China-linked cloud credential heist runs on typos and SMTP
Summary
The China-linked APT41 (Winnti) group is using a Linux-based backdoor to steal cloud credentials from major cloud providers including AWS, GCP, Azure, and Alibaba Cloud. The malware uses SMTP on port 25 for covert command and control and typosquatted domains for exfiltration.
IFF Assessment
FOE
This campaign represents a sophisticated attack targeting cloud credentials, posing a direct threat to organizations' cloud infrastructure and data.
Defender Context
Defenders need to be vigilant about cloud credential security, implementing strong access controls and monitoring for suspicious outbound traffic, especially SMTP on port 25 from hosts that have no reason to send mail. The use of typosquatting highlights the importance of domain validation and user education against phishing and social engineering.
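The two detection ideas above (outbound SMTP from non-mail hosts, and DNS lookups for lookalikes of cloud-provider domains) as an added example, not code from the original brief: it assumes a small allowlist of mail relays, an assumed set of legitimate cloud-provider labels, and constructed flow/DNS log lines in a simple key=value format.

```python
"""Flag outbound SMTP (port 25) from hosts that are not approved mail relays,
and DNS queries whose registrable label is within edit distance 2 of a
cloud-provider label (a cheap typosquat check). Log lines are constructed."""
import re

# Assumed: only these internal hosts are allowed to speak SMTP outbound.
MAIL_RELAYS = {"10.0.0.25"}
# Assumed list of legitimate cloud-provider registrable labels to compare against.
CLOUD_LABELS = {"amazonaws", "googleapis", "azure", "aliyuncs"}

FLOW_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) proto=tcp")
DNS_RE = re.compile(r"src=(\S+) query=(\S+)")


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def second_level_label(name: str) -> str:
    """'sts.amazonaws.com.' -> 'amazonaws' (label left of the TLD)."""
    parts = name.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def is_lookalike(label: str, max_dist: int = 2) -> bool:
    """True when the label is close to, but not equal to, a known cloud label."""
    if label in CLOUD_LABELS:
        return False
    return any(0 < levenshtein(label, known) <= max_dist for known in CLOUD_LABELS)


def scan(lines):
    """Return (alert_type, source_host, detail) tuples for suspicious lines."""
    alerts = []
    for line in lines:
        m = FLOW_RE.search(line)
        if m and m.group(3) == "25" and m.group(1) not in MAIL_RELAYS:
            alerts.append(("smtp_c2_candidate", m.group(1), m.group(2)))
            continue
        m = DNS_RE.search(line)
        if m and is_lookalike(second_level_label(m.group(2))):
            alerts.append(("typosquat_lookup", m.group(1), m.group(2)))
    return alerts


SAMPLE_LOGS = [  # constructed sample input
    "t=1 src=10.0.0.25 dst=198.51.100.7 dport=25 proto=tcp",  # approved relay
    "t=2 src=10.0.1.17 dst=203.0.113.9 dport=25 proto=tcp",   # web host sending SMTP
    "t=3 src=10.0.1.17 query=sts.amazonaws.com.",             # legitimate lookup
    "t=4 src=10.0.1.17 query=api.amazonavs.example.",         # one-letter lookalike
    "t=5 src=10.0.2.3 query=oauth2.googleapis.com.",          # legitimate lookup
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOGS):
        print(alert)
```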