China-Linked Hackers Exploit Cloud Credentials Using Typos and SMTP
China-aligned hackers have been observed using a Linux ELF backdoor to steal cloud credentials from workloads on major cloud providers including AWS, GCP, Azure and Alibaba Cloud. The backdoor uses SMTP over TCP port 25 as a covert command-and-control channel, carrying the harvested credentials and metadata out of the victim environment as what looks like ordinary mail traffic. The setup is described as 'zero-detection' because the C2 server validates the client handshake selectively: generic probes from internet-wide scanners such as Shodan and Censys do not elicit the responses that would let the server be fingerprinted, so it does not show up in their indexes. The stolen credentials are sent to domains hosted on Alibaba Cloud infrastructure in Singapore that typosquat legitimate Alibaba domains. Since the server cannot be found by scanning, defenders are left to detect the implant from its own behaviour, notably outbound SMTP connections from hosts that have no business sending mail.
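The two observable signals in the article are outbound TCP/25 from cloud workloads that are not mail relays and destination names that look like typosquats of Alibaba domains. The script below is an added illustration of how a SOC might hunt for both in connection logs; it is not code from the report or from the attackers' tooling. The log format, the source hosts, the mail-relay allowlist and the typosquat name aliyum.com are all constructed for this example; only aliyun.com and alibabacloud.com are real Alibaba Cloud domains. The typosquat test is a plain edit-distance comparison against the registrable domain, which is a simplification (it ignores multi-label public suffixes such as .com.cn and homoglyphs).

```python
"""Hunt for SMTP-based exfiltration and Alibaba typosquat domains in connection logs.

Added example; not the report's code. Log lines, hosts, allowlist and the
typosquat domain "aliyum.com" are constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import List, Optional

# Real Alibaba Cloud domains used as the reference set.
LEGIT_ALIBABA_DOMAINS = ("aliyun.com", "alibabacloud.com")

# Assumption: the operator maintains a short allowlist of hosts that are
# legitimately allowed to open outbound SMTP sessions (mail relays).
MAIL_RELAY_ALLOWLIST = {"10.0.1.25"}

# Constructed log format: "<ts> <src_ip> <dst_ip> <dst_port> <proto> <dst_name>"
# where <dst_name> is the name the connection was resolved from, or "-".
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.1.25 203.0.113.10 25 tcp mx.example.net
2024-05-01T10:00:05Z 10.0.2.17 198.51.100.7 25 tcp aliyum.com
2024-05-01T10:00:09Z 10.0.2.17 198.51.100.7 443 tcp oss.aliyun.com
2024-05-01T10:00:12Z 10.0.3.4 192.0.2.9 25 tcp -
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\S+) (\S+)$")


@dataclass(frozen=True)
class Finding:
    ts: str
    src_ip: str
    reason: str
    detail: str


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(name: str) -> str:
    """Last two labels of a host name (simplification: no public-suffix list)."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def typosquat_of(name: str) -> Optional[str]:
    """Return the legitimate domain that `name` imitates, or None.

    A real subdomain (oss.aliyun.com) has registrable domain aliyun.com and is
    therefore not flagged; a near miss within 2 edits (aliyum.com) is.
    """
    if name == "-":
        return None
    reg = registrable_domain(name)
    for legit in LEGIT_ALIBABA_DOMAINS:
        if reg != legit and levenshtein(reg, legit) <= 2:
            return legit
    return None


def parse_line(line: str):
    m = LOG_RE.match(line.strip())
    if not m:
        return None  # skip malformed lines rather than crash the hunt
    ts, src, dst, port, proto, name = m.groups()
    return ts, src, dst, int(port), proto, name


def analyze(log_text: str) -> List[Finding]:
    """Flag non-relay hosts talking TCP/25 and destinations that typosquat Alibaba."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dst, port, proto, name = rec
        if proto == "tcp" and port == 25 and src not in MAIL_RELAY_ALLOWLIST:
            findings.append(Finding(ts, src, "unexpected_smtp_egress",
                                    f"{src} -> {dst}:25 ({name})"))
        legit = typosquat_of(name)
        if legit is not None:
            findings.append(Finding(ts, src, "typosquat_domain",
                                    f"{name} resembles {legit}"))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.ts} {f.src_ip} {f.reason}: {f.detail}")
```

On the sample log this yields three findings: the non-relay host 10.0.2.17 opening TCP/25 to a typosquat name (two findings for one line) and 10.0.3.4 opening TCP/25 with no resolved name, while the allowlisted relay and the legitimate oss.aliyun.com connection produce nothing. In a real deployment the same logic would run over flow or Zeek conn logs, and the allowlist would be derived from the mail architecture rather than hard-coded.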