ClickCease CISA and FBI Warn of AndroxGh0st Malware Threat

Content Table

Join Our Popular Newsletter

Join 4,500+ Linux & Open Source Professionals!

2x a month. No spam.

CISA and FBI Warn of AndroxGh0st Malware Threat

Rohan Timalsina

February 1, 2024 - TuxCare expert team

CISA and FBI have jointly issued a warning about the threat posed by AndroxGh0st malware, emphasizing its use in establishing a botnet for “victim identification and exploitation within target networks.” Originating in a Lacework report from December 2022, AndroxGh0st, a Python-based malware, has spawned similar tools such as AlienFox, GreenBot (aka Maintance), Legion, and Predator.

This cloud attack tool is proficient at breaching servers with known security vulnerabilities to gain access to Laravel environment files. Subsequently, it pilfers credentials for high-profile applications like AWS, Microsoft Office 365, SendGrid, and Twilio. Notable vulnerabilities exploited by AndroxGh0st include CVE-2017-9841 (PHPUnit), CVE-2021-41773 (Apache HTTP Server), and CVE-2018-15133 (Laravel Framework).


AndroxGh0st Malware Capabilities


Lacework highlights AndroxGh0st’s capabilities in enabling SMTP abuse through scanning, exploiting exposed credentials and APIs, and deploying web shells. Specifically for AWS, the malware not only scans and parses AWS keys but also possesses the capability to generate keys for brute-force attacks.

Compromised AWS credentials are utilized to create new users, user policies, and in some instances, set up new AWS instances for further malicious scanning activities. These functionalities make AndroxGh0st malware a formidable threat capable of downloading additional payloads and maintaining persistent access to compromised systems.

SentinelLabs’ Alex Delamotte notes the rarity of cloud-focused malware advisories and commends CISA for addressing this type of threat. This advisory follows SentinelOne’s revelation of a related but distinct tool called FBot, used by attackers to breach web servers, cloud services, CMS, and SaaS platforms.

Delamotte emphasizes the evolving cloud threat landscape, where tools like AlienFox and Legion integrate code from AndroxGh0st and FBot into a holistic ecosystem. As cloud services continue to be monetized, tailored tools are expected to emerge for specific services, similar to those targeting mail services for spamming attacks.


Final Words


In conclusion, the joint advisory from CISA and FBI underscores the escalating danger posed by AndroxGh0st malware and its derivatives. Due to their emphasis on taking advantage of known vulnerabilities, these attacks necessitate proactive cybersecurity measures and increased awareness, especially in cloud environments. As the landscape continues to evolve, collaboration and awareness remain crucial in mitigating the risks posed by these sophisticated cloud-based attacks.


The sources for this article include a story from TheHackerNews.

CISA and FBI Warn of AndroxGh0st Malware Threat
Article Name
CISA and FBI Warn of AndroxGh0st Malware Threat
Stay informed about the rising threat of AndroxGh0st malware. Learn how this cloud attack tool exploits known flaws and steals credentials.
Publisher Name
Publisher Logo

Looking to automate vulnerability patching without kernel reboots, system downtime, or scheduled maintenance windows?

Learn About Live Patching with TuxCare

Become a TuxCare Guest Writer

Get started




Linux & Open Source

Subscribe to
our newsletter