public admin and defence, social security
Cyber Espionage
TW
UA
GitHub
Delivery and Distribution
06/03/2023
-
-
?
Eastern European institutions and businesses
Researchers from SentinelOne discover phishing campaigns that distribute the Remcos RAT using the DBatLoader malware loader to target predominantly Eastern European institutions and businesses.
Malware
Multiple Industries
Cyber Crime
>1
Microsoft OneDrive, Google Drive
Delivery and Distribution
08/03/2023
-
-
Exotic Lily, aka PROJECTOR LIBRA and TA580
Multiple organizations
Researchers from ReliaQuest discover a new campaign by the Initial Access Broker Exotic Lily.
Malware
Multiple Industries
Cyber Crime
>1
Microsoft OneDrive, WeTransfer
Delivery and Distribution
13/03/2023
Since November 2022
Since November 2022
?
Multiple organizations
Researchers from CloudSEK reveal that threat actors have been increasingly observed using AI-generated YouTube Videos to spread a variety of stealer malware such as Raccoon, RedLine, and Vidar.
Malware
Multiple Industries
Cyber Crime
>1
YouTube
Delivery And Distribution
15/03/2023
-
-
?
Multiple organizations
Researchers from Avast reveal that cybercriminals are abusing Adobe Acrobat Sign, an online document signing service, to distribute the redline info-stealing malware to unsuspecting users.
Malware
Multiple Industries
Cyber Crime
>1
Adobe Acrobat Sign
Delivery and Distribution
17/03/2023
Since early March 2023
During March 2023
Ursnif
Italian Taxpayers
The Italian taxpayers are the targets of a campaign distributing the Ursnif malware via fake notificastions from the Italian Revenue Agency (Agenzia delle Entrate).
Malware
Individual
Cyber Crime
IT
Google Firebase
Delivery and Distribution
21/03/2023
Since at least September 2021
During October 2022
Bad Magic (State-sponsored threat actor)
Government, agriculture and transportation organizations located in the Donetsk, Lugansk, and Crimea regions
Researchers fron Kaspersky discover a campaign targeting government, agriculture and transportation organizations located in the Donetsk, Lugansk, and Crimea regions via a previously unseen malicious framework called CommonMagic and a new backdoor called PowerMagic.
Targeted Attack
Multiple Industries
Cyber Espionage
UA
Dropbox, OneDrive
Command and Control
22/03/2023
'Recently'
'Recently'
?
Municipal government organization
InQuest Labs analysts detect a phishing attack discovered by a municipal government organization, hosting the phishing pages on Raven and Microsoft Azure.
Account Takeover
Public admin and defence, social security
Cyber Crime
N/A
Microsoft Azure, Raven
Delivery and Distribution
23/03/2023
-
-
?
At least 1600 individuals across Europe, the US and other countries
Researchers from Kasepersky discover a novel phishing scam relying on legitimate servers from Microsoft’s collaborative platform SharePoint, targeting at least 1600 individuals across Europe, the US and other countries using a native notification mechanism.
Account Takeover
Individual
Cyber Crime
>1
Microsoft SharePoint
Delivery and Distributon
24/03/2023
Between 02/01/2022 and 10/01/2022
During January 2022
?
University of the People (UoPeople)
The University of the People (UoPeople) files a notice of data breach after learning that an unauthorized party was able to access confidential information stored on the school’s SharePoint platform.
Unknown
Education
Cyber Crime
US
Microsoft SharePoint
Actions on Objective
24/03/2023
-
-
?
Individuals
Researchers from Uptycs discover a new info-stealing malware named MacStealer, targeting Mac users, stealing their credentials stored in the iCloud KeyChain and web browsers, cryptocurrency wallets, and potentially sensitive files.
Malware
Individual
Cyber Crime
>1
Telegram
Command and Control
27/03/2023
22/12/2022
22/12/2022
?
Nonstop Administration and Insurance Services (NAIS)
Nonstop Administration and Insurance Services (NAIS) announces that the protected health information of employees of its clients has been exposed to an unknown party, who claimed to have accessed company data.
Account Takeover
Administration and support service
Cyber Crime
US
Unknown
Actions on Objective
29/03/2023
-
-
North Korean state-backed hacking group? (Labyrinth Collima AKA Lazarus Group, Covellite, UNC4034, Zinc, Nickel Academy)
Multiple organizations
A digitally signed and trojanized version of the 3CX Voice Over Internet Protocol (VOIP) desktop client is reportedly being used to target the company’s customers in an ongoing supply chain attack.
Targeted Attack
Multiple Industries
Cyber Espionage
>1
GitHub
Delivery and Distribution
30/03/2023
-
-
?
Multiple organizations
Researchers from Sentinel One reveal the details of 'AlienFox', a new modular toolkit allowing threat actors to scan for misconfigured servers to steal authentication secrets and credentials for cloud-based email services.
Misconfiguration
Multiple Industries
Cyber Crime
>1
>1
Actions on Objective
01/04/2023
During October 2022
During October 2022
APT41 AKA HOODOO
Taiwanese media organization
Researchers from Google discover a campaign carried out by the Chinese Threat Actor APT41 targeting a Taiwanese media organization.
Malware
Information and Communication
Cyber Espionage
TW
Google Drive
Delivery and Distribution
01/04/2023
During Q4 2022
During Q4 2022
Ursnif
Multiple organizations
Researchers from Google’s Mandiant observed a campaign distributing the URSNIF banking trojan from Google Drive
Malware
Multiple Industries
Cyber Crime
>1
Google Drive
Delivery and Distribution
01/04/2023
During Q4 2022
During Q4 2022
Diceloader
Multiple organizations
Researchers from Google’s Mandiant observed a campaign distributing the DICELOADER malware from Google Drive
Malware
Multiple Industries
Cyber Crime
>1
Google Drive
Delivery and Distribution
04/04/2023
Since at least 17/03/2023
17/03/2023
?
Taxpayers in the U.S.
eFile.com, an IRS-authorized e-file software service provider used by many for filing their tax returns, has been caught serving JavaScript malware.
Malicious Script Injection
Individual
Cyber Crime
US
AWS
Delivery and Distribution
05/04/2023
Since at least 03/04/2023
03/04/2023
?
YouTube users
YouTube warns users of a new phishing scam that has been using authentic email addresses to lure users into giving away their login credentials.
Account Takeover
Individual
Cyber Crime
>1
Google Drive
Delivery and Distribution
05/04/2023
During Late 2022
During Late 2022
ARCHIPELAGO
Government and military personnel, think thanks, policy makers, academics, and researchers in South Korea, and the U.S.
Researchers from Google warn of the North Korea-linked ARCHIPELAGO (subset of the APT43 group) targeting government and military personnel, think tanks, policy makers, academics, and researchers in South Korea, the US and elsewhere.
Targeted Attack
Individual
Cyber Espionage
KR
US
Microsoft OneDrive
Delivery and Distribution
06/04/2023
-
-
?
Taxpayers in the U.S.
Researchers from Avanan discover a series of campaign exploiting Quickbooks to harvest credentials.
Account Takeover
Individual
Cyber Crime
US
Quickbooks
Delivery and Distribution
07/04/2023
-
-
MuddyWater (AKA MERCURY, Mango Sandstorm, Seedworm, and Static Kitten) and DEV-1084 (AKA Storm-1084)
Multiple organizations
Researchers from Microsoft reveal that Iranian advanced persistent threat (APT) actors MuddyWater and DEV-1084 have been observed launching destructive cyberattacks disguised as ransomware against on-prem and cloud infrastructures.
Multiple vulnerabilities
Multiple Industries
Cyber Crime
>1
Microsoft Azure
Actions on Objective
09/04/2023
Since November 2022
Since November 2022
FusionCore
Multiple organizations
Researchers from Cyfirma discover a new cybercrime group, dubbed FusionCore, specialized in offering Malware-as-a-Service (MaaS) and other hacking services.
Malware
Multiple Industries
Cyber Crime
>1
Telegram
Command and Control
11/04/2023
During March 2023
During March 2023
?
Multiple organizations in Spain
Researchers from Sonatype discover reverse-shell, a PyPI package malware-as-a-service for the Spanish market.
Malware
Multiple Industries
Cyber Crime
ES
GitHub
Delivery and Distribution
14/04/2023
From 14/09/2022 to 08/11/2022
09/11/2022
?
Two Rivers Public Health Department
Two Rivers Public Health Department confirms that the protected health information of 15,168 patients was stored in an employee Office365 account that was accessed by an unauthorized third party.
Account Takeover
Public admin and defence, social security
Cyber Crime
US
Microsoft Outlook
Actions on Objective
14/04/2023
-
-
?
Multiple organizations
Researchers from Uptycs identify a new variant of credential stealing malware, dubbed Zaraza (Russian word for infection), using Telegram as its command and control and targeting a large number of web browsers.
Malware
Multiple Industries
Cyber Crime
>1
Telegram
Command and Control
14/04/2023
Since the Summer 2022
Since the Summer 2022
?
Senior individuals
Researchers from Malwarebytes detect a specific malvertising campaign via Google ads aimed at seniors, where the actor creates hundreds of fake websites via the Weebly platform to host decoy content to fool search engines and crawlers while redirecting victims to a fake computer alert.
Scam
Individual
Cyber Crime
>1
Weebly
Delivery and Distribution
17/04/2023
-
-
RedLine Stealer
Multiple organizations
Researchers from ESET, temporarily disrupt the operations of the RedLine Stealer with the help of GitHub, used as a dead drop resolver.
Malware
Multiple Industries
Cyber Crime
>1
GitHub
Command and Control
18/04/2023
During March 2023
During March 2023
APT-C-36 AKA Blind Eagle
Multiple organizations
Researchers from ThreatMon discover a new campaign by the cyber espionage actor tracked as Blind Eagle using a new multi-stage attack chain that leads to the deployment of the NjRAT remote access trojan on compromised systems.
Targeted Attack
Multiple Industries
Cyber Espionage
EC
ES
CL
CO
Discord
Delivery and Distribution
18/04/2023
During fall of 2022
During fall of 2022
MuddyWater (AKA MERCURY, Mango Sandstorm, Seedworm, and Static Kitten) and DEV-1084 (AKA Storm-1084)
Multiple organizations
Researchers from Group-IB discover a new campaign by the Iranian government-sponsored threat actor known as MuddyWater, using the legitimate SimpleHelp remote support software tool to achieve persistence on victim devices.
Targeted Attack
Multiple Industries
Cyber Espionage
>1
Dropbox, OneDrive, OneHub
Delivery and Distribution
20/04/2023
Since at least March 2023
During March 2023
Lazarus Group AKA Labyrinth Collima, Covellite, UNC4034, Zinc, Nickel Academy)
People working in software or DeFi platforms
Researchers from ESET discover a new Lazarus campaign considered part of "Operation DreamJob" (AKA Nukesped), targeting Linux users with malware for the first time.
Targeted Attack
Professional, scientific and technical
Cyber Espionage
>1
OpenDrive
Delivery and Distribution
24/04/2023
'Recently'
'Recently'
DoNot APT
Individual residing in Kashmir
Researchers from Cyfirma discover a new campaign by the DoNot APT group targeting Individual residing in Kashmir via two malware strains delivered via fake WhatsApp applications.
Targeted Attack
Individual
Cyber Espionage
IN
Google Firebase
Command and Control
28/04/2023
Since 2022
'Recently'
AresLoader
Multiple organizations using Citrix
Researchers from Cyble discover a new loader called AresLoader that has been used to spread several types of malware families.
Malware
Multiple Industries
Cyber Crime
>1
GitLab
Delivery and Distribution
01/05/2023
During 2022
During 2022
ScarCruft APT group (aka APT37, Reaper, and Group123)
Korean-speaking individuals
Researchers from Check Point reveal the details of a new campaign by the Korea-linked ScarCruft APT group (aka APT37, Reaper, and Group123) delivering the ROKRAT and Amadey payloads.
Targeted Attack
Individual
Cyber Espionage
KR
Dropbox, pCloud, Yandex Cloud, and OneDrive
Command and Control
03/05/2023
SInce late January 2023
Late January 2023
Threat actors from Vietnam
Individuals
Researchers from Facebook discover a new information-stealing malware distributed on Meta called 'NodeStealer,' allowing threat actors to steal browser cookies to hijack accounts on the platform, as well as Gmail and Outlook accounts.
Malware
Individual
Cyber Crime
>1
Facebook
Delivery and Distribution
03/05/2023
-
-
DuckTail
Individuals
Researchers from Meta discover a new version of the DuckTail malware exploiting multiple cloud services to host the malicious payload.
Malware
Individual
Cyber Crime
>1
Discord, Dropbox, Google Drive, iCloud, MediaFire, Mega, Microsoft OneDrive, Trello
Delivery and Distribution
04/05/2023
-
-
Kimsuky
Think tanks, research universities, and government entities in the United States, Europe, and Asia
Researchers from Sentinel Labs reveal that the North Korean group Kimsuky has been observed employing a new version of its reconnaissance malware, now called 'ReconShark,' in an ongoing cyberespionage campaign with a global reach.
Targeted Attack
Multiple Industries
Cyber Espionage
>1
Microsoft OneDrive
Delivery and Distribution
10/05/2023
08/05/2023
08/05/2023
BlackBasta?
Dragos
Industrial cybersecurity company Dragos discloses what it describes as a "cybersecurity event" after a known cybercrime gang attempted to breach its defenses and infiltrate the internal network to encrypt devices.
Account Takeover
Professional, scientific and technical
Cyber Crime
US
Microsoft SharePoint
Actions on Objective
12/05/2023
Since 2019
-
?
Cryptocurrency Exchanges
Researchers from JPCERT/CC observe threat actors targeting cryptocurrency exchanges in an attack campaign called DangerousPassword, also referred to as CryptoMimic or SnatchCrypto.
Malware
Fintech
Cyber Crime
>1
LinkedIn
Delivery and Distribution
16/05/2023
Since at least May 2022
Since at least May 2022
UNC3944
Multiple organizations
Researchers from Mandiant discover UNC3944, a financially motivated cybergang using phishing and SIM swapping attacks to hijack Microsoft Azure admin accounts and gain access to virtual machines.
Account Takeover
Multiple Industries
Cyber Crime
>1
Microsoft Azure
Actions on Objective
16/05/2023
Since May 2022
Since May 2022
OilAlpha
Humanitarian groups, media outlets and nonprofits in the Arabian Peninsula
Researchers from Recorded Future reveal that a hacking group known as OilAlpha with likely ties to Yemen’s Houthi movement has targeted humanitarian groups, media outlets and nonprofits in the Arabian Peninsula via WhatsApp as part of a digital espionage campaign.
Targeted Attack
Multiple Industries
Cyber Espionage
>1
WhatsApp
Delivery and Distribution
18/05/2023
-
-
?
Individuals
Researchers from Avanan discover a phishing campaign exploiting Dropbox to deliver phishing pages.
Account Takeover
Individual
Cyber Crime
>1
Dropbox
Delivery and Distribution
19/05/2023
Since at least March 2023
Since at least March 2023
Unidentified advanced persistent threat
Individuals and organizations in Ukraine
Researchers from Kaspersky discover CloudWizard a new cluster of activities by an advanced persistent threat targeting individuals and organizations in Ukraine via the PowerMagic and CommonMagic malicious implants.
Targeted Attack
Multiple Industries
Cyber Espionage
UA
Dropbox, Google Drive, Microsoft OneDrive
Command and Control
19/05/2023
'Recently'
'Recently'
?
Individuals
Researchers from Trend Micro discover an infostealer masquerading as a popular computer game exploiting GitHub Codespaces to exfiltrate data.
Malware
Individual
Cyber Crime
>1
GitHub
Data Exfiltration
22/05/2023
Since at least November. 2021
Since at least November. 2021
p0-LUCR-1 AKA GUI-vil
Multiple organizations
Researchers from Permiso discover a financially motivated cyberthreat group traced to Indonesia, attacking organizations’ Amazon Web Services (AWS) accounts to set up illicit cryptomining operations.
Misconfiguration
Multiple Industries
Cyber Crime
>1
AWS
Actions on Objective
23/05/2023
End of April 2023
End of April 2023
DarkCloud
Multiple organizations
Researchers from AhnLab discover a campaign distributing the DarkCloud and ClipBanker infostealers via spam emails.
Malware
Multiple Industries
Cyber Crime
>1
Telegram
Command and Control
24/05/2023
Mid May 2023
Mid May 2023
?
Organizations using Microsoft 365
Researchers from Trustwave discover a phishing campaign using a combination of compromised Microsoft 365 accounts and .rpmsg (restricted permission message files) encrypted emails to deliver the phishing message.
Account Takeover
Multiple Industries
Cyber Crime
>1
Adobe InDesign
Delivery and Distribution
24/05/2023
-
-
?
Multiple organizations
Researchers from Cado Labs discover an updated version of the commodity malware Legion with expanded features to compromise SSH servers and Amazon Web Services (AWS) credentials associated with DynamoDB and CloudWatch.
Malware
Multiple Industries
Cyber Crime
>1
AWS
Actions on Objective
26/05/2023
SInce at least April 2023
During April 2023
Bandit Stealer
Crypto investors
Researchers from Trend Micro reveal the details of Bandit Stealer, a new information-stealing malware that targets browsers and cryptocurrency wallets.
Malware
Fintech
Cyber Crime
>1
Pastebin (Command and Control)
Telegram (Data Exfiltration)
Command and Control
Data Exfiltration
31/05/2023
Since February 2022
During May 2023
Dark Pink
Organizations in Belgium, Brunei, Indonesia, Thailand, and Vietnam
Researchers from Group-IB discover a new campaign by the Dark Pink APT targeting organizations in Belgium, Brunei, Indonesia, Thailand, and Vietnam
Targeted Attack
Multiple Industries
Cyber Espionage
BE
BN
ID
TH
VN
GitHub
Delivery and Distribution
01/06/2023
Since at least November 2020
-
Horabot
Spanish-speaking users in Latin America
Researchers from Cisco Talos observe a threat actor deploying a previously unidentified botnet called “Horabot,” which delivers a banking trojan and spam tool onto victim machines targeting Spanish-speaking users in Latin America.
Malware
Finance and insurance
Cyber Crime
AR
BR
GT
MX
PA
UY
VE
AWS
Delivery and Distributon
01/06/2023
-
-
Kimsuky AKA Thallium, APT43, Velvet Chollima, and Black Banshee
Individuals employed by research centers and think tanks, academic institutions, and news media
organizations
The FBI, the U.S. Department of State, and the National Security Agency (NSA), together with the Republic of Korea’s National Intelligence Service (NIS) issue a warning that describes the spying methods of Kimsuky, the notorious North Korean nation-state hacking group that targets think tanks, academia and news media. The same campaigns ia also unearthed by reasearchers at Sentinel One.
Targeted Attack
Multiple Industries
Cyber Espionage
KR
US
Google Workspace
Actions on Objective
02/06/2023
19/02/2023
20/02/2023
?
EpiSource
EpiSource files a notice of data breach after learning that suspicious activity within the company’s Amazon Web Services environment resulted in an unauthorized party being able to access confidential consumer data.
Account Takeover
Professional, scientific and technical
Cyber Crime
US
AWS
Actions on Objective
09/06/2023
Since Early May 2023
Since Early May 2023
Pink Drainer
Discord and Twitter accounts for cryptocurrency-stealing attacks
Researchers from Scam Sniffer reveal that a hacking group tracked as 'Pink Drainer' is impersonating journalists in phishing attacks to compromise Discord and Twitter accounts for cryptocurrency-stealing attacks, compromising the accounts of 1,932 victims to steal roughly $3 M worth of digital assets
Account Takeover
Fintech
Cyber Crime
>1
Discord, Twitter
Actions on Objective
09/06/2023
-
-
Omega
Undisclosed organization
Researchers from Obsidian observe a successful ransomware attack against Sharepoint Online (Microsoft 365) via a Microsoft Global SaaS admin account rather than the more usual route of a compromised endpoint.
Account Takeover
Unknown
Cyber Crime
N/A
Microsoft SharePoint
Actions on Objective
13/06/2023
Since at least May 2023
During May 2023
Skuld
Organizations across Europe, Southeast Asia, and the U.S.
Researchers from Trellix discover a new Golang-based information stealer called Skuld, and able to steal Discord and Browser datas from the victims.
Malware
Multiple Industries
Cyber Crime
>1
Discord
Data Exfiltration
14/06/2023
Since at least early May 2023
During early May 2023
?
Cybersecurity researchers and firms involved in vulnerability research
Researchers from VulnCheck discover a campaign where attackers are impersonating cybersecurity researchers on Twitter and GitHub to publish fake proof-of-concept exploits for zero-day vulnerabilities that infect Windows and Linux with malware.
Malware
Individual
Cyber Crime
>1
GitHub
Delivery and Distribution
15/06/2023
-
24/05/2023
?
Multiple organizations
The npm package “bignum” is compromised by hijacking the S3 bucket that serves the prebuilt binaries it needs and replacing them with malicious ones that distribute malware.
Malware
Multiple Industries
Cyber Crime
>1
AWS
Delivery and Distribution
15/06/2023
-
-
Diicot
Multiple organizations
Researchers from Cado Labs discover a new campaign from the Romanian threat actor Diicot deploying the off-the-shelf Mirai-based bot known as Cayosin, targeting routers running OpenWrt, the Linux-based operating system for embedded devices.
Malware
Multiple Industries
Cyber Crime
>1
Discord
Command and Control
21/06/2023
During May 2023
During May 2023
APT37 (AKA ScarCruft, Reaper, or RedEyes)
Multiple organizations
Researchers from AhnLab reveal the details of the latest campaign from the North Korean threat actor APT37 using two new custom malware strains dubbed 'AblyGo backdoor' and 'FadeStealer'.
Targeted Attack
Multiple Industries
Cyber Espionage
N/A
GitHub
Command and Control
21/06/2023
Between late 2022 and early 2023
-
APT15 AKA Nickel, Flea, Ke3Chang, and Vixen Panda
Foreign affairs ministries in Central and South American countries
Researchers from Broadcom/Symantec unearth a new campaign by the Chinese state-sponsored group tracked as APT15, using a novel backdoor named 'Graphican'.
Targeted Attack
Public admin and defence, social security
Cyber Espionage
>1
Microsoft OneDrive
Command and Control
21/06/2023
'Recently'
'Recently'
MULTI#STORM
Organizations in India and the U.S
Researchers from Securonix discover a new phishing campaign codenamed MULTI#STORM targeting organizations in India and the U.S. by leveraging JavaScript files to deliver remote access trojans on compromised systems.
Malware
Multiple Industries
Cyber Crime
IN
US
Microsoft OneDrive
Delivery and Distribution
21/06/2023
-
-
?
Seven different financial institutions across North, Central, and Latin America
Researchers from Netskope discover several phishing campaigns targeting customers of seven different financial institutions across North, Central, and Latin America.
Account Takeover
Finance and insurance
Cyber Crime
>1
Telegram
Data Exfiltration
21/06/2023
'Recently'
'Recently'
RedEnergy
Multiple organizations
Researchers from Zscaler discover a new malware variant, the RedEnergy stealer, which fits into the hybrid stealer-as-a-ransomware threat category.
Malware
Multiple Industries
Cyber Crime
>1
Discord
Delivery and Distribution
05/07/2023
Since at least end of May 2023
During June 2023
TeamTNT
Multiple organizations
Researchers from Aqua Security and SentinelOne discover a new campaign, still in its early stages, linked to TeamTNT, a threat group known for targeting cloud and container environments to deploy cryptocurrency miners.
Account Takeover
Multiple Industries
Cyber Crime
>1
AWS, Microsoft Azure, Google Cloud Platform
Actions on Objective
07/07/2023
Since May 2023
Since May 2023
TOITOIN
Organizations in Latin America
Researchers from Zscaler discover a new Windows-based banking trojan called TOITOIN targeting organizations in Latin America.
Malware
Finance and insurance
Cyber Crime
>1
AWS
Delivery and Distribution
09/07/2023
During January 2023
Mid-May 2023
Charming Kitten (AKA APT35, TA453, Mint Sandstorm, Yellow Garuda)
Experts in Middle Eastern affairs and nuclear security
Researchers from Proofpoint discover a new campaign by the Iranian Charming Kitten APT group using a new macOS malware strain, NokNok, against experts in Middle Eastern affairs and nuclear security.
Targeted Attack
Individual
Cyber Espionage
>1
Dropbox
Delivery and Distribution
11/07/2023
-
-
Scarleteel
Multiple organizations
Researchers from Sysdig observe the financially motivated threat actor Scarleteel infiltrating Amazon Web Services (AWS) to steal credentials and intellectual property, plant crypto mining software, perform distributed denial-of-service (DDoS) attacks, and more.
Misconfiguration
Multiple Industries
Cyber Crime
>1
AWS
Actions on Objective
11/07/2023
'Recently'
'Recently'
?
Fans of rogue PUBG games
Researchers from Cyble discover a GitHub page that masquerades as a PUBG bypass hack project but distributes the information stealer called “Legion Stealer”.
Malware
Arts entertainment, recreation
Cyber Crime
>1
GitHub
Delivery and Distribution
11/07/2023
15/05/2023
16/06/2023
Storm-0558
25 organizations worldwide, including U.S. and Western European government agencies
Researchers from Microsoft reveal that a Chinese hacking group dubbed Storm-0558 has breached the email accounts of more than two dozen organizations worldwide, including U.S. and Western European government agencies such as the U.S. State and Commerce Departments, by forging authentication tokens.
Account Takeover
Public admin and defence, social security
Cyber Espionage
>1
Microsoft Outlook
Actions on Objective
11/07/2023
'Recently'
'Recently'
PyLoose
Multiple Organizations
Researchers from Wiz discover a new fileless malware named PyLoose targeting cloud workloads to hijack their computational resources for Monero cryptocurrency mining.
Researchers from Palo Alto Networks discover a new campaign by the Russian threat actor APT29 targeting 22 foreign embassies in Ukraine, using a BMW car advertisement.
Targeted Attack
Public admin and defence, social security
Cyber Espionage
>1
Dropbox, Microsoft OneDrive
Command and Control
12/07/2023
'Recently'
'Recently'
?
Security Professionals
Researchers from Uptycs discover a fake proof-of-concept (PoC) for a vulnerability, hosted on GitHub, concealing a backdoor.
Malware
Professional, scientific and technical
Cyber Crime
>1
GitHub
Delivery and Distribution
12/07/2023
Early June 2023
Early June 2023
Vietnamese threat actors
Multiple organizations
Researchers at Malwarebytes discover a campaign using a malicious Chrome extension masquerading as a Meta Ads Manager tool to steal business credentials.
Malicious Browser Extension
Multiple Industries
Cyber Crime
>1
Google Drive, Trello
Delivery and Distribution
13/07/2023
During June 2023
During June 2023
?
Undisclosed manufacturing organization
Researchers from eSentire discover a campaign delivering the Sorillus RAT and a phishing page via HTML-smuggled files and links hosted on Google’s Firebase Hosting service.
Malware
Manufacturing
Cyber Crime
N/A
Google Firebase
Delivery and Distribution
14/07/2023
-
-
?
Multiple organizations
Researchers from Netskope discover several phishing campaigns abusing AWS Amplify to host the malicious pages, and Telegram to collect users’ credentials.
Account Takeover
Multiple Industries
Cyber Crime
>1
AWS
Delivery and Distribution
19/07/2023
-
-
BundleBot
Multiple organizations
Researchers from Check Point discover a new malware strain known as BundleBot, which abuses the .NET single-file, self-contained bundle format and is commonly distributed via Facebook Ads and compromised accounts leading to websites masquerading as regular program utilities, AI tools, and games.
Malware
Multiple Industries
Cyber Crime
>1
Dropbox, Google Drive
Delivery and Distribution
21/07/2023
05/04/2023
-
?
Undisclosed Bank
Researchers from Checkmarx disclose the first example of a bank targeted by open-source software supply chain attacks.
Malware
Finance and insurance
Cyber Crime
N/A
Microsoft Azure
Delivery and Distribution
24/07/2023
During the past year
24/07/2023
Space Pirates
16 Government agencies, educational institutions, private security companies, aerospace manufacturers, agricultural producers, defense, energy, and healthcare firms in Russia and Serbia.
Researchers from Positive Technologies reveal that the threat actor known as Space Pirates has been linked to attacks against at least 16 organizations in Russia and Serbia over the past year by employing novel tactics and adding new cyber weapons to its arsenal.
Government entities in Europe with interest in Ukraine
Security researchers at Recorded Future unearth a cyber espionage campaign by the Russian threat actor APT29 targeting government-sector entities in Europe with an interest in Ukraine.
Targeted Attack
Public admin and defence, social security
Cyber Espionage
>1
Dropbox, Microsoft OneDrive
Command and Control
30/07/2023
'In recent months'
-
Threat actors from Iran
State employees and researchers in Israel
The Israeli Shin Bet security agency reveals to have uncovered an Iranian phishing campaign against Israeli civilians in recent months, mostly targeting state employees and researchers, in a bid to obtain intelligence on state policy.
Targeted Attack
Public admin and defence, social security
Cyber Espionage
IL
LinkedIn
Delivery and Distribution
31/07/2023
Since December 2022
Since December 2022
TA544 and TA551
Organizations in Italy
Researchers from Proofpoint discover WikiLoader, a new malware strain aimed at Italian organizations through several phishing campaigns.
Malware
Multiple Industries
Cyber Crime
IT
Discord
Delivery and Distribution
01/08/2023
Since December 2022
During March 2023
Vietnamese threat actors
Multiple organizations
Researchers from Palo Alto Networks uncover a previously unreported phishing campaign that uses new variants of the NodeStealer malware to compromise Facebook corporate accounts.
Fewer than 40 Government, non-government organizations (NGOs), IT services, technology, discrete manufacturing, and media sectors organizations
Microsoft reveals that the hacking group tracked as APT29 and linked to Russia's Foreign Intelligence Service (SVR) targeted dozens of organizations worldwide, including government agencies, in Microsoft Teams phishing attacks.
Account Takeover
Multiple Industries
Cyber Espionage
>1
Microsoft Teams
Delivery and Distribution
03/08/2023
-
-
Rilide
Multiple organizations
Researchers from Trustwave discover a new version of the Rilide Stealer extension targeting Chromium-based browsers such as Google Chrome, Microsoft Edge, Brave, and Opera.
Malware
Multiple Industries
Cyber Crime
>1
Discord
Delivery and Distribution
09/08/2023
Over the last six months
H1 2023
?
Multiple organizations worldwide
Researchers from Proofpoint discover a campaign using 120,000 phishing emails sent to over a hundred organizations to steal Microsoft 365 accounts via the EvilProxy phishing-as-a-service platform.
Account Takeover
Multiple Industries
Cyber Crime
>1
Microsoft 365 Suite
Actions on Objective
10/08/2023
Since 19/11/2014
-
MoustachedBouncer
Foreign embassies in Belarus
Researchers from ESET discover a cyberespionage group named 'MoustachedBouncer', observed using adversary-in-the-middle (AitM) attacks at ISPs to hack foreign embassies in Belarus.
Targeted Attack
Public admin and defence, social security
Cyber Espionage
>1
Google Cloud Platform
Delivery and Distribution
14/08/2023
Since at least early August 2023
Early August 2023
?
Multiple organizations
Researchers from Uptycs discover a new malicious tool dubbed QwixxRAT (AKA Telegram RAT).
Malware
Multiple Industries
Cyber Crime
>1
Discord, Telegram
Delivery and Distribution
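Several entries above share one pattern: credentials or stolen files are posted to a Telegram bot or a Discord webhook (the Netskope phishing campaigns of 21/06 and 14/07, QwixxRAT), and payloads are pulled from the Discord CDN (Diicot, RedEnergy, WikiLoader, Rilide). The script below is an added example, not code from this timeline or from any of the cited vendors: it scans web-proxy log lines for those three indicators and redacts the bot token and webhook token before reporting, so findings can be shared without leaking the secret. The log format, IPs, tokens and URLs are constructed for illustration.

```python
"""Flag outbound requests to Telegram Bot API, Discord webhook and Discord CDN
endpoints in web-proxy logs.  Added example (not the page's own code); the log
format and every URL below are constructed for illustration."""
import re
from dataclasses import dataclass

# Telegram bot token: numeric bot id, a colon, then a 35-character secret.
TELEGRAM_BOT = re.compile(
    r"https?://api\.telegram\.org/bot(?P<token>\d{8,10}:[A-Za-z0-9_-]{35})/(?P<method>\w+)"
)
# Discord webhook: snowflake id followed by a long opaque token.
DISCORD_WEBHOOK = re.compile(
    r"https?://(?:[a-z]+\.)?discord(?:app)?\.com/api/webhooks/(?P<id>\d{17,20})/(?P<token>[A-Za-z0-9_-]{60,})"
)
# Executable-looking attachment fetched from the Discord CDN (delivery, not exfiltration).
DISCORD_CDN_EXE = re.compile(
    r"https?://cdn\.discordapp\.com/attachments/\d+/\d+/\S+\.(?:exe|dll|msi|scr|ps1|bat|vbs|js|jar|zip|iso|elf|sh)$",
    re.I,
)


@dataclass(frozen=True)
class Finding:
    src_ip: str
    service: str
    indicator: str   # bot id / webhook id / file name, never the secret
    url: str         # redacted copy of the request URL


def redact(url):
    """Strip the secret part of a Telegram or Discord token from a URL."""
    m = TELEGRAM_BOT.search(url)
    if m:
        secret = m.group("token").split(":", 1)[1]
        return url.replace(secret, "***")
    m = DISCORD_WEBHOOK.search(url)
    if m:
        return url.replace(m.group("token"), "***")
    return url


def parse_line(line):
    """Constructed log format: '<timestamp> <src_ip> <method> <url> <status>'."""
    parts = line.split()
    if len(parts) < 5:
        return None
    return parts[1], parts[2], parts[3]


def scan(lines):
    """Return one Finding per log line that hits one of the three indicators."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        src, _method, url = rec
        m = TELEGRAM_BOT.search(url)
        if m:
            bot_id = m.group("token").split(":", 1)[0]
            findings.append(Finding(src, "telegram-bot-api",
                                    f"bot{bot_id}/{m.group('method')}", redact(url)))
            continue
        m = DISCORD_WEBHOOK.search(url)
        if m:
            findings.append(Finding(src, "discord-webhook", m.group("id"), redact(url)))
            continue
        if DISCORD_CDN_EXE.search(url):
            findings.append(Finding(src, "discord-cdn-download", url.rsplit("/", 1)[-1], url))
    return findings


# Constructed sample: two hosts, one exfiltrating to Telegram, one to a Discord
# webhook that also pulls an executable from the Discord CDN.
SAMPLE_LOG = """\
2023-08-14T10:02:11Z 10.20.30.41 POST https://api.telegram.org/bot1234567890:AAE1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6q/sendDocument 200
2023-08-14T10:02:12Z 10.20.30.41 GET https://update.example.org/check 200
2023-08-14T10:03:05Z 10.20.30.77 POST https://discord.com/api/webhooks/123456789012345678/abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_abcd 204
2023-08-14T10:03:40Z 10.20.30.77 GET https://cdn.discordapp.com/attachments/1/2/update.exe 200
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"{f.src_ip}  {f.service:22} {f.indicator}  {f.url}")
```

In a real deployment the bot id and webhook id are the values worth pivoting on: the same bot id recurring across unrelated hosts points at one phishing kit or stealer build, and the Discord CDN download that precedes a webhook post on the same host is the delivery-then-exfiltration sequence the entries above describe.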
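The bignum entry above (15/06/2023) is a dependency that fetched its prebuilt binaries from a third-party S3 bucket at install time, so whoever controls that bucket controls what gets installed. As an added example, not code from this timeline or from Checkmarx, the script below walks a node_modules tree and reports every package that declares a remote binary host (the `binary.host` field of node-pre-gyp, assumed here as the convention), runs an install-time script that downloads with curl or wget, or invokes a prebuilt-binary installer without a declared host. It also marks whether the host is an S3 endpoint. The manifests embedded in it are constructed; the script does not check whether the bucket still exists, which is the follow-up step for any S3 finding.

```python
"""Report npm packages that pull prebuilt binaries or other payloads from remote
hosts at install time.  Added example (not the page's code, nor Checkmarx's);
the manifests below are constructed, and the `binary.host` convention assumed
here is the one used by node-pre-gyp."""
import json
import re
from pathlib import Path
from urllib.parse import urlparse

INSTALL_SCRIPTS = ("preinstall", "install", "postinstall", "prepare")
PREBUILT_INSTALLER = re.compile(r"\b(node-pre-gyp|prebuild-install|prebuildify)\b")
FETCH_CMD = re.compile(r"\b(?:curl|wget|Invoke-WebRequest|iwr)\b.*?(https?://\S+)", re.I)
# Matches bucket.s3.amazonaws.com, s3.<region>.amazonaws.com and s3-<region>.amazonaws.com
S3_HOST = re.compile(r"(?:^|\.)s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com$", re.I)


def hostname(url):
    return (urlparse(url).hostname or "").lower()


def audit_manifest(manifest):
    """Return a list of findings (dicts) for one parsed package.json."""
    name = manifest.get("name", "?")
    scripts = manifest.get("scripts") or {}
    findings = []

    binary = manifest.get("binary")
    host = binary.get("host") if isinstance(binary, dict) else None
    if host:
        findings.append({"package": name, "kind": "binary.host",
                         "url": host, "s3": bool(S3_HOST.search(hostname(host)))})

    installer_seen = False
    for script in INSTALL_SCRIPTS:
        cmd = scripts.get(script)
        if not cmd:
            continue
        if PREBUILT_INSTALLER.search(cmd):
            installer_seen = True
        m = FETCH_CMD.search(cmd)
        if m:
            url = m.group(1)
            findings.append({"package": name, "kind": f"{script}-script-download",
                             "url": url, "s3": bool(S3_HOST.search(hostname(url)))})

    if installer_seen and not host:
        # Installer present but no declared host: the download location comes from
        # defaults or the environment, which still deserves a manual look.
        findings.append({"package": name, "kind": "prebuilt-installer", "url": None, "s3": False})
    return findings


def audit_manifests(manifests):
    out = []
    for m in manifests:
        out.extend(audit_manifest(m))
    return out


def audit_tree(node_modules):
    """Walk an installed node_modules tree and audit every package.json in it."""
    manifests = []
    for pj in Path(node_modules).rglob("package.json"):
        try:
            manifests.append(json.loads(pj.read_text(encoding="utf-8")))
        except (OSError, ValueError):
            continue
    return audit_manifests(manifests)


# Constructed manifests: a native addon fetching from S3 via node-pre-gyp, a
# package that curls a tarball in postinstall, a prebuilt installer with no
# declared host, and a pure-JS package that should produce no finding.
SAMPLE_MANIFESTS = [
    {"name": "example-native-addon", "version": "0.13.1",
     "scripts": {"install": "node-pre-gyp install --fallback-to-build"},
     "binary": {"module_name": "example", "module_path": "./build/Release/",
                "host": "https://example-native-addon.s3.amazonaws.com/"}},
    {"name": "example-fetcher",
     "scripts": {"postinstall": "curl -fsSL https://downloads.example.net/tool.tar.gz | tar xz"}},
    {"name": "example-prebuilt",
     "scripts": {"install": "prebuild-install || node-gyp rebuild"}},
    {"name": "example-pure-js", "scripts": {"test": "node test.js"}},
]

if __name__ == "__main__":
    import sys
    findings = audit_tree(sys.argv[1]) if len(sys.argv) > 1 else audit_manifests(SAMPLE_MANIFESTS)
    for f in findings:
        flag = " [S3]" if f["s3"] else ""
        print(f"{f['package']:24} {f['kind']:28} {f['url']}{flag}")
```

Run it as `python audit_npm_binaries.py ./node_modules` against a real tree; with no argument it audits the embedded sample. For each S3 hit, the next check is whether the bucket name still resolves to an owner you trust, because an unclaimed bucket name is exactly what was re-registered in the bignum case.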
Enjoy the interactive timeline, and thanks for sharing it, and supporting my work in spreading the risk awareness across the community. Also, don’t forget to follow @paulsparrows on Twitter, or even connect on Linkedin, or Mastodon for the latest updates.