Attackers are increasingly abusing trusted SaaS platforms, cloud infrastructure, and identity systems to blend malicious activity into legitimate enterprise traffic.

Adversaries are pushing command and control (C2) through high-reputation services, including OpenAI and AWS, to blend in with normal business traffic and evade blocklists.

The shift from “living off the land” to “living off the cloud” reflects how attackers have adapted to the enterprise’s migration of IT infrastructure to hybrid and cloud environments such as AWS, Azure, and Google Cloud.

“Instead of abusing local binaries like PowerShell or WMI [Windows Management Instrumentation] to evade detection, adversaries now leverage native cloud administrative tools, APIs, identity systems, and management consoles to operate using legitimate functionality,” says Arif Khan, head of threat hunting and response services at Mitiga. “Because cloud environments are inherently API-driven, attackers who obtain valid credentials or tokens can enumerate resources, extract data, escalate privileges, and maintain persistence through routine-looking administrative calls.”

Routing attacks through cloud-based services bypasses traditional defenses that rely heavily on domain reputation and static blocklists. Running attack infrastructure from the cloud also makes attacks easier to mount, since the attacker no longer has to build or maintain that infrastructure.

“Attackers are increasingly using legitimate cloud services as part of their attack infrastructure,” says Fredrik Almroth, security researcher and co-founder at Detectify. “Instead of operating their own command-and-control servers, they route traffic through trusted platforms like cloud storage, collaboration tools, or AI APIs. To defenders, it can look like routine traffic to a reputable provider.”

Below are some examples of how attackers are increasingly abusing cloud-based services to mount a variety of attacks.

Covert command-and-control via cloud-hosted productivity tools

Researchers from Google and Mandiant recently disrupted a suspected Chinese cyber-espionage operation (UNC2814) that was abusing legitimate Google Sheets functionality to evade detection.

The Gridtide malware at the center of the campaign connected to a threat actor–controlled Google spreadsheet for C2, effectively allowing it to blend in with normal network traffic.

The malware treats Google Sheets as a live C2 database, using a Service Account token to poll specific cells for instructions before writing results from tasks back into adjacent columns.

“This is part of an ongoing trend of actors increasingly finding success in abusing SaaS platforms as an alternative to creating and maintaining their own custom infrastructure,” according to Google’s researchers.

Hiding command-and-control in trusted APIs

Attackers are also forging malware that routes C2 traffic through trusted services such as OpenAI APIs.

For example, the SesameOp backdoor routes traffic through OpenAI’s Assistants API, masking C2 communications as legitimate AI development work.

“In cases such as the SesameOp backdoor, traffic looks like normal AI development activity,” says Parthiban Jegatheesan, managing director at Peneto Labs. “To security tools, it blends in with legitimate business use, making it much harder to block without breaking real workflows.”

Malware such as VEILDrive and malicious variants of the Havoc post-exploitation framework abuse the Microsoft Graph API.

“The malware authenticates to a legitimate corporate SharePoint or OneDrive tenant where it utilizes Graph API to read command files such as cmd.txt and write ‘output’ files (e.g., results.json) directly into a folder that looks like a user’s personal backup,” explains Kwangyun Keum, a senior offensive security engineer.

Malware staging in object storage

Attackers are increasingly storing second-stage payloads or configuration files in cloud storage services — for example, S3-compatible buckets — instead of their own servers.

“These files are pulled down only when needed, reducing the malware footprint on disk and allowing attackers to swap payloads without redeploying malware,” Peneto Labs’ Jegatheesan says.

Data exfiltration via trusted services

Attackers have also shifted from traditional FTP drops or risky pastebin (text storage) sites to exfiltrating massive troves of sensitive data via everyday cloud-based corporate communication tools such as Slack and Discord, according to Nicholas Carroll, manager of cyber incident response at Nightwing.

Carroll says that in recent attack campaigns threat actors “configured compromised servers to execute HTTPS POST requests to api.slack.com, hooks.slack.com, or discord.com,” using these endpoints to exfiltrate “heavily monitored secrets such as AWS Access Keys, SSH keys, and internal API tokens directly into attacker-controlled chat channels.”
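The pattern Carroll describes (servers, rather than user workstations, issuing large HTTPS POSTs to Slack or Discord endpoints) is one a proxy-log hunt can surface. The following is an added example, not code from the article or from Nightwing; the log format, the subnet prefix that marks servers, and the size threshold are all constructed assumptions.

```python
import re
from collections import defaultdict

# Chat-service endpoints the article names as exfiltration destinations
WATCHED_HOSTS = {"api.slack.com", "hooks.slack.com", "discord.com"}
# Constructed assumption: address prefixes of server subnets, where no human
# should be posting to chat services at all
SERVER_PREFIXES = ("10.0.5.",)

# Constructed proxy log lines (not real data), one event per line:
# timestamp src_ip method host path status bytes_sent
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.5.17 GET  www.example.com /index.html 200 512
2024-05-01T10:00:05Z 10.0.5.17 POST hooks.slack.com /services/T000/B000/XXXX 200 184320
2024-05-01T10:00:09Z 10.0.5.17 POST discord.com /api/webhooks/000/YYYY 204 98304
2024-05-01T10:01:00Z 10.0.8.22 POST api.slack.com /api/chat.postMessage 200 640
2024-05-01T10:02:00Z 10.0.5.17 POST hooks.slack.com /services/T000/B000/XXXX 200 221184
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)\s+(\S+) (\S+) (\d+) (\d+)$")

def parse(log):
    """Yield one dict per well-formed proxy log line; malformed lines are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, src, method, host, path, status, size = m.groups()
        yield {"ts": ts, "src": src, "method": method, "host": host,
               "path": path, "status": int(status), "bytes": int(size)}

def find_exfil_candidates(log, min_bytes=64 * 1024, server_prefixes=SERVER_PREFIXES):
    """Summarise, per source address, large POSTs to chat webhooks that come from
    server subnets. A workstation posting a 640-byte chat message is ignored;
    a server pushing hundreds of KB to a webhook is exactly the pattern of concern."""
    totals = defaultdict(lambda: {"count": 0, "bytes": 0, "hosts": set()})
    for ev in parse(log):
        if ev["method"] != "POST" or ev["host"] not in WATCHED_HOSTS:
            continue
        if not ev["src"].startswith(server_prefixes):
            continue
        if ev["bytes"] < min_bytes:
            continue
        t = totals[ev["src"]]
        t["count"] += 1
        t["bytes"] += ev["bytes"]
        t["hosts"].add(ev["host"])
    return dict(totals)
```

On the sample above only the server 10.0.5.17 is reported, with three uploads totalling 503,808 bytes to two different chat services.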

Hybrid and multi-stage kill chains entirely inside the cloud

Several campaigns demonstrate full cloud-native attack chains, including one campaign linked to a Chinese cyberespionage group.

“Since March 2024, Genesis Panda has systematically weaponized cloud services across the full attack chain — querying AWS Instance Metadata Service (IMDS) for credential harvesting, using cloud storage for payload hosting, routing C2 through domains impersonating legitimate cloud services, and using cloud compute for data exfiltration,” says Diptamay Sanyal, principal engineer for data, AI, and cybersecurity at CrowdStrike.

“The cloud isn’t a target here — it’s the entire operational backbone,” Sanyal adds.

Phishing and social engineering via trusted platforms

Attackers are increasingly hosting lures and login pages on legitimate cloud infrastructure.

For example, Russia-nexus hacking group Cozy Bear (APT29) delivered phishing links redirecting to authentic Microsoft login pages, removing the most common phishing red flag — suspicious domains.

“Victims only ever saw legitimate Microsoft infrastructure, making traditional URL-based detection useless,” says CrowdStrike’s Sanyal.

Serverless and ephemeral infrastructure abuse

Attackers are abusing serverless services, such as AWS Lambda or Azure Functions, to conduct network reconnaissance and scanning.

The tactic was deployed during the HazyBeacon campaign targeting governmental entities in Southeast Asia and uncovered by Palo Alto Networks’ Unit 42 threat intel division.

“Instead of scanning a target from a single compromised server, which gets its IP blocked immediately, the attacker spins up thousands of ephemeral Lambda functions,” says Kaveh Ranjbar, co-founder and CEO of Whisper Security, and ex-CIO/CTO of RIPE NCC. “Each function scans a small slice of the target network and then dies.”

The traffic originates from high-reputation Amazon IPs that rotate constantly. Enterprise firewalls cannot block these IPs without breaking their own access to legitimate AWS services. “The attacker effectively ‘launders’ their traffic through Amazon’s reputation,” Ranjbar adds.

Cloud tunneling

Adversaries are bypassing inbound firewall rules by utilizing legitimate ‘tunneling’ services hosted on major cloud providers.

“An attacker compromises an internal server but cannot open a port to listen for commands due to the corporate firewall,” Whisper Security’s Ranjbar explains. “So, they install a Cloudflare Tunnel or ngrok agent. This agent initiates an outbound connection to the cloud provider, which is usually allowed.”

Ranjbar adds: “To the security team, this looks like legitimate, encrypted HTTPS traffic going to Cloudflare or AWS. In reality, it is a stable C2 channel that tunnels right through the perimeter defenses using trusted infrastructure as the carrier.”

EBS snapshot sharing

Cybercrime groups such as Scattered Spider and Storm-0501 abuse the “snapshot sharing technique,” creating a high-impact IaaS attack vector in the process.

The approach bypasses traditional network security by weaponizing the cloud’s management layer.

“Rather than downloading malicious files, the adversary creates a snap ‘photograph’ of the victim server’s entire hard drive and simply ‘shares’ it using the ModifySnapshotAttribute API with an external cloud account the attackers control,” says offensive security engineer Keum. “The attacker subsequently restores the snapshot and then performs attacks such as ‘offline’ credential dumping.”
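Because the sharing step Keum describes goes through the management plane, it leaves a CloudTrail record rather than a network artefact, and that record is the place to detect it. The following is an added example, not code from the article or from any vendor named in it: it flags ModifySnapshotAttribute calls that grant createVolume rights to the public group or to an account outside an allowlist. The sample records are constructed, and the field layout (requestParameters.createVolumePermission.add.items[].userId or .group) is the assumed shape of the EC2 record.

```python
import json

# Constructed allowlist of accounts that may legitimately receive shared snapshots
TRUSTED_ACCOUNTS = {"111111111111"}

# Constructed CloudTrail records, not real data. The layout
# requestParameters.createVolumePermission.add.items[].userId / .group is the
# assumed shape of an EC2 ModifySnapshotAttribute record.
SAMPLE_EVENTS = json.loads("""[
 {"eventName": "ModifySnapshotAttribute", "userIdentity": {"arn": "arn:aws:iam::222222222222:user/backup-svc"},
  "requestParameters": {"snapshotId": "snap-0aaa",
   "createVolumePermission": {"add": {"items": [{"userId": "111111111111"}]}}}},
 {"eventName": "ModifySnapshotAttribute", "userIdentity": {"arn": "arn:aws:iam::222222222222:user/alice"},
  "requestParameters": {"snapshotId": "snap-0bbb",
   "createVolumePermission": {"add": {"items": [{"userId": "999999999999"}]}}}},
 {"eventName": "ModifySnapshotAttribute", "userIdentity": {"arn": "arn:aws:iam::222222222222:user/alice"},
  "requestParameters": {"snapshotId": "snap-0ccc",
   "createVolumePermission": {"add": {"items": [{"group": "all"}]}}}},
 {"eventName": "ModifySnapshotAttribute", "userIdentity": {"arn": "arn:aws:iam::222222222222:user/alice"},
  "requestParameters": {"snapshotId": "snap-0bbb",
   "createVolumePermission": {"remove": {"items": [{"userId": "999999999999"}]}}}},
 {"eventName": "DescribeSnapshots", "userIdentity": {"arn": "arn:aws:iam::222222222222:user/alice"},
  "requestParameters": {}}
]""")

def added_grantees(event):
    """Yield (kind, value) for each principal a ModifySnapshotAttribute call grants createVolume rights to."""
    if event.get("eventName") != "ModifySnapshotAttribute":
        return
    perm = event.get("requestParameters", {}).get("createVolumePermission", {})
    for item in perm.get("add", {}).get("items", []):
        if "userId" in item:
            yield "account", item["userId"]
        elif "group" in item:
            yield "group", item["group"]

def find_snapshot_exposures(events, trusted=TRUSTED_ACCOUNTS):
    """Flag snapshots shared publicly or with accounts outside the allowlist; removals are ignored."""
    findings = []
    for ev in events:
        for kind, value in added_grantees(ev):
            if kind == "group" and value == "all":
                reason = "public"
            elif kind == "account" and value not in trusted:
                reason = "external-account"
            else:
                continue
            findings.append({"snapshot": ev["requestParameters"]["snapshotId"], "grantee": value,
                             "actor": ev.get("userIdentity", {}).get("arn"), "reason": reason})
    return findings
```

Run over the sample records it reports two findings: snap-0bbb shared with an untrusted account and snap-0ccc made public, while the share to the backup account and the later permission removal are not flagged.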

Trust abuse via Entra ID tenant relationships

China-nexus actor Murky Panda compromised upstream IT service providers to silently pivot into downstream victims through trusted Entra ID (formerly Azure AD) tenant connections, according to CrowdStrike.

Hacking into Entra ID tenant configurations to gain admin privileges is also a feature of ransomware group Storm-0501’s tradecraft.

Pulling secrets directly from cloud vaults

Groups such as Storm-0501 have abused cloud-native secrets stores such as AWS Secrets Manager to harvest credentials as part of their broader ransomware and extortion campaigns.

“Instead of dumping credentials from endpoints, attackers query secrets directly through cloud APIs,” says Peneto Labs’ Jegatheesan. “This avoids endpoint detection and shifts the attack into places many security teams monitor less closely.”

Touching the void

Miscreants have even built cloud-native malware made up of custom loaders, implants, rootkits, and modular plugins, and designed to achieve persistence on compromised targets.

For example, VoidLink is a highly advanced malware framework purpose-built to compromise major cloud infrastructures such as AWS, Azure, GCP, and Kubernetes clusters. The framework, apparently built and maintained by Chinese-affiliated developers, was first identified by researchers from Check Point.
