A collection of cloud malware & hacktools

A repository of interesting scripts related to AlienFox & Friends

AlienFox is a label for a series of communally developed Python scripts that are used to attack improperly secured cloud services. These tools are based on the Androxgh0st code snippets found on GitHub.

The dominant themes I've seen is targeting of AWS and/or Laravel. These scripts aim to enable spamming on the victim's resources (cloud service, webserver).

Several of these scripts are explicitly named AlienFox. You can find the name AlienFox in the script name or internally declared in the script's ASCII art logo.

Files related to Predator AI, an actively maintained multipurpose cloud attack tool. Borrows components of Androxgh0st & AlienFox. The AI features are in beta. There may be an OpenAI API key in there. This tool requires a lot of hand holding to actually run, so reach out if you want help with that.

Several files from the 2023 TeamTNT-like campaign collecting credentials from AWS, Azure, & GCP.

These are cloud hack tools, dare I say CLOUD MALWARE! Please be careful and use them for research purposes--do no evil.

I did not write these scripts. I found them in code and malware repositories.

• Analyze the reconnaissance mechanisms and check your assets/organization's exposure on these sites.
• Build detections based on TTPs like the persistence & privilege escalation profiles or user account names (props to Permiso for this Androxgh0st tip).
• If you want to find the authors, grep for "t.me" in these files. You will find author handles and distribution channels on Telegram.
• Build these techniques into your red team ops. The configuration parsing scripts are particularly interesting from this standpoint. It may be less fruitful if your org doesn't use Laravel, but there are plenty of AF variants that parse other text-like configuration file types.