A sophisticated Linux backdoor linked to Chinese state-sponsored hackers has been quietly harvesting cloud credentials from major providers for at least six years, exploiting a fundamental weakness in how cloud infrastructure handles internal authentication.
Security researchers at Breakglass Intelligence have uncovered an ongoing campaign by APT41, also known as Winnti, that targets AWS, Google Cloud Platform, Azure, and Alibaba Cloud environments. The malware operates by extracting credentials directly from instance metadata services—the internal APIs that cloud workloads use to authenticate themselves—turning a core cloud security feature into an attack vector.
The Metadata Service Vulnerability
At the heart of this campaign lies a design characteristic common to all major cloud providers: the instance metadata service. This internal API, typically accessible at the IP address 169.254.169.254, allows virtual machines and containers to retrieve their own credentials and configuration data without storing sensitive information on disk.
The APT41 backdoor queries these endpoints systematically. On AWS, it extracts IAM role credentials. In Google Cloud, it targets service account tokens. Azure deployments yield managed identity tokens, while Alibaba Cloud instances expose RAM role credentials. These aren't static passwords—they're temporary tokens that grant the same access privileges as the compromised workload itself.
What makes this particularly dangerous is that these credentials are designed to be accessible without authentication from within the instance. The metadata service assumes that if you can query it, you must be the legitimate workload. Once an attacker gains initial access to any cloud instance through conventional means—a vulnerable application, misconfigured service, or compromised container—the metadata service becomes an open vault.
SMTP as Camouflage
The technical sophistication extends to how stolen data exits the network. Rather than using HTTPS connections that modern security tools scrutinize heavily, the malware communicates over SMTP port 25—the protocol designed for email transmission.
This choice exploits a gap in cloud security postures. Many organizations maintain legacy systems or email relay configurations that require outbound SMTP access. Security teams often apply less stringent inspection to port 25 traffic, assuming it carries routine email rather than command-and-control communications. The researchers note that egress filtering on this port remains inconsistent across cloud providers, creating a reliable exfiltration channel.
The command-and-control infrastructure adds another layer of operational security. The malware's servers remain completely silent unless they receive a specific handshake sequence. Automated security scanners like Shodan and Censys, which work by probing internet-facing services, find nothing. Sandbox environments that attempt to analyze the malware see no network activity unless they can replicate the exact authentication sequence the attackers use.
Domain Deception at Scale
APT41 routes stolen credentials through three typosquatted domains that mimic legitimate Alibaba Cloud services. These domains are hosted on actual Alibaba Cloud infrastructure in Singapore, allowing malicious traffic to blend with genuine cloud API calls.
For security operations teams monitoring network traffic, distinguishing between a legitimate API call to Alibaba Cloud and a credential exfiltration attempt becomes nearly impossible without deep packet inspection or domain reputation analysis. In multi-cloud environments where Alibaba Cloud services are legitimately used, the deception becomes even more effective.
The malware also implements a peer-to-peer coordination mechanism through UDP broadcasts. Compromised hosts periodically send encoded beacons to the broadcast address 255.255.255.255 on port 6006. Other infected machines on the same network segment can receive these broadcasts, enabling lateral movement and task distribution without generating additional command-and-control traffic that might trigger alerts.
Evolution of a Six-Year Campaign
Breakglass researchers traced the campaign's origins back to 2020, when the first variant called "PWNLNX" used basic reverse shell techniques and simple XOR encoding. The current iteration represents a substantial evolution in tradecraft.
The modern backdoor is an obfuscated ELF binary—the executable format for Linux systems—that was completely undetected by VirusTotal's collection of antivirus engines at the time of analysis. This "zero-detection" status reflects both the malware's technical sophistication and the challenge security vendors face in identifying novel threats that don't match known signatures.
The six-year timeline suggests this isn't an opportunistic campaign but a sustained intelligence collection operation. APT41 has maintained and refined this toolset across multiple iterations, adapting to changes in cloud provider security measures while keeping the core methodology intact.
Detection Requires Behavioral Analysis
Traditional signature-based detection fails against this threat. Organizations need to implement behavior-driven monitoring across three layers: network, host, and cloud control plane.
Network monitoring should flag unusual outbound SMTP connections, particularly to domains that resemble but don't exactly match known cloud providers. The periodic UDP broadcasts to 255.255.255.255:6006 represent another distinctive pattern. However, these indicators alone may generate false positives in complex environments.
At the host level, security teams should investigate any obfuscated or unknown ELF binaries, especially those making unexpected queries to the 169.254.169.254 metadata endpoint. Not all metadata queries are malicious—legitimate applications use this service constantly—but unusual access patterns or queries from processes that shouldn't need cloud credentials warrant investigation.
Cloud-native detection offers the most reliable approach. Cloud providers' logging services can track every metadata service query and credential usage. Anomalous patterns—such as credentials being used from unexpected IP addresses, unusual API calls for a given role, or metadata queries that don't align with an instance's normal behavior—provide high-confidence indicators of compromise.
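As an added example (not code from the report or from Breakglass Intelligence), the following Python triage implements the three indicator classes above over constructed sample telemetry: outbound SMTP to a domain that resembles but does not match a known cloud domain, the UDP beacon to 255.255.255.255:6006, and metadata-endpoint queries from processes outside an assumed allowlist. The known-good domain list and the process allowlist are illustrative assumptions.

```python
# Added example, not code from the report: behavioural triage of the three
# indicator classes named above, run over constructed sample telemetry.
from collections import namedtuple
Flow = namedtuple("Flow", "src dst proto port name")   # network flow + resolved name
Proc = namedtuple("Proc", "host pid comm dst")         # host-level connection record
# Illustrative known-good domains; a name close to but not equal to one of these
# is the "resembles but doesn't exactly match" pattern described above.
CLOUD_DOMAINS = {"aliyuncs.com", "amazonaws.com", "googleapis.com", "azure.com"}
# Assumed per-environment allowlist of processes expected to query the IMDS.
IMDS_ALLOWED = {"cloud-init", "amazon-ssm-agent", "aws"}

def levenshtein(a, b):
    """Edit distance, used to spot typosquats of the allowlisted domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(name):
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def lookalike(name):
    """Return the legitimate domain `name` imitates, or None if exact or unrelated."""
    reg = registrable(name)
    if reg in CLOUD_DOMAINS:
        return None
    return next((g for g in sorted(CLOUD_DOMAINS) if levenshtein(reg, g) <= 2), None)

def triage_flows(flows):
    alerts = []
    for f in flows:
        if f.proto == "tcp" and f.port == 25 and f.name and lookalike(f.name):
            alerts.append(("smtp-lookalike-domain", f.src, f.name))
        if f.proto == "udp" and f.dst == "255.255.255.255" and f.port == 6006:
            alerts.append(("udp-peer-beacon", f.src, f.dst))
    return alerts

def triage_procs(procs):
    return [("imds-unexpected-process", p.host, p.comm)
            for p in procs if p.dst == "169.254.169.254" and p.comm not in IMDS_ALLOWED]

SAMPLE_FLOWS = [  # constructed, not observed traffic
    Flow("10.0.1.5", "198.51.100.7", "tcp", 25, "smtp.example.com"),
    Flow("10.0.1.9", "203.0.113.44", "tcp", 25, "api.aliyunc.com"),
    Flow("10.0.1.9", "255.255.255.255", "udp", 6006, ""),
]
SAMPLE_PROCS = [Proc("web-01", 412, "cloud-init", "169.254.169.254"),  # constructed
                Proc("web-01", 7731, ".cache-helper", "169.254.169.254")]
```

Each alert tuple carries the layer it came from, so the three lists can be correlated by host before anyone is paged, which is the practical answer to the false-positive concern raised above.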
Implications for Cloud Security Architecture
This campaign exposes a fundamental tension in cloud security design. The instance metadata service exists because storing credentials in application code or configuration files creates even greater risks. But the current model assumes that gaining access to an instance is sufficiently difficult that the metadata service doesn't need additional authentication.
That assumption breaks down when attackers exploit application vulnerabilities, supply chain compromises, or misconfigurations to gain initial access. Once inside, the metadata service provides an escalation path that's difficult to prevent without breaking legitimate functionality.
Cloud providers have introduced some mitigations. AWS offers IMDSv2, which requires session tokens before serving metadata, making automated exploitation harder. Google Cloud and Azure provide similar protections. However, these features often remain optional for backward compatibility, and many organizations haven't enabled them across their entire infrastructure.
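As an added example (not from the report or from AWS tooling), the following Python audit walks the MetadataOptions structure that AWS returns from describe_instances and flags instances that still answer token-less IMDSv1 requests; it goes one step beyond the article by also checking the PUT response hop limit, which caps how far a metadata response can be relayed through container networking. The instance records are constructed sample data in the real API's shape.

```python
# Added example, not code from the report: audit EC2 instances for IMDSv2
# enforcement using the MetadataOptions shape returned by describe_instances.

def imds_findings(reservations):
    """Return (instance_id, issue) pairs for instances whose metadata service
    would still hand credentials to an unauthenticated IMDSv1 caller."""
    findings = []
    for reservation in reservations:
        for inst in reservation.get("Instances", []):
            iid = inst["InstanceId"]
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint", "enabled") == "disabled":
                continue  # no metadata service at all: nothing to harvest
            if opts.get("HttpTokens", "optional") != "required":
                findings.append((iid, "imdsv1-allowed"))
            if opts.get("HttpPutResponseHopLimit", 1) > 1:
                findings.append((iid, "hop-limit-permits-relay"))
    return findings

def remediation(instance_id):
    """Keyword arguments for boto3's ec2.modify_instance_metadata_options(),
    returned rather than applied so this runs offline."""
    return {"InstanceId": instance_id, "HttpTokens": "required",
            "HttpPutResponseHopLimit": 1, "HttpEndpoint": "enabled"}

# Constructed sample in the describe_instances response shape; IDs are placeholders.
SAMPLE_RESERVATIONS = [{"Instances": [
    {"InstanceId": "i-0example1", "MetadataOptions": {
        "HttpTokens": "optional", "HttpEndpoint": "enabled", "HttpPutResponseHopLimit": 2}},
    {"InstanceId": "i-0example2", "MetadataOptions": {
        "HttpTokens": "required", "HttpEndpoint": "enabled", "HttpPutResponseHopLimit": 1}},
]}]
```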
The campaign's success over six years suggests that detection and response capabilities haven't kept pace with attacker techniques. Organizations running cloud workloads need to assume that initial access will occur and focus on limiting what attackers can accomplish afterward. That means implementing least-privilege IAM policies, enabling advanced metadata service protections, and deploying behavioral monitoring that can identify credential abuse even when the initial compromise goes undetected.
As cloud adoption accelerates and workloads become more distributed, the metadata service will remain a high-value target. APT41's sustained focus on this attack vector indicates that state-sponsored actors view cloud credentials as strategic intelligence assets worth years of operational investment to collect.