TRENDING TOPICS OCT 07, 2025

XRayC2 Abuses AWS X-Ray for Covert Command-and-Control Operations

Researchers have identified a new command-and-control framework known as XRayC2, which abuses Amazon Web Services’ X-Ray tracing service to create hidden communication channels between attackers and compromised systems. Traditionally, threat actors rely on self-hosted servers or malicious domains to control infected machines, which makes that infrastructure easier to detect and block. XRayC2 changes that dynamic by embedding commands and data within legitimate AWS X-Ray API traffic, allowing it to blend in with normal cloud monitoring activity. Through X-Ray’s annotation feature, attackers can store encoded instructions and retrieve execution results through standard API queries, all routed through trusted AWS domains. Because many detection controls depend on spotting unusual network behavior or suspicious outbound destinations, this abuse of legitimate cloud infrastructure lets adversaries bypass them. The framework operates in a three-phase cycle of beaconing, command delivery, and data exfiltration. In the beaconing phase, infected systems send trace segments containing encoded identifiers and system information to signal their presence. Commands are then delivered by embedding base64-encoded payloads in annotations, which the implants poll at randomized intervals, typically between 30 and 60 seconds. Exfiltrated data is returned through the same AWS service, and because every request is signed with AWS’s SigV4 protocol, the traffic appears to be legitimate, authenticated API use. XRayC2 supports macOS, Linux, and Windows implants, giving operators flexibility across environments, and requires only minimal AWS permissions to function. The result is a highly stealthy and persistent control channel that leverages trusted cloud services for malicious activity.
Organizations are encouraged to expand their monitoring to include API-level telemetry and behavioral analytics across cloud environments, ensuring that misuse of trusted platforms, such as AWS X-Ray, can be detected before attackers establish long-term access.
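As an added hunting example (not code from the XRayC2 research or from AWS), the following scans X-Ray segment documents, in the JSON shape carried in the Document field of BatchGetTraces results, for annotation values that look like encoded payloads rather than labels: long, strictly valid base64 with high character entropy. The segment documents and the blob are constructed for the demo.

```python
import base64
import hashlib
import json
import math
import re
from collections import Counter

# Constructed X-Ray segment documents, in the JSON shape carried in the "Document"
# field of BatchGetTraces results. The third carries a high-entropy base64 blob in
# an annotation, standing in for the encoded tasking described in the report.
BLOB = base64.b64encode(hashlib.sha256(b"constructed-a").digest()
                        + hashlib.sha256(b"constructed-b").digest()).decode()
SEGMENT_DOCUMENTS = [
    json.dumps({"id": "seg-1", "name": "checkout-api", "trace_id": "1-constructed-a",
                "annotations": {"customer_tier": "gold", "region": "us-east-1"}}),
    json.dumps({"id": "seg-2", "name": "checkout-api", "trace_id": "1-constructed-b",
                "annotations": {"order_count": 3, "cache_hit": True}}),
    json.dumps({"id": "seg-3", "name": "checkout-api", "trace_id": "1-constructed-c",
                "annotations": {"task": BLOB, "host": "web-01"}}),
]
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

def shannon_entropy(text: str) -> float:
    """Bits per character: random base64 scores near 6, ordinary labels far lower."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def is_suspicious_value(value, min_len: int = 32, min_entropy: float = 4.0) -> bool:
    """True for string annotations that look like an encoded payload rather than a label."""
    if not isinstance(value, str) or len(value) < min_len or not B64_RE.match(value):
        return False
    try:
        base64.b64decode(value, validate=True)   # reject anything that is not strict base64
    except ValueError:
        return False
    return shannon_entropy(value) >= min_entropy

def find_suspicious_annotations(documents):
    """Return (segment id, annotation key) for every annotation that trips the heuristic."""
    findings = []
    for doc in documents:
        seg = json.loads(doc)
        for key, value in seg.get("annotations", {}).items():
            if is_suspicious_value(value):
                findings.append((seg.get("id"), key))
    return findings

if __name__ == "__main__":
    for seg_id, key in find_suspicious_annotations(SEGMENT_DOCUMENTS):
        print(f"segment {seg_id}: annotation {key!r} looks like an encoded payload")
```

Tune the length and entropy thresholds against your own annotation conventions; identifiers such as UUIDs are not base64 and will not trip the check, but application teams that deliberately store encoded data in annotations will.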

Kibana CrowdStrike Connector Vulnerability Exposes Stored API Credentials

A newly disclosed vulnerability in the Kibana CrowdStrike Connector (CVE-2025-37728) allows attackers to gain unauthorized access to stored CrowdStrike API credentials across different Kibana spaces. The issue arises from insufficient credential isolation within the connector’s caching mechanism, meaning that when a connector is created in one workspace, its credentials may be inadvertently exposed to users in another. This vulnerability affects a broad range of Kibana versions, including 7.17.29 and earlier, 8.14.0 through 8.19.4, 9.0.0 through 9.0.7, and 9.1.0 through 9.1.4. The impact is classified as medium (CVSS 5.4) because it enables credential disclosure without requiring full administrative privileges or direct access to CrowdStrike systems. However, attackers who successfully exploit this issue could retrieve valid API keys and use them to query CrowdStrike data, access threat intelligence, or alter detection configurations—actions that could degrade the effectiveness of an organization’s threat visibility. Elastic confirmed that the flaw impacts all Kibana deployments utilizing the CrowdStrike Connector prior to the patched versions and that no workaround currently exists. Elastic has released fixed versions—8.18.8, 8.19.5, 9.0.8, and 9.1.5—and urges immediate upgrades to prevent further exposure. After applying updates, administrators should rotate all CrowdStrike API keys stored in affected connectors and review permission settings for each space to ensure least-privilege access. Indicators of potential compromise include unexplained API activity, new or modified connector configurations, or unauthorized access to dashboards or alerting tools. Security teams should monitor logs for CrowdStrike API requests originating from unexpected users or workspaces and validate that only trusted credentials are in use. 
Upgrading to a patched release and performing a full credential audit are the most effective defenses, followed by strengthening access controls and continuously monitoring for suspicious connector interactions across all Kibana spaces.
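The monitoring step above, as an added example that is not Elastic's code: a hunt over Kibana audit records that flags any execution of a tracked CrowdStrike connector from a space other than the one it was created in, or by a user outside its allow-list. It assumes the ECS-style audit shape with event.action values connector_create / connector_execute and the kibana.space_id and kibana.saved_object.id fields; the records and the connector inventory are constructed for the demo.

```python
import json

# Constructed Kibana audit records in the ECS JSON shape Kibana emits, assuming the
# event.action values connector_create / connector_execute and the kibana.space_id and
# kibana.saved_object.id fields. Adapt the field paths to your own audit pipeline.
AUDIT_LOG = "\n".join(json.dumps(rec) for rec in [
    {"@timestamp": "2025-10-07T08:00:00Z", "event": {"action": "connector_create"},
     "user": {"name": "soc-admin"},
     "kibana": {"space_id": "security", "saved_object": {"id": "cs-conn-1"}}},
    {"@timestamp": "2025-10-07T08:05:00Z", "event": {"action": "connector_execute"},
     "user": {"name": "soc-analyst"},
     "kibana": {"space_id": "security", "saved_object": {"id": "cs-conn-1"}}},
    {"@timestamp": "2025-10-07T09:12:00Z", "event": {"action": "connector_execute"},
     "user": {"name": "web-team"},
     "kibana": {"space_id": "marketing", "saved_object": {"id": "cs-conn-1"}}},
    {"@timestamp": "2025-10-07T09:40:00Z", "event": {"action": "connector_execute"},
     "user": {"name": "contractor-7"},
     "kibana": {"space_id": "security", "saved_object": {"id": "cs-conn-1"}}},
])

# Constructed inventory of CrowdStrike connectors: the space each lives in and who is
# expected to drive it. In practice, export this from the connectors API after patching.
CROWDSTRIKE_CONNECTORS = {
    "cs-conn-1": {"space": "security", "allowed_users": {"soc-admin", "soc-analyst"}},
}

def parse_audit_log(text):
    """Yield (timestamp, action, user, space, connector_id) for each non-empty JSON line."""
    for line in text.splitlines():
        if line.strip():
            rec = json.loads(line)
            yield (rec["@timestamp"], rec["event"]["action"], rec["user"]["name"],
                   rec["kibana"]["space_id"], rec["kibana"]["saved_object"]["id"])

def find_unexpected_connector_use(text, inventory):
    """Flag executions of a tracked connector from outside its home space or allow-list."""
    findings = []
    for ts, action, user, space, conn_id in parse_audit_log(text):
        if action != "connector_execute" or conn_id not in inventory:
            continue
        expected = inventory[conn_id]
        if space != expected["space"]:
            findings.append((ts, conn_id, user, f"executed from space {space!r}"))
        elif user not in expected["allowed_users"]:
            findings.append((ts, conn_id, user, "executed by a user outside the allow-list"))
    return findings

if __name__ == "__main__":
    for finding in find_unexpected_connector_use(AUDIT_LOG, CROWDSTRIKE_CONNECTORS):
        print(*finding)
```

Any hit against a connector whose credentials have not yet been rotated is a reason to rotate them and to review the CrowdStrike side for API activity from that window.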

Update: Microsoft Attributes Medusa Ransomware Deployments to GoAnywhere Flaw and Storm-1175

Microsoft has attributed exploitation of a critical deserialization vulnerability in Fortra’s GoAnywhere product (CVE-2025-10035, CVSS 10.0) to a cybercriminal group it tracks as Storm-1175, and linked that exploitation to the deployment of Medusa ransomware. The flaw allows an attacker to deserialize malicious objects on a public-facing GoAnywhere instance by forging a license response signature, leading to command injection and full remote code execution without prior credentials. Microsoft notes that the group has used this vector since at least September 11, 2025, and independent reporting suggests attacks began a day earlier, meaning adversaries had a head start. After achieving initial access, the actors have deployed Remote Monitoring & Management tools (SimpleHelp, MeshAgent) for persistence, placed JSP backdoors in GoAnywhere directories, conducted system enumeration, and used RDP to move laterally. They have also used Cloudflare tunnels for C2 and tools such as Rclone to exfiltrate data before executing Medusa ransomware across victim networks. This campaign weaponizes trust: GoAnywhere is often part of file transfer infrastructure, and once compromised it gives attackers a powerful foothold for lateral movement, escalation and data theft. The chain from deserialization bug to ransomware deployment is typical of modern ransomware campaigns, but the speed and stealth reported here suggest advanced planning and operational maturity by Storm-1175. Victims are likely to see signs such as unexpected service installations, JSP files where none belonged, web-based backdoors in GoAnywhere directories, inbound connections masquerading as legitimate GoAnywhere traffic, and tunnelled C2 via Cloudflare endpoints.
To defend, organizations should immediately patch to GoAnywhere versions 7.8.4 or Sustain Release 7.6.3, audit and rotate any keys or credentials used by GoAnywhere, scan GoAnywhere directories for unknown JSPs or altered files, block or closely monitor Cloudflare-related tunnels, and hunt for signs of RMM installations or lateral movement activity early.
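The "scan GoAnywhere directories for unknown JSPs or altered files" step, as an added hunting example that is not Fortra tooling: it hashes every JSP under an install root, compares the result with a known-good baseline, and reports new, modified and missing files. The directory layout is a constructed stand-in, since real install paths are deployment-specific; the baseline would normally come from a clean install of the same GoAnywhere version.

```python
import hashlib
import tempfile
from pathlib import Path

JSP_PATTERNS = ("*.jsp", "*.jspx")

def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def build_baseline(root: Path) -> dict:
    """Map each JSP under root (relative POSIX path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for pattern in JSP_PATTERNS for p in root.rglob(pattern) if p.is_file()}

def hunt_jsp_changes(root: Path, baseline: dict) -> dict:
    """Compare the live tree with a known-good baseline: new, modified and missing JSPs."""
    current = build_baseline(root)
    return {
        "new": sorted(p for p in current if p not in baseline),
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
    }

def demo() -> dict:
    """Build a constructed install tree, baseline it, then plant a stray JSP and alter a shipped one."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        webroot = root / "webapps" / "ROOT"      # constructed layout, not Fortra's real paths
        webroot.mkdir(parents=True)
        (webroot / "index.jsp").write_text("<%-- constructed shipped page --%>")
        (webroot / "login.jsp").write_text("<%-- constructed shipped page --%>")
        baseline = build_baseline(root)          # in practice, taken from a clean install
        # Simulate what the report describes: a JSP where none belonged, and a shipped file altered.
        (webroot / "help.jsp").write_text("<%-- constructed unexpected file --%>")
        (webroot / "login.jsp").write_text("<%-- constructed altered page --%>")
        return hunt_jsp_changes(root, baseline)

if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind}: {p}")
```

Run it against a quiesced copy of the install, and treat any "new" entry in a directory that ships no JSPs as a priority for review rather than a tuning candidate.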

Hunter Strategy encourages our readers to look for updates in our daily Trending Topics and on Twitter.