China-Linked Cloud Credential Heist Runs on Typos and SMTP
Why It Matters
The operation exposes a stealthy supply‑chain risk for any organization running Linux workloads in the cloud, potentially granting attackers unfettered access to privileged resources. Early detection is critical to prevent large‑scale data exfiltration and service disruption.
Key Takeaways
- APT41 uses an ELF backdoor to harvest cloud credentials via SMTP C2
- Typosquatted Alibaba domains receive the stolen tokens and are hosted on Singapore infrastructure
- The malware queries instance metadata (169.254.169.254) for IAM, service‑account and managed‑identity tokens
- A UDP broadcast to 255.255.255.255:6006 enables peer‑to‑peer lateral tasking
- Detection requires monitoring outbound SMTP, typosquat domains and metadata queries
Pulse Analysis
The theft of cloud credentials has become a cornerstone of nation‑state cyber‑espionage, and APT41’s latest campaign underscores how attackers are adapting to the multi‑cloud era. By embedding a Linux ELF backdoor in vulnerable workloads, the group taps directly into the metadata services that cloud providers expose for instance identity. Leveraging SMTP on port 25—a protocol often left unchecked in egress filtering—allows the malware to blend with legitimate outbound mail traffic, making network‑based detection exceedingly difficult. The use of three Alibaba‑styled typosquatted domains further obscures the exfiltration path, especially in environments where outbound DNS filtering is lax.
Technical analysis reveals a layered command‑and‑control architecture. After compromising a host, the implant queries the well‑known metadata endpoint (169.254.169.254) to pull IAM role credentials on AWS, service‑account tokens on GCP, managed‑identity tokens on Azure, and RAM role data on Alibaba Cloud. These tokens grant the same privileges as the compromised instance, effectively handing attackers unfettered access to cloud resources. A secondary UDP broadcast to 255.255.255.255:6006 serves as a peer‑to‑peer beacon, enabling lateral task distribution without generating additional C2 traffic. This dual‑channel approach—SMTP for exfiltration and UDP for coordination—sidesteps many traditional detection signatures and evades sandbox analysis that expects HTTP‑based callbacks.
Defenders must adopt a behavior‑driven detection model that goes beyond signature matching. Monitoring for anomalous outbound SMTP connections, especially to newly registered or look‑alike domains, can flag potential C2 activity. Equally important is scrutinizing metadata service calls that deviate from baseline patterns, such as unexpected token requests from non‑privileged instances. Implementing strict egress filtering on port 25, deploying DNS sinkholing for known typosquatted domains, and enforcing zero‑trust principles for cloud workloads will reduce the attack surface. As cloud adoption accelerates, organizations that integrate these controls into their security operations are better positioned to thwart sophisticated credential‑harvesting campaigns like APT41’s.
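As an added illustration of the behaviour‑driven model described above (example code, not from the original report), the following Python checks constructed log events for the four indicators the article names: metadata‑service calls from processes outside an allowlist, outbound SMTP from hosts that are not mail relays, the UDP broadcast to 255.255.255.255:6006, and DNS look‑alikes of Alibaba Cloud domains. The key=value log format, host and process names, allowlists and the legitimate‑domain baseline are all assumptions made for the example.

```python
# Behaviour-based checks for the indicators above; log format and sample lines are constructed.
from difflib import SequenceMatcher
from typing import Optional

METADATA_IP = "169.254.169.254"
LEGIT_DOMAINS = ("aliyun.com", "alibabacloud.com")  # look-alike baseline (assumption)
METADATA_ALLOWLIST = {"cloud-init", "aliyun-service", "amazon-ssm-agent"}  # assumption
SMTP_ALLOWLIST = {"mail-relay-01"}  # hosts permitted to send SMTP outbound (assumption)

def parse(line: str) -> dict:
    """Split 'k=v k=v ...' into a dict; tokens without '=' are ignored."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)

def is_lookalike(qname: str, threshold: float = 0.8) -> bool:
    """Registrable domain that is close to, but not equal to, a legitimate one."""
    base = ".".join(qname.lower().rstrip(".").split(".")[-2:])
    if base in LEGIT_DOMAINS:
        return False
    return any(SequenceMatcher(None, base, d).ratio() >= threshold for d in LEGIT_DOMAINS)

def classify(ev: dict) -> Optional[str]:
    """Return the name of the rule an event trips, or None if it looks benign."""
    if ev.get("type") == "dns":
        return "typosquat_dns" if is_lookalike(ev.get("qname", "")) else None
    proto, dst, dport = ev.get("proto"), ev.get("dst"), ev.get("dport")
    if dst == METADATA_IP and ev.get("proc") not in METADATA_ALLOWLIST:
        return "metadata_unexpected_proc"  # token request from an unexpected process
    if proto == "tcp" and dport == "25" and ev.get("host") not in SMTP_ALLOWLIST:
        return "outbound_smtp"  # possible SMTP exfiltration channel
    if proto == "udp" and dst == "255.255.255.255" and dport == "6006":
        return "udp_broadcast_6006"  # peer-to-peer beacon described above
    return None

def detect(lines) -> list:
    """Return (rule, line) pairs for every line that trips a rule."""
    return [(r, ln) for ln in lines if (r := classify(parse(ln)))]

SAMPLE_LOG = [  # constructed sample events, not from any real incident
    "type=conn host=web-03 proc=cloud-init proto=tcp dst=169.254.169.254 dport=80",
    "type=conn host=web-03 proc=unknown-bin proto=tcp dst=169.254.169.254 dport=80",
    "type=conn host=web-03 proc=unknown-bin proto=tcp dst=198.51.100.7 dport=25",
    "type=conn host=mail-relay-01 proc=postfix proto=tcp dst=198.51.100.9 dport=25",
    "type=conn host=web-03 proc=unknown-bin proto=udp dst=255.255.255.255 dport=6006",
    "type=dns host=web-03 proc=unknown-bin qname=aliyum.com",
    "type=dns host=web-03 proc=aliyun-service qname=ecs.aliyun.com",
]

if __name__ == "__main__":
    for rule, line in detect(SAMPLE_LOG):
        print(f"[{rule}] {line}")
```

The allowlists are where the baseline the article calls for lives: tune them per fleet, since a relay host or an agent missing from them will show up as a false positive.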