JavaGhost

Also known as: JavaGhost

JavaGhost is a threat actor group that has targeted cloud environments, particularly AWS, for phishing campaigns without engaging in data theft for extortion. They exploit overly permissive IAM permissions and utilize long-term access keys to gain initial access, employing the GetFederationToken API to acquire temporary credentials for console access. JavaGhost has demonstrated advanced evasion techniques, avoiding common detection methods by not using the GetCallerIdentity API call. Their activities generate detectable logging footprints in CloudTrail, allowing organizations to identify and respond to their tactics.

Introduction

JavaGhost is a threat actor group that has targeted cloud environments, particularly AWS, for phishing campaigns without engaging in data theft for extortion. They exploit overly permissive IAM permissions and utilize long-term access keys to gain initial access, employing the GetFederationToken API to acquire temporary credentials for console access. JavaGhost has demonstrated advanced evasion techniques, avoiding common detection methods by not using the GetCallerIdentity API call. Their activities generate detectable logging footprints in CloudTrail, allowing organizations to identify and respond to their tactics.

Activities and Tactics

Information pending cataloguing.

Notable Campaigns

Information pending cataloguing.

Tactics, Techniques, and Procedures (TTPs)

Information pending cataloguing.

Notable Indicators of Compromise (IOCs)

No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.

Malware and Tools

  • CloudDuke
  • Xploit
  • Ghost

Attribution and Evidence

Information pending cataloguing.

References

References pending cataloguing.