Cloud Malware: How Attackers Exploit Cloud Services to Deliver and Host Threats
Table of Contents
When cybersecurity teams block connections to unknown or suspicious websites, attackers adapt. Increasingly, threat actors are hosting malware on the same cloud platforms that legitimate businesses use every day â Google Drive, Microsoft OneDrive, Dropbox, AWS S3, and GitHub. These platforms are rarely blocked, their TLS certificates are valid, and their traffic blends seamlessly with normal business operations. Welcome to the era of cloud malware.
What Is Cloud Malware?¶
"Cloud malware" encompasses several related threats:
- Malware hosted on cloud storage: Malicious files stored on Google Drive, OneDrive, Dropbox, or similar platforms and delivered via shared links
- Cloud C2 infrastructure: Malware that uses cloud services (GitHub, Slack, Discord, Trello) as command-and-control channels
- Cloud-native attacks: Malware targeting cloud infrastructure â AWS, Azure, GCP environments â including credential theft, cryptojacking, and data exfiltration from cloud storage
- SaaS platform abuse: Using SaaS platforms (like Google Docs or Notion) to host phishing pages or malware delivery infrastructure
Why Attackers Love Legitimate Cloud Platforms¶
The advantages of abusing trusted cloud platforms are compelling from an attacker's perspective:
Trusted domains bypass filters: Traffic to drive.google.com, onedrive.live.com, or s3.amazonaws.com is almost never blocked by corporate firewalls or web proxies. Security teams struggle to block these domains without disrupting legitimate business operations.
Valid TLS certificates: All major cloud platforms use valid HTTPS certificates. Deep packet inspection can't inspect the content, and certificate validity checks pass.
Free and anonymous access: Most cloud storage services offer free tiers. Attackers create throw-away accounts with anonymous or stolen email addresses to host malware.
High availability and CDN: Cloud platforms provide better uptime than most attacker-owned infrastructure, making malware C2 more reliable.
Attribution difficulty: Malicious content hosted on a shared platform is harder to attribute to a specific attacker.
Real-World Cloud Malware Techniques¶
Phishing with Cloud Storage Links¶
Phishing emails with links to Google Drive or OneDrive documents have largely replaced direct attachment delivery in sophisticated campaigns. The link passes email security scanning (because the domain is trusted), and the document requests macros or downloads additional malware.
APT29 (Cozy Bear), the Russian state-sponsored threat group, has extensively used OneDrive and Google Drive as malware staging areas in campaigns targeting government and defense organizations.
Dropbox and OneDrive C2¶
The ROMCOM malware family (linked to the Cuba ransomware group) used legitimate cloud services including Dropbox for command-and-control. The malware polls a specific Dropbox folder for command files, executes them, and uploads results â all through encrypted Dropbox API calls that appear to be normal cloud sync traffic.
GitHub as C2 Channel¶
Using GitHub repositories or Gist pages as C2 channels is increasingly documented. Malware reads "orders" from a GitHub file that the attacker updates, allowing stealthy command delivery through a platform nearly universally trusted on corporate networks.
AWS, Azure, GCP Metadata Service Abuse¶
In cloud environments, IMDS (Instance Metadata Service) provides EC2 instances, Azure VMs, and GCP instances with credentials via a local HTTP endpoint. Server-Side Request Forgery (SSRF) vulnerabilities in web applications can allow attackers to query this endpoint from outside and steal cloud credentials â a classic cloud-native attack.
S3 Bucket Malware Hosting¶
Misconfigured or intentionally created AWS S3 buckets host malware payloads. The amazonaws.com domain trust means downloads from these buckets bypass many content filtering solutions.
Cloud-Specific Malware Families¶
TeamTNT specializes in targeting cloud environments â particularly Docker and Kubernetes installations exposed to the internet. It deploys cryptominers and credential stealers that target cloud provider credentials and container orchestration systems.
Denonia was the first malware documented running specifically in AWS Lambda functions, abusing serverless computing infrastructure for cryptomining.
S3 Ransomware: Several ransomware incidents have targeted organizations' cloud storage, encrypting or deleting S3 bucket contents and demanding payment for recovery.
Defending Against Cloud Malware¶
For Individuals¶
- Be suspicious of Google Drive / OneDrive / Dropbox links in unexpected emails, even from known contacts (their accounts may be compromised)
- Don't enable macros in documents received via cloud sharing links
- Use MFA on all cloud accounts to prevent account takeover used for malware hosting
For Organizations¶
CASB (Cloud Access Security Broker): Deploy a CASB to inspect and control traffic to cloud services. A CASB can scan files being downloaded from cloud storage for malware signatures before they reach endpoints.
DNS filtering: Use DNS filtering solutions (Cisco Umbrella, Cloudflare Gateway) that can distinguish legitimate cloud service usage from malware C2 patterns even on trusted domains.
Behavioral analytics: Monitor for unusual cloud API activity â large data uploads, downloads from unusual geographic locations, or patterns consistent with C2 polling.
Cloud security posture management (CSPM): For cloud environments, tools like Prisma Cloud or Wiz continuously check for misconfigurations that could enable cloud-native attacks.
Least privilege IAM: Restrict cloud credentials to minimum necessary permissions. Use IAM roles rather than long-lived access keys. Rotate credentials regularly.
FAQ¶
Can my Google Drive account spread malware to others?
If attackers compromise your Google account, they can upload malware and share it to your contacts â who may trust a file from you more than from a stranger.
How do I know if a Google Drive link contains malware?
Google scans files in Drive for known malware, but novel threats evade scanning. Treat unexpected Drive links with the same skepticism as email attachments. When in doubt, scan before opening.
Is cloud malware more common in targeted attacks or mass campaigns?
Both. Mass phishing campaigns commonly use OneDrive and Google Drive links for payload delivery. Targeted APT attacks use cloud infrastructure for stealthy C2.
What should I do if my cloud storage account was used to distribute malware?
Change your password immediately, enable MFA, review account activity for unauthorized access, and report the incident to the cloud provider.
This article is published by ScamSandbox to help users understand and avoid malware threats and online scams.