Saturday, May 31, 2025
HomeMalwareSiloscape: First Known Malware Targeting Windows Containers to Hack Cloud Environments

Siloscape: First Known Malware Targeting Windows Containers to Hack Cloud Environments

Published on

SIEM as a Service

Follow Us on Google News

Using Windows Server in a “Windows container”? Then beware of it, as recently, it has been confirmed that highly sophisticated malware has been active for over a year.

The cybersecurity researchers at Palo Alto Networks Unit 42 have recently discovered a new malware, known as, “Siloscape,” and it uses Windows containers to access Kubernetes clusters. 

Since they generally focus on Linux systems, that’s why it goes after the Windows containers that are deemed as unusual. To connect to a C2 server that is used by attackers to control the Siloscape, data filtering, and commands, the malware (Siloscape) uses a Tor proxy and an onion domain.

- Advertisement - Google News

Technical Overview

Through server isolation and un-patched vulnerabilities, Cloudmalware.exe, it’s the malware that targets the Windows containers. After that using the different breakout techniques for Windows containers, Siloscape try to run the RCE on a container’s underlying node.

Siloscape

To steal data from the apps present on the cluster or upload cryptographers, the Siloscape will create malicious containers, but these things will be possible when it will manage to break out and establish itself in a cluster successfully.

Behaviors and techniques used

  • Exploiting the known vulnerabilities, it targets the common cloud apps for initial access like web servers.
  • To gain code execution on the underlying node and avoid the container it uses escape techniques of Windows container.
  • To spread in the cluster, it abuses the node’s credentials.
  • Over the Tor network using the IRC protocol, it connects to its C2 server.
  • While for the further commands, it usually waits.
  • Waits for further commands.

During the investigations, the researchers at Palo Alto Networks Unit 42 identified, “23 active victims and a total of 313 victims from the past year.” 

However, the security experts were expelled from the server after the operators identified them, and not only that even after their detection they also shut down the service running on the onion address.

Here, initially, the Siloscape evades the detection then it installs a backdoor on the infected system to open the gateway to exploit the negotiated cloud infrastructure to carry out malicious actions like:-

  • Theft of credentials
  • Theft of personal data
  • Ransomware attacks
  • Supply chain attacks

Apart from these things, Siloscape has a different view as compared to other malware; since the maximum number of cloud-based malware is designed to carry out DDoS attacks and mine cryptocurrencies.

Indicators of Compromise

DescriptionSHA256
Our Siloscape variant5B7A23676EE1953247A0364AC431B193E32C952CF17B205D36F800C270753FCB
unzip.exe, the unzip binary Siloscape writes to the disk81046F943D26501561612A629D8BE95AF254BC161011BA8A62D25C34C16D6D2A
tor.zip, the tor archive Silsocape writes to the disk010859BA20684AEABA986928A28E1AF219BAEBBF51B273FF47CB382987373DB7
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Attackers Exploit Microsoft Entra Billing Roles to Escalate Privileges in Organizational Environments

A startling discovery by BeyondTrust researchers has unveiled a critical vulnerability in Microsoft Entra...

Threat Actors Exploit Google Apps Script to Host Phishing Sites

The Cofense Phishing Defense Center has uncovered a highly strategic phishing campaign that leverages...

Dadsec Hacker Group Uses Tycoon2FA Infrastructure to Steal Office365 Credentials

Cybersecurity researchers from Trustwave’s Threat Intelligence Team have uncovered a large-scale phishing campaign orchestrated...

Beware: Weaponized AI Tool Installers Infect Devices with Ransomware

Cisco Talos has uncovered a series of malicious threats masquerading as legitimate AI tool...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Hackers Use AI-Generated Videos on TikTok to Spread Info-Stealing Malware

TrendMicro has uncovered a sophisticated campaign where threat actors are exploiting TikTok to distribute...

Novel Malware Evades Detection by Skipping PE Header in Windows

Researchers have identified a sophisticated new strain of malware that bypasses traditional detection mechanisms...

New Rust-Based InfoStealer Uses Fake CAPTCHA to Deliver EDDIESTEALER

A newly discovered Rust-based infostealer, dubbed EDDIESTEALER, has been uncovered by Elastic Security Labs,...