This post is part of our ongoing series on cloud-focused threat actors, designed to increase visibility and awareness of their methods, bolster your defenses, and help close the gap between traditional cyber threat intelligence (CTI) and cloud security. Each installment will spotlight some well-known and lesser-known adversaries in the cloud, providing a concise profile, mapped TTPs, and an incident response checklist.
Summary
- Threat Actor: JavaGhost (Indonesia-nexus), a.k.a. TGR-UNK-0011.
- Motivation: Cybercrime seeking financial gain.
- Targeting: Opportunistic attacks against AWS environments, sector-agnostic.
- Attack Types: Stolen IAM keys to abuse SES/WorkMail for phishing emails; IAM users/roles for persistence; detection evasion using non-standard API calls; etc.
- Defenses: Secure storage of credentials; CloudTrail monitoring; anti-phishing filters; etc.
Overview
JavaGhost (a.k.a. TGR-UNK-0011) is assessed to be an Indonesia-nexus cybercriminal threat actor, with first signs of activity observed as early as November 2018. Their primary motivation is financial gain, and they have conducted website defacements, credential theft, likely SMS messaging scams, and phishing via cloud-native infrastructure.
Between 2018 and 2021, JavaGhost built its reputation on website defacements signed by multiple team handles, often leaving Bahasa Indonesia phrases on victim sites, such as “berhenti menyalahkan segalanya”. In May 2021, an open-source report detailed a victim’s Twilio API credentials were stolen and used to send roughly 10,000 fraudulent SMS messages branded “JavaGhost – Mass Twilio Checker.” This incident is assessed with realistic probability to be associated with the threat actor based on the overlaps in name. Furthermore, it likely underscores their shift toward abusing legitimate services.
In 2022, JavaGhost pivoted into cloud-native phishing operations. They scan for exposed AWS IAM keys and abuse compromised SES and WorkMail accounts to send high volumes of phishing emails that appear to originate from trusted domains. To minimize detection, they avoid the typical GetCallerIdentity API calls in CloudTrail, instead using GetFederationToken and GetSigninToken to generate console URLs without creating new resources or raising billing alerts.
More recently, in 2025, JavaGhost has adopted a novel technique within AWS environments, effectively creating a “persistence-as-a-service” mechanism. By deploying API Gateway endpoints fronting Lambda functions, the actor can retain access long after initial credentials are revoked. Even if victim IAM keys are rotated or disabled, JavaGhost makes external HTTP calls to its API Gateway, triggering the Lambda to spin up new malicious IAM users on demand.
TTPs
All of the details below are also available in our GitHub repository, which provides background on each observed technique along with corresponding MITRE ATT&CK mappings, making it easy to map these insights directly to your cloud logs.

Incident Response Checklist
Here are several practical, universal, and high-impact steps to prepare for and respond to cloud-based attacks, including the TTPs mentioned above (this list isn’t exhaustive, but it highlights key areas where defenders can focus their efforts):
1. Enable Comprehensive AWS Logging: Use these logs to prepare, detect and respond to an incident.
- Configure CloudTrail (management and data events)
- SES Send Statistics
- VPC Flow Logs (API calls, email activity, and network traffic)
2. Store and Retain Logs: Use these considerations to increase your response capabilities.  
- Minimum Retention: 90 days
- Recommended: 180 days or more
3. Enforce MFA and Least Privilege IAM: Use these actions to prevent unauthorized access and persistence. 
- Require MFA for all IAM users/roles
- Use short-lived session tokens
- Implement least privilege IAM policies
4. Monitor and Restrict SES/WorkMail Usage: Use these settings and monitor WorkMail activity to detect and limit phishing campaigns abusing AWS email services. 
- Set SES sending quotas
- Enable DKIM/SPF
5. Block and Investigate Suspicious Network Traffic: Use these logs to detect and respond to actor-controlled network connections, such as C2 traffic. 
- Route 53 DNS Logs
- VPC Flow Logs

For additional security considerations and detection queries, see Palo Alto Networks Unit 42’s “JavaGhost’s Persistent Phishing Attacks From the Cloud” and Datadog Security Labs’ “Tales from the Cloud Trenches: The Attacker doth persist too much, methinks.”
About Invictus Incident Response
We are an incident response company and we ❤️ the cloud and specialize in supporting organizations in preparing and responding to a cyber attack. We help our clients stay undefeated!
🆘 Incident Response support reach out to cert@invictus-ir.com or go to https://www.invictus-ir.com/24-7