{"id":13333,"date":"2026-06-03T10:04:10","date_gmt":"2026-06-03T10:04:10","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/06\/03\/attackers-abuse-aws-google-cloud-cloudflare-and-microsoft-services-to-hide-malicious-traffic\/"},"modified":"2026-06-03T10:04:10","modified_gmt":"2026-06-03T10:04:10","slug":"attackers-abuse-aws-google-cloud-cloudflare-and-microsoft-services-to-hide-malicious-traffic","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/06\/03\/attackers-abuse-aws-google-cloud-cloudflare-and-microsoft-services-to-hide-malicious-traffic\/","title":{"rendered":"Attackers Abuse AWS, Google Cloud, Cloudflare, and Microsoft Services to Hide Malicious Traffic"},"content":{"rendered":"<p>    Attackers Abuse AWS, Google Cloud, Cloudflare, and Microsoft Services to Hide Malicious Traffic<br \/>\n \t<BR><br \/>\n<BR><\/BR><br \/>\n    <!-- no image --><br \/>\n \t<BR><br \/>\n<BR><\/BR><\/p>\n<div>\n<p class=\"wp-block-paragraph\">Cybercriminals are increasingly weaponizing trusted cloud infrastructure, including Amazon Web Services, Google Cloud, Microsoft Azure, Cloudflare, and GitHub, to camouflage malicious traffic, evade detection, and sustain long-lived Command and Control (C2) operations.<\/p>\n<p class=\"wp-block-paragraph\">A recent threat intelligence investigation using <a href=\"https:\/\/cybersecuritynews.com\/beat-threats-with-context-5-actionable-tactics-for-soc-analysts\/\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN\u2019s Threat Intelligence (TI) Lookup<\/a> reveals just how deeply this abuse has become embedded in modern attack chains.<\/p>\n<p class=\"wp-block-paragraph\">The investigation by Threat Researcher Clandestine, spanning five targeted OSINT queries across ANY.RUN\u2019s dynamic threat intelligence database, which indexes over 50 million IOCs, IOBs, and IOAs derived from real-time sandbox analyses conducted by over 500,000 analysts globally, exposes a recurring pattern: legitimate 
services are being turned into shields for adversarial activity.<\/p>\n<p class=\"has-background wp-block-paragraph\" style=\"background:linear-gradient(180deg,rgb(238,238,238) 83%,rgb(169,184,195) 100%)\">Accelerate\u00a0security\u00a0workflows for faster triage &amp; response.\u00a0<strong><a href=\"https:\/\/any.run\/threat-intelligence-lookup\/?utm_source=csn&amp;utm_medium=article&amp;utm_campaign=osint&amp;utm_content=ti+lookup+sales&amp;utm_term=020626#contact-sales\" target=\"_blank\" rel=\"noreferrer noopener nofollow\"><u>Integrate Threat Intelligence in your SOC or MSSP<\/u><\/a>.<\/strong><\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img data-recalc-dims=\"1\" height=\"511\" width=\"1024\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhO9e5fyfg8JVrkSObSXzGWJbeHT8E8a_T7_b-mbDLFvoqTviijuAtrOQDvfy0q92e4Y-svlfz_20sKFr2Sr6aTi5cDKO58z7zRO7YZAEoFNkJm0WKmtSF4o4N7WvshrJSvqUXg5ExT8cj9hDubXltID6vLqfQDC8ogp3SCMqkAptetZU33W3r1gksjV3Q\/s16000\/image6-1024x511.webp?resize=1024%2C511&#038;ssl=1\" alt=\"\"><figcaption class=\"wp-element-caption\"><em>Remote Access Trojan\u2019s attack chain and TTPs mapped in a Sandbox analysis<\/em>\u00a0<\/figcaption><\/figure>\n<\/div>\n<h2 id=\"h-cobalt-strike-hides-behind-trusted-cloud-providers\" class=\"wp-block-heading\"><strong>Cobalt Strike Hides Behind Trusted Cloud Providers<\/strong><\/h2>\n<p class=\"wp-block-paragraph\">One of the most alarming findings emerged from a JA3S TLS fingerprint query targeting the hash <code>1af33e1657631357c73119488045302c<\/code>, a signature commonly associated with Cobalt Strike beacons.<\/p>\n<figure class=\"wp-block-image size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" 
src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjXOAhvqXa3JDBqUsd7PgAcAQ-fHfWVgbR1K6emX4hJ3OkHx_4YFrl1hCW26P6hOk4PolIVxG1Ye-jSQ6cCTL0LzCoIU-SO6GePHEAobpvCy99xgSveUMPRBK93EiKyRJb91hz5FWd5sIp_IGuGbYFDlMELMH359acrhi1tKNXcPAMpm4R5r-PJMhQFgSw\/s16000\/image2-1.webp?ssl=1\" alt=\"\"><figcaption class=\"wp-element-caption\"><em>Search by a single connection parameter reveals a malicious pattern<\/em>\u00a0<\/figcaption><\/figure>\n<p class=\"wp-block-paragraph\">Analysts querying this hash in TI Lookup uncovered more than 1,000 system events, predominantly involving native Windows processes such as <code>slui.exe<\/code>, <code>svchost.exe<\/code>, and PowerShell, a classic pattern of Living-off-the-Land Binary (LOLBin) abuse. Nearly all communication was routed over port 443 (HTTPS), exploiting the protocol\u2019s ubiquity to blend into normal enterprise traffic.<\/p>\n<p class=\"wp-block-paragraph\">More critically, the C2 infrastructure tied to this JA3S fingerprint was found hosted across Microsoft, GitHub, Google, Amazon, and Cloudflare. 
This deliberate use of reputable platforms makes traditional reputation-based blocking ineffective.<\/p>\n<p class=\"wp-block-paragraph\">JA3S fingerprinting provides a behavioral anchor that persists even as adversaries rotate domains and IP addresses, a powerful technique for tracking C2 infrastructure continuity.<\/p>\n<p class=\"wp-block-paragraph\">Detection of this JA3S hash in network telemetry should be treated as a strong indicator of Cobalt Strike infection, immediately triggering endpoint correlation and incident response workflows.<\/p>\n<p class=\"wp-block-paragraph\">The investigation also uncovered active phishing campaigns targeting Brazilian organizations, where attackers are leveraging subdomains of globally recognized services alongside malicious domains.<\/p>\n<p class=\"wp-block-paragraph\">The use of globally hosted infrastructure serves a dual purpose: it lends the attacks a veneer of legitimacy and actively hinders domain takedowns. Security teams in Brazil and similar regions should be especially alert to emails containing links hosted on subdomains of popular cloud services.<\/p>\n<figure class=\"wp-block-image size-large\"><img data-recalc-dims=\"1\" height=\"882\" width=\"1536\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEis7c6XX1roYOPhNZsw71c91OpBiXmi0rV56g5TJ-O8qaxMK7syqtTFNP8kULbXokfSPqgyk9VrqRLF-R5AW6qqodIzZQ0TRQj_sUdvQfDp-AG9f0luCeu4K4X33TxH0Pw9emizHBSSW7uEnyt8-9bO2hzNu_Q9rW9ZFZH6xP0DqsctDsDpQPvyLeDwkUI\/s16000\/imagea-1536x882.webp?resize=1536%2C882&#038;ssl=1\" alt=\"\"><figcaption class=\"wp-element-caption\"><em>Network infrastructure related to phishing attacks on Brazilian users<\/em>\u00a0<\/figcaption><\/figure>\n<p class=\"wp-block-paragraph\">Compounding this is the discovery of Business Email Compromise (BEC) campaigns deploying fake invoice PDF files named <code>invoice.pdf<\/code> and <code>pagamento.pdf<\/code> (Portuguese for \u201cpayment\u201d) hosted on 
Amazon S3 buckets.<\/p>\n<figure class=\"wp-block-image size-large is-resized\"><img data-recalc-dims=\"1\" height=\"578\" width=\"1024\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjvhB37x2WRurHB742Bc9sooJ_cx_syiE6X7Hwm9VeC6B5Y4AYBwJ7i8xEwef3p8xbqKC93b71yeDgAmSQkz9SiM2KEcG8dlMdsI9ZKkmLY3cD1-3midW26WsnccnYMLKHPaocodsno0zECRZxAUlTYbVrb4gban6296E6eyV4fwasZUvLlDQZROzYS93c\/s16000\/image7-1024x578.webp?resize=1024%2C578&#038;ssl=1\" alt=\"\" style=\"width:1024px;height:auto\"><figcaption class=\"wp-element-caption\"><em>Files spotted in phishing campaigns with fake financial documents<\/em>\u00a0<\/figcaption><\/figure>\n<p class=\"wp-block-paragraph\">These files serve as infection vectors for financial fraud operations. The finding reinforces that legitimate cloud storage is now a preferred staging ground for initial payload delivery, with file hashes from these samples providing actionable IOCs for blocking and detection.<\/p>\n<h2 id=\"h-trojan-traffic-tunneled-through-https-on-port-443\" class=\"wp-block-heading\"><strong>Trojan Traffic Tunneled Through HTTPS on Port 443<\/strong><\/h2>\n<p class=\"wp-block-paragraph\">A behavior-based hunting query combining Russian IP geolocation, Suricata trojan classifications, and port 443 communication surfaced a diverse ecosystem of malicious traffic deliberately disguised as routine encrypted web activity.<\/p>\n<figure class=\"wp-block-image size-large\"><img data-recalc-dims=\"1\" height=\"622\" width=\"1024\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjV80kMxovv5aJnjhCFzYlRxj4EUSkpQjvZnGXe70IHRL7G_C7xlqlu0-vFUADQZA2YC2pJfNPXh9cC1zfhdO2_UZ8odSMFcXLM9XIl6w4Gp4iX0CqSHeovABKJeOy9bjndRRplcNAjnPRKmvoMF2i22zp3_Mwg5FOfhmYr8znJsKAIR0x4_1FIpWvEtV4\/s16000\/image5-1024x622.webp?resize=1024%2C622&#038;ssl=1\" alt=\"\"><figcaption class=\"wp-element-caption\"><em>Gather IOCs and observe 443 port exploited in a single 
lookup<\/em>\u00a0<\/figcaption><\/figure>\n<p class=\"wp-block-paragraph\">This multi-layered attack strategy, employing multiple legitimate services across various ports for communication and fallback, demonstrates how attackers architect resilience directly into their infrastructure.<\/p>\n<p class=\"wp-block-paragraph\">The .top TLD emerged as a particularly hostile domain space, with <a href=\"https:\/\/cybersecuritynews.com\/new-mintsloader-employs-domain-generation-algorithm-anti-vm-techniques\/\" target=\"_blank\" rel=\"noreferrer noopener\">Domain Generation Algorithm (DGA)<\/a> domains classified as malicious at scale.<\/p>\n<p class=\"wp-block-paragraph\">These domains routinely leverage WinRAR archives for payload delivery and use Cloudflare services to conceal true server locations. Given the extremely high volume of malicious activity tied to .top, many organizations are now blocking the entire TLD proactively at the perimeter.<\/p>\n<p class=\"has-background wp-block-paragraph\" style=\"background:linear-gradient(180deg,rgb(238,238,238) 86%,rgb(169,184,195) 100%)\">Turn uncertain alerts into faster, defensible decisions.\u00a0<strong><a href=\"https:\/\/any.run\/threat-intelligence-lookup\/?utm_source=csn&amp;utm_medium=article&amp;utm_campaign=osint&amp;utm_content=ti+lookup+sales&amp;utm_term=020626#contact-sales\" target=\"_blank\" rel=\"noreferrer noopener nofollow\"><u>Gain clearer evidence for response and reporting<\/u><\/a>.<\/strong><\/p>\n<figure class=\"wp-block-image size-large\"><img data-recalc-dims=\"1\" height=\"634\" width=\"1024\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiv3iFRjLBQkhJEyUlvogUQdMhYQz1kDClFfdPrQLerKDHPmHtMvt0LWCdOApDbj6AAlmvOmbBi0D7qzY7R3t58S6TzFAXZSxAM4Uu3IrstaBx11WSRDuyNeCzTbwOh039OAOOiYpJVrdFNuurUPGHyil1HnuZ6SGyFozQiSCoD8xT7UO9E_6Nv13gTDto\/s16000\/image8-1024x634.webp?resize=1024%2C634&#038;ssl=1\" alt=\"\"><figcaption 
class=\"wp-element-caption\"><em>Malicious domains and linked IOCs must be gathered for detection\/response<\/em>\u00a0<\/figcaption><\/figure>\n<p class=\"wp-block-paragraph\">For SOC teams and threat hunters, this research underscores several critical imperatives. Multi-parameter hunting queries combining JA3S fingerprints, destination geolocation, Suricata classifications, and file path patterns will outperform single-IOC lookups significantly.<\/p>\n<p class=\"wp-block-paragraph\">Detection rules targeting the identified JA3S hash, HTTPS-based C2 behavior, and high-risk TLDs like <code>.top<\/code>, <code>.shop<\/code>, and <code>.cc<\/code> should be deployed immediately. Integration of ANY.RUN\u2019s TI Feeds and Lookup results into SIEM\/SOAR platforms can automate threat correlation and reduce analyst burden.<\/p>\n<p class=\"wp-block-paragraph\">At an organizational level, the extensive abuse of trusted infrastructure from Microsoft, Google, and Amazon proves that brand reputation no longer guarantees network safety.<\/p>\n<p class=\"wp-block-paragraph\">Adopting a Zero Trust posture, investing in advanced sandbox-based detection, and educating financial teams about BEC and phishing risks are no longer optional; they are baseline requirements for resilience in a threat landscape where the attacker\u2019s most reliable weapon is the cloud platform your enterprise already trusts.<\/p>\n<p class=\"has-background wp-block-paragraph\" style=\"background:linear-gradient(180deg,rgb(238,238,238) 82%,rgb(169,184,195) 100%)\"><a href=\"https:\/\/any.run\/threat-intelligence-lookup\/?utm_source=csn&amp;utm_medium=article&amp;utm_campaign=osint&amp;utm_content=ti+lookup+sales&amp;utm_term=020626#contact-sales\" target=\"_blank\" rel=\"noreferrer noopener nofollow\"><strong>Close blind spots and reduce exposure<\/strong><\/a>\u00a0to critical incidents with ANY.RUN\u2019s Threat Intelligence.<\/p>\n<p>The post <a 
href=\"https:\/\/cybersecuritynews.com\/attackers-abuse-cloud-services-malicious-traffic\/\">Attackers Abuse AWS, Google Cloud, Cloudflare, and Microsoft Services to Hide Malicious Traffic<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p> \t<BR><br \/>\n <BR><\/BR><br \/>\n    Guru Baran<br \/>\n \t<BR><br \/>\n<BR><\/BR><br \/>\n<a href=\"https:\/\/cybersecuritynews.com\/attackers-abuse-cloud-services-malicious-traffic\/\">Go to cyber-security-news<\/a><br \/>\n \t<BR><br \/>\n <BR><\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Attackers Abuse AWS, Google Cloud, Cloudflare, and Microsoft Services to Hide Malicious Traffic Cybercriminals are increasingly weaponizing trusted cloud infrastructure, including Amazon Web Services, Google Cloud, Microsoft Azure, Cloudflare, and GitHub, to camouflage malicious traffic, evade detection, and sustain long-lived Command and Control (C2) operations. A recent threat intelligence investigation using ANY.RUN\u2019s Threat Intelligence (TI) 
[&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63],"tags":[130],"class_list":["post-13333","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/13333"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=13333"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/13333\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=13333"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=13333"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=13333"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}