
Historic JavaGhost website. Source: Wayback Machine
Security researchers from Unit 42 have uncovered an advanced phishing campaign orchestrated by the JavaGhost threat actor group. The group has been active for over five years and continues to target cloud environments, particularly AWS services, to launch sophisticated phishing attacks.
JavaGhost was known for website defacement campaigns, as recorded in databases like DefacerID. However, researchers noted a significant shift in tactics starting in 2022: “Based on our investigations, the group shifted in 2022 from website defacement to sending out phishing campaigns to unsuspecting targets.”
Between 2022 and 2024, Unit 42 linked JavaGhost to multiple phishing campaigns that used compromised AWS environments for email distribution. Notably, these attacks do not exploit AWS vulnerabilities; they rely on misconfigurations in victim organizations’ cloud environments that expose long-term AWS access keys.
JavaGhost exploits overly permissive Identity and Access Management (IAM) permissions, allowing them to abuse Amazon Simple Email Service (SES) and Amazon WorkMail to send phishing emails. By using legitimate AWS services, their emails can evade traditional security filters: “Using preexisting SES infrastructure allows the threat actor’s phishing emails to bypass email protections since the emails originate from a known entity from which the target organization has previously received emails.”
This tactic enables JavaGhost to operate stealthily within compromised cloud environments for extended periods.
Upon obtaining exposed AWS access keys, JavaGhost avoids traditional detection methods by:
- Skipping the GetCallerIdentity API call, which is commonly used by attackers to enumerate compromised accounts.
- Using alternative API calls like GetServiceQuota, GetSendQuota and GetAccount to verify access while avoiding security alerts.
- Generating temporary credentials via the GetFederationToken API, allowing them to create AWS console login URLs with broad permissions.
This technique aligns with advanced adversary behaviors previously attributed to Scattered Spider, a sophisticated cybercriminal group known for its cloud-focused attack techniques.
JavaGhost establishes persistence within compromised environments by:
- Creating new IAM users and roles with administrative access.
- Leveraging AWS WorkMail to establish rogue accounts for phishing operations.
- Configuring SMTP credentials within AWS SES to send fraudulent emails while remaining undetected.
Additionally, JavaGhost has been observed creating misleading AWS security groups labeled “Java_Ghost”, with descriptions such as: “We Are There But Not Visible.”
This phrase matches JavaGhost’s historical website slogans, further linking their activities across different attack campaigns.
With phishing as a primary attack vector, organizations must take immediate action to secure their AWS environments against JavaGhost’s tactics. Recommended defensive measures include:
- Regularly rotating AWS access keys and monitoring for unauthorized API calls.
- Enforcing strict IAM policies to prevent excessive privileges.
- Enabling CloudTrail logging for SES, WorkMail, and IAM activities.
- Deploying email authentication measures (SPF, DKIM, DMARC) to detect fraudulent messages.
Unit 42’s research confirms that JavaGhost’s tactics leave a detectable footprint in AWS logs, allowing organizations to create custom alerts for suspicious activity.
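The following is an added detection example (not Unit 42's or AWS's code) that turns the footprint described above, the quiet access checks that skip GetCallerIdentity, GetFederationToken use, new IAM principals and the "Java_Ghost" security group, into alerts over CloudTrail records. Event and field names follow the CloudTrail record schema; the log records and access key IDs are constructed sample data.

```python
from collections import defaultdict

# Read-only calls the write-up says are used to validate a stolen key
# without the commonly monitored GetCallerIdentity call.
QUIET_PROBES = {"GetServiceQuota", "GetSendQuota", "GetAccount"}
# Calls tied to console access and persistence in the write-up.
PERSISTENCE = {"GetFederationToken", "CreateUser", "CreateRole"}

def _event(name, source, key, ip, params=None):
    # Minimal CloudTrail-shaped record (constructed sample data).
    return {"eventName": name, "eventSource": source,
            "userIdentity": {"accessKeyId": key},
            "sourceIPAddress": ip, "requestParameters": params or {}}

# Constructed sample log: one exposed key probed quietly and then abused,
# one legitimate key whose SES check is preceded by GetCallerIdentity.
SAMPLE_EVENTS = [
    _event("GetSendQuota", "ses.amazonaws.com", "AKIAEXAMPLESTOLEN01", "203.0.113.5"),
    _event("GetServiceQuota", "servicequotas.amazonaws.com", "AKIAEXAMPLESTOLEN01", "203.0.113.5"),
    _event("GetFederationToken", "sts.amazonaws.com", "AKIAEXAMPLESTOLEN01", "203.0.113.5"),
    _event("CreateUser", "iam.amazonaws.com", "AKIAEXAMPLESTOLEN01", "203.0.113.5"),
    _event("CreateSecurityGroup", "ec2.amazonaws.com", "AKIAEXAMPLESTOLEN01", "203.0.113.5",
           {"groupName": "Java_Ghost", "groupDescription": "We Are There But Not Visible"}),
    _event("GetCallerIdentity", "sts.amazonaws.com", "AKIAEXAMPLELEGIT001", "198.51.100.7"),
    _event("GetSendQuota", "ses.amazonaws.com", "AKIAEXAMPLELEGIT001", "198.51.100.7"),
]

def analyze(events):
    """Group records by access key and return {accessKeyId: [finding, ...]}."""
    by_key = defaultdict(list)
    for ev in events:
        by_key[ev.get("userIdentity", {}).get("accessKeyId", "unknown")].append(ev)
    findings = defaultdict(list)
    for key, evs in by_key.items():
        names = [e["eventName"] for e in evs]
        probes = QUIET_PROBES.intersection(names)
        if probes and "GetCallerIdentity" not in names:
            findings[key].append(f"access validated via {sorted(probes)} without GetCallerIdentity")
        for e in evs:
            if e["eventName"] in PERSISTENCE:
                findings[key].append(f"{e['eventName']} from {e['sourceIPAddress']}")
            if e["eventName"] == "CreateSecurityGroup":
                p = e["requestParameters"]
                label = f"{p.get('groupName', '')} {p.get('groupDescription', '')}".lower()
                if "java_ghost" in label or "not visible" in label:
                    findings[key].append(f"security group labelled '{p.get('groupName')}'")
    return dict(findings)

if __name__ == "__main__":
    for key, hits in analyze(SAMPLE_EVENTS).items():
        print(key, *hits, sep="\n  ")
```

The quota-probe rule is a heuristic: in a real account, baseline which principals legitimately call GetSendQuota or GetServiceQuota before alerting on it.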