CISA: AWS, Microsoft 365 Accounts Under Active Androxgh0st Attack

Cyberattackers are targeting Apache webservers and websites using the popular Laravel Web application framework in order to steal credentials for the apps.

The FBI and the US Cybersecurity and Infrastructure Security Agency (CISA) have issued an alert about a malware campaign targeting Apache webservers and websites using the popular Laravel Web application framework, leveraging known bugs for initial compromise.
The end goal of the campaign is to steal credentials to high-profile applications such as Amazon Web Services, Microsoft 365, Twilio, and SendGrid, so the threat actors can access sensitive data in the apps or use the apps for other malicious operations.
For example, when threat actors successfully identify and compromise AWS credentials from a vulnerable website, they have been observed attempting to create new users and user policies, the
two agencies said
. In many incidents the adversaries have also used the stolen credentials to create new AWS instances for additional, malicious scanning activity, they noted.
The campaign involves a known malware threat dubbed Androxgh0st that Lacework
first warned about
in December 2022. The malware, written in Python, is designed to scan for and extract application secrets such as credentials and API keys from Laravel .env files.
Laravel
is an open source PHP Web application framework that many developers use for common Web development tasks without having to write low-level code from scratch. Laravel .env files are a popular adversary target because they often contain credentials and other information that attackers can use to access and abuse high-value apps, such as AWS, Microsoft 365, and Twilo.
Lacework identified the malware as capable of scanning for and exploiting exposed credentials and APIs and of deploying Web shells on compromised systems.
This is not the first big campaign for the malicious code; last March,
Fortinet reported
observing threat actors using Androxgh0st to target Laravel .env files on an average of 40,000 Fortinet devices per day.
According to the FBI and CISA, Androxgh0st threat actors are also actively scanning for websites with specific vulnerabilities in them, particularly
CVE-2017-9841
, a critical remote code execution (RCE) vulnerability in PHPUnit, a module for testing PHP code.
They are exploiting the vulnerability to drop Androxgh0st and other malware on affected websites and make them part of a botnet, used to scan for and gather information on other potential targets. CVE-2017-9841 is a widely targeted vulnerability from 2017, with vendors like
Imperva reporting millions of attacks
on affected systems through at least early 2020.
In many instances, the Androxgh0st adversaries have also been observed scanning for Web servers running Apache HTTP Server versions 2.4.49 or 2.4.50 that are vulnerable to
CVE-2021-41773
, a path traversal vulnerability from 2021 that allows for RCE. CISA has previously warned about CVE-2021-41773 being among the
list of vulnerabilities
that China-backed threat actors tend to exploit the most in their campaigns.
The FBI and CISA alert described the threat actors as using the botnet to scan for websites using the Laravel Web application and to then determine if the domains root .env file is exposed.
If the .env file is exposed, threat actors will issue a GET request to the /.env URI to attempt to access the data on the page, the two agencies said. Alternatively, Androxgh0st may issue a POST request to the same URI with a POST variable named 0x[] containing certain data sent to the Web server.
If either method elicits a successful response, the threat actors are able to look for secrets in the .env file including usernames and passwords to AWS, email accounts and other enterprise apps.
To protect against this and similar threats, CISA recommended the following best practices:
Prioritize patching known exploited vulnerabilities in Internet-facing systems;
Review and ensure only necessary servers and services are exposed to the Internet;
And review platforms or services that have credentials listed in .env files for unauthorized access or use.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
CISA: AWS, Microsoft 365 Accounts Under Active Androxgh0st Attack