Friday, May 2, 2025
HomeCyber Security NewsHackers Deploying Androxgh0st Botnet Malware that Steals AWS, Microsoft Credentials

Hackers Deploying Androxgh0st Botnet Malware that Steals AWS, Microsoft Credentials

Published on

SIEM as a Service

Follow Us on Google News

Threat actors use botnet malware to gain access to the network of compromised systems that enable them to perform several types of illicit activities.

They get attracted to botnet malware due to its distributed and anonymous infrastructure, which makes it stealthy and sophisticated.

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) recently discovered that hackers are actively deploying Androxgh0st botnet malware that steals AWS and Microsoft credentials.

- Advertisement - Google News
Document
Free Webinar

Fastrack Compliance: The Path to ZERO-Vulnerability

Compounding the problem are zero-day vulnerabilities like the MOVEit SQLi, Zimbra XSS, and 300+ such vulnerabilities that get discovered each month. Delays in fixing these vulnerabilities lead to compliance issues, these delay can be minimized with a unique feature on AppTrana that helps you to get “Zero vulnerability report” within 72 hours.

Androxgh0st Botnet Malware

Androxgh0st malware builds a botnet to find and exploit victims in target networks. It’s a Python-scripted threat targeting .env files with sensitive data, like credentials for AWS, Office 365, SendGrid, and Twilio. 

This botnet malware, “Androxgh0st,” also misuses SMTP for scanning, exploiting credentials and APIs, and deploying web shells on compromised targeted systems.

To scan for websites with vulnerabilities, Androxgh0st malware uses scripts by exploiting CVE-2017-9841 to run PHP code remotely via PHPUnit.

It targets /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php URI on websites with exposed /vendor folders, which allows threat actors to execute code. 

Not only that, but this malware also enables downloading malicious files, setting up fake pages for backdoor access, and accessing databases in cyber operations.

The malware targets the .env files for credentials, and to scan Laravel web applications, it forms a botnet.

Threat actors issue GET/POST requests to /.env URI by searching for usernames, passwords, and more. In debug mode, they use a POST variable (0x[]) as an identifier. 

If successful, they access email, AWS credentials, and the Laravel application key. 

Besides this, by exploiting CVE-2018-15133, they encrypt PHP code to pass it through the XSRF-TOKEN cookie for remote code execution and file uploads.

Threat actors behind Androxgh0st botnet malware exploit CVE-2021-41773 by scanning Apache servers (v2.4.49 or v2.4.50). Through path traversal, they locate files beyond the root directory, allowing remote code execution

They access sensitive data or misuse the services by obtaining the credentials. While for AWS compromises; they create users, policies, and instances for further scanning.

Looking for cost-effective penetration testing services? Try Kelltron’s to assess and evaluate the security posture of digital systems – 

Tushar Subhra
Tushar Subhra
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

CISA Issues New ICS Advisories Addressing Critical Vulnerabilities and Exploits

The Cybersecurity and Infrastructure Security Agency (CISA) has issued two new advisories revealing critical...

NVIDIA TensorRT-LLM Vulnerability Let Hackers Run Malicious Code

NVIDIA has issued an urgent security advisory after discovering a significant vulnerability (CVE-2025-23254) in...

CISA Issues Alert on Actively Exploited Apache HTTP Server Escape Vulnerability

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent alert regarding a...

Disney Hacker Admits Guilt After Stealing 1.1TB of Internal Data

A 25-year-old man from Santa Clarita, California, has agreed to plead guilty to hacking...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

CISA Issues New ICS Advisories Addressing Critical Vulnerabilities and Exploits

The Cybersecurity and Infrastructure Security Agency (CISA) has issued two new advisories revealing critical...

NVIDIA TensorRT-LLM Vulnerability Let Hackers Run Malicious Code

NVIDIA has issued an urgent security advisory after discovering a significant vulnerability (CVE-2025-23254) in...

CISA Issues Alert on Actively Exploited Apache HTTP Server Escape Vulnerability

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent alert regarding a...