Hackers Abuse Amazon & GitHub to Deploy Java-based Malware

Hackers target these platforms due to their hosting of valuable resources and data.

For financial gain or some other bad motive, the hackers intrude on these platforms to steal data, deploy malicious software, or launch other cyber attacks.

Cybersecurity analysts at FortiGuard Labs uncovered that hackers actively abuse Amazon and GitHub to deploy Java-based malware.

Amazon & GitHub Abused

FortiGuard Labs found a phishing campaign tricking users into downloading malicious Java downloaders, which were aimed at spreading new VCURMS and STRRAT RATs. 

It’s been discovered that the malware hosted on AWS and GitHub was obfuscated via a commercial protector.

The attacker uses email for C2 by leveraging privacy-focused Proton Mail service at the victim’s end.

Attack flow (Source - Fortinet)Attack flow (Source - Fortinet)
Attack flow (Source – Fortinet)

Phishing emails lure victims to click the button, downloading malicious AWS-hosted JAR downloaders with obfuscated strings.

The downloader fetches and runs two more JARs that use a commercial “Sense Shield Virbox Protector” obfuscator with a trial expiration notice. 

Unusual RAT communicates via email, persists via the Startup folder, identifies victims by computer name/Volume ID, and then checks the email subject for ID to execute commands in the body. 

Keylogger and password stealer disguised as JPGs on AWS were downloaded via PowerShell.

It provides shell command execution, file upload/download, and malware installation. 

In this campaign, top malware uses the Branchlock obfuscator, which the Narumii/Deobfuscator aids in partially decoding. 

Upon receiving the “recovery” command, the program is deployed to steal system info, browser data, and app details to %USERPROFILE%\AppData\cookie as st.jar.

Discord and Steam are the apps that are targeted along with the top browsers like Brave, Chrome, Edge, Firefox, Opera, OperaGX, Vivaldi, and Yandex to collect the following types of system information:-

  • Network information
  • Computer information
  • Hardware information
  • Process lists
  • Screenshots

The program named VCURMS gathers app account details, cookies, browsing history, and passwords, storing them in %USERPROFILE%/<username>. Unlike Rude Stealer, it sends stolen data via the same path and email address as the main program.

VCURMS (Source – Fortinet)

Keylogger is stored in %USERPROFILE%\AppData\cookie\klog.jar, which records the keystrokes.

“windows.jar” executes additional actions like sending logs back. 

STRRAT is a Java-based RAT that can be used as a keylogger and extract credentials.

By 2023, it was found to use ZKM and Allatori for evasion. 

The recent attack campaign observed by FortiGuard Labs still uses Allatori and Branchlock for obfuscation.

Decoding the config file reveals server info and ID “Khonsari” with Base64 and AES decryption using the “strigoi” passphrase.

The attack launches malware simultaneously by using STRRAT and new Java-based VCURMS.

VCURMS handles C&C but also deploys modified Rude Stealer, a keylogger for data theft.

Threat actor obfuscates code and attempts C&C via email.

IOCs

E-mails

  • copier@ferrellengineering[.]com
  • sacriliage@proton[.]me

Domains

  • bankofindustry[.]s3[.]us-east-2[.]amazonaws[.]com
  • riseappbucket[.]s3[.]ap-southeast-1[.]amazonaws[.]com
  • ofornta[.]ddns[.]net
  • jbfrost[.]live
  • backinghof[.]ddns[.]net

Files

  • 97e67ac77d80d26af4897acff2a3f6075e0efe7997a67d8194e799006ed5efc9
  • 8d72ca85103f44742d04ebca02bff65788fe6b9fc6f5a411c707580d42bbd249
  • 588d6f6feefa6273c87a3f8a15e2089ee3a063d19e6a472ffc0249298a72392d
  • 8aa99504d78e88a40d33a5f923caf7f2ca9578031d004b83688aafdf13b3b59f
  • c0d0dee9b8345da3c6cf3e1c3ce5b5b6e8c9e4002358517df1e3cd04c0f0b3d1

With Perimeter81 malware protection, you can block malware, including Trojans, ransomware, spyware, rootkits, worms, and zero-day exploits. All are incredibly harmful and can wreak havoc on your network.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.

Tushar Subhra

Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Recent Posts

Hackers Bypass AI Filters from Microsoft, Nvidia, and Meta Using a Simple Emoji

Cybersecurity researchers have uncovered a critical flaw in the content moderation systems of AI models…

6 minutes ago

Microsoft Alerts That Default Helm Charts May Expose Kubernetes Apps to Data Leaks

Microsoft’s cybersecurity research team has issued a stark warning about the risks of using default…

9 minutes ago

Popular Instagram Blogger’s Account Hacked to Phish Users and Steal Banking Credentials

A high-profile Russian Instagram blogger recently fell victim to a sophisticated cyberattack, where scammers hijacked…

48 minutes ago

Ransomware Attacks on Food & Agriculture Industry Surge 100% – 84 Attacks in Just 3 Months

The food and agriculture industry is facing an unprecedented wave of cybersecurity threats in 2025,…

58 minutes ago

Microsoft 365 Copilot and Office Apps Now Protected by SafeLinks at Click Time

Microsoft announced a major update aimed at bolstering the cybersecurity of its flagship AI-powered productivity…

1 hour ago

Hackers Targeting Schools and Universities in New Mexico with Cyber Attacks

A major cyberattack on the Coweta County School System's computer network occurred late Friday night, which is a worrying development for New Mexico's educational institutions. The unauthorized intrusion, detected around 7:00 p.m., prompted immediate action from the school…

1 hour ago