Cloud Security, Malware

Winnti backdoor harvests cloud metadata tokens

A stealthy new Linux backdoor attributed to the APT41 group, also tracked as Winnti, is actively harvesting cloud credentials from major infrastructure providers using an unorthodox SMTP-based communication channel that has successfully evaded widespread detection, according to Cyber Press.

The malware, a stripped and statically linked ELF binary, queries the internal instance-metadata services on AWS, Google Cloud, Azure, and Alibaba Cloud to siphon access tokens and identity information, then encrypts the loot with AES-256 before exfiltration. Rather than relying on conventional HTTP traffic, the implant hides its command-and-control traffic inside SMTP on port 25, a tactic that lets it blend into background network noise and bypass security tools that seldom perform deep inspection of SMTP streams.

Researchers at Breakglass note the operation employs a selective handshake mechanism that presents a benign facade to scanning engines and responds fully only to victims that complete the expected authentication. The campaign infrastructure leverages typosquatting domains mimicking legitimate Alibaba services and supports lateral UDP broadcast discovery for peer-to-peer communication within compromised networks. This iteration represents a six-year refinement of Winnti's Linux capabilities, pivoting decisively toward cloud-native credential theft.
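As an added detection sketch (not code from the article or the cited researchers), the following Python correlates the two behaviours described above: a host querying an instance-metadata endpoint and then opening an outbound SMTP connection shortly afterwards. The flow records, mail-relay allow-list and correlation window are constructed assumptions; the metadata addresses are the providers' documented endpoints.

```python
"""Correlate instance-metadata lookups with outbound SMTP from the same
host. Flow records, allow-list and window below are constructed sample
data for illustration (added example, not from the article)."""
from collections import defaultdict

# Documented instance-metadata endpoints for the providers the article names.
METADATA_ENDPOINTS = {
    "169.254.169.254",   # AWS, Azure, GCP (GCP also uses metadata.google.internal)
    "100.100.100.200",   # Alibaba Cloud ECS
}
SMTP_PORTS = {25, 465, 587}

# Constructed flow log lines: timestamp,src_ip,dst_ip,dst_port,proto
FLOWS = """\
1700000000,10.0.1.5,169.254.169.254,80,tcp
1700000002,10.0.1.5,198.51.100.77,25,tcp
1700000010,10.0.1.9,169.254.169.254,80,tcp
1700000011,10.0.1.9,203.0.113.10,443,tcp
1700000020,10.0.2.3,100.100.100.200,80,tcp
1700000025,10.0.2.3,198.51.100.78,25,tcp
1700000030,10.0.3.8,192.0.2.9,25,tcp
"""

# Hosts legitimately permitted to talk SMTP (constructed allow-list).
MAIL_RELAYS = {"10.0.3.8"}

def parse_flows(text):
    rows = []
    for line in text.strip().splitlines():
        ts, src, dst, port, proto = line.split(",")
        rows.append((int(ts), src, dst, int(port), proto))
    return rows

def find_suspicious_hosts(flows, window=300):
    """Return hosts that hit a metadata endpoint and, within `window`
    seconds afterwards, opened outbound SMTP, unless on the relay allow-list."""
    last_metadata = {}
    hits = defaultdict(list)
    for ts, src, dst, port, proto in sorted(flows):
        if dst in METADATA_ENDPOINTS:
            last_metadata[src] = ts
        elif port in SMTP_PORTS and src not in MAIL_RELAYS:
            t0 = last_metadata.get(src)
            if t0 is not None and ts - t0 <= window:
                hits[src].append((t0, ts, dst))
    return dict(hits)
```

On real data, feed VPC flow logs or Zeek conn records in place of the constructed lines; the same two-step pattern is what the article's SMTP channel would produce from a host that has just read its metadata service.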
