VYPR research · Published Jun 2, 2026 · 1 source

Attackers Weaponize Cloud Services for C2 Infrastructure and Malicious Traffic Camouflage

Cybercriminals are increasingly abusing major cloud platforms like AWS, Google Cloud, and Microsoft Azure to host command and control infrastructure and disguise malicious network traffic.

A recent analysis of threat intelligence data reveals a disturbing trend: attackers are actively weaponizing legitimate cloud services, including Amazon Web Services (AWS), Google Cloud, Microsoft Azure, Cloudflare, and GitHub, to mask their malicious activities. This sophisticated approach allows threat actors to establish resilient Command and Control (C2) infrastructure, evade detection by security solutions, and sustain long-lived attack operations.

The investigation, leveraging ANY.RUN's Threat Intelligence (TI) Lookup, identified a specific Cobalt Strike JA3S TLS fingerprint (1af33e1657631357c73119488045302c) that is frequently associated with malicious beacons. This fingerprint was observed in over 1,000 system events, often involving the abuse of native Windows processes like slui.exe, svchost.exe, and PowerShell. Crucially, nearly all of this malicious communication was routed over port 443 (HTTPS), exploiting the protocol's ubiquity to blend seamlessly with normal enterprise network traffic.

The C2 infrastructure linked to this Cobalt Strike signature was found to be hosted across multiple reputable providers: Microsoft, GitHub, Google, Amazon, and Cloudflare. This deliberate distribution across trusted platforms renders traditional reputation-based blocking methods ineffective, as IP addresses and domains can be rapidly rotated while maintaining a connection through these legitimate services. The JA3S fingerprint, however, provides a persistent behavioral indicator that can help track C2 infrastructure continuity.

Beyond C2 operations, the abuse extends to other attack vectors. The research uncovered active phishing campaigns targeting organizations, particularly in Brazil, where attackers are using subdomains of globally recognized cloud services alongside malicious domains. This tactic lends an air of legitimacy to phishing attempts and complicates efforts to take down malicious infrastructure. Furthermore, Business Email Compromise (BEC) campaigns have been observed leveraging Amazon S3 buckets to host fake invoice PDFs, such as 'invoice.pdf' and 'pagamento.pdf,' which serve as vectors for financial fraud.

Behavioral analysis also highlighted malicious traffic being tunneled through HTTPS on port 443, disguised as routine encrypted web activity. This multi-layered strategy, utilizing various legitimate services and ports for communication and fallback mechanisms, demonstrates how attackers architect resilience directly into their infrastructure. The .top Top-Level Domain (TLD) was identified as a particularly hostile space, with many algorithm-generated domains classified as malicious and often using Cloudflare to conceal their true server locations.

For Security Operations Center (SOC) teams and threat hunters, these findings underscore the need for advanced, multi-parameter hunting queries that combine indicators like JA3S fingerprints, destination geolocation, and file path patterns. Detection rules should be deployed to target the identified JA3S hash, HTTPS-based C2 behavior, and high-risk TLDs. The extensive abuse of trusted cloud infrastructure emphasizes that brand reputation alone is no longer a guarantee of network safety.
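As an added example (not from the article or from ANY.RUN's tooling), the following Python sketches the kind of multi-parameter hunting rule the paragraph describes: it scores TLS-connection events on the quoted JA3S hash, HTTPS from the Windows processes named above, and the .top TLD. The JSON log lines, hostnames, non-matching JA3S values and the scoring weights are constructed for illustration.

```python
import json

# JA3S value the article ties to Cobalt Strike beacons (quoted from the page).
COBALT_STRIKE_JA3S = "1af33e1657631357c73119488045302c"
# Native Windows processes the article names as carriers of beacon traffic.
SUSPECT_PROCESSES = {"slui.exe", "svchost.exe", "powershell.exe"}
# TLD the article calls out as heavily abused.
HIGH_RISK_TLDS = {"top"}

def score_event(ev):
    """Score one event; returns (score, reasons). Weights are assumed, not from the article."""
    score, reasons = 0, []
    if ev.get("ja3s", "").lower() == COBALT_STRIKE_JA3S:
        score += 5
        reasons.append("ja3s:cobalt-strike")
    if ev.get("dst_port") == 443 and ev.get("process", "").lower() in SUSPECT_PROCESSES:
        score += 2
        reasons.append("https-from-suspect-process")
    tld = ev.get("sni", "").rsplit(".", 1)[-1].lower()
    if tld in HIGH_RISK_TLDS:
        score += 2
        reasons.append("high-risk-tld")
    return score, reasons

def hunt(lines, threshold=4):
    """Run the rule over JSON-per-line events; return those at or above threshold."""
    hits = []
    for line in lines:
        ev = json.loads(line)
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append({"host": ev["host"], "sni": ev.get("sni"), "score": score, "reasons": reasons})
    return hits

# Constructed sample log: hostnames, SNIs and the non-matching JA3S values are made up.
SAMPLE_LOG = [
    # Beacon to a reputable-looking CDN name: reputation says fine, JA3S says Cobalt Strike.
    '{"host":"WS-01","process":"svchost.exe","dst_port":443,"sni":"cdn.example-cloud.net","ja3s":"1af33e1657631357c73119488045302c"}',
    # Ordinary browser traffic, nothing to flag.
    '{"host":"WS-02","process":"chrome.exe","dst_port":443,"sni":"www.example.com","ja3s":"0000000000000000000000000000dead"}',
    # PowerShell over HTTPS to an algorithm-looking .top name: no JA3S match, still reaches threshold.
    '{"host":"WS-03","process":"powershell.exe","dst_port":443,"sni":"k9x2qv.example.top","ja3s":"0000000000000000000000000000beef"}',
    # slui.exe on 443 alone stays below threshold; a second indicator is needed.
    '{"host":"WS-04","process":"slui.exe","dst_port":443,"sni":"licensing.example.com","ja3s":"0000000000000000000000000000cafe"}',
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(hit)
```

Lowering the threshold surfaces the single-indicator events as well; in practice the weights and the destination-geolocation and file-path terms the article mentions would be tuned to the environment.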

Organizations must adopt a Zero Trust security posture, invest in advanced sandbox-based detection capabilities, and enhance user education, especially for financial teams, regarding BEC and phishing risks. In a threat landscape where attackers increasingly leverage the very platforms enterprises rely on, these measures are essential for maintaining resilience against sophisticated and evasive threats.

Synthesized by Vypr AI