Cloud-Native Threats in 2023

Last modified: September 10, 2023

Similarly to what I have done in 2022, 2021, and 2020, I am listing those cyber attacks, whose information is available via OSINT, which exploited the cloud in one or more stages of the attack chain.

The campaigns are classified in four categories: Delivery and Exploitation (the cloud service is exploited to deliver a malware strain or a phishing page), Actions on Objective (the cloud service is exploited to steal data, or launch other attacks), Command and Control (the cloud service is exploited as a command and control infrastructure), and Data Exfiltration (the cloud service is used as a drop zone for the exfiltrated data).

Below you will find some statistics and a table with detailed information on the attacks.

Cloud-Native Threats 2023 - Top Exploited Cloud Services

Cloud-Native Threats 2023 - Top Exploitation Purposes

Cloud-Native Threats 2023 - Motivations

Cloud-Native Threats 2023 - Top Exploited Services: Delivery

Cloud-Native Threats 2023 - Top Exploited Services: Command and Control

Cloud-Native Threats 2023 - Top Exploited Services: Actions on Objective

Cloud-Native Threats 2023 - Top Exploited Services: Data Exfiltration

Cloud-Native Threats 2023 - Top Exploited Services: Cyber Crime

Cloud-Native Threats 2023 - Top Exploited Services: Cyber Espionage

Date Reported	Date Occurred	Date Discovered	Author	Target	Description	Attack	Target Class	Attack Class	Geo	Link	Exploited Service	Motivation
05/01/2023	For the last few months''	-	APT-C-36 AKA Blind Eagle	Organizations in Colombia	Researchers from Check Point discover a new campaign using a modified version of QuasarRAT against Colombia based organizations.	Malware	Multiple Industries	Cyber Crime	CO		MediaFire	Delivery and Distribution
06/01/2023	Since early 2020	Recently'	Vidar	Multiple organizations	Researchers from Sekoia discover a massive campaign using over 1,300 domains to impersonate the official AnyDesk site for pushing the Vidar information-stealing malware.	Malware	Multiple Industries	Cyber Crime	>1		Dropbox, GitHub	Delivery and Distribution
06/01/2023	Since at least early December 2022	Early December 2022	?	Organizations in Italy	Researchers from Uptycs discover a new campaign targeting users in Italy, and delivering targeting phishing emails disguised as invoices, designed to deploy an information stealer on compromised Windows systems.	Malware	Multiple Industries	Cyber Crime	IT		Dropbox, GitHub	Delivery and Distribution
13/01/2022	Recently'	Recently'	?	Organizations in South Korea	Researchers at Ahnlab discover a campaign distributing the Orcus RAT on file-sharing sites disguised as a cracked version of Hangul Word Processor.	Malware	Multiple Industries	Cyber Crime	KR		Google Docs	Delivery and Distribution
17/01/2023	During November 2022	During November 2022	?	Undisclosed retailer	Researchers from IBM X-Force discover a PoS malware using Discord as the command and control infrastructure.	Malware	Wholesal and Retail	Cyber Crime	N/A		Discord	Command and Control
17/01/2023	-	-	Earth Boogle	Organizations across the Middle East and North Africa	Researchers from Trend Micro discover an active campaign using Middle Eastern geopolitical-themed lures to distribute NjRAT (also known as Bladabindi) has been spotted infecting victims across the Middle East and North Africa.	Targeted Attack	Multiple Industries	Cyber Espionage	>1		Discord, Microsoft OneDrive	Delivery and Distribution
19/01/2023	Since at last September 2022	During September 2022	Roaming Mantis (AKA Shaoye)	Multiple organizations	Researchers from Kaspersky reveal that Roaming Mantis malware distribution campaign has updated Wroba.o/XLoader, its Android malware to include a DNS changer that modifies DNS settings on vulnerable WiFi routers to spread the infection to other devices.	Malware	Multiple Industries	Cyber Crime	>1		Google Docs, YouTube	Command and Control
19/01/2023	'Recently'	'Recently'	8220	Multiple organizations	The for-profit Chinese threat group, 8220 Gang, is observed targeting cloud service providers and poorly secured apps. The group was observed using a cryptominer and IRC botnet to churn financial advantage out of public cloud infrastructure.	Misconfigurations	Multiple Industries	Cyber Crime	>1		Pastebin, Git	Delivery and Distribution
20/01/2023	Recently'	Recently'	Album stealer	Facebook users	Researchers from Zscaler discover Album stealer, targeting Facebook adult-only content seekers.	Malware	Individual	Cyber Crime	>1		Microsoft Onedrive	Delivery and Distribution
20/01/2023	Since February 2022	Since February 2022	Gamaredon (AKA Shuckworm, Actinium, Armageddon, Primitive Bear, UAC-0010, and Trident Ursa)	Military and law enforcement sectors in Ukraine	Researchers from Blackberry discover new attacks by the Gamaredon group leveraging the popular messaging app Telegram to strike military and law enforcement sectors in the country.	Targeted Attack	Public admin and defence, social security	Cyber Espionage	UA		Telegram	Command and Control
24/01/2023	'Recently'	'Recently'	DragonSpark	Organizations in East Asia	Researchers from SentinelOne discover a Chinese-speaking hacking group tracked as ‘DragonSpark’ employing SparkRAT and Golang source code interpretation to evade detection while launching espionage attacks against organizations in East Asia.	Targeted Attack	Multiple Industries	Cyber Espionage	>1		AWS	Delivery and Distribution
24/01/2023	Since at least November 2021	During November 2021	GuLoader	e-commerce industry located in South Korea and the United States	Researchers at Trellix discover a GuLoader campaign targeting e-commerce industries located in South Korea and the United States, and distributing the malware via NSIS files.	Malware	Wholesale and retail	Cyber Crime	KR US		Google Drive	Delivery and Distribution
25/01/2023	Since August 2022	-	PY#RATION	Multiple organizations	Researchers from Securonix discover PY#RATION, a new Python-based malware featuring remote access trojan (RAT) capabilities.	Malware	Multiple Industries	Cyber Crime	>1		Google Drive, Dropbox	Delivery and Distribution
31/01/2023	Between 06/12/2024 and 27/12/2023	6/12/2022	?	Multiple organizations	Microsoft disables multiple fraudulent, verified Microsoft Partner Network accounts for creating malicious OAuth applications that breached organizations' cloud environments to steal email.	Account Takeover	Multiple Industries	Cyber Crime	>1		Microsoft 365 Suite	Actions on Objective
31/01/2023	Recently'	Recently'	?	Multiple organizations	Researchers at Fortinet discover a new campaign aimed to cryptojack systems to mine for Monero (XMR) cryptocurrency.	Malware	Multiple Industries	Cyber Crime	>1		Microsoft Onedrive	Delivery and Distribution
01/02/2023	Since at least September 2022	During September 2022	?	Online gaming and gambling companies	Researchers at Security Joe discover that unknown attackers have been targeting online gaming and gambling companies with what appears to be a previously unseen backdoor that researchers have named IceBreaker.	Malware	Arts entertainment, recreation	Cyber Crime	N/A		Dropbox	Delivery and Distribution
02/02/2023	Since 26/02/2023	30/01/2023	Trexon	Multiple organizations	Researchers from Fortinet discover a new attack in a PyPI package (Python Package Index) called “web3-essential”.	Malware	Multiple Industries	Cyber Crime	>1		Discord	Delivery and Distribution
08/02/2023	Between 27/01/2023 and 29/01/2023	-	?	Multiple organizations	Researchers at Fortinet discover five malicious packages on the Python Package Index (PyPI) containing the W4SP Stealer, stealing passwords, Discord authentication cookies, and cryptocurrency wallets from unsuspecting developers.	Malware	Multiple Industries	Cyber Crime	>1		Discord	Delivery and Distribution
09/02/2023	30/01/2023 and 31/01/2023	30/1/2023	?	Multiple organizations	Researchers from Sentinel One discover a new phishing campaign targeting Amazon Web Services (AWS) logins and abusing Google ads to inject phishing sites into Google Search.	Malvertising	Multiple Industries	Cyber Crime	>1		Blogger	Delivery and Distribution
16/02/2023	Since at lest May 2022	Between August 2022 and January 2023	?	Chinese-speaking individuals in Southeast and East Asia	Researchers from ESET discover a campaign targeting Chinese-speaking individuals in Southeast and East Asia via rogue Google Ads that deliver remote access trojans such as FatalRAT to compromised machines.	Malware	Individual	Cyber Crime	CN HK ID JP MY MM PH SG TH TW		Alibaba Cloud	Delivery and Distribution
16/02/2023	-	-	WIP26	Telecommunication providers in the Middle East	Researchers at Sentinel One discover a new threat cluster tracked as WIP26 targeting telecommunication providers in the Middle East.	Targeted Attack	Information and Communication	Cyber Espionage	>1		Azure, Dropbox, Google Firebase, Microsoft 365 Mail	Delivery and Distribution Command and Control
16/02/2023	Since January 2022	During January 2022	Earth Yako	Researchers in the academic sector and think tanks	Researchers at Trend Micro discover a new campaign of the Earth Yako group targeting researchers in the academic sector and think tanks in Japan.	Targeted Attack	Education	Cyber Espionage	JP		Dropbox, GitHub	Command and Control
20/02/2023	02/12/2022	04/12/2022	?	Activision	Activision confirms that it suffered a data breach in early December 2022 after hackers gained access to the company's internal systems by tricking an employee with an SMS phishing text.	Account Takeover	Arts entertainment, recreation	Cyber Crime	US		Slack	Actions on Objective
20/02/2023	27/01/2023	31/01/2023	‘Portugal’ and ‘Brazil’	Multiple organizations	Researcehers from Fortinet discover another 0-day attack in the PyPI packages (Python Package Index) by the malware authors ‘Portugal’ and ‘Brazil’ who published the packages ‘xhttpsp’ and ‘httpssp’.	Malware	Multiple Industries	Cyber Crime	>1		Discord, Telegram	Data Exfiltration
23/02/2023	-	-	?	Government entities	Researchers from Menlo Security uncover an unknown threat actor leveraging an evasive threat campaign distributed via Discord that features the PureCrypter downloader and targeting government entities.	Malware	Public admin and defence, social security	Cyber Crime	N/A		Discord	Delivery and Distribution
26/02/2023	25/02/2023	25/02/2023	?	Multiple organizations	Researchers from Sonatype discover an open source malware campaign in which a threat actor is infiltrating the PyPI software registry with thousands of malicious packages.	Malware	Multiple Industries	Cyber Crime	>1		Dropbox	Delivery and Distribution
27/02/2023	Between 12/08/2022 and 26/10/2022	-	?	LastPass	LastPass discloses more information on a "coordinated second attack," where a threat actor accessed and stole data from the Amazon AWS cloud storage servers for over two months.	Account Takeover	Professional, scientific and technical	Cyber Crime	US		AWS	Actions on Objective
28/02/2023	'Recently'	'Recently'	SCARLETEEL	Undisclosed organization	Researchers from Sysdig discover an advanced hacking operation dubbed 'SCARLETEEL' targeting public-facing web apps running in containers to infiltrate cloud services and steal sensitive data.	Misconfiguration	Unknown	Cyber Crime	N/A		AWS	Actions on Objective
02/03/2023	-	-	?	Targets in the hospitality sector	Researchers from Trend Micro discover a campaign targeting the hospitality sector and using Dropbox to release the malicious file.	Malware	Accommodation and food service	Cyber Crime	>1		Dropbox	Delivery and Distribution
02/03/2023	Since January 2023	'Recently'	Mustang Panda	Government and political organizations in Europe and Asia, focusing on Taiwan and Ukraine.	Researchers from ESET reveal that the Chinese cyber espionage hacking group Mustang Panda was seen deploying a new custom backdoor named 'MQsTTang' in attacks starting this year.	Targeted Attack	Public admin and defence, social security	Cyber Espionage	TW UA		GitHub	Delivery and Distribution
06/03/2023	-	-	?	Eastern European institutions and businesses	Researchers from SentinelOne discover phishing campaigns that distribute the Remcos RAT using the DBatLoader malware loader to target predominantly Eastern European institutions and businesses.	Malware	Multiple Industries	Cyber Crime	>1		Microsoft OneDrive, Google Drive	Delivery and Distribution
08/03/2023	-	-	Exotic Lily, aka PROJECTOR LIBRA and TA580	Multiple organizations	Researchers from ReliaQuest discover a new campaign by the Initial Access Broker Exotic Lily.	Malware	Multiple Industries	Cyber Crime	>1		Microsoft OneDrive, WeTransfer	Delivery and Distribution
13/03/2023	Since November 2022	Since November 2022	?	Multiple organizations	Researchers from CloudSEK reveal that threat actors have been increasingly observed using AI-generated YouTube Videos to spread a variety of stealer malware such as Raccoon, RedLine, and Vidar.	Malware	Multiple Industries	Cyber Crime	>1		YouTube	Delivery And Distribution
15/03/2023	-	-	?	Multiple organizations	Researchers from Avast reveal that cybercriminals are abusing Adobe Acrobat Sign, an online document signing service, to distribute the redline info-stealing malware to unsuspecting users.	Malware	Multiple Industries	Cyber Crime	>1		Adobe Acrobat Sign	Delivery and Distribution
17/03/2023	Since early March 2023	During March 2023	Ursnif	Italian Taxpayers	The Italian taxpayers are the targets of a campaign distributing the Ursnif malware via fake notificastions from the Italian Revenue Agency (Agenzia delle Entrate).	Malware	Individual	Cyber Crime	IT		Google Firebase	Delivery and Distribution
21/03/2023	Since at least September 2021	During October 2022	Bad Magic (State-sponsored threat actor)	Government, agriculture and transportation organizations located in the Donetsk, Lugansk, and Crimea regions	Researchers fron Kaspersky discover a campaign targeting government, agriculture and transportation organizations located in the Donetsk, Lugansk, and Crimea regions via a previously unseen malicious framework called CommonMagic and a new backdoor called PowerMagic.	Targeted Attack	Multiple Industries	Cyber Espionage	UA		Dropbox, OneDrive	Command and Control
22/03/2023	'Recently'	'Recently'	?	Municipal government organization	InQuest Labs analysts detect a phishing attack discovered by a municipal government organization, hosting the phishing pages on Raven and Microsoft Azure.	Account Takeover	Public admin and defence, social security	Cyber Crime	N/A		Microsoft Azure, Raven	Delivery and Distribution
23/03/2023	-	-	?	At least 1600 individuals across Europe, the US and other countries	Researchers from Kasepersky discover a novel phishing scam relying on legitimate servers from Microsoft’s collaborative platform SharePoint, targeting at least 1600 individuals across Europe, the US and other countries using a native notification mechanism.	Account Takeover	Individual	Cyber Crime	>1		Microsoft SharePoint	Delivery and Distributon
24/03/2023	Between 02/01/2022 and 10/01/2022	During January 2022	?	University of the People (UoPeople)	The University of the People (UoPeople) files a notice of data breach after learning that an unauthorized party was able to access confidential information stored on the school’s SharePoint platform.	Unknown	Education	Cyber Crime	US		Microsoft SharePoint	Actions on Objective
24/03/2023	-	-	?	Individuals	Researchers from Uptycs discover a new info-stealing malware named MacStealer, targeting Mac users, stealing their credentials stored in the iCloud KeyChain and web browsers, cryptocurrency wallets, and potentially sensitive files.	Malware	Individual	Cyber Crime	>1		Telegram	Command and Control
27/03/2023	22/12/2022	22/12/2022	?	Nonstop Administration and Insurance Services (NAIS)	Nonstop Administration and Insurance Services (NAIS) announces that the protected health information of employees of its clients has been exposed to an unknown party, who claimed to have accessed company data.	Account Takeover	Administration and support service	Cyber Crime	US		Unknown	Actions on Objective
29/03/2023	-	-	North Korean state-backed hacking group? (Labyrinth Collima AKA Lazarus Group, Covellite, UNC4034, Zinc, Nickel Academy)	Multiple organizations	A digitally signed and trojanized version of the 3CX Voice Over Internet Protocol (VOIP) desktop client is reportedly being used to target the company’s customers in an ongoing supply chain attack.	Targeted Attack	Multiple Industries	Cyber Espionage	>1		GitHub	Delivery and Distribution
30/03/2023	-	-	?	Multiple organizations	Researchers from Sentinel One reveal the details of 'AlienFox', a new modular toolkit allowing threat actors to scan for misconfigured servers to steal authentication secrets and credentials for cloud-based email services.	Misconfiguration	Multiple Industries	Cyber Crime	>1		>1	Actions on Objective
01/04/2023	During October 2022	During October 2022	APT41 AKA HOODOO	Taiwanese media organization	Researchers from Google discover a campaign carried out by the Chinese Threat Actor APT41 targeting a Taiwanese media organization.	Malware	Information and Communication	Cyber Espionage	TW		Google Drive	Delivery and Distribution
01/04/2023	During Q4 2022	During Q4 2022	Ursnif	Multiple organizations	Researchers from Google’s Mandiant observed a campaign distributing the URSNIF banking trojan from Google Drive	Malware	Multiple Industries	Cyber Crime	>1		Google Drive	Delivery and Distribution
01/04/2023	During Q4 2022	During Q4 2022	Diceloader	Multiple organizations	Researchers from Google’s Mandiant observed a campaign distributing the DICELOADER malware from Google Drive	Malware	Multiple Industries	Cyber Crime	>1		Google Drive	Delivery and Distribution
04/04/2023	Since at least 17/03/2023	17/03/2023	?	Taxpayers in the U.S.	eFile.com, an IRS-authorized e-file software service provider used by many for filing their tax returns, has been caught serving JavaScript malware.	Malicious Script Injection	Individual	Cyber Crime	US		AWS	Delivery and Distribution
05/04/2023	Since at least 03/04/2023	03/04/2023	?	YouTube users	YouTube warns users of a new phishing scam that has been using authentic email addresses to lure users into giving away their login credentials.	Account Takeover	Individual	Cyber Crime	>1		Google Drive	Delivery and Distribution
05/04/2023	During Late 2022	During Late 2022	ARCHIPELAGO	Government and military personnel, think thanks, policy makers, academics, and researchers in South Korea, and the U.S.	Researchers from Google warn of the North Korea-linked ARCHIPELAGO (subset of the APT43 group) targeting government and military personnel, think tanks, policy makers, academics, and researchers in South Korea, the US and elsewhere.	Targeted Attack	Individual	Cyber Espionage	KR US		Microsoft OneDrive	Delivery and Distribution
06/04/2023	-	-	?	Taxpayers in the U.S.	Researchers from Avanan discover a series of campaign exploiting Quickbooks to harvest credentials.	Account Takeover	Individual	Cyber Crime	US		Quickbooks	Delivery and Distribution
07/04/2023	-	-	MuddyWater (AKA MERCURY, Mango Sandstorm, Seedworm, and Static Kitten) and DEV-1084 (AKA Storm-1084)	Multiple organizations	Researchers from Microsoft reveal that Iranian advanced persistent threat (APT) actors MuddyWater and DEV-1084 have been observed launching destructive cyberattacks disguised as ransomware against on-prem and cloud infrastructures.	Multiple vulnerabilities	Multiple Industries	Cyber Crime	>1		Microsoft Azure	Actions on Objective
09/04/2023	Since November 2022	Since November 2022	FusionCore	Multiple organizations	Researchers from Cyfirma discover a new cybercrime group, dubbed FusionCore, specialized in offering Malware-as-a-Service (MaaS) and other hacking services.	Malware	Multiple Industries	Cyber Crime	>1		Telegram	Command and Control
11/04/2023	During March 2023	During March 2023	?	Multiple organizations in Spain	Researchers from Sonatype discover reverse-shell, a PyPI package malware-as-a-service for the Spanish market.	Malware	Multiple Industries	Cyber Crime	ES		GitHub	Delivery and Distribution
14/04/2023	From 14/09/2022 to 08/11/2022	09/11/2022	?	Two Rivers Public Health Department	Two Rivers Public Health Department confirms that the protected health information of 15,168 patients was stored in an employee Office365 account that was accessed by an unauthorized third party.	Account Takeover	Public admin and defence, social security	Cyber Crime	US		Microsoft Outlook	Actions on Objective
14/04/2023	-	-	?	Multiple organizations	Researchers from Uptycs identify a new variant of credential stealing malware, dubbed Zaraza (Russian word for infection), using Telegram as its command and control and targeting a large number of web browsers.	Malware	Multiple Industries	Cyber Crime	>1		Telegram	Command and Control
14/04/2023	Since the Summer 2022	Since the Summer 2022	?	Senior individuals	Researchers from Malwarebytes detect a specific malvertising campaign via Google ads aimed at seniors, where the actor creates hundreds of fake websites via the Weebly platform to host decoy content to fool search engines and crawlers while redirecting victims to a fake computer alert.	Scam	Individual	Cyber Crime	>1		Weebly	Delivery and Distribution
17/04/2023	-	-	RedLine Stealer	Multiple organizations	Researchers from ESET, temporarily disrupt the operations of the RedLine Stealer with the help of GitHub, used as a dead drop resolver.	Malware	Multiple Industries	Cyber Crime	>1		GitHub	Command and Control
18/04/2023	During March 2023	During March 2023	APT-C-36 AKA Blind Eagle	Multiple organizations	Researchers from ThreatMon discover a new campaign by the cyber espionage actor tracked as Blind Eagle using a new multi-stage attack chain that leads to the deployment of the NjRAT remote access trojan on compromised systems.	Targeted Attack	Multiple Industries	Cyber Espionage	EC ES CL CO		Discord	Delivery and Distribution
18/04/2023	During fall of 2022	During fall of 2022	MuddyWater (AKA MERCURY, Mango Sandstorm, Seedworm, and Static Kitten) and DEV-1084 (AKA Storm-1084)	Multiple organizations	Researchers from Group-IB discover a new campaign by the Iranian government-sponsored threat actor known as MuddyWater, using the legitimate SimpleHelp remote support software tool to achieve persistence on victim devices.	Targeted Attack	Multiple Industries	Cyber Espionage	>1		Dropbox, OneDrive, OneHub	Delivery and Distribution
20/04/2023	Since at least March 2023	During March 2023	Lazarus Group AKA Labyrinth Collima, Covellite, UNC4034, Zinc, Nickel Academy)	People working in software or DeFi platforms	Researchers from ESET discover a new Lazarus campaign considered part of "Operation DreamJob" (AKA Nukesped), targeting Linux users with malware for the first time.	Targeted Attack	Professional, scientific and technical	Cyber Espionage	>1		OpenDrive	Delivery and Distribution
24/04/2023	'Recently'	'Recently'	DoNot APT	Individual residing in Kashmir	Researchers from Cyfirma discover a new campaign by the DoNot APT group targeting Individual residing in Kashmir via two malware strains delivered via fake WhatsApp applications.	Targeted Attack	Individual	Cyber Espionage	IN		Google Firebase	Command and Control
28/04/2023	Since 2022	'Recently'	AresLoader	Multiple organizations using Citrix	Researchers from Cyble discover a new loader called AresLoader that has been used to spread several types of malware families.	Malware	Multiple Industries	Cyber Crime	>1		GitLab	Delivery and Distribution
01/05/2023	During 2022	During 2022	ScarCruft APT group (aka APT37, Reaper, and Group123)	Korean-speaking individuals	Researchers from Check Point reveal the details of a new campaign by the Korea-linked ScarCruft APT group (aka APT37, Reaper, and Group123) delivering the ROKRAT and Amadey payloads.	Targeted Attack	Individual	Cyber Espionage	KR		Dropbox, pCloud, Yandex Cloud, and OneDrive	Command and Control
03/05/2023	SInce late January 2023	Late January 2023	Threat actors from Vietnam	Individuals	Researchers from Facebook discover a new information-stealing malware distributed on Meta called 'NodeStealer,' allowing threat actors to steal browser cookies to hijack accounts on the platform, as well as Gmail and Outlook accounts.	Malware	Individual	Cyber Crime	>1		Facebook	Delivery and Distribution
03/05/2023	-	-	DuckTail	Individuals	Researchers from Meta discover a new version of the DuckTail malware exploiting multiple cloud services to host the malicious payload.	Malware	Individual	Cyber Crime	>1		Discord, Dropbox, Google Drive, iCloud, MediaFire, Mega, Microsoft OneDrive, Trello	Delivery and Distribution
04/05/2023	-	-	Kimsuky	Think tanks, research universities, and government entities in the United States, Europe, and Asia	Researchers from Sentinel Labs reveal that the North Korean group Kimsuky has been observed employing a new version of its reconnaissance malware, now called 'ReconShark,' in an ongoing cyberespionage campaign with a global reach.	Targeted Attack	Multiple Industries	Cyber Espionage	>1		Microsoft OneDrive	Delivery and Distribution
10/05/2023	08/05/2023	08/05/2023	BlackBasta?	Dragos	Industrial cybersecurity company Dragos discloses what it describes as a "cybersecurity event" after a known cybercrime gang attempted to breach its defenses and infiltrate the internal network to encrypt devices.	Account Takeover	Professional, scientific and technical	Cyber Crime	US		Microsoft SharePoint	Actions on Objective
12/05/2023	Since 2019	-	?	Cryptocurrency Exchanges	Researchers from JPCERT/CC observe threat actors targeting cryptocurrency exchanges in an attack campaign called DangerousPassword, also referred to as CryptoMimic or SnatchCrypto.	Malware	Fintech	Cyber Crime	>1		LinkedIn	Delivery and Distribution
16/05/2023	Since at least May 2022	Since at least May 2022	UNC3944	Multiple organizations	Researchers from Mandiant discover UNC3944, a financially motivated cybergang using phishing and SIM swapping attacks to hijack Microsoft Azure admin accounts and gain access to virtual machines.	Account Takeover	Multiple Industries	Cyber Crime	>1		Microsoft Azure	Actions on Objective
16/05/2023	Since May 2022	Since May 2022	OilAlpha	Humanitarian groups, media outlets and nonprofits in the Arabian Peninsula	Researchers from Recorded Future reveal that a hacking group known as OilAlpha with likely ties to Yemen’s Houthi movement has targeted humanitarian groups, media outlets and nonprofits in the Arabian Peninsula via WhatsApp as part of a digital espionage campaign.	Targeted Attack	Multiple Industries	Cyber Espionage	>1		WhatsApp	Delivery and Distribution
18/05/2023	-	-	?	Individuals	Researchers from Avanan discover a phishing campaign exploiting Dropbox to deliver phishing pages.	Account Takeover	Individual	Cyber Crime	>1		Dropbox	Delivery and Distribution
19/05/2023	Since at least March 2023	Since at least March 2023	Unidentified advanced persistent threat	Individuals and organizations in Ukraine	Researchers from Kaspersky discover CloudWizard a new cluster of activities by an advanced persistent threat targeting individuals and organizations in Ukraine via the PowerMagic and CommonMagic malicious implants.	Targeted Attack	Multiple Industries	Cyber Espionage	UA		Dropbox, Google Drive, Microsoft OneDrive	Command and Control
19/05/2023	'Recently'	'Recently'	?	Individuals	Researchers from Trend Micro discover an infostealer masquerading as a popular computer game exploiting GitHub Codespaces to exfiltrate data.	Malware	Individual	Cyber Crime	>1		GitHub	Data Exfiltration
22/05/2023	Since at least November. 2021	Since at least November. 2021	p0-LUCR-1 AKA GUI-vil	Multiple organizations	Researchers from Permiso discover a financially motivated cyberthreat group traced to Indonesia, attacking organizations’ Amazon Web Services (AWS) accounts to set up illicit cryptomining operations.	Misconfiguration	Multiple Industries	Cyber Crime	>1		AWS	Actions on Objective
23/05/2023	End of April 2023	End of April 2023	DarkCloud	Multiple organizations	Researchers from AhnLab discover a campaign distributing the DarkCloud and ClipBanker infostealers via spam emails.	Malware	Multiple Industries	Cyber Crime	>1		Telegram	Command and Control
24/05/2023	Mid May 2023	Mid May 2023	?	Organizations using Microsoft 365	Researchers from Trustwave discover a phishing campaign using a combination of compromised Microsoft 365 accounts and .rpmsg (restricted permission message files) encrypted emails to deliver the phishing message.	Account Takeover	Multiple Industries	Cyber Crime	>1		Adobe InDesign	Delivery and Distribution
24/05/2023	-	-	?	Multiple organizations	Researchers from Cado Labs discover an updated version of the commodity malware Legion with expanded features to compromise SSH servers and Amazon Web Services (AWS) credentials associated with DynamoDB and CloudWatch.	Malware	Multiple Industries	Cyber Crime	>1		AWS	Actions on Objective
26/05/2023	SInce at least April 2023	During April 2023	Bandit Stealer	Crypto investors	Researchers from Trend Micro reveal the details of Bandit Stealer, a new information-stealing malware that targets browsers and cryptocurrency wallets.	Malware	Fintech	Cyber Crime	>1		Pastebin (Command and Control) Telegram (Data Exfiltration)	Command and Control Data Exfiltration
31/05/2023	Since February 2022	During May 2023	Dark Pink	Organizations in Belgium, Brunei, Indonesia, Thailand, and Vietnam	Researchers from Group-IB discover a new campaign by the Dark Pink APT targeting organizations in Belgium, Brunei, Indonesia, Thailand, and Vietnam	Targeted Attack	Multiple Industries	Cyber Espionage	BE BN ID TH VN		GitHub	Delivery and Distribution
01/06/2023	Since at least November 2020	-	Horabot	Spanish-speaking users in Latin America	Researchers from Cisco Talos observe a threat actor deploying a previously unidentified botnet called “Horabot,” which delivers a banking trojan and spam tool onto victim machines targeting Spanish-speaking users in Latin America.	Malware	Finance and insurance	Cyber Crime	AR BR GT MX PA UY VE		AWS	Delivery and Distributon
01/06/2023	-	-	Kimsuky AKA Thallium, APT43, Velvet Chollima, and Black Banshee	Individuals employed by research centers and think tanks, academic institutions, and news media organizations	The FBI, the U.S. Department of State, and the National Security Agency (NSA), together with the Republic of Korea’s National Intelligence Service (NIS) issue a warning that describes the spying methods of Kimsuky, the notorious North Korean nation-state hacking group that targets think tanks, academia and news media. The same campaigns ia also unearthed by reasearchers at Sentinel One.	Targeted Attack	Multiple Industries	Cyber Espionage	KR US		Google Workspace	Actions on Objective
02/06/2023	19/02/2023	20/02/2023	?	EpiSource	EpiSource files a notice of data breach after learning that suspicious activity within the company’s Amazon Web Services environment resulted in an unauthorized party being able to access confidential consumer data.	Account Takeover	Professional, scientific and technical	Cyber Crime	US		AWS	Actions on Objective
09/06/2023	Since Early May 2023	Since Early May 2023	Pink Drainer	Discord and Twitter accounts for cryptocurrency-stealing attacks	Researchers from Scam Sniffer reveal that a hacking group tracked as 'Pink Drainer' is impersonating journalists in phishing attacks to compromise Discord and Twitter accounts for cryptocurrency-stealing attacks, compromising the accounts of 1,932 victims to steal roughly $3 M worth of digital assets	Account Takeover	Fintech	Cyber Crime	>1		Discord, Twitter	Actions on Objective
09/06/2023	-	-	Omega	Undisclosed organization	Researchers from Obsidian observe a successful ransomware attack against Sharepoint Online (Microsoft 365) via a Microsoft Global SaaS admin account rather than the more usual route of a compromised endpoint.	Account Takeover	Unknown	Cyber Crime	N/A		Microsoft SharePoint	Actions on Objective
13/06/2023	Since at least May 2023	During May 2023	Skuld	Organizations across Europe, Southeast Asia, and the U.S.	Researchers from Trellix discover a new Golang-based information stealer called Skuld, and able to steal Discord and Browser datas from the victims.	Malware	Multiple Industries	Cyber Crime	>1		Discord	Data Exfiltration
14/06/2023	Since at least early May 2023	During early May 2023	?	Cybersecurity researchers and firms involved in vulnerability research	Researchers from VulnCheck discover a campaign where attackers are impersonating cybersecurity researchers on Twitter and GitHub to publish fake proof-of-concept exploits for zero-day vulnerabilities that infect Windows and Linux with malware.	Malware	Individual	Cyber Crime	>1		GitHub	Delivery and Distribution
15/06/2023	-	24/05/2023	?	Multiple organizations	An NPM package called “bignum” is altered, by hijacking the S3 bucket serving binaries necessary for its function and replacing them with malicious ones distributing malware.	Malware	Multiple Industries	Cyber Crime	>1		AWS	Delivery and Distribution
15/06/2023	-	-	Diicot	Multiple organizations	Researchers from Cado Labs discover a new campaign from the Romanian threat actor Diicot deploying the off-the-shelf Mirai-based bot known as Cayosin, targeting routers running the Linux-based embedded devices operating system OpenWrt.	Malware	Multiple Industries	Cyber Crime	>1		Discord	Command and Control
21/06/2023	During May 2023	During May 2023	APT37 (AKA StarCruft, Reaper, or RedEyes)	Multiple organizations	Researchers from AhnLab reveal the details of the latest campaign from the North Korean threat actor APT37 using two new custom malware strains dubbed 'AblyGo backdoor' and 'FadeStealer'.	Targeted Attack	Multiple Industries	Cyber Espionage	N/A		GitHub	Command and Control
21/06/2023	Between late 2022 and early 2023	-	APT15 AKA Nickel, Flea, Ke3Chang, and Vixen Panda	Foreign affairs ministries in Central and South American countries	Researchers from Broadcom/Symantec unearth a new campaign by the Chinese state-sponsored group tracked as APT15, using a novel backdoor named 'Graphican'.	Targeted Attack	Public admin and defence, social security	Cyber Espionage	>1		Microsoft OneDrive	Command and Control
21/06/2023	'Recently'	'Recently'	MULTI#STORM	Organizations in India and the U.S	Researchers from Securonix discover a new phishing campaign codenamed MULTI#STORM targeting organizations in India and the U.S. by leveraging JavaScript files to deliver remote access trojans on compromised systems.	Malware	Multiple Industries	Cyber Crime	IN US		Microsoft OneDrive	Delivery and Distribution
21/06/2023	-	-	?	Seven different financial institutions across North, Central, and Latin America	Researchers from Netskope discover several phishing campaigns targeting customers of seven different financial institutions across North, Central, and Latin America.	Account Takeover	Finance and insurance	Cyber Crime	>1		Telegram	Data Exfiltration
21/06/2023	'Recently'	'Recently'	RedEnergy	Multiple organizations	Researchers from Zscaler discover a new malware variant, RedEnergy stealer that fits into the hybrid Stealer-as-a-Ransomware threat category.	Malware	Multiple Industries	Cyber Crime	>1		Discord	Delvery and Distribution
05/07/2023	Since at least end of May 2023	During June 2023	TeamTNT	Multiple organizations	Researchers from Aqua Security and Sentinel One discover a new campaign still in early stages linked to TeamTNT, a threat group known for targeting cloud and container environments to deploy cryptocurrency miners.	Account Takeover	Multiple Industries	Cyber Crime	>1		AWS, Microsoft Azure, Google Cloud Platform	Actions on Objective
07/07/2023	Since May 2023	Since May 2023	TOITOIN	Organizations in Latin America	Researchers from Zscaler discover a new Windows-based banking trojan called TOITOIN targeting organization in Latin America.	Malware	Finance and insurance	Cyber Crime	>1		AWS	Delivery and Distributon
09/07/2023	During January 2023	Mid-May 2023	Charming Kitten (AKA APT35, TA453, Mint Sandstorm, Yellow Garuda)	Experts in Middle Eastern affairs and nuclear security	Researchers from Proofpoint discover a new campaign by the Iranian Charming Kitten APT group using a new NokNok malware that targets macOS systems against experts in Middle Eastern affairs and nuclear security.	Targeted Attack	Individual	Cyber Espionage	>1		Dropbox	Delivery and Distribution
11/07/2023	-	-	Scarleteel	Multiple organizations	Researchers from Sysdig observe the financially motivated threat actor Scarleteel infiltrating Amazon Web Services (AWS) to steal credentials and intellectual property, plant crypto mining software, perform distributed denial-of-service (DDoS) attacks, and more.	Misconfiguration	Multiple Industries	Cyber Crime	>1		AWS	Actions on Objective
11/07/2023	'Recently'	'Recently'	?	Fans of rogue PUBG games	Researchers from Cyble discover a GitHub page that masquerades as a PUBG bypass hack project but distributes the information stealer called “Legion Stealer”.	Malware	Arts entertainment, recreation	Cyber Crime	>1		GitHub	Delivery and Distribution
11/07/2023	15/05/2023	16/06/2023	Storm-0558	25 organizations worldwide, including U.S. and Western European government agencies	Researchers from Microsoft reveal that a Chinese hacking group dubbed Storm-0558 has breached the email accounts of more than two dozen organizations worldwide, including U.S. and Western European government agencies, such as the U.S. State and Commerce Departments, orging authentication tokens.	Account Takeover	Public admin and defence, social security	Cyber Espionage	>1		Microsoft Outlook	Actions on Objective
11/07/2023	'Recently'	'Recently'	PyLoose	Multiple Organizations	Researchers from WIz discover a new fileless malware named PyLoose targeting cloud workloads to hijack their computational resources for Monero cryptocurrency mining.	Malware	Multiple Industries	Cyber Crime	>1		Unknown	Actions on Objective
12/07/2023	Mid-April 2023	Mid-April 2023	APT29 (AKA Cozy Bear, Cloaked Ursa, BlueBravo, Midnight Blizzard, and formerly Nobelium)	Foreign Embassies in Ukraine	Researchers from Palo Alto Networks discover a new campaign by the Russian threat actor APT29 targeting 22 foreign embassies in Ukraine, using a BMW car advertisement.	Targeted Attack	Public admin and defence, social security	Cyber Espionage	>1		Dropbox, Microsoft OneDrive	Command and Control
12/07/2023	'Recently'	'Recently'	?	Security Professionals	Researchers from Uptycs discover a fake proof-of-concept (PoC) for a vulnerability, hosted on GitHub, concealing a backdoor.	Malware	Professional, scientific and technical	Cyber Crime	>1		GitHub	Delivery and Distribution
12/07/2023	Early June 2023	Early June 2023	Vietnamese threat actors	Multiple organizations	Researchers at Malwarebytes discover a campaign using malicious Chrome extension for Meta Ad Manager to steal business credentials.	Malicious Browser Extension	Multiple Industries	Cyber Crime	>1		Google Drive, Trello	Delivery and Distribution
13/07/2023	During June 2023	During June 2023	?	Undiclosed manufacturing organization	Researchers from eSentire discover a campaign exploiting Sorillus RAT, and a phishing page being delivered using HTML smuggled files and links using Google’s Firebase Hosting service.	Malware	Manufacturing	Cyber Crime	N/A		Google Firebase	Delivery and Distribution
14/07/2023	-	-	?	Multiple organizations	Researchers from Netskope discover several phishing campaigns abusing AWS Amplify to host the malicious pages, and Telegram to collect users’ credentials.	Account Takeover	Multiple Industries	Cyber Crime	>1		AWS	Delivery and Distribution
19/07/2023	-	-	BundleBot	Multiple organizations	Researchers from Check Point discover a new malware strain known as BundleBot, abusing the dotnet bundle (single-file), self-contained format and commonly distributed via Facebook Ads and compromised accounts leading to websites masquerading as regular program utilities, AI tools, and games.	Malware	Multiple Industries	Cyber Crime	>1		Dropbox, Google Drive	Delivery and Distribution
21/07/2023	05/04/2023	-	?	Undisclosed Bank	Researchers from Checkmarx disclose the first example of a bank targeted by open-source software supply chain attacks.	Malware	Finance and insurance	Cyber Crime	N/A		Microsoft Azure	Delivery and Distribution
24/07/2023	During the past year	24/07/2023	Space Pirates	16 Government agencies, educational institutions, private security companies, aerospace manufacturers, agricultural producers, defense, energy, and healthcare firms in Russia and Serbia.	Researchers from Positive Technologies reveal that the threat actor known as Space Pirates has been linked to attacks against at least 16 organizations in Russia and Serbia over the past year by employing novel tactics and adding new cyber weapons to its arsenal.	Targeted Attack	Multiple Industries	Cyber Espionage	RU SR		GitHub	Command and Control
27/07/2023	Between March and May 2023	Between March and May 2023	APT29 (AKA Cozy Bear, Cloaked Ursa, BlueBravo, Midnight Blizzard, and formerly Nobelium)	Government entities in Europe with interest in Ukraine	Ssecurity researchers at Recorded Future unearth a cyber espionage campaign by the Russian threat actor APT29 targeting government-sector entities in Europe with interest in Ukraine.	Targeted Attack	Public admin and defence, social security	Cyber Espionage	>1		Dropbox, Microsoft OneDrive	Command and Control
30/07/2023	In recent months'	-	Threat actors from Iran	State employees and researchers in Israel	The Israeli Shin Bet security agency reveals to have uncovered an Iranian phishing campaign against Israeli civilians in recent months, mostly targeting state employees and researchers, in a bid to obtain intelligence on state policy.	Targeted Attack	Public admin and defence, social security	Cyber Espionage	IL		LinkedIn	Delivery and Distribution
31/07/2023	Since December 2022	Since December 2022	TA544 and TA551	Organizations in Italy	Researchers from Proofpoint discover WikiLoader, a new malware strain aimed at Italian organizations through several phishing campaigns.	Malware	Multiple Industries	Cyber Crime	IT		Discord	Delivery and Distribution
01/08/2023	Since December 2022	During March 2023	Vietnamese threat actors	Multiple organizations	Researchers from Palo Alto Networks uncover a previously unreported phishing campaign that uses new variants of the NodeStealer malware to compromise Facebook corporate accounts.	Malware	Multiple Industries	Cyber Crime	>1		Google Drive	Delivery and Distribution
02/08/2023	Since at least late May 2023	During May 2023	APT29 (AKA Cozy Bear, Cloaked Ursa, BlueBravo, Midnight Blizzard, and formerly Nobelium)	Fewer than 40 Government, non-government organizations (NGOs), IT services, technology, discrete manufacturing, and media sectors organizations	Microsoft reveals that the hacking group tracked as APT29 and linked to Russia's Foreign Intelligence Service (SVR) targeted dozens of organizations worldwide, including government agencies, in Microsoft Teams phishing attacks.	Account Takeover	Multiple Industries	Cyber Espionage	>1		Microsoft Teams	Delivery and Distribution
03/08/2023	-	-	Rilide	Multiple organizations	Researchers from Trustwave discover a new version of the Rilide Stealer extension targeting Chromium-based browsers such as Google Chrome, Microsoft Edge, Brave, and Opera.	Malware	Multiple Industries	Cyber Crime	>1		Discord	Delivery and Distribution
09/08/2023	Over the last six months	H1 2023	?	Multiple organizations worldwide	Researchers from Proofpoint discover a campaign using 120,000 phishing emails sent to over a hundred organizations to steal Microsoft 365 accounts via the EvilProxy phishing-as-a-service platform.	Account Takeover	Multiple Industries	Cyber Crime	>1		Microsoft 365 Suite	Actions on Objective
10/08/2023	Since 19/11/2014	-	MoustachedBouncer	Foreign embassies in Belarus	Researchers from ESET discover a cyberespionage group named 'MoustachedBouncer', observed using adversary-in-the-middle (AitM) attacks at ISPs to hack foreign embassies in Belarus.	Targeted Attack	Public admin and defence, social security	Cyber Espionage	>1		Google Cloud Platform	Delivery and Distribution
14/08/2023	Since at least early August 2023	Early August 2023	?	Multiple organizations	Researchers from Uptycs discover a new malicious tool dubbed QwixxRAT (AKA Telegram RAT).	Malware	Multiple Industries	Cyber Crime	>1		Discord, Telegram	Delivery and Distributon
Date Reported	Date Occurred	Date Discovered	Author	Target	Description	Attack	Target Class	Attack Class	Geo	Link	Exploited Service	Motivation

Enjoy the interactive timeline, and thanks for sharing it, and supporting my work in spreading the risk awareness across the community. Also, don’t forget to follow @paulsparrows on Twitter, or even connect on Linkedin, or Mastodon for the latest updates.

BE NOTIFIED OF NEW BLOG POSTS: SUSCRIBE!

SUPPORT MY WORK!

August 2016 Cyber Attacks Statistics
It's time to publish the statistics derived from the cyber attacks timelines of August (Part I and Part II), a month particularly active from an Information Security perspective, despite the Summer time. As always, let’s start from the Daily Trend Chart, which shows obviously an ...
The Biggest Data Breaches of 2023
Similarly to what I have done in 2022 and 2021, I am collecting the main mega breaches...
1-15 August 2023 Cyber Attacks Timeline
In the first timeline of August, I collected 169 events (corresponding to 11.27 events per day), a considerable decrease compared to the the second half of July...
Q2 2023 Cyber Attacks Statistics
I have aggregated the statistics created from the cyber attacks timelines published in the second quarter of 2023. In total I have collected 1040 events...
2020 Cyber Attacks Statistics
As promised, I have pulled together some statistics from the data collected in 2020. The master table is available at the end of the post after the charts.