Profiling JavaGhost: Tactics, History & Defenses

May 22, 2025

This post is part of our ongoing series on cloud-focused threat actors, designed to increase visibility and awareness of their methods, bolster your defenses, and help close the gap between traditional cyber threat intelligence (CTI) and cloud security. Each installment will spotlight some well-known and lesser-known adversaries in the cloud, providing a concise profile, mapped TTPs, and an incident response checklist.

Summary

  • Threat Actor: JavaGhost (Indonesia-nexus), a.k.a. TGR-UNK-0011.
  • Motivation: Cybercrime seeking financial gain.
  • Targeting: Opportunistic attacks against AWS environments, sector-agnostic.
  • Attack Types: Stolen IAM keys to abuse SES/WorkMail for phishing emails; IAM users/roles for persistence; detection evasion using non-standard API calls; etc.
  • Defenses: Secure storage of credentials; CloudTrail monitoring; anti-phishing filters; etc.

Overview

JavaGhost (a.k.a. TGR-UNK-0011) is assessed to be an Indonesia-nexus cybercriminal threat actor, with first signs of activity observed as early as November 2018. Their primary motivation is financial gain, and they have conducted website defacements, credential theft, likely SMS messaging scams, and phishing via cloud-native infrastructure.

Between 2018 and 2021, JavaGhost built its reputation on website defacements signed by multiple team handles, often leaving Bahasa Indonesia phrases on victim sites, such as “berhenti menyalahkan segalanya”. In May 2021, an open-source report detailed how a victim’s Twilio API credentials were stolen and used to send roughly 10,000 fraudulent SMS messages branded “JavaGhost – Mass Twilio Checker.” Based on the overlap in name, this incident is assessed with realistic probability to be associated with the threat actor. Furthermore, it likely underscores their shift toward abusing legitimate services.

In 2022, JavaGhost pivoted into cloud-native phishing operations. They scan for exposed AWS IAM keys and abuse compromised SES and WorkMail accounts to send high volumes of phishing emails that appear to originate from trusted domains. To minimize detection, they avoid the typical GetCallerIdentity API calls in CloudTrail, instead using GetFederationToken and GetSigninToken to generate console URLs without creating new resources or raising billing alerts.

More recently, in 2025, JavaGhost has adopted a novel technique within AWS environments, effectively creating a “persistence-as-a-service” mechanism. By deploying API Gateway endpoints fronting Lambda functions, the actor can retain access long after initial credentials are revoked. Even if victim IAM keys are rotated or disabled, JavaGhost makes external HTTP calls to its API Gateway, triggering the Lambda to spin up new malicious IAM users on demand.

TTPs

All of the details below are also available in our GitHub repository, which provides background on each observed technique along with corresponding MITRE ATT&CK mappings, making it easy to map these insights directly to your cloud logs.

Overview of TTPs for JavaGhost (Cloud Techniques Table)

Columns: Tactic | Technique ID | Technique, followed by the observed context for each platform.

Initial Access | T1078.004 | Valid Accounts: Cloud Accounts
  • Twilio: Stolen Twilio API credentials used to access the platform and send fraudulent SMS messages.
  • AWS: Exploiting long-term IAM access keys to gain access to AWS environments, enabling unauthorized console access.

Initial Access | T1566.002 | Phishing: Spearphishing Link
  • AWS: Using SES/WorkMail to send phishing emails with malicious links to trick users into revealing credentials or accessing malicious content.

Execution | T1648 | Serverless Execution
  • AWS: Creating a Lambda function named "buckets555" for malicious execution, likely to run unauthorized code or scripts in the AWS environment.

Persistence | T1078.004 | Valid Accounts: Cloud Accounts
  • AWS: Using temporary STS credentials for persistent AWS console access, maintaining a foothold without needing permanent credentials.

Persistence | T1136.003 | Create Account: Cloud Account
  • Twilio: The threat actor created subaccounts in Twilio to manage fraudulent activities.
  • AWS: Creating IAM users with login profiles and administrative permissions to maintain long-term access to the AWS environment.

Persistence | T1543.005 | Create or Modify System Process: Cloud Instance
  • AWS: Creating an EC2 security group named “Administratorsz” to ensure persistent access or control over cloud instances.

Privilege Escalation | T1078.004 | Valid Accounts: Cloud Accounts
  • AWS: Attaching administrative policies to IAM users, granting elevated access to perform privileged actions in the AWS environment.

Defense Evasion | T1550.001 | Use Alternate Authentication Material: Application Access Token
  • Twilio: Stolen Twilio API tokens (likely) used for programmatic authentication to send SMS messages, bypassing user-level authentication.
  • AWS: Using temporary STS credentials/login URLs to authenticate and bypass detection mechanisms in the AWS environment.

Defense Evasion | T1562.008 | Impair Defenses: Disable or Modify Cloud Logs
  • AWS: Avoiding GetCallerIdentity API calls to evade CloudTrail detection, reducing visibility of malicious activities.

Collection | T1530 | Data from Cloud Storage
  • AWS: Potential reconnaissance of S3 buckets via the Lambda function "buckets555," likely to identify or access sensitive data.

Command and Control | T1071.001 | Application Layer Protocol: Web Protocols
  • AWS: Using the AWS console over HTTPS for command and control, managing malicious activities via web protocols.

Command and Control | T1090.002 | Proxy: External Proxy
  • AWS: Routing callbacks through residential/ISP proxies or freely available VPN services to obscure the source of malicious traffic.

Impact | T1491 | Defacement
  • Websites: Defacements signed by multiple team handles with Bahasa Indonesia phrases, indicating public-facing impact.

Impact | T1496 | Resource Hijacking
  • Twilio: Sending ~10,000 fraudulent SMS messages using the victim’s Twilio account, incurring costs and disrupting operations.
  • AWS: Hijacking SES/WorkMail for phishing campaigns and other AWS resources for malicious purposes, abusing victim infrastructure.
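
The behaviours in the table map to a handful of CloudTrail record patterns. The following rule-based triage is an added example written for this post (it is not code from the original article or from the GitHub repository it references): it flags console sessions minted from long-term IAM keys via GetFederationToken/GetSigninToken, IAM user/login-profile/policy changes made by an assumed-role session such as a Lambda execution role, Lambda and API Gateway setup, and the resource names observed in the campaign. The eventName values are real CloudTrail names; the sample records, account ID, user names and key IDs are constructed.

```python
"""Rule-based triage of CloudTrail records for JavaGhost-style activity (added example,
not code from the original post or its GitHub repository). eventName values are real
CloudTrail names; the sample records at the bottom are constructed."""

IAM_PERSISTENCE = {"CreateUser", "CreateLoginProfile", "AttachUserPolicy", "CreateAccessKey"}
CONSOLE_SESSION = {"GetFederationToken", "GetSigninToken"}
SERVERLESS_SETUP = {"CreateFunction20150331", "CreateRestApi"}  # Lambda fronted by API Gateway
ACTOR_NAMES = {"buckets555", "Administratorsz"}                # resource names seen in the campaign

def triage(event: dict) -> list[str]:
    """Return the names of every rule a single CloudTrail record matches."""
    name = event.get("eventName", "")
    ident = event.get("userIdentity") or {}
    params = event.get("requestParameters") or {}
    hits = []
    # Console URL minted from a long-term key: IAM access keys start with AKIA,
    # temporary STS keys with ASIA.
    if name in CONSOLE_SESSION and ident.get("accessKeyId", "").startswith("AKIA"):
        hits.append("console_session_from_long_term_key")
    # IAM user/password/policy changes made by an assumed-role session (a Lambda
    # execution role appears this way) rather than by a named human principal.
    if name in IAM_PERSISTENCE and ident.get("type") == "AssumedRole":
        hits.append("iam_persistence_from_assumed_role")
    if name == "AttachUserPolicy" and params.get("policyArn", "").endswith("/AdministratorAccess"):
        hits.append("admin_policy_attached")
    if name in SERVERLESS_SETUP:
        hits.append("serverless_persistence_setup")
    for value in (params.get("functionName"), params.get("groupName")):
        if value in ACTOR_NAMES:
            hits.append(f"known_actor_name:{value}")
    return hits

def scan(records: list[dict]) -> dict[int, list[str]]:
    """Map record index -> matched rules, omitting records with no hits."""
    return {i: h for i, e in enumerate(records) if (h := triage(e))}

# Constructed sample records (field shapes follow the CloudTrail record format, values are made up).
USER = {"type": "IAMUser", "userName": "ci-deploy", "accessKeyId": "AKIAEXAMPLE00000001"}
LAMBDA_ROLE = {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE00000002",
               "arn": "arn:aws:sts::111122223333:assumed-role/buckets555-role/buckets555"}
SAMPLE_EVENTS = [
    {"eventName": "GetFederationToken", "userIdentity": USER},
    {"eventName": "CreateUser", "userIdentity": LAMBDA_ROLE, "requestParameters": {"userName": "svc-backup"}},
    {"eventName": "AttachUserPolicy", "userIdentity": LAMBDA_ROLE,
     "requestParameters": {"userName": "svc-backup", "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventName": "CreateSecurityGroup", "userIdentity": USER, "requestParameters": {"groupName": "Administratorsz"}},
    {"eventName": "GetObject", "userIdentity": USER},
]
```

Running `scan(SAMPLE_EVENTS)` flags records 0 to 3 and leaves the benign GetObject untouched; a legitimate GetFederationToken call made with temporary (ASIA) credentials also produces no hit, which is what keeps the first rule usable in accounts where federation is in normal use.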

Incident Response Checklist

Here are several practical, universal, and high-impact steps to prepare for and respond to cloud-based attacks, including the TTPs mentioned above (this list isn’t exhaustive, but it highlights key areas where defenders can focus their efforts):

1. Enable Comprehensive AWS Logging: Use these logs to prepare for, detect and respond to an incident; together they cover API calls, email activity and network traffic.

  • CloudTrail (management and data events)
  • SES send statistics
  • VPC Flow Logs

2. Store and Retain Logs: Use these considerations to increase your response capabilities. 

  • Minimum Retention: 90 days
  • Recommended: 180 days or more

3. Enforce MFA and Least Privilege IAM: Use these actions to prevent unauthorized access and persistence.

  • Require MFA for all IAM users/roles
  • Use short-lived session tokens
  • Implement least privilege IAM policies

4. Monitor and Restrict SES/WorkMail Usage: Use these settings and monitor WorkMail activity to detect and limit phishing campaigns abusing AWS email services.

  • Set SES sending quotas
  • Enable DKIM/SPF

5. Block and Investigate Suspicious Network Traffic: Use these logs to detect and respond to actor-controlled network connections, such as C2 traffic.

  • Route 53 DNS Logs
  • VPC Flow Logs

A basic IR Runbook for JavaGhost

For additional security considerations and detection queries, see Palo Alto Networks Unit 42’s “JavaGhost’s Persistent Phishing Attacks From the Cloud” and Datadog Security Labs’ “Tales from the Cloud Trenches: The Attacker doth persist too much, methinks.”

About Invictus Incident Response

We are an incident response company, we ❤️ the cloud, and we specialize in supporting organizations in preparing for and responding to cyber attacks. We help our clients stay undefeated!

🆘 For Incident Response support, reach out to cert@invictus-ir.com or go to https://www.invictus-ir.com/24-7