{"id":47871,"date":"2022-07-21T00:00:00","date_gmt":"2022-07-21T00:00:00","guid":{"rendered":"https:\/\/www.threatshub.org\/blog\/alibaba-oss-buckets-compromised-to-distribute-malicious-shell-scripts-via-steganography-sr-security-researcher-threat-researcher\/"},"modified":"2022-07-21T00:00:00","modified_gmt":"2022-07-21T00:00:00","slug":"alibaba-oss-buckets-compromised-to-distribute-malicious-shell-scripts-via-steganography-sr-security-researcher-threat-researcher","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/alibaba-oss-buckets-compromised-to-distribute-malicious-shell-scripts-via-steganography-sr-security-researcher-threat-researcher\/","title":{"rendered":"Alibaba OSS Buckets Compromised to Distribute Malicious Shell Scripts via Steganography Sr. Security Researcher Threat Researcher"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/g\/alibaba-oss-buckets-compromised-to-distribute-malicious-shell-scripts-via-steganography\/Alibaba%20Cloud_641.jpg\"> <head> <meta charset=\"UTF-8\"> <meta property=\"article:published_time\" content=\"2022-07-21\"> <link rel=\"canonical\" href=\"https:\/\/www.trendmicro.com\/en_us\/research\/22\/g\/alibaba-oss-buckets-compromised-to-distribute-malicious-shell-sc.html\"> <title>Alibaba OSS Buckets Compromised to Distribute Malicious Shell Scripts via Steganography<\/title> <meta property=\"og:site_name\" content=\"Trend Micro\"> <\/head> <body class=\"articlepage page basicpage context-business\" id=\"readabilityBody\" readability=\"49.376180408739\"> <\/p>\n<div class=\"root responsivegrid\">\n<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12 \">\n<div class=\"articleBodyNoHero aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"research-layout article container\" role=\"contentinfo\">\n<article class=\"research-layout--wrapper row\" data-article-pageid=\"1253156667\">\n<div class=\"col-xs-12 col-md-12 one-column\">\n<div class=\"col-xs-12 col-md-12\" readability=\"8.7685714285714\">\n<div class=\"article-details\" role=\"heading\" readability=\"37.022857142857\"> <span class=\"article-details__bar\" role=\"img\"><\/span> <\/p>\n<p class=\"article-details__display-tag\">Cloud<\/p>\n<p class=\"article-details__description\">In this blog entry, we discuss a malicious campaign that targets Alibaba Cloud\u2019s OSS buckets with leaked credentials for malware distribution and cryptojacking. <\/p>\n<p class=\"article-details__author-by\">By: Alfredo Oliveira, David Fiser <time class=\"article-details__date\">July 21, 2022<\/time> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<hr class=\"research-layout-divider\"> <main class=\"main--content col-xs-12 col-md-8 col-md-push-2\"> <\/p>\n<div class=\"richText\" readability=\"41.946514103246\">\n<div readability=\"34.278871740287\">\n<p>Previously, we reported on how threat actors are targeting multiple cloud environments such as <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/21\/j\/actors-target-huawei-cloud-using-upgraded-linux-malware-.html\" target=\"_blank\" rel=\"noopener\">Huawei Cloud<\/a> to host <a href=\"https:\/\/www.trendmicro.com\/vinfo\/tmr\/?\/us\/security\/news\/cybercrime-and-digital-threats\/security-101-the-impact-of-cryptocurrency-mining-malware\">cryptocurrency-mining<\/a> malware by abusing
misconfiguration issues and weak or stolen credentials obtained from a previous malware infection.<\/p>\n<p>This time, we have identified a malicious campaign using the <a href=\"https:\/\/www.alibabacloud.com\/product\/object-storage-service\">object storage service (OSS)<\/a> of Alibaba Cloud (also known as Aliyun) for malware distribution and illicit cryptocurrency-mining activities. OSS is a service that allows Alibaba Cloud customers to store data like web application images and backup information in the cloud. Unfortunately, this is not the first time that we\u2019ve seen malicious actors targeting Alibaba Cloud: Earlier this year, we detailed how malicious actors <a href=\"https:\/\/www.trendmicro.com\/en_us\/devops\/22\/b\/cryptojacking-attacks-target-alibaba-ecs-instances.html\" target=\"_blank\" rel=\"noopener\">disabled features<\/a> inside Alibaba Cloud for cryptojacking purposes.<\/p>\n<p><span class=\"body-subhead-title\">How malicious actors abuse unsecure OSS buckets, credentials<\/span><\/p>\n<p>To secure an OSS bucket, a user has <a href=\"https:\/\/www.alibabacloud.com\/help\/en\/object-storage-service\/latest\/tutorial-use-ram-policies-to-control-access-to-oss\">to set up a proper access policy<\/a>. If this is done incorrectly, a malicious user can upload or download a user\u2019s files to or from the bucket itself.<\/p>\n<p>Malicious actors can also get hold of a user\u2019s OSS bucket by obtaining their <a href=\"https:\/\/www.alibabacloud.com\/help\/en\/log-service\/latest\/accesskey-pair\"><span>AccessKey ID and AccessKey secret<\/span><\/a> or an auth-token. Any of these can be stolen from previously compromised services, particularly those that have secrets accessible as configurations inside plain-text files or environment variables. Malicious actors can also obtain access to an OSS bucket by using credential stealers.
<a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/21\/e\/teamtnt-extended-credential-harvester-targets-cloud-services-other-software.html\" target=\"_blank\" rel=\"noopener\">TeamTNT\u2019s extended credential harvester<\/a> is a notorious example of a stealer that targeted multiple cloud environments.&nbsp;<\/p>\n<p>When we investigated the technical details of this campaign, we saw that one of the shell scripts contained a reference to OSS<i> <\/i>KeySecret and GitHub. Initially, we assumed that malicious actors simply search for credentials that have been inadvertently pushed into the GitHub public repository.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/g\/alibaba-oss-buckets-compromised-to-distribute-malicious-shell-scripts-via-steganography\/Fig%201_Alibaba%20OSS%20Buckets.png\" alt=\"A comment inside a malicious script suggesting that a bad developer practice has been exploited\"><figcaption>Figure 1. A comment inside a malicious script suggesting that a bad developer practice has been exploited<\/figcaption><\/figure>\n<\/p><\/div>\n<div>\n<div class=\"richText\" readability=\"32\">\n<div readability=\"9\">\n<p>We saw a comment on a malicious script in one of the samples that we analyzed and confirmed our initial assumption after using Google Translate to obtain an English translation of the comment that was originally written in Chinese.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/g\/alibaba-oss-buckets-compromised-to-distribute-malicious-shell-scripts-via-steganography\/Fig%202_Alibaba%20OSS%20Buckets.png\" alt=\"The English translation of the comment written inside a malicious script\"><figcaption>Figure 2. 
The English translation of the comment written inside a malicious script<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"45\">\n<div readability=\"35\">\n<p><span class=\"body-subhead-title\">The role of steganography in distributing malware to exploited OSS buckets<\/span><\/p>\n<p>Upon further investigation, we discovered that malicious actors uploaded images that contained an embedded shell script to the compromised OSS buckets using steganography.<\/p>\n<p>Steganography is a technique used by malicious actors to bypass defense mechanisms, especially network-related ones. The simplest version of this tactic involves simply changing the extension of the malicious file to a trivial one, such as \u201c.png\u201d. As a result, a security proxy that only looks at a file\u2019s extension would grant access to the malicious file.<\/p>\n<p>After this technique was uncovered, cybercriminals were forced to improve their tactics. For example, they started hiding malware in images and videos for obfuscation purposes. Typically, a simple security solution looks at an image file by analyzing its header. If the header matches that of a file type usually considered harmless (like a PNG file), then the solution would grant the file access into a corporation\u2019s network \u2014 even if it contains malicious scripts.<\/p>\n<p>In the campaign we analyzed, the malicious actors opted to use a simple steganography tactic and embedded malware inside an image file. The PNG image itself is a legitimate image file, but the malicious actors appended a malicious shell script at the end of it. 
A user would therefore be able to access the image itself without seeing the malicious script attached to the file.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/g\/alibaba-oss-buckets-compromised-to-distribute-malicious-shell-scripts-via-steganography\/Fig%203_Alibaba%20OSS%20Buckets.png\" alt=\"The image containing a malicious shell script\"><figcaption>Figure 3. The image containing a malicious shell script<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"31.842105263158\">\n<div readability=\"10.614035087719\">\n<p>As Figure 4 shows, when the command <a href=\"https:\/\/www.man7.org\/linux\/man-pages\/man1\/file.1.html\">&#8220;file&#8221;<\/a> is used, it reads the header of the picture and determines that it is an image file. Using a tool like <a href=\"https:\/\/man7.org\/linux\/man-pages\/man4\/hd.4.html\">&#8220;hd&#8221;<\/a> to check the raw content of the file results in the same outcome in which the header is considered compatible with that of a PNG file.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/g\/alibaba-oss-buckets-compromised-to-distribute-malicious-shell-scripts-via-steganography\/Fig%204_Alibaba%20OSS%20Buckets.png\" alt=\"The PNG header of the downloaded file\"><figcaption>Figure 4. 
The PNG header of the downloaded file<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32.5\">\n<div readability=\"10\">\n<p>However, upon downloading the image and doing a closer investigation, we found the embedded malicious shell script.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/g\/alibaba-oss-buckets-compromised-to-distribute-malicious-shell-scripts-via-steganography\/Fig%205_Alibaba%20OSS%20Buckets.png\" alt=\"The malicious shell script embedded inside a PNG file\"><figcaption>Figure 5. The malicious shell script embedded inside a PNG file<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"29.867957746479\">\n<div readability=\"9.1901408450704\">\n<p>The malware authors used a Unix <a href=\"https:\/\/man7.org\/linux\/man-pages\/man1\/dd.1.html\">dd command-line utility<\/a> program to extract the malicious shell script after the download was completed. Because this command is typically used in more advanced tasks, it\u2019s evident that the authors have at least intermediate knowledge of Unix systems.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/g\/alibaba-oss-buckets-compromised-to-distribute-malicious-shell-scripts-via-steganography\/Fig%206_Alibaba%20OSS%20Buckets.png\" alt=\"From PNG file to malicious code execution\"><figcaption>Figure 6. 
From PNG file to malicious code execution<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"40.12106918239\">\n<div readability=\"28.320754716981\">\n<h2><span class=\"body-subhead-title\">Shell scripts target misconfigured Redis instances to mine Monero<\/span><\/h2>\n<p>We observed that the payload itself illicitly mined Monero using <a href=\"https:\/\/github.com\/xmrig\/xmrig\">XMRig<\/a>, an open-source and multiplatform Monero miner. The campaign used the xmr-asia1[.]nanopool[.]org pool. The malicious shell scripts also targeted <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/20\/d\/more-than-8-000-unsecured-redis-instances-found-in-the-cloud.html\" target=\"_blank\" rel=\"noopener\">misconfigured Redis instances<\/a>, which can be abused to perform remote code execution (RCE). This is similar to what multiple threat actors involved in a cryptojacking competition (such as <a href=\"https:\/\/www.trendmicro.com\/vinfo\/tmr\/?\/gb\/security\/news\/cybercrime-and-digital-threats\/teamtnt-activities-probed\" target=\"_blank\" rel=\"noopener\">TeamTNT<\/a> and <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/20\/d\/exposed-redis-instances-abused-for-remote-code-execution-cryptocurrency-mining.html\" target=\"_blank\" rel=\"noopener\">Kinsing<\/a>) have done in the past.<\/p>\n<h2><span class=\"body-subhead-title\">Conclusion and Trend Micro solution<\/span><\/h2>\n<p>We are continuously observing how cybercriminals are adapting to new environments and targeting an increasing number of cloud services. As we predict that this will be an enduring trend, we advise cloud users to be aware that in most cases, malicious actors will continue to exploit both misconfiguration issues and design issues in cloud services to easily access authentication tokens.<\/p>\n<p>Developers should also avoid putting any credentials and secrets into the version control systems of their choice or pushing them into publicly accessible repositories.
Indeed, this investigation is further proof that malicious actors are always actively seeking leaked or exposed credentials.<\/p>\n<p>Security solutions such as&nbsp;<a href=\"https:\/\/www.trendmicro.com\/en_us\/business\/products\/hybrid-cloud.html\">Trend Micro Cloud One\u2122<\/a>&nbsp;protect cloud-native systems and their various layers. By leveraging this solution, enterprises gain access to protection for continuous integration and continuous delivery (CI\/CD) pipeline and applications. The Trend Micro Cloud One platform also includes&nbsp;<a href=\"https:\/\/www.trendmicro.com\/en_us\/business\/products\/hybrid-cloud\/cloud-one-workload-security.html\" target=\"_blank\" rel=\"noopener\">Workload Security<\/a>&nbsp;runtime protection for workloads.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"35\">\n<div readability=\"15\">\n<h2><span class=\"main-subtitle-black\"><span class=\"body-subhead-title\">Indicators of compromise (IOCs)<\/span><\/span><\/h2>\n<p><span class=\"body-subhead-title\">MITRE ATT&amp;CK\u00ae table<\/span><\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/g\/alibaba-oss-buckets-compromised-to-distribute-malicious-shell-scripts-via-steganography\/MITRE_Alibaba%20OSS%20Buckets.png\" alt=\"MITRE ATT&amp;CK\u00ae table\"> <\/figure>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/article>\n<\/div>\n<\/div><\/div>\n<\/div>\n<p> <!-- \/* Core
functionality javascripts, absolute URL to leverage Akamai CDN *\/ --> <\/body> Read More <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/22\/g\/alibaba-oss-buckets-compromised-to-distribute-malicious-shell-sc.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In this blog entry, we discuss a malicious campaign that targets Alibaba Cloud\u2019s OSS buckets with leaked credentials for malware distribution and cryptojacking. Read More HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":47872,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[61],"tags":[9510,9520,9513,9509],"class_list":["post-47871","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-trendmicro","tag-trend-micro-research-articles-news-reports","tag-trend-micro-research-cloud","tag-trend-micro-research-malware","tag-trend-micro-research-research"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.7 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Alibaba OSS Buckets Compromised to Distribute Malicious Shell Scripts via Steganography Sr. Security Researcher Threat Researcher 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub.
100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/alibaba-oss-buckets-compromised-to-distribute-malicious-shell-scripts-via-steganography-sr-security-researcher-threat-researcher\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Alibaba OSS Buckets Compromised to Distribute Malicious Shell Scripts via Steganography Sr. Security Researcher Threat Researcher 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/alibaba-oss-buckets-compromised-to-distribute-malicious-shell-scripts-via-steganography-sr-security-researcher-threat-researcher\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2022-07-21T00:00:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/g\/alibaba-oss-buckets-compromised-to-distribute-malicious-shell-scripts-via-steganography\/Alibaba%20Cloud_641.jpg\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"6 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/alibaba-oss-buckets-compromised-to-distribute-malicious-shell-scripts-via-steganography-sr-security-researcher-threat-researcher\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/alibaba-oss-buckets-compromised-to-distribute-malicious-shell-scripts-via-steganography-sr-security-researcher-threat-researcher\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"Alibaba OSS Buckets Compromised to Distribute Malicious Shell Scripts via Steganography Sr. Security Researcher Threat Researcher\",\"datePublished\":\"2022-07-21T00:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/alibaba-oss-buckets-compromised-to-distribute-malicious-shell-scripts-via-steganography-sr-security-researcher-threat-researcher\\\/\"},\"wordCount\":1127,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/alibaba-oss-buckets-compromised-to-distribute-malicious-shell-scripts-via-steganography-sr-security-researcher-threat-researcher\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2022\\\/08\\\/alibaba-oss-buckets-compromised-to-distribute-malicious-shell-scripts-via-steganography-sr-security-researcher-threat-researcher.png\",\"keywords\":[\"Trend Micro Research : Articles, News, Reports\",\"Trend Micro Research : Cloud\",\"Trend Micro Research : Malware\",\"Trend Micro Research : 
Research\"],\"articleSection\":[\"TrendMicro\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/alibaba-oss-buckets-compromised-to-distribute-malicious-shell-scripts-via-steganography-sr-security-researcher-threat-researcher\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/alibaba-oss-buckets-compromised-to-distribute-malicious-shell-scripts-via-steganography-sr-security-researcher-threat-researcher\\\/\",\"name\":\"Alibaba OSS Buckets Compromised to Distribute Malicious Shell Scripts via Steganography Sr. Security Researcher Threat Researcher 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/alibaba-oss-buckets-compromised-to-distribute-malicious-shell-scripts-via-steganography-sr-security-researcher-threat-researcher\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/alibaba-oss-buckets-compromised-to-distribute-malicious-shell-scripts-via-steganography-sr-security-researcher-threat-researcher\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2022\\\/08\\\/alibaba-oss-buckets-compromised-to-distribute-malicious-shell-scripts-via-steganography-sr-security-researcher-threat-researcher.png\",\"datePublished\":\"2022-07-21T00:00:00+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/alibaba-oss-buckets-compromised-to-distribute-malicious-shell-scripts-via-steganography-sr-security-researcher-threat-researcher\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/alibaba-oss-buckets-compromised-to-distribute-malicious-shell-scripts-via-steganography-sr-security-researcher-threat-researcher\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/alibaba-oss-buckets-compromised-to-distribute-malicious-shell-scripts-via-steganography-sr-security-researcher-threat-researcher\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2022\\\/08\\\/alibaba-oss-buckets-compromised-to-distribute-malicious-shell-scripts-via-steganography-sr-security-researcher-threat-researcher.png\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2022\\\/08\\\/alibaba-oss-buckets-compromised-to-distribute-malicious-shell-scripts-via-steganography-sr-security-researcher-threat-researcher.png\",\"width\":1448,\"height\":206},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/alibaba-oss-buckets-compromised-to-distribute-malicious-shell-scripts-via-steganography-sr-security-researcher-threat-researcher\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Trend Micro Research : Articles, News, Reports\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/trend-micro-research-articles-news-reports\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Alibaba OSS Buckets Compromised to Distribute Malicious Shell Scripts via 
Steganography Sr. Security Researcher Threat Researcher\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\"
:432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Alibaba OSS Buckets Compromised to Distribute Malicious Shell Scripts via Steganography Sr. Security Researcher Threat Researcher 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/alibaba-oss-buckets-compromised-to-distribute-malicious-shell-scripts-via-steganography-sr-security-researcher-threat-researcher\/","og_locale":"en_US","og_type":"article","og_title":"Alibaba OSS Buckets Compromised to Distribute Malicious Shell Scripts via Steganography Sr. Security Researcher Threat Researcher 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/alibaba-oss-buckets-compromised-to-distribute-malicious-shell-scripts-via-steganography-sr-security-researcher-threat-researcher\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2022-07-21T00:00:00+00:00","og_image":[{"url":"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/g\/alibaba-oss-buckets-compromised-to-distribute-malicious-shell-scripts-via-steganography\/Alibaba%20Cloud_641.jpg","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. reading time":"6 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/alibaba-oss-buckets-compromised-to-distribute-malicious-shell-scripts-via-steganography-sr-security-researcher-threat-researcher\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/alibaba-oss-buckets-compromised-to-distribute-malicious-shell-scripts-via-steganography-sr-security-researcher-threat-researcher\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"Alibaba OSS Buckets Compromised to Distribute Malicious Shell Scripts via Steganography Sr. 
Security Researcher Threat Researcher","datePublished":"2022-07-21T00:00:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/alibaba-oss-buckets-compromised-to-distribute-malicious-shell-scripts-via-steganography-sr-security-researcher-threat-researcher\/"},"wordCount":1127,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/alibaba-oss-buckets-compromised-to-distribute-malicious-shell-scripts-via-steganography-sr-security-researcher-threat-researcher\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2022\/08\/alibaba-oss-buckets-compromised-to-distribute-malicious-shell-scripts-via-steganography-sr-security-researcher-threat-researcher.png","keywords":["Trend Micro Research : Articles, News, Reports","Trend Micro Research : Cloud","Trend Micro Research : Malware","Trend Micro Research : Research"],"articleSection":["TrendMicro"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/alibaba-oss-buckets-compromised-to-distribute-malicious-shell-scripts-via-steganography-sr-security-researcher-threat-researcher\/","url":"https:\/\/www.threatshub.org\/blog\/alibaba-oss-buckets-compromised-to-distribute-malicious-shell-scripts-via-steganography-sr-security-researcher-threat-researcher\/","name":"Alibaba OSS Buckets Compromised to Distribute Malicious Shell Scripts via Steganography Sr. 
Security Researcher Threat Researcher 2026 | ThreatsHub Cybersecurity News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/alibaba-oss-buckets-compromised-to-distribute-malicious-shell-scripts-via-steganography-sr-security-researcher-threat-researcher\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/alibaba-oss-buckets-compromised-to-distribute-malicious-shell-scripts-via-steganography-sr-security-researcher-threat-researcher\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2022\/08\/alibaba-oss-buckets-compromised-to-distribute-malicious-shell-scripts-via-steganography-sr-security-researcher-threat-researcher.png","datePublished":"2022-07-21T00:00:00+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/alibaba-oss-buckets-compromised-to-distribute-malicious-shell-scripts-via-steganography-sr-security-researcher-threat-researcher\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/alibaba-oss-buckets-compromised-to-distribute-malicious-shell-scripts-via-steganography-sr-security-researcher-threat-researcher\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/alibaba-oss-buckets-compromised-to-distribute-malicious-shell-scripts-via-steganography-sr-security-researcher-threat-researcher\/#primaryimage","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2022\/08\/alibaba-oss-buckets-compromised-to-distribute-malicious-shell-scripts-via-steganography-sr-security-researcher-threat-researcher.png","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2022\/08\/alibaba-oss-buckets-compromised-to-distribute-malicious-sh
ell-scripts-via-steganography-sr-security-researcher-threat-researcher.png","width":1448,"height":206},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/alibaba-oss-buckets-compromised-to-distribute-malicious-shell-scripts-via-steganography-sr-security-researcher-threat-researcher\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Trend Micro Research : Articles, News, Reports","item":"https:\/\/www.threatshub.org\/blog\/tag\/trend-micro-research-articles-news-reports\/"},{"@type":"ListItem","position":3,"name":"Alibaba OSS Buckets Compromised to Distribute Malicious Shell Scripts via Steganography Sr. Security Researcher Threat Researcher"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence 
Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH 
Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/47871","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=47871"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/47871\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media\/47872"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=47871"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=47871"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=47871"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}