JavaGhost’s Persistent Phishing Attacks From the Cloud

    Date: 03/03/2025

    Severity: High

    Summary

    JavaGhost abused overly permissive IAM permissions in compromised AWS accounts to turn the victims' Amazon SES and WorkMail services into phishing infrastructure. Operating from another organization's account gives the actor two advantages: the victim pays for every resource the actor creates, and mail sent through the victim's existing SES identities carries that organization's established sending reputation. Because the phishing emails originate from a sender the recipients have previously interacted with, they are far more likely to pass reputation-based email filtering than mail from freshly registered infrastructure.
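The "overly permissive IAM permissions" at the root of this activity are easy to spot in a policy document once you know which actions matter. The following is an added example, not code from Gurucul or Unit 42: a small auditor that walks an IAM policy and reports which mail- and credential-related actions it grants on `Resource: "*"` without a Condition. The three policies, the account ID, the domain and the list of sensitive actions are all constructed for the example; the advisory does not enumerate the specific permissions JavaGhost used.

```python
"""Audit an IAM policy document for broad SES / WorkMail / IAM grants.

Added example; not the advisory's or Unit 42's code. Policies, account ID,
domain and the watched action list are constructed assumptions.
"""
import re

# Actions an attacker needs to do what the advisory describes: send through
# the victim's SES, add WorkMail users, mint credentials. (Assumed watch-list.)
SENSITIVE_ACTIONS = [
    "ses:SendEmail",
    "ses:SendRawEmail",
    "ses:VerifyEmailIdentity",
    "ses:CreateEmailIdentity",
    "workmail:CreateUser",
    "iam:CreateUser",
    "iam:CreateAccessKey",
]

# Constructed policy: the "overly permissive" shape (wildcard actions, wildcard resource).
OVERLY_PERMISSIVE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ses:*", "workmail:*", "iam:*"], "Resource": "*"}
    ],
}

# Constructed policy: only the two send actions, pinned to one verified identity
# and one From address (account ID and domain are placeholders).
SCOPED = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["ses:SendEmail", "ses:SendRawEmail"],
            "Resource": "arn:aws:ses:us-east-1:111122223333:identity/mail.example.com",
            "Condition": {"StringEquals": {"ses:FromAddress": "alerts@mail.example.com"}},
        }
    ],
}

# Constructed policy: a broad Allow partly clawed back by an explicit Deny.
ALLOW_WITH_DENY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ses:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "ses:SendRawEmail", "Resource": "*"},
    ],
}


def _as_list(value):
    """IAM lets most fields be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _wild(pattern, value, ignore_case=False):
    """IAM-style wildcard match: only '*' and '?' are special."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    flags = re.IGNORECASE if ignore_case else 0
    return re.fullmatch(regex, value, flags) is not None


def _covers_action(stmt, action):
    """Does this statement name the action (Action / NotAction semantics)?"""
    if "NotAction" in stmt:
        return not any(_wild(p, action, True) for p in _as_list(stmt["NotAction"]))
    return any(_wild(p, action, True) for p in _as_list(stmt.get("Action")))


def _explicitly_denied(stmts, action):
    """An unconditional Deny on Resource '*' overrides every Allow."""
    return any(
        s.get("Effect") == "Deny"
        and not s.get("Condition")
        and _covers_action(s, action)
        and "*" in _as_list(s.get("Resource"))
        for s in stmts
    )


def audit(policy):
    """One finding per (sensitive action, Allow statement) pair.

    'broad' is True when the grant is on Resource '*' with no Condition,
    i.e. the shape that lets a stolen key send from any identity.
    """
    stmts = _as_list(policy.get("Statement"))
    findings = []
    for action in SENSITIVE_ACTIONS:
        if _explicitly_denied(stmts, action):
            continue
        for index, stmt in enumerate(stmts):
            if stmt.get("Effect") != "Allow" or not _covers_action(stmt, action):
                continue
            broad = "*" in _as_list(stmt.get("Resource")) and not stmt.get("Condition")
            findings.append({"action": action, "statement": index, "broad": broad})
    return findings


def broad_grants(policy):
    """Sorted sensitive actions granted with neither a resource nor a condition limit."""
    return sorted({f["action"] for f in audit(policy) if f["broad"]})


if __name__ == "__main__":
    for name, policy in [("overly permissive", OVERLY_PERMISSIVE),
                         ("scoped", SCOPED), ("allow with deny", ALLOW_WITH_DENY)]:
        print(f"{name}: {broad_grants(policy)}")
```

The auditor only models the parts of IAM evaluation it needs (Allow, unconditional Deny, Action/NotAction, wildcard matching); it does not evaluate Condition keys or NotResource, and a conditioned grant is reported as non-broad without checking whether the condition actually constrains anything. Run it against the policies attached to long-lived IAM users first, since those are the credentials that leak.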

    Indicators of Compromise (IOC) List

    IP Addresses:

    34.145.16.68

    36.72.153.32

    45.130.83.119

    45.130.83.131

    45.130.83.132

    45.130.83.133

    45.130.83.134

    45.130.83.137

    45.130.83.150

    45.130.83.238

    45.130.83.239

    45.130.83.240

    45.130.83.241

    45.130.83.242

    45.130.83.243

    45.130.83.244

    45.130.83.245

    45.130.83.246

    45.130.83.247

    45.130.83.248

    45.130.83.249

    45.130.83.250

    45.130.83.251

    45.8.19.99

    45.8.19.101

    45.8.19.103

    45.8.19.104

    45.8.19.107

    45.8.19.108

    45.92.229.203

    45.92.229.205

    45.92.229.206

    45.92.229.209

    45.92.229.212

    45.92.229.218

    45.92.229.220

    54.158.129.118

    63.135.161.45

    63.135.161.46

    63.135.161.49

    63.135.161.51

    63.135.161.53

    63.135.161.54

    63.135.161.55

    63.135.161.56

    63.135.161.58

    63.135.161.59

    63.135.161.60

    63.135.161.61

    63.135.161.63

    63.135.161.64

    63.135.161.65

    63.135.161.68

    63.135.161.69

    63.135.161.71

    63.135.161.72

    63.135.161.73

    63.135.161.74

    63.135.161.75

    63.135.161.110

    63.135.161.111

    63.135.161.112

    63.135.161.113

    63.135.161.114

    63.135.161.115

    63.135.161.116

    63.135.161.117

    63.135.161.118

    63.135.161.119

    63.135.161.120

    63.135.161.121

    63.135.161.122

    63.135.161.123

    63.135.161.129

    64.64.116.169

    85.237.194.218

    85.237.194.223

    85.237.194.231

    85.237.194.233

    85.237.194.237

    85.237.194.240

    85.237.194.249

    85.237.194.250

    86.48.10.113

    89.108.82.105

    94.131.106.251

    98.159.224.12

    98.159.224.13

    98.159.224.14

    98.159.224.15

    98.159.224.16

    98.159.224.60

    98.159.224.61

    98.159.224.62

    98.159.224.63

    98.159.224.64

    98.97.79.212

    98.97.79.246

    102.215.57.82

    103.178.2.52

    104.234.53.207

    104.234.53.208

    104.234.53.210

    104.234.53.211

    104.234.53.212

    104.234.53.213

    104.234.53.215

    104.234.53.216

    104.234.53.217

    104.234.53.219

    104.234.53.221

    104.234.53.223

    104.234.53.224

    104.234.53.225

    104.234.53.226

    109.166.49.185

    114.125.76.5

    128.199.219.23

    159.223.58.222

    173.239.204.177

    173.239.204.190

    173.239.204.191

    173.239.204.192

    173.239.204.193

    173.239.204.195

    173.239.211.35

    173.239.211.36

    173.239.211.37

    173.239.211.38

    173.239.211.39

    173.239.211.40

    173.239.211.41

    173.239.211.42

    173.239.211.43

    173.239.211.44

    173.239.211.45

    173.239.211.46

    173.239.211.47

    173.239.211.48

    173.239.211.49

    173.239.211.50

    173.239.211.51

    173.239.211.52

    173.239.211.53

    173.239.211.54

    173.239.211.55

    173.239.211.113

    173.239.211.119

    173.239.211.139

    173.239.211.146

    174.215.21.14

    180.249.154.73

    180.249.154.162

    180.251.238.103

    182.1.66.249

    182.1.73.253

    182.1.74.253

    182.1.84.253

    182.1.88.149

    182.1.88.42

    182.1.90.233

    182.1.94.225

    184.82.129.170

    185.238.231.106

    197.253.58.225

    197.253.58.226

    197.253.58.227

    197.253.58.228

    197.253.58.229

    199.101.196.67

    199.101.196.68

    199.101.196.79

    199.101.196.80

    208.95.72.30

    216.73.160.1

    216.73.160.2

    216.73.160.12

    216.73.160.14

    216.73.160.15

    216.73.160.16

    216.73.160.155

    216.73.160.158

    216.73.160.159

    216.73.160.160

    216.73.160.161

    216.73.160.164

    216.73.160.165

    216.73.160.168

    216.73.160.170

    216.73.160.171

    216.73.160.172

    216.73.160.173

    216.73.161.170

    217.142.185.26

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    IP Address 1 :

    dstipaddress IN ("63.135.161.45","104.234.53.216","173.239.211.39","63.135.161.61","63.135.161.129","216.73.160.158","197.253.58.228","63.135.161.113","45.8.19.107","85.237.194.249","45.130.83.244","63.135.161.55","98.159.224.15","197.253.58.226","45.130.83.251","98.159.224.61","63.135.161.110","180.249.154.73","45.130.83.243","216.73.160.160","63.135.161.120","45.130.83.131","45.130.83.119","85.237.194.240","173.239.211.42","104.234.53.224","216.73.160.172","104.234.53.221","45.130.83.134","173.239.211.44","85.237.194.237","199.101.196.68","104.234.53.208","216.73.160.16","45.92.229.206","173.239.211.37","45.92.229.220","173.239.211.51","63.135.161.121","173.239.211.45","173.239.211.49","185.238.231.106","104.234.53.217","45.130.83.238","63.135.161.53","63.135.161.63","63.135.161.68","63.135.161.46","63.135.161.56","216.73.160.14","45.8.19.104","173.239.211.55","216.73.160.168","45.8.19.101","63.135.161.54","45.92.229.212","173.239.211.38","63.135.161.114","45.130.83.150","45.130.83.246","45.130.83.249","63.135.161.75","173.239.211.48","45.92.229.205","104.234.53.223","216.73.160.170","63.135.161.119","45.8.19.103","63.135.161.60","173.239.211.54","45.130.83.245","104.234.53.207","216.73.160.171","216.73.160.15","45.130.83.133","199.101.196.79","104.234.53.215","104.234.53.213","63.135.161.65","104.234.53.225","45.130.83.250","63.135.161.69","104.234.53.211","45.130.83.240","216.73.160.159","45.92.229.209","45.130.83.248","45.130.83.239","197.253.58.229","217.142.185.26","54.158.129.118","216.73.161.170","98.159.224.64","98.159.224.12","173.239.204.192","63.135.161.116","85.237.194.233","63.135.161.71","85.237.194.223","63.135.161.111","216.73.160.12","173.239.211.146","173.239.211.43","173.239.211.53","86.48.10.113","173.239.211.40","63.135.161.59","173.239.211.113","63.135.161.118","199.101.196.80","63.135.161.115","216.73.160.161","173.239.211.50","34.145.16.68","36.72.153.32","45.130.83.132","45.130.83.137","45.130.83.241","45.130.83.242","45.130.83.247","45.8.19.99","45.8.19.108","45.92.229.203","45.92.229.218","63.135.161.49","63.135.161.51","63.135.161.58","63.135.161.64","63.135.161.72","63.135.161.73","63.135.161.74","63.135.161.112","63.135.161.117","63.135.161.122","63.135.161.123","64.64.116.169","85.237.194.218","85.237.194.231","85.237.194.250","89.108.82.105","94.131.106.251","98.159.224.13","98.159.224.14","98.159.224.16","98.159.224.60","98.159.224.62","98.159.224.63","98.97.79.212","98.97.79.246","102.215.57.82","103.178.2.52","104.234.53.210","104.234.53.212","104.234.53.219","104.234.53.226","109.166.49.185","114.125.76.5","128.199.219.23","159.223.58.222","173.239.204.177","173.239.204.190","173.239.204.191","173.239.204.193","173.239.204.195","173.239.211.35","173.239.211.36","173.239.211.41","173.239.211.46","173.239.211.47","173.239.211.52","173.239.211.119","173.239.211.139","174.215.21.14","180.249.154.162","180.251.238.103","182.1.66.249","182.1.73.253","182.1.74.253","182.1.84.253","182.1.88.149","182.1.88.42","182.1.90.233","182.1.94.225","184.82.129.170","197.253.58.225","197.253.58.227","199.101.196.67","208.95.72.30","216.73.160.1","216.73.160.2","216.73.160.155","216.73.160.164","216.73.160.165","216.73.160.173")

    IP Address 2:

    ipaddress IN ("63.135.161.45","104.234.53.216","173.239.211.39","63.135.161.61","63.135.161.129","216.73.160.158","197.253.58.228","63.135.161.113","45.8.19.107","85.237.194.249","45.130.83.244","63.135.161.55","98.159.224.15","197.253.58.226","45.130.83.251","98.159.224.61","63.135.161.110","180.249.154.73","45.130.83.243","216.73.160.160","63.135.161.120","45.130.83.131","45.130.83.119","85.237.194.240","173.239.211.42","104.234.53.224","216.73.160.172","104.234.53.221","45.130.83.134","173.239.211.44","85.237.194.237","199.101.196.68","104.234.53.208","216.73.160.16","45.92.229.206","173.239.211.37","45.92.229.220","173.239.211.51","63.135.161.121","173.239.211.45","173.239.211.49","185.238.231.106","104.234.53.217","45.130.83.238","63.135.161.53","63.135.161.63","63.135.161.68","63.135.161.46","63.135.161.56","216.73.160.14","45.8.19.104","173.239.211.55","216.73.160.168","45.8.19.101","63.135.161.54","45.92.229.212","173.239.211.38","63.135.161.114","45.130.83.150","45.130.83.246","45.130.83.249","63.135.161.75","173.239.211.48","45.92.229.205","104.234.53.223","216.73.160.170","63.135.161.119","45.8.19.103","63.135.161.60","173.239.211.54","45.130.83.245","104.234.53.207","216.73.160.171","216.73.160.15","45.130.83.133","199.101.196.79","104.234.53.215","104.234.53.213","63.135.161.65","104.234.53.225","45.130.83.250","63.135.161.69","104.234.53.211","45.130.83.240","216.73.160.159","45.92.229.209","45.130.83.248","45.130.83.239","197.253.58.229","217.142.185.26","54.158.129.118","216.73.161.170","98.159.224.64","98.159.224.12","173.239.204.192","63.135.161.116","85.237.194.233","63.135.161.71","85.237.194.223","63.135.161.111","216.73.160.12","173.239.211.146","173.239.211.43","173.239.211.53","86.48.10.113","173.239.211.40","63.135.161.59","173.239.211.113","63.135.161.118","199.101.196.80","63.135.161.115","216.73.160.161","173.239.211.50","34.145.16.68","36.72.153.32","45.130.83.132","45.130.83.137","45.130.83.241","45.130.83.242","45.130.83.247","45.8.19.99","45.8.19.108","45.92.229.203","45.92.229.218","63.135.161.49","63.135.161.51","63.135.161.58","63.135.161.64","63.135.161.72","63.135.161.73","63.135.161.74","63.135.161.112","63.135.161.117","63.135.161.122","63.135.161.123","64.64.116.169","85.237.194.218","85.237.194.231","85.237.194.250","89.108.82.105","94.131.106.251","98.159.224.13","98.159.224.14","98.159.224.16","98.159.224.60","98.159.224.62","98.159.224.63","98.97.79.212","98.97.79.246","102.215.57.82","103.178.2.52","104.234.53.210","104.234.53.212","104.234.53.219","104.234.53.226","109.166.49.185","114.125.76.5","128.199.219.23","159.223.58.222","173.239.204.177","173.239.204.190","173.239.204.191","173.239.204.193","173.239.204.195","173.239.211.35","173.239.211.36","173.239.211.41","173.239.211.46","173.239.211.47","173.239.211.52","173.239.211.119","173.239.211.139","174.215.21.14","180.249.154.162","180.251.238.103","182.1.66.249","182.1.73.253","182.1.74.253","182.1.84.253","182.1.88.149","182.1.88.42","182.1.90.233","182.1.94.225","184.82.129.170","197.253.58.225","197.253.58.227","199.101.196.67","208.95.72.30","216.73.160.1","216.73.160.2","216.73.160.155","216.73.160.164","216.73.160.165","216.73.160.173")

    IP Address 3:

    publicipaddress IN ("63.135.161.45","104.234.53.216","173.239.211.39","63.135.161.61","63.135.161.129","216.73.160.158","197.253.58.228","63.135.161.113","45.8.19.107","85.237.194.249","45.130.83.244","63.135.161.55","98.159.224.15","197.253.58.226","45.130.83.251","98.159.224.61","63.135.161.110","180.249.154.73","45.130.83.243","216.73.160.160","63.135.161.120","45.130.83.131","45.130.83.119","85.237.194.240","173.239.211.42","104.234.53.224","216.73.160.172","104.234.53.221","45.130.83.134","173.239.211.44","85.237.194.237","199.101.196.68","104.234.53.208","216.73.160.16","45.92.229.206","173.239.211.37","45.92.229.220","173.239.211.51","63.135.161.121","173.239.211.45","173.239.211.49","185.238.231.106","104.234.53.217","45.130.83.238","63.135.161.53","63.135.161.63","63.135.161.68","63.135.161.46","63.135.161.56","216.73.160.14","45.8.19.104","173.239.211.55","216.73.160.168","45.8.19.101","63.135.161.54","45.92.229.212","173.239.211.38","63.135.161.114","45.130.83.150","45.130.83.246","45.130.83.249","63.135.161.75","173.239.211.48","45.92.229.205","104.234.53.223","216.73.160.170","63.135.161.119","45.8.19.103","63.135.161.60","173.239.211.54","45.130.83.245","104.234.53.207","216.73.160.171","216.73.160.15","45.130.83.133","199.101.196.79","104.234.53.215","104.234.53.213","63.135.161.65","104.234.53.225","45.130.83.250","63.135.161.69","104.234.53.211","45.130.83.240","216.73.160.159","45.92.229.209","45.130.83.248","45.130.83.239","197.253.58.229","217.142.185.26","54.158.129.118","216.73.161.170","98.159.224.64","98.159.224.12","173.239.204.192","63.135.161.116","85.237.194.233","63.135.161.71","85.237.194.223","63.135.161.111","216.73.160.12","173.239.211.146","173.239.211.43","173.239.211.53","86.48.10.113","173.239.211.40","63.135.161.59","173.239.211.113","63.135.161.118","199.101.196.80","63.135.161.115","216.73.160.161","173.239.211.50","34.145.16.68","36.72.153.32","45.130.83.132","45.130.83.137","45.130.83.241","45.130.83.242","45.130.83.247","45.8.19.99","45.8.19.108","45.92.229.203","45.92.229.218","63.135.161.49","63.135.161.51","63.135.161.58","63.135.161.64","63.135.161.72","63.135.161.73","63.135.161.74","63.135.161.112","63.135.161.117","63.135.161.122","63.135.161.123","64.64.116.169","85.237.194.218","85.237.194.231","85.237.194.250","89.108.82.105","94.131.106.251","98.159.224.13","98.159.224.14","98.159.224.16","98.159.224.60","98.159.224.62","98.159.224.63","98.97.79.212","98.97.79.246","102.215.57.82","103.178.2.52","104.234.53.210","104.234.53.212","104.234.53.219","104.234.53.226","109.166.49.185","114.125.76.5","128.199.219.23","159.223.58.222","173.239.204.177","173.239.204.190","173.239.204.191","173.239.204.193","173.239.204.195","173.239.211.35","173.239.211.36","173.239.211.41","173.239.211.46","173.239.211.47","173.239.211.52","173.239.211.119","173.239.211.139","174.215.21.14","180.249.154.162","180.251.238.103","182.1.66.249","182.1.73.253","182.1.74.253","182.1.84.253","182.1.88.149","182.1.88.42","182.1.90.233","182.1.94.225","184.82.129.170","197.253.58.225","197.253.58.227","199.101.196.67","208.95.72.30","216.73.160.1","216.73.160.2","216.73.160.155","216.73.160.164","216.73.160.165","216.73.160.173")

    IP Address 4:

    srcipaddress IN ("63.135.161.45","104.234.53.216","173.239.211.39","63.135.161.61","63.135.161.129","216.73.160.158","197.253.58.228","63.135.161.113","45.8.19.107","85.237.194.249","45.130.83.244","63.135.161.55","98.159.224.15","197.253.58.226","45.130.83.251","98.159.224.61","63.135.161.110","180.249.154.73","45.130.83.243","216.73.160.160","63.135.161.120","45.130.83.131","45.130.83.119","85.237.194.240","173.239.211.42","104.234.53.224","216.73.160.172","104.234.53.221","45.130.83.134","173.239.211.44","85.237.194.237","199.101.196.68","104.234.53.208","216.73.160.16","45.92.229.206","173.239.211.37","45.92.229.220","173.239.211.51","63.135.161.121","173.239.211.45","173.239.211.49","185.238.231.106","104.234.53.217","45.130.83.238","63.135.161.53","63.135.161.63","63.135.161.68","63.135.161.46","63.135.161.56","216.73.160.14","45.8.19.104","173.239.211.55","216.73.160.168","45.8.19.101","63.135.161.54","45.92.229.212","173.239.211.38","63.135.161.114","45.130.83.150","45.130.83.246","45.130.83.249","63.135.161.75","173.239.211.48","45.92.229.205","104.234.53.223","216.73.160.170","63.135.161.119","45.8.19.103","63.135.161.60","173.239.211.54","45.130.83.245","104.234.53.207","216.73.160.171","216.73.160.15","45.130.83.133","199.101.196.79","104.234.53.215","104.234.53.213","63.135.161.65","104.234.53.225","45.130.83.250","63.135.161.69","104.234.53.211","45.130.83.240","216.73.160.159","45.92.229.209","45.130.83.248","45.130.83.239","197.253.58.229","217.142.185.26","54.158.129.118","216.73.161.170","98.159.224.64","98.159.224.12","173.239.204.192","63.135.161.116","85.237.194.233","63.135.161.71","85.237.194.223","63.135.161.111","216.73.160.12","173.239.211.146","173.239.211.43","173.239.211.53","86.48.10.113","173.239.211.40","63.135.161.59","173.239.211.113","63.135.161.118","199.101.196.80","63.135.161.115","216.73.160.161","173.239.211.50","34.145.16.68","36.72.153.32","45.130.83.132","45.130.83.137","45.130.83.241","45.130.83.242","45.130.83.247","45.8.19.99","45.8.19.108","45.92.229.203","45.92.229.218","63.135.161.49","63.135.161.51","63.135.161.58","63.135.161.64","63.135.161.72","63.135.161.73","63.135.161.74","63.135.161.112","63.135.161.117","63.135.161.122","63.135.161.123","64.64.116.169","85.237.194.218","85.237.194.231","85.237.194.250","89.108.82.105","94.131.106.251","98.159.224.13","98.159.224.14","98.159.224.16","98.159.224.60","98.159.224.62","98.159.224.63","98.97.79.212","98.97.79.246","102.215.57.82","103.178.2.52","104.234.53.210","104.234.53.212","104.234.53.219","104.234.53.226","109.166.49.185","114.125.76.5","128.199.219.23","159.223.58.222","173.239.204.177","173.239.204.190","173.239.204.191","173.239.204.193","173.239.204.195","173.239.211.35","173.239.211.36","173.239.211.41","173.239.211.46","173.239.211.47","173.239.211.52","173.239.211.119","173.239.211.139","174.215.21.14","180.249.154.162","180.251.238.103","182.1.66.249","182.1.73.253","182.1.74.253","182.1.84.253","182.1.88.149","182.1.88.42","182.1.90.233","182.1.94.225","184.82.129.170","197.253.58.225","197.253.58.227","199.101.196.67","208.95.72.30","216.73.160.1","216.73.160.2","216.73.160.155","216.73.160.164","216.73.160.165","216.73.160.173")
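The four TDIR queries above are the same indicator match applied to four different field names. For teams without Gurucul, the following is an added example, not Gurucul's or Unit 42's code, that runs the equivalent match over CloudTrail records and raises the severity when the indicator hit coincides with an SES or WorkMail API call, which is the pattern the advisory describes. The log records are constructed; the IP set is a short subset of the advisory's IOC list (load the full list in practice); the event names and principal ARNs are assumptions chosen to fit the described abuse.

```python
"""Match log records against the advisory's IP indicators.

Added example; not Gurucul's or Unit 42's code. The IP set is a subset of
the advisory's IOC list; records, event names and ARNs are constructed.
"""
import json
from collections import Counter

# Subset of the advisory's IOC IPs (assumption: a sample; use the full list).
IOC_IPS = frozenset({
    "34.145.16.68", "45.130.83.119", "63.135.161.45",
    "173.239.211.39", "197.253.58.228", "216.73.160.158",
})

# The field names the four TDIR queries match on, plus CloudTrail's own.
IP_FIELDS = ("sourceIPAddress", "srcipaddress", "dstipaddress",
             "ipaddress", "publicipaddress")

# CloudTrail eventSource values for the two services the actor abused.
MAIL_SOURCES = frozenset({"ses.amazonaws.com", "workmail.amazonaws.com"})

# Constructed CloudTrail-style log file, trimmed to the fields used here.
SAMPLE_LOG = """{"Records": [
{"eventTime": "2025-03-01T10:12:44Z", "eventSource": "ses.amazonaws.com", "eventName": "SendEmail",
 "sourceIPAddress": "45.130.83.119", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deploy"}},
{"eventTime": "2025-03-01T10:13:02Z", "eventSource": "workmail.amazonaws.com", "eventName": "CreateUser",
 "sourceIPAddress": "173.239.211.39", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deploy"}},
{"eventTime": "2025-03-01T10:20:00Z", "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
 "sourceIPAddress": "63.135.161.45", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deploy"}},
{"eventTime": "2025-03-01T11:00:00Z", "eventSource": "ses.amazonaws.com", "eventName": "SendEmail",
 "sourceIPAddress": "10.20.30.40", "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/app-mailer/i-0abc"}},
{"eventTime": "2025-03-01T11:05:00Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
 "sourceIPAddress": "203.0.113.7", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/analyst"}}
]}"""


def load_records(text):
    """Accept a CloudTrail file ({"Records": [...]}) or newline-delimited JSON."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError:
        return [json.loads(line) for line in text.splitlines() if line.strip()]
    if isinstance(doc, dict):
        return doc.get("Records", [doc])
    return doc


def record_ips(record):
    """Every IP value present on the record under any watched field."""
    return {record[f] for f in IP_FIELDS if isinstance(record.get(f), str)}


def classify(record):
    """None, or 'low' / 'medium' / 'high'.

    high   = IOC address AND an SES/WorkMail API call (the advisory's pattern)
    medium = IOC address on any other API call
    low    = SES/WorkMail call from a non-IOC address (context for triage only)
    """
    ioc_hit = bool(record_ips(record) & IOC_IPS)
    mail_api = record.get("eventSource") in MAIL_SOURCES
    if ioc_hit and mail_api:
        return "high"
    if ioc_hit:
        return "medium"
    if mail_api:
        return "low"
    return None


def scan(records):
    """One hit per suspicious record, in input order."""
    hits = []
    for rec in records:
        severity = classify(rec)
        if severity is None:
            continue
        hits.append({
            "time": rec.get("eventTime"),
            "severity": severity,
            "ips": sorted(record_ips(rec)),
            "api": f"{rec.get('eventSource')}:{rec.get('eventName')}",
            "identity": (rec.get("userIdentity") or {}).get("arn"),
        })
    return hits


def identities_to_revoke(hits):
    """Principals seen from IOC addresses, with counts: rotate these keys first."""
    return Counter(h["identity"] for h in hits if h["severity"] in ("high", "medium"))


if __name__ == "__main__":
    found = scan(load_records(SAMPLE_LOG))
    for h in found:
        print(h["severity"].upper(), h["time"], h["api"], h["ips"], h["identity"])
    print("revoke:", dict(identities_to_revoke(found)))
```

Two caveats a practitioner should keep in mind. First, IP indicators age: several of the addresses in the list sit in commercial hosting and cloud ranges that are reassigned, so treat a bare address match as medium confidence and let the SES/WorkMail API context do the work of raising it to an incident. Second, the hit that matters most is often the non-mail one: an IOC address calling any API with a long-lived IAM user's key (the `medium` case above) tells you which credential leaked, and revoking that key is the first containment step whatever the actor went on to do with it.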

    Reference:    

    https://unit42.paloaltonetworks.com/javaghost-cloud-phishing/


    Tags

    AWS, JavaGhost, Malware, Exploit, Phishing
