A Dozen Ways to Hack Enterprises in the Cloud
Are you ready for attackers to use your cloud against you?
As enterprises increasingly depend on cloud services, living off the land has evolved into living off the cloud.
Below are some examples of how attackers are increasingly abusing cloud-based services to mount a variety of attacks.
Covert command-and-control via cloud-hosted productivity tools
Researchers from Google and Mandiant recently disrupted a suspected Chinese cyber-espionage operation (UNC2814) that was abusing legitimate Google Sheets functionality to evade detection.
The Gridtide malware at the center of the campaign connected to a threat actor–controlled Google spreadsheet for C2, effectively allowing it to blend in with normal network traffic.
The malware treats Google Sheets as a live C2 database, using a Service Account token to poll specific cells for instructions before writing results from tasks back into adjacent columns. This malware is primarily being used for surveillance, but its presence is widespread. It has been actively used in over 40 countries. Its use is part of an ongoing trend of actors increasingly finding success in abusing SaaS platforms as an alternative to creating and maintaining their own custom infrastructure.
Hiding command-and-control in trusted APIs
Attackers are also building malware that routes command-and-control traffic through trusted services such as OpenAI APIs.
For example, the SesameOp backdoor routes traffic through OpenAI’s Assistants API, making its C2 communications look like legitimate AI development work. Because SesameOp traffic resembles normal AI development activity, it is becoming more difficult for security tools to detect and block it without breaking real workflows.
Another malware, VEILDrive, and its variants abuse the Microsoft Graph API. The malware authenticates to a legitimate corporate SharePoint or OneDrive tenant where it utilizes Graph API to read command files such as cmd.txt and write ‘output’ files (e.g., results.json) directly into a folder that looks like a user’s personal backup.
Malware staging in object storage
Attackers are increasingly storing second-stage payloads or configuration files in cloud storage services — for example, S3-compatible buckets — instead of their own servers.
This allows these files to be pulled down only when needed, reducing the malware footprint on disk and allowing attackers to swap payloads without redeploying malware.
Data exfiltration via trusted services
Attackers have also shifted from traditional FTP drops or risky pastebin (text storage) sites to exfiltrating massive troves of sensitive data via everyday cloud-based corporate communication tools such as Slack and Discord.
Recent attack campaigns have used compromised servers that issue HTTPS POST requests to api.slack.com, hooks.slack.com, or discord.com, exfiltrating heavily guarded secrets such as AWS Access Keys, SSH keys, and internal API tokens directly into attacker-controlled chat channels.
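As an added example (not code from the article), here is a small Python detector for this pattern over a constructed proxy log: it flags POST requests to the chat endpoints named above when they come from server-class hosts or carry unusually large bodies, and includes a pattern check for the secret types mentioned that can be applied to request bodies where TLS inspection makes them available. The log format, hostname prefixes, size threshold and all sample lines are assumptions.

```python
"""Flag server-originated POSTs to chat webhooks/APIs in a proxy log.

Added example, not from the article. Assumes a whitespace-separated proxy
log of the form: <timestamp> <source-host> <method> <url> <bytes-sent>.
"""
import re
from urllib.parse import urlparse

# Constructed sample proxy log (hostnames, URLs and sizes are made up).
SAMPLE_PROXY_LOG = """\
2024-05-01T10:00:01Z ws-finance-12 GET https://www.slack.com/ 512
2024-05-01T10:00:07Z db-prod-03 POST https://hooks.slack.com/services/T000/B000/xyz 48231
2024-05-01T10:00:09Z db-prod-03 POST https://hooks.slack.com/services/T000/B000/xyz 51290
2024-05-01T10:01:15Z build-runner-01 POST https://discord.com/api/webhooks/1234/abcd 2048
2024-05-01T10:02:00Z ws-sales-04 POST https://api.slack.com/api/chat.postMessage 730
"""

# Chat endpoints the article names as exfiltration channels.
CHAT_ENDPOINTS = {"api.slack.com", "hooks.slack.com", "discord.com"}

# Assumption: server hostnames carry one of these prefixes; adapt to your inventory.
SERVER_PREFIXES = ("db-", "build-", "app-", "web-")

# A POST larger than this is unusual for a chat message (constructed threshold).
LARGE_POST_BYTES = 10_000

# Patterns for the secret types the article mentions (AWS keys, SSH keys, API tokens).
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |OPENSSH |EC )?PRIVATE KEY-----"),
    "slack_token": re.compile(r"\bxox[abprs]-[0-9A-Za-z-]{10,}"),
}


def parse_line(line):
    """Split one log line into its fields; the destination host is taken from the URL."""
    ts, host, method, url, sent = line.split()
    return {"ts": ts, "host": host, "method": method.upper(),
            "dest": urlparse(url).hostname or "", "bytes": int(sent)}


def is_server(host):
    """Crude server-vs-workstation classification by hostname prefix."""
    return host.startswith(SERVER_PREFIXES)


def find_chat_exfil(log_text):
    """Return alerts for suspicious POSTs to chat services."""
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        e = parse_line(raw)
        if e["method"] != "POST" or e["dest"] not in CHAT_ENDPOINTS:
            continue
        reasons = []
        if is_server(e["host"]):
            reasons.append("server-originated POST to chat service")
        if e["bytes"] >= LARGE_POST_BYTES:
            reasons.append(f"large POST body ({e['bytes']} bytes)")
        if reasons:
            alerts.append({"ts": e["ts"], "host": e["host"],
                           "dest": e["dest"], "reasons": reasons})
    return alerts


def find_secrets(text):
    """Return the names of secret patterns present in a captured request body."""
    return sorted(name for name, pat in SECRET_PATTERNS.items() if pat.search(text))


if __name__ == "__main__":
    for alert in find_chat_exfil(SAMPLE_PROXY_LOG):
        print(alert)
```

Workstations posting small messages to Slack are normal, which is why the sample's last line produces nothing; the signal is the combination of a server-class source and a chat endpoint, reinforced by body size or, where a body is available, a secret-looking pattern.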
Hybrid and multi-stage kill chains entirely inside the cloud
Several campaigns demonstrate full cloud-native attack chains, including one campaign linked to a Chinese cyberespionage group.
Since March 2024, Genesis Panda has systematically weaponized cloud services across the full attack chain: querying the AWS Instance Metadata Service (IMDS) to harvest credentials, using cloud storage for payload hosting, routing command-and-control traffic through domains that impersonate legitimate cloud services, and using cloud compute for data exfiltration. The cloud isn’t the target; it is the entire operational backbone.
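Of the steps above, the IMDS credential harvest is the one most directly under an operator's control: requiring IMDSv2 (session tokens) stops the plain GET that IMDSv1 credential theft relies on. The following added Python example (not from the article) audits the JSON that `aws ec2 describe-instances` returns for instances that still accept IMDSv1 or allow more than one network hop, and builds the corresponding remediation commands. The instance IDs and settings in the sample are constructed, and the hop-limit rule is a heuristic that container hosts may legitimately need to relax.

```python
"""Audit EC2 instances for IMDS settings that make credential harvesting easy.

Added example, not from the article. Operates on the JSON that
`aws ec2 describe-instances` returns; the sample below is constructed.
"""
import json

# Constructed describe-instances output (instance IDs are made up).
SAMPLE_DESCRIBE_INSTANCES = json.dumps({
    "Reservations": [{
        "Instances": [
            {"InstanceId": "i-0aaa111111111111a",
             "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional",
                                 "HttpPutResponseHopLimit": 2}},
            {"InstanceId": "i-0bbb222222222222b",
             "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                                 "HttpPutResponseHopLimit": 1}},
            {"InstanceId": "i-0ccc333333333333c",
             "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional",
                                 "HttpPutResponseHopLimit": 1}},
        ]
    }]
})


def imds_findings(describe_json):
    """Return [(instance_id, issue), ...] for instances with weak IMDS settings."""
    findings = []
    data = json.loads(describe_json)
    for reservation in data.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            iid = inst["InstanceId"]
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") == "disabled":
                continue  # no IMDS at all: nothing for malware to query
            if opts.get("HttpTokens") != "required":
                # IMDSv1 still answers: any local process (or an SSRF) can
                # fetch the instance role credentials with a single GET.
                findings.append((iid, "IMDSv1 allowed (HttpTokens != required)"))
            hops = opts.get("HttpPutResponseHopLimit", 1)
            if hops > 1:
                # Heuristic: a hop limit above 1 lets traffic forwarded through
                # containers or NAT reach IMDS; some container hosts need 2.
                findings.append((iid, f"hop limit {hops} > 1"))
    return findings


def remediation_commands(findings):
    """Build the AWS CLI commands that enforce IMDSv2 for each flagged instance."""
    cmds = []
    for iid in sorted({iid for iid, _ in findings}):
        cmds.append(
            f"aws ec2 modify-instance-metadata-options --instance-id {iid} "
            "--http-tokens required --http-put-response-hop-limit 1")
    return cmds


if __name__ == "__main__":
    found = imds_findings(SAMPLE_DESCRIBE_INSTANCES)
    for iid, issue in found:
        print(iid, issue)
    for cmd in remediation_commands(found):
        print(cmd)
```

Enforcing IMDSv2 does not stop a process that already runs on the host from requesting a token, so it should be paired with tightly scoped instance roles; it does remove the class of credential theft that only needs one unauthenticated GET.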
Phishing and social engineering via trusted platforms
Attackers are increasingly hosting lures and login pages on legitimate cloud infrastructure.
For example, the Russia-nexus hacking group Cozy Bear (APT 29) delivered phishing links redirecting to authentic Microsoft login pages, removing the most common phishing red flag — suspicious domains. In these attacks the victims only saw legitimate Microsoft infrastructure, making traditional URL-based detection useless and the attack very dangerous.
Serverless and ephemeral infrastructure abuse
Attackers are abusing serverless services, such as AWS Lambda or Azure Functions, to conduct network reconnaissance and scanning. The tactic was utilized during the HazyBeacon campaign when it first targeted governmental entities in Southeast Asia.
Instead of scanning a target from a single compromised server, which gets its IP blocked immediately, the attacker spins up thousands of ephemeral Lambda functions. Each function scans a small slice of the target network and then dies.
With this technique all traffic originates from high-reputation Amazon IPs that rotate constantly. It is difficult for firewalls to block these attacks without breaking their own access to legitimate AWS services, which lets attackers effectively launder their traffic through Amazon’s reputation.
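One signal a defender still has is the shape of the scan itself: many distinct cloud-hosted source addresses, each touching one or two ports, collectively sweeping a port range on the same destination in a short window. The added Python example below (not from the article) implements that check over a constructed firewall log. The CIDRs stand in for the provider's published ranges (AWS publishes ip-ranges.json), and the thresholds and window are assumptions to tune per environment.

```python
"""Spot a port sweep spread across many short-lived cloud source IPs.

Added example, not from the article. Log format, CIDRs and thresholds are
constructed; in production load the provider's published prefixes (for AWS,
ip-ranges.json) instead of the two networks below.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed prefixes standing in for a cloud provider's published ranges.
CLOUD_PREFIXES = [ipaddress.ip_network("203.0.113.0/24"),
                  ipaddress.ip_network("198.51.100.0/24")]

# Tuning knobs (assumptions): how many distinct cloud sources and distinct
# ports on one destination within the window count as a distributed sweep.
MIN_SOURCES = 20
MIN_PORTS = 20
WINDOW = timedelta(minutes=5)

# Constructed firewall log, one line per packet:
# <timestamp> <src_ip> <dst_ip> <dst_port> <action>
# 30 ephemeral cloud sources each probe one port of 192.0.2.5 within 30 s,
# followed by ordinary traffic from an internal host.
SAMPLE_FIREWALL_LOG = "\n".join(
    [f"2024-05-01T09:00:{i:02d}Z 203.0.113.{10 + i} 192.0.2.5 {8000 + i} DROP"
     for i in range(30)]
    + ["2024-05-01T09:00:05Z 192.0.2.77 192.0.2.5 443 ALLOW",
       "2024-05-01T09:00:06Z 192.0.2.77 192.0.2.5 443 ALLOW"]
)


def is_cloud_ip(ip):
    """True if the address falls in one of the cloud provider prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUD_PREFIXES)


def detect_distributed_sweeps(log_text):
    """Return one alert per destination that sees a distributed port sweep."""
    per_dst = defaultdict(list)
    for line in log_text.splitlines():
        ts, src, dst, port, _action = line.split()
        if is_cloud_ip(src):
            per_dst[dst].append(
                (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, int(port)))

    alerts = []
    for dst, events in per_dst.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # slide the window so it spans at most WINDOW of time
            while events[end][0] - events[start][0] > WINDOW:
                start += 1
            window = events[start:end + 1]
            sources = {s for _, s, _ in window}
            ports = {p for _, _, p in window}
            if len(sources) >= MIN_SOURCES and len(ports) >= MIN_PORTS:
                alerts.append({"dst": dst, "sources": len(sources), "ports": len(ports),
                               "ports_per_source": round(len(ports) / len(sources), 2),
                               "first_seen": events[start][0].isoformat()})
                break  # one alert per destination is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_distributed_sweeps(SAMPLE_FIREWALL_LOG):
        print(alert)
```

A low ports-per-source ratio is what separates this pattern from a conventional scan: each function lives just long enough to probe its slice, so no single source ever trips a per-IP rate rule, but the aggregate across the provider's address space does.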
Cloud tunneling
Adversaries are bypassing inbound firewall rules by utilizing legitimate ‘tunneling’ services hosted on major cloud providers.
With these attacks, an attacker compromises an internal server but cannot open a port to listen for commands due to the corporate firewall. So instead, they install a Cloudflare Tunnel or ngrok agent. This agent initiates an outbound connection to the cloud provider, which is usually allowed.
To the security team, this looks like legitimate, encrypted HTTPS traffic going to Cloudflare or AWS, when in reality it is a stable C2 channel that tunnels right through the perimeter defenses using trusted infrastructure as the carrier.
EBS snapshot sharing
Cybercrime groups such as Scattered Spider and Storm-0501 abuse the “snapshot sharing technique,” creating a high-impact IaaS attack vector in the process. This approach bypasses traditional network security by weaponizing the cloud’s management layer.
Rather than downloading malicious files, the adversary creates a snapshot of the victim server’s entire hard drive and simply shares it, using the ModifySnapshotAttribute API, with an external cloud account the attacker controls. The attacker then restores the snapshot in that account and performs attacks such as offline credential dumping.
Trust abuse via Entra ID tenant relationships
China-nexus actor Murky Panda compromised upstream IT service providers to silently pivot into downstream victims through trusted Entra ID (formerly Azure AD) tenant connections. Hacking into Entra ID tenant configurations to gain admin privileges is also a feature of ransomware group Storm-0501’s tradecraft.
Pulling secrets directly from cloud vaults
Groups such as Storm-0501 have abused cloud-native secrets stores such as AWS Secrets Manager to harvest credentials as part of their broader ransomware and extortion campaigns.
Instead of dumping credentials from endpoints, attackers query secrets directly through cloud APIs. This avoids endpoint detection and shifts the attack into places many security teams monitor less closely, if at all.
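Both the snapshot-sharing technique and the secrets-store harvesting described above leave a trail in CloudTrail, which is where a defender can catch them. As an added example (not the article's code), the Python below reads CloudTrail records and flags ModifySnapshotAttribute calls that grant createVolumePermission to an account outside an allow-list (or to the public "all" group), plus any principal that reads an unusual number of distinct secrets with GetSecretValue in a short window. The account IDs, ARNs, thresholds and events are constructed; the record field names follow CloudTrail's documented format.

```python
"""Detect external snapshot sharing and secret-harvesting bursts in CloudTrail.

Added example, not from the article. Record field names follow CloudTrail's
format; the account IDs, ARNs, snapshot IDs, thresholds and events below are
constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: AWS account IDs that belong to the organisation.
KNOWN_ACCOUNTS = {"111111111111", "222222222222"}

# Assumptions: how many distinct secrets one principal may read per window.
SECRET_BURST_COUNT = 5
SECRET_BURST_WINDOW = timedelta(minutes=10)


def _share_event(t, snapshot_id, add_block):
    """Constructed ModifySnapshotAttribute record granting createVolumePermission."""
    return {"eventTime": t, "eventSource": "ec2.amazonaws.com",
            "eventName": "ModifySnapshotAttribute",
            "userIdentity": {"arn": "arn:aws:iam::111111111111:user/ops-admin"},
            "requestParameters": {"snapshotId": snapshot_id,
                                  "attributeType": "CREATE_VOLUME_PERMISSION",
                                  "createVolumePermission": {"add": add_block}}}


def _secret_event(t, arn, secret_id):
    """Constructed Secrets Manager GetSecretValue record."""
    return {"eventTime": t, "eventSource": "secretsmanager.amazonaws.com",
            "eventName": "GetSecretValue", "userIdentity": {"arn": arn},
            "requestParameters": {"secretId": secret_id}}


HARVESTER = "arn:aws:sts::111111111111:assumed-role/backup-role/i-0abc"
SAMPLE_RECORDS = [
    _share_event("2024-05-01T12:00:00Z", "snap-0123456789abcdef0", {"items": [{"userId": "222222222222"}]}),
    _share_event("2024-05-01T12:01:00Z", "snap-0123456789abcdef1", {"items": [{"userId": "999999999999"}]}),
    _share_event("2024-05-01T12:02:00Z", "snap-0123456789abcdef2", {"items": [{"group": "all"}]}),
] + [
    _secret_event(f"2024-05-01T12:05:{i * 10:02d}Z", HARVESTER, f"prod/db-{i}") for i in range(6)
] + [
    _secret_event("2024-05-01T13:00:00Z", "arn:aws:iam::111111111111:user/app-deploy", "prod/db-0"),
]


def _parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def external_snapshot_shares(records):
    """Snapshots granted to accounts outside KNOWN_ACCOUNTS or made public."""
    findings = []
    for r in records:
        if r.get("eventSource") != "ec2.amazonaws.com" or r.get("eventName") != "ModifySnapshotAttribute":
            continue
        params = r.get("requestParameters", {})
        added = params.get("createVolumePermission", {}).get("add", {}).get("items", [])
        for item in added:
            if item.get("group") == "all":
                target = "PUBLIC"
            elif "userId" in item and item["userId"] not in KNOWN_ACCOUNTS:
                target = item["userId"]
            else:
                continue  # sharing inside the organisation is expected
            findings.append({"time": r["eventTime"], "snapshot": params.get("snapshotId"),
                             "shared_with": target, "by": r["userIdentity"]["arn"]})
    return findings


def secret_harvest_bursts(records, threshold=SECRET_BURST_COUNT, window=SECRET_BURST_WINDOW):
    """Principals that read >= threshold distinct secrets within one window."""
    by_principal = defaultdict(list)
    for r in records:
        if r.get("eventSource") == "secretsmanager.amazonaws.com" and r.get("eventName") == "GetSecretValue":
            by_principal[r["userIdentity"]["arn"]].append(
                (_parse_time(r["eventTime"]), r["requestParameters"].get("secretId")))
    bursts = []
    for arn, calls in by_principal.items():
        calls.sort()
        start = 0
        for end in range(len(calls)):
            while calls[end][0] - calls[start][0] > window:
                start += 1  # drop calls that fell out of the sliding window
            distinct = {sid for _, sid in calls[start:end + 1]}
            if len(distinct) >= threshold:
                bursts.append({"principal": arn, "distinct_secrets": len(distinct),
                               "window_start": calls[start][0].isoformat()})
                break  # report each principal once
    return bursts


if __name__ == "__main__":
    print(external_snapshot_shares(SAMPLE_RECORDS))
    print(secret_harvest_bursts(SAMPLE_RECORDS))
```

The snapshot rule is a pure allow-list check and belongs in a near-real-time pipeline; the secrets rule needs a baseline, since a backup job may legitimately read many secrets, so the threshold should be set per principal from normal history rather than globally.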
Touching the void
Malicious actors have even built cloud-native malware made up of custom loaders, implants, rootkits, and modular plugins, designed to achieve persistence on compromised targets.
For example, the VoidLink malware is a highly advanced framework that is purpose-built to compromise major cloud infrastructures such as AWS, Azure, GCP, and Kubernetes clusters. The framework, apparently built and maintained by Chinese-affiliated developers, was first identified by researchers from Check Point.
Researchers have said that VoidLink was developed by a single person with assistance from an artificial intelligence (AI) model. It specifically targets Linux/Unix systems, and it shows how AI has industrialized cybercrime. What once required skilled operators and time can now be bought, automated, and scaled globally within as little as a few weeks.
Conclusions
Threat actors are clearly gaining the upper hand by using cloud and AI to scale their operations. More security layers are required to stay ahead of this trend. If an enterprise has not augmented its security posture over the last few years, it is woefully behind. This is especially true given the hybrid and remote work, cloud-first culture that has spread throughout the workforce.