Attackers Abuse AWS, Google Cloud, Cloudflare, and Microsoft Services to Hide Malicious Traffic

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer


Attackers Hide Malicious Traffic in Cloud
Cybercriminals are increasingly weaponizing trusted cloud infrastructure, including Amazon Web Services, Google Cloud, Microsoft Azure, Cloudflare, and GitHub, to camouflage malicious traffic, evade detection, and sustain long-lived Command and Control (C2) operations.

A recent threat intelligence investigation using ANY.RUN’s Threat Intelligence (TI) Lookup reveals just how deeply this abuse has become embedded in modern attack chains.

The investigation by Threat Researcher Clandestine, spanning five targeted OSINT queries across ANY.RUN’s dynamic threat intelligence database, which indexes over 50 million IOCs, IOBs, and IOAs derived from real-time sandbox analyses conducted by over 500,000 analysts globally, exposes a recurring pattern: legitimate services are being turned into shields for adversarial activity.


Remote Access Trojan’s attack chain and TTPs mapped in a Sandbox analysis 

One of the most alarming findings emerged from a JA3S TLS fingerprint query targeting the hash 1af33e1657631357c73119488045302c, a signature commonly associated with Cobalt Strike beacons.

Search by a single connection parameter reveals a malicious pattern 

Analysts querying this hash in TI Lookup uncovered more than 1,000 system events, predominantly involving native Windows processes such as slui.exe, svchost.exe, and PowerShell, classic Living-off-the-Land Binary (LOLBin) abuse. Nearly all communication was routed over port 443 (HTTPS), exploiting the protocol’s ubiquity to blend into normal enterprise traffic.

More critically, the C2 infrastructure tied to this JA3S fingerprint was found hosted across Microsoft, GitHub, Google, Amazon, and Cloudflare. This deliberate use of reputable platforms makes traditional reputation-based blocking ineffective.

JA3S fingerprinting provides a behavioral anchor that persists even as adversaries rotate domains and IP addresses, a powerful technique for tracking C2 infrastructure continuity.

Detection of this JA3S hash in network telemetry should be treated as a strong indicator of Cobalt Strike infection, immediately triggering endpoint correlation and incident response workflows.

The investigation also uncovered active phishing campaigns targeting Brazilian organizations, where attackers are leveraging subdomains of globally recognized services alongside malicious domains.

The use of globally hosted infrastructure serves a dual purpose: it lends the attacks a veneer of legitimacy and actively hinders domain takedowns. Security teams in Brazil and similar regions should be especially alert to emails containing links hosted on subdomains of popular cloud services.

Network infrastructure related to phishing attacks on Brazilian users 

Compounding this is the discovery of Business Email Compromise (BEC) campaigns deploying fake invoice PDF files named invoice.pdf and pagamento.pdf (Portuguese for “payment”) hosted on Amazon S3 buckets.

Files spotted in phishing campaigns with fake financial documents 

These files serve as infection vectors for financial fraud operations. The finding reinforces that legitimate cloud storage is now a preferred staging ground for initial payload delivery, with file hashes from these samples providing actionable IOCs for blocking and detection.

Trojan Traffic Tunneled Through HTTPS on Port 443

A behavior-based hunting query combining Russian IP geolocation, Suricata trojan classifications, and port 443 communication surfaced a diverse ecosystem of malicious traffic deliberately disguised as routine encrypted web activity.

Gather IOCs and observe 443 port exploited in a single lookup 

This multi-layered attack strategy, employing multiple legitimate services across various ports for communication and fallback, demonstrates how attackers architect resilience directly into their infrastructure.

The .top TLD emerged as a particularly hostile domain space, with Domain Generation Algorithm (DGA) domains classified as malicious at scale.

These domains routinely leverage WinRAR archives for payload delivery and use Cloudflare services to conceal true server locations. Given the extremely high volume of malicious activity tied to .top, many organizations are now blocking the entire TLD proactively at the perimeter.


Malicious domains and linked IOCs must be gathered for detection/response 

For SOC teams and threat hunters, this research underscores several critical imperatives. Multi-parameter hunting queries combining JA3S fingerprints, destination geolocation, Suricata classifications, and file path patterns will outperform single-IOC lookups significantly.

Detection rules targeting the identified JA3S hash, HTTPS-based C2 behavior, and high-risk TLDs like .top, .shop, and .cc should be deployed immediately. Integration of ANY.RUN’s TI Feeds and Lookup results into SIEM/SOAR platforms can automate threat correlation and reduce analyst burden.
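One way to implement the stacked hunting criteria described above (JA3S hash, port 443 C2 behavior, and high-risk TLDs in one query rather than single-IOC lookups), as an added example that is not from the article or from ANY.RUN: a small Python hunt over Zeek-style JSON ssl.log records. The sample records are constructed, and the ja3s/server_name field names and the scoring weights are assumptions.

```python
import json

# JA3S hash quoted in the article as commonly associated with Cobalt Strike beacons.
COBALT_STRIKE_JA3S = {"1af33e1657631357c73119488045302c"}
# High-risk TLDs named in the article's detection guidance.
HIGH_RISK_TLDS = {"top", "shop", "cc"}

# Constructed sample records in Zeek-style JSON ssl.log form (the ja3s field as
# emitted by the common Zeek JA3 package is assumed). Values are made up.
SAMPLE_SSL_LOG = """
{"ts":1700000001.1,"uid":"C1","id.orig_h":"10.0.0.5","id.resp_h":"192.0.2.10","id.resp_p":443,"server_name":"cdn.example.com","ja3s":"f4febc55ea12b31ae17cfb7e614afda8"}
{"ts":1700000002.2,"uid":"C2","id.orig_h":"10.0.0.7","id.resp_h":"192.0.2.20","id.resp_p":443,"server_name":"updates.example.net","ja3s":"1af33e1657631357c73119488045302c"}
{"ts":1700000003.3,"uid":"C3","id.orig_h":"10.0.0.9","id.resp_h":"198.51.100.4","id.resp_p":443,"server_name":"x7k2q9.top","ja3s":"a1b2c3d4e5f60718293a4b5c6d7e8f90"}
{"ts":1700000004.4,"uid":"C4","id.orig_h":"10.0.0.9","id.resp_h":"198.51.100.8","id.resp_p":8443,"server_name":"pay.example.shop","ja3s":"1af33e1657631357c73119488045302c"}
"""

def tld_of(host):
    """Return the last DNS label of a hostname, lower-cased ('' if there is none)."""
    host = (host or "").rstrip(".").lower()
    return host.rsplit(".", 1)[-1] if "." in host else ""

def score_event(ev):
    """Apply the stacked criteria to one TLS record. A JA3S match alone is a
    strong indicator; port 443 and a high-risk TLD add weaker supporting context."""
    score, reasons = 0, []
    if (ev.get("ja3s") or "").lower() in COBALT_STRIKE_JA3S:
        score += 80
        reasons.append("ja3s:cobalt-strike")
    if ev.get("id.resp_p") == 443:
        score += 5
        reasons.append("port:443")
    if tld_of(ev.get("server_name")) in HIGH_RISK_TLDS:
        score += 30
        reasons.append("tld:high-risk")
    return score, reasons

def hunt(log_text, threshold=30):
    """Parse JSON-lines records and return those at or above the threshold,
    highest score first, so JA3S hits surface ahead of TLD-only hits."""
    hits = []
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append({"uid": ev["uid"], "server_name": ev.get("server_name"),
                         "resp": f'{ev["id.resp_h"]}:{ev["id.resp_p"]}',
                         "score": score, "reasons": reasons})
    return sorted(hits, key=lambda h: h["score"], reverse=True)

if __name__ == "__main__":
    for hit in hunt(SAMPLE_SSL_LOG):
        print(hit)
```

The threshold of 30 is set so that a single weak signal (port 443 alone) never fires, while a JA3S match fires regardless of port, matching the article's guidance that the hash itself is a strong indicator.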

At an organizational level, the extensive abuse of trusted infrastructure from Microsoft, Google, and Amazon proves that brand reputation no longer guarantees network safety.

Adopting a Zero Trust posture, investing in advanced sandbox-based detection, and educating financial teams about BEC and phishing risks are no longer optional; they are baseline requirements for resilience in a threat landscape where the attacker’s most reliable weapon is the cloud platform your enterprise already trusts.
