The Invisible Infiltrator: Why 2025’s Cloud Attacks Are Abandoning Malware for Native APIs
The Insikt Group team, a division of Recorded Future, has disseminated a comprehensive analysis regarding the cloud threat landscape of 2025. Analysts have documented a burgeoning surge in offensives where adversaries eschew traditional malware in favor of exploiting legitimate cloud services, trusted credentials, and native provider functionalities. Consequently, the cloud has increasingly evolved into both a strategic target and a formidable instrument of aggression.
The authors delineate five primary vectors: the exploitation of vulnerabilities and configuration defects, the abuse of cloud services, cloud-native ransomware, credential theft, and third-party compromise. Initial access is most frequently achieved through vulnerable or misconfigured internet-facing services, as well as via stolen passwords and session tokens. Once inside, attackers move laterally through hybrid infrastructures, taking over synchronized directories and high-privilege roles to gain full control of the cloud environment.
The report underscores a shift in methodology, as malicious actors increasingly avoid deploying large executable payloads. Instead, they harness native APIs and management consoles to encrypt datasets, purge backups, manipulate cryptographic keys, and make bulk modifications to storage. In ransomware campaigns, they rely upon the provider's built-in encryption mechanisms, which complicates detection because the activity mirrors legitimate administrative actions. Furthermore, traditional ransomware paradigms are being supplanted by novel monetization schemes that do not necessitate the encryption of the victim’s data.
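As an added illustration that is not part of the Insikt Group report, the following defender-side heuristic scores CloudTrail-style events so that the native-API chain described above (key deletion scheduled, bucket encryption rewritten, backups purged) stands out from a single routine deletion; the weights, role names and sample events are constructed, and the `arn` field is a simplification of CloudTrail's `userIdentity.arn`.

```python
# Heuristic detector for malware-less cloud ransomware precursors in CloudTrail-style logs.
# Added example, not from the report; field names follow CloudTrail, all sample data is constructed.
from collections import defaultdict
from datetime import datetime, timedelta

# Illustrative weights for native API calls that, chained by one principal in a short
# window, resemble the key-manipulation / backup-purge / storage-rewrite sequence.
HIGH_RISK = {
    ("kms.amazonaws.com", "ScheduleKeyDeletion"): 3,
    ("kms.amazonaws.com", "DisableKey"): 2,
    ("backup.amazonaws.com", "DeleteRecoveryPoint"): 3,
    ("backup.amazonaws.com", "DeleteBackupVault"): 3,
    ("s3.amazonaws.com", "PutBucketEncryption"): 2,
    ("s3.amazonaws.com", "PutBucketLifecycle"): 2,
    ("s3.amazonaws.com", "DeleteObjects"): 1,
}

# Constructed sample events (hypothetical account id and role names).
SAMPLE_EVENTS = [
    {"eventTime": "2025-03-01T09:00:00Z", "eventSource": "backup.amazonaws.com",
     "eventName": "DeleteRecoveryPoint", "arn": "arn:aws:iam::111122223333:role/backup-admin"},
    {"eventTime": "2025-03-01T10:00:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "ScheduleKeyDeletion", "arn": "arn:aws:iam::111122223333:role/ci-deploy"},
    {"eventTime": "2025-03-01T10:03:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketEncryption", "arn": "arn:aws:iam::111122223333:role/ci-deploy"},
    {"eventTime": "2025-03-01T10:05:00Z", "eventSource": "backup.amazonaws.com",
     "eventName": "DeleteRecoveryPoint", "arn": "arn:aws:iam::111122223333:role/ci-deploy"},
    {"eventTime": "2025-03-01T10:06:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "arn": "arn:aws:iam::111122223333:role/ci-deploy"},
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def detect_chains(events, window=timedelta(minutes=30), threshold=6):
    """Return one alert per principal whose *distinct* high-risk actions inside any
    `window` sum to at least `threshold`; a lone routine deletion stays below it."""
    by_principal = defaultdict(list)
    for e in events:
        key = (e["eventSource"], e["eventName"])
        if key in HIGH_RISK:
            by_principal[e["arn"]].append((_ts(e["eventTime"]), key))
    alerts = {}
    for arn, seq in by_principal.items():
        seq.sort()
        for i, (start, _) in enumerate(seq):
            seen = {k for t, k in seq[i:] if t - start <= window}
            score = sum(HIGH_RISK[k] for k in seen)
            if score >= threshold and score > alerts.get(arn, {}).get("score", 0):
                alerts[arn] = {"principal": arn, "score": score,
                               "actions": sorted(n for _, n in seen), "start": start.isoformat()}
    return list(alerts.values())

if __name__ == "__main__":
    for alert in detect_chains(SAMPLE_EVENTS):
        print(alert)
```

Running it flags only the `ci-deploy` role (score 8 across three distinct destructive calls within six minutes); the single `backup-admin` deletion scores 3 and is left alone.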
A distinct trend involves attackers registering cloud resources of their own to host command-and-control (C2) infrastructure and to stage data exfiltration. Because traffic to ubiquitous SaaS platforms blends in with legitimate communication, C2 channels tunnelled through online calendars or cloud storage are increasingly indistinguishable from routine operations. Simultaneously, classic DDoS attacks against cloud environments are losing their efficacy due to the sophisticated filtering employed by modern providers.
Throughout 2025, there has been an intensified focus on machine learning services and Large Language Models (LLMs). Adversaries exploit compromised development environments and roles with excessive permissions to hijack Amazon SageMaker and Amazon Bedrock, manipulating guardrail configurations and data sources while injecting malicious code into CI/CD pipelines. Instances have been documented where malware invoked LLMs for dynamic command generation, thereby frustrating signature-based detection efforts.
The compromise of service providers and SaaS platforms remains one of the most devastating scenarios. By hijacking trusted integrations, OAuth applications, or privileged access management systems, attackers can launch simultaneous offensives against multiple clients through a singular conduit. Analysts emphasize that as the proliferation of cloud services continues, the attack surface expands accordingly, while a deficit of skilled professionals leads to configuration drift and the emergence of “security blind spots.”
According to Insikt Group’s evaluation, data exfiltration remains the primary objective of most incidents, though it is increasingly paired with destructive actions and extortion. The longer an adversary maintains access, the more acute the risk to the entire cloud infrastructure becomes. The cloud, once a convenient medium for business scalability, has definitively transformed into a theater of perpetual conflict, where success is predicated upon the rigorous control of access rights, continuous monitoring, and the uncompromising discipline of configuration management.