The Hacker News recently reported that threat actors are hijacking Amazon Web Services (AWS) environments to run large-scale phishing campaigns, according to new findings from Palo Alto Networks Unit 42. Unit 42 tracks the group as TGR-UNK-0011, a threat cluster that overlaps with the notorious JavaGhost group. Active since 2019, the attackers initially focused on website defacement but have since turned into a financially motivated operation.
"In 2022, they pivoted to sending out phishing emails for financial gain," said security researcher Margaret Kelley. These attacks do not exploit any AWS vulnerability. Instead, the group takes advantage of misconfigured AWS environments: leaked long-term access keys let them abuse Amazon Simple Email Service (SES) and Amazon WorkMail to send phishing emails from the victim's own account.
This technique gives them two key advantages:
1. No Infrastructure Costs – They don’t have to set up or pay for their own servers.
2. Bypassing Email Security – Messages leave through the victim's own SES sending identities, so they appear to come from a trusted source and are harder for recipients' mail filters to detect.
How They Infiltrate AWS Environments
The JavaGhost attackers gain access with exposed long-term IAM access keys (the AKIA-prefixed keys that belong to IAM users) and then use the AWS CLI to take control. Between 2022 and 2024 they adopted more advanced defense-evasion tactics to hide their activity in CloudTrail logs, techniques also attributed to the notorious Scattered Spider group.
Once inside an AWS environment, their strategy includes:
🔹 Generating Temporary Credentials & Login URLs – With the stolen long-term key they mint short-lived STS credentials and console sign-in URLs, which keep their access alive while making the activity harder to attribute to the original key.
🔹 Setting Up New SES and WorkMail Users – These services are leveraged to create phishing infrastructure for sending out scam emails.
🔹 Creating Multiple IAM Users – Some are used actively, while others serve as backdoors for long-term persistence.
🔹 Deploying IAM Roles with Trust Policies – They create roles whose trust policies allow principals in attacker-controlled AWS accounts to assume them, so the attackers can operate inside the victim's environment from their own accounts (cross-account access).
The JavaGhost "Calling Card"
In a brazen move, JavaGhost leaves behind a signature after infiltrating AWS accounts.
🔹 They create a new Amazon EC2 security group named Java_Ghost with the eerie description "We Are There But Not Visible."
🔹 These security groups contain no rules and aren’t attached to any resources—they seem to exist purely as a message to victims.
Researchers confirmed that the creation of these groups consistently appears in CloudTrail logs as CreateSecurityGroup events, which makes the event a reliable indicator of an ongoing breach.
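The post-compromise steps listed above (temporary credentials, new IAM users, cross-account role trust, SES and WorkMail setup) and the Java_Ghost calling card all land in CloudTrail. The following is an added example of how a detection engineer might triage CloudTrail records for that pattern; it is not code from Unit 42 or from the original post. The record fields follow CloudTrail's JSON layout, but every record in SAMPLE_RECORDS is constructed for this example, the victim account ID 111111111111 is fictional, and the choice of API calls on the watchlist is this example's own assumption.

```python
"""Triage CloudTrail records for the JavaGhost-style post-compromise pattern.

Added example, not Unit 42's or the original post's code. Sample records are
constructed; the watchlist of API calls and the victim account ID are assumptions.
"""
import json
import re

VICTIM_ACCOUNT = "111111111111"  # assumed (fictional) victim account ID

# The calling card: an empty security group with this name and description.
CALLING_CARD_NAME = "Java_Ghost"
CALLING_CARD_DESC = "We Are There But Not Visible."

# (eventSource, eventName) pairs matching the steps in the post. Assumed watchlist:
# these calls are routine in some accounts, so they score medium on their own and
# become interesting when several of them cluster on one access key.
WATCHED_EVENTS = {
    ("sts.amazonaws.com", "GetFederationToken"): "temporary credentials / console sign-in URL",
    ("iam.amazonaws.com", "CreateUser"): "new IAM user (possible backdoor)",
    ("iam.amazonaws.com", "CreateAccessKey"): "new long-term key",
    ("ses.amazonaws.com", "CreateEmailIdentity"): "new SES sending identity",
    ("workmail.amazonaws.com", "CreateUser"): "new WorkMail user",
}

ACCOUNT_RE = re.compile(r"arn:aws:iam::(\d{12}):")


def foreign_principals(trust_policy: dict, own_account: str) -> list[str]:
    """Return AWS principals in a role trust policy that are outside own_account."""
    foreign = []
    statements = trust_policy.get("Statement", [])
    if isinstance(statements, dict):  # IAM accepts a single statement object
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            foreign.append("*")
            continue
        aws = principal.get("AWS", [])  # Service/Federated principals are not cross-account
        for entry in [aws] if isinstance(aws, str) else aws:
            match = ACCOUNT_RE.search(entry)
            account = match.group(1) if match else entry  # bare account ID or "*"
            if account != own_account:
                foreign.append(entry)
    return foreign


def triage(records: list[dict], own_account: str = VICTIM_ACCOUNT) -> list[dict]:
    """Return findings in record order; each names the access key that acted."""
    findings = []
    for rec in records:
        name, source = rec.get("eventName"), rec.get("eventSource")
        params = rec.get("requestParameters") or {}
        base = {"time": rec.get("eventTime"), "event": name,
                "key": rec.get("userIdentity", {}).get("accessKeyId"),
                "ip": rec.get("sourceIPAddress")}
        if name == "CreateSecurityGroup" and (params.get("groupName") == CALLING_CARD_NAME
                                              or params.get("groupDescription") == CALLING_CARD_DESC):
            findings.append({**base, "severity": "critical", "reason": "JavaGhost calling card"})
        elif name == "CreateRole":
            # Trust policy assumed to arrive as a JSON string inside requestParameters.
            doc = json.loads(params.get("assumeRolePolicyDocument", "{}"))
            trusted = foreign_principals(doc, own_account)
            if trusted:
                findings.append({**base, "severity": "high",
                                 "reason": f"role {params.get('roleName')} trusts {trusted}"})
        elif (source, name) in WATCHED_EVENTS:
            findings.append({**base, "severity": "medium", "reason": WATCHED_EVENTS[(source, name)]})
    return findings


def _rec(time, source, name, key, params):
    """Build a constructed, field-reduced CloudTrail record (not a real log line)."""
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "sourceIPAddress": "203.0.113.10",
            "userIdentity": {"type": "IAMUser", "accessKeyId": key},
            "requestParameters": params}


ATTACKER_TRUST = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                  "Principal": {"AWS": "arn:aws:iam::999999999999:root"}}]}
LAMBDA_TRUST = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                "Principal": {"Service": "lambda.amazonaws.com"}}]}

SAMPLE_RECORDS = [  # constructed; the stolen key is AWS's documented example key ID
    _rec("2024-05-01T10:00:00Z", "sts.amazonaws.com", "GetFederationToken", "AKIAIOSFODNN7EXAMPLE",
         {"name": "svc", "durationSeconds": 43200}),
    _rec("2024-05-01T10:02:00Z", "iam.amazonaws.com", "CreateUser", "AKIAIOSFODNN7EXAMPLE",
         {"userName": "backup-svc"}),
    _rec("2024-05-01T10:05:00Z", "iam.amazonaws.com", "CreateRole", "AKIAIOSFODNN7EXAMPLE",
         {"roleName": "ops-admin", "assumeRolePolicyDocument": json.dumps(ATTACKER_TRUST)}),
    _rec("2024-05-01T10:09:00Z", "ec2.amazonaws.com", "CreateSecurityGroup", "AKIAIOSFODNN7EXAMPLE",
         {"groupName": "Java_Ghost", "groupDescription": "We Are There But Not Visible.", "vpcId": "vpc-0abc"}),
    _rec("2024-05-01T11:00:00Z", "iam.amazonaws.com", "CreateRole", "AKIAI44QH8DHBEXAMPLE",
         {"roleName": "lambda-exec", "assumeRolePolicyDocument": json.dumps(LAMBDA_TRUST)}),  # benign
]

if __name__ == "__main__":
    for f in triage(SAMPLE_RECORDS):
        print(f["severity"].upper(), f["time"], f["key"], f["event"], f["reason"])
```

The calling card is matched on either the name or the description, since either can be changed independently; the trust-policy check is the one that catches the cross-account persistence, and it deliberately ignores Service and Federated principals so ordinary Lambda or EC2 roles do not page anyone. In production you would feed this from CloudTrail Lake or an Athena query over the trail bucket rather than from a list in memory.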
Defending Against JavaGhost
AWS customers must take proactive steps to secure their environments against these attacks:
1. Audit IAM credentials regularly: remove long-term access keys that are unused, rotate the rest on a schedule, and prefer roles with temporary credentials over static keys.
2. Enforce least privilege on IAM users and roles, and review role trust policies for principals outside your own accounts.
3. Monitor CloudTrail for unusual CreateSecurityGroup events (the Java_Ghost calling card) as well as unexpected CreateUser, CreateRole and SES or WorkMail changes.
4. Scan code repositories, configuration files and build logs for exposed access keys and other misconfigurations.
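Two of the checks above (finding stale long-term keys, and finding keys that have leaked into files) can be done offline. The following is an added example, not code from the original post: the CSV columns are those of the real IAM credential report (the output of `aws iam get-credential-report`), but the report contents and the scanned files are constructed for this example, the fixed "today" date and the 90-day limit are assumptions, and the key values are AWS's documented example credentials.

```python
"""Offline IAM hygiene checks: stale access keys and keys leaked into files.

Added example, not the original post's code. Report rows and files are
constructed; the 90-day limit and the fixed NOW date are assumptions.
"""
import csv
import io
import re
from datetime import datetime, timezone

MAX_KEY_AGE_DAYS = 90  # assumed rotation policy
NOW = datetime(2024, 5, 2, tzinfo=timezone.utc)  # fixed "today" so results are deterministic

# Constructed credential report: real column names, fictional users and dates.
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service
<root_account>,arn:aws:iam::111111111111:root,2019-01-01T00:00:00+00:00,true,2024-04-30T08:00:00+00:00,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A
ci-deploy,arn:aws:iam::111111111111:user/ci-deploy,2021-03-01T00:00:00+00:00,false,N/A,N/A,N/A,false,true,2022-06-15T00:00:00+00:00,2024-05-01T10:00:00+00:00,us-east-1,sts,false,N/A,N/A,N/A,N/A
alice,arn:aws:iam::111111111111:user/alice,2023-01-10T00:00:00+00:00,true,2024-04-29T09:00:00+00:00,2024-02-01T00:00:00+00:00,N/A,true,true,2024-03-01T00:00:00+00:00,2024-04-30T11:00:00+00:00,eu-west-1,s3,false,N/A,N/A,N/A,N/A
"""


def _parse_ts(value: str):
    """Credential report uses N/A / not_supported / no_information for missing timestamps."""
    if value in ("N/A", "not_supported", "no_information", ""):
        return None
    return datetime.fromisoformat(value)


def stale_keys(report_csv: str, now: datetime = NOW, max_age_days: int = MAX_KEY_AGE_DAYS) -> list[dict]:
    """Return active access keys older than max_age_days (or with no rotation date)."""
    stale = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        for slot in ("1", "2"):  # each IAM user can hold two access keys
            if row[f"access_key_{slot}_active"] != "true":
                continue
            rotated = _parse_ts(row[f"access_key_{slot}_last_rotated"])
            age = (now - rotated).days if rotated else None
            if age is None or age > max_age_days:
                stale.append({"user": row["user"], "key_slot": slot, "age_days": age,
                              "last_service": row[f"access_key_{slot}_last_used_service"]})
    return stale


# Long-term keys start with AKIA, temporary (STS) keys with ASIA; both are 20 characters.
AKID_RE = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# A 40-character secret is too generic on its own, so require a variable-name context.
SECRET_RE = re.compile(r"(?i)aws[_-]?secret[_-]?access[_-]?key\s*[=:]\s*[\"']?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])")

# Constructed files; the credentials are AWS's documented example values, not live keys.
SAMPLE_FILES = {
    ".env": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\nAWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n",
    "app.py": "import boto3\nclient = boto3.client('ses')\n",
}


def find_leaked_keys(files: dict[str, str]) -> list[tuple[str, str, str]]:
    """Scan file contents for key IDs and secrets; secrets are masked in the report."""
    hits = []
    for path, text in files.items():
        for line in text.splitlines():
            for akid in AKID_RE.findall(line):
                hits.append((path, "access_key_id", akid))
            for secret in SECRET_RE.findall(line):
                hits.append((path, "secret_access_key", secret[:4] + "****"))
    return hits


if __name__ == "__main__":
    for key in stale_keys(SAMPLE_REPORT):
        print("STALE", key)
    for hit in find_leaked_keys(SAMPLE_FILES):
        print("LEAK", hit)
```

A key that is both old and last used only against `sts` (as `ci-deploy` is here) deserves a closer look, because STS calls are how an attacker turns a stolen long-term key into temporary credentials. The leak scanner reports the key ID in full, since it is an identifier you will need to disable, but masks the secret so the finding itself does not become a second leak.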
With cloud-based phishing attacks on the rise, organizations must remain vigilant against sophisticated adversaries like JavaGhost. The message is clear: misconfigurations can be just as dangerous as vulnerabilities.
Contact us today at Pyralink for an audit on your cloud environment before it is too late.