Hackers Abuse Amazon & GitHub to Deploy Java-based Malware

Hackers target these platforms due to their hosting of valuable resources and data.

For financial gain or some other bad motive, the hackers intrude on these platforms to steal data, deploy malicious software, or launch other cyber attacks.

Cybersecurity analysts at FortiGuard Labs uncovered that hackers actively abuse Amazon and GitHub to deploy Java-based malware.

Amazon & GitHub Abused

FortiGuard Labs found a phishing campaign tricking users into downloading malicious Java downloaders, which were aimed at spreading new VCURMS and STRRAT RATs. 

It’s been discovered that the malware hosted on AWS and GitHub was obfuscated via a commercial protector.

The attacker uses email for C2 by leveraging privacy-focused Proton Mail service at the victim’s end.

Attack flow (Source - Fortinet)Attack flow (Source - Fortinet)
Attack flow (Source – Fortinet)

Phishing emails lure victims to click the button, downloading malicious AWS-hosted JAR downloaders with obfuscated strings.

The downloader fetches and runs two more JARs that use a commercial “Sense Shield Virbox Protector” obfuscator with a trial expiration notice. 

Unusual RAT communicates via email, persists via the Startup folder, identifies victims by computer name/Volume ID, and then checks the email subject for ID to execute commands in the body. 

Keylogger and password stealer disguised as JPGs on AWS were downloaded via PowerShell.

It provides shell command execution, file upload/download, and malware installation. 

In this campaign, top malware uses the Branchlock obfuscator, which the Narumii/Deobfuscator aids in partially decoding. 

Upon receiving the “recovery” command, the program is deployed to steal system info, browser data, and app details to %USERPROFILE%\AppData\cookie as st.jar.

Discord and Steam are the apps that are targeted along with the top browsers like Brave, Chrome, Edge, Firefox, Opera, OperaGX, Vivaldi, and Yandex to collect the following types of system information:-

  • Network information
  • Computer information
  • Hardware information
  • Process lists
  • Screenshots

The program named VCURMS gathers app account details, cookies, browsing history, and passwords, storing them in %USERPROFILE%/<username>. Unlike Rude Stealer, it sends stolen data via the same path and email address as the main program.

VCURMS (Source – Fortinet)

Keylogger is stored in %USERPROFILE%\AppData\cookie\klog.jar, which records the keystrokes.

“windows.jar” executes additional actions like sending logs back. 

STRRAT is a Java-based RAT that can be used as a keylogger and extract credentials.

By 2023, it was found to use ZKM and Allatori for evasion. 

The recent attack campaign observed by FortiGuard Labs still uses Allatori and Branchlock for obfuscation.

Decoding the config file reveals server info and ID “Khonsari” with Base64 and AES decryption using the “strigoi” passphrase.

The attack launches malware simultaneously by using STRRAT and new Java-based VCURMS.

VCURMS handles C&C but also deploys modified Rude Stealer, a keylogger for data theft.

Threat actor obfuscates code and attempts C&C via email.

IOCs

E-mails

  • copier@ferrellengineering[.]com
  • sacriliage@proton[.]me

Domains

  • bankofindustry[.]s3[.]us-east-2[.]amazonaws[.]com
  • riseappbucket[.]s3[.]ap-southeast-1[.]amazonaws[.]com
  • ofornta[.]ddns[.]net
  • jbfrost[.]live
  • backinghof[.]ddns[.]net

Files

  • 97e67ac77d80d26af4897acff2a3f6075e0efe7997a67d8194e799006ed5efc9
  • 8d72ca85103f44742d04ebca02bff65788fe6b9fc6f5a411c707580d42bbd249
  • 588d6f6feefa6273c87a3f8a15e2089ee3a063d19e6a472ffc0249298a72392d
  • 8aa99504d78e88a40d33a5f923caf7f2ca9578031d004b83688aafdf13b3b59f
  • c0d0dee9b8345da3c6cf3e1c3ce5b5b6e8c9e4002358517df1e3cd04c0f0b3d1

With Perimeter81 malware protection, you can block malware, including Trojans, ransomware, spyware, rootkits, worms, and zero-day exploits. All are incredibly harmful and can wreak havoc on your network.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.

Tushar Subhra

Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Recent Posts

Zero-Trust Policy Bypass Enables Exploitation of Vulnerabilities and Manipulation of NHI Secrets

A new project has exposed a critical attack vector that exploits protocol vulnerabilities to disrupt…

5 hours ago

Threat Actor Sells Burger King Backup System RCE Vulnerability for $4,000

A threat actor known as #LongNight has reportedly put up for sale remote code execution…

5 hours ago

Chinese Nexus Hackers Exploit Ivanti Endpoint Manager Mobile Vulnerability

Ivanti disclosed two critical vulnerabilities, identified as CVE-2025-4427 and CVE-2025-4428, affecting Ivanti Endpoint Manager Mobile…

5 hours ago

Hackers Target macOS Users with Fake Ledger Apps to Deploy Malware

Hackers are increasingly targeting macOS users with malicious clones of Ledger Live, the popular application…

5 hours ago

EU Targets Stark Industries in Cyberattack Sanctions Crackdown

The European Union has escalated its response to Russia’s ongoing campaign of hybrid threats, announcing…

9 hours ago

Venice.ai’s Unrestricted Access Sparks Concerns Over AI-Driven Cyber Threats

Venice.ai has rapidly emerged as a disruptive force in the AI landscape, positioning itself as…

10 hours ago