Google: Bug Exploits Now Drive 44.5% of Cloud Attacks

By alex2404

A developer downloaded what looked like an open-source project archive. They moved it from a personal computer to a corporate workstation via AirDrop, then opened it in an AI-assisted development environment. Inside was malicious Python code disguised as a Kubernetes command-line tool. By the time anyone noticed, North Korean threat actor UNC4899 had stolen several million dollars in cryptocurrency.

That sequence — social engineering, a single compromised endpoint, a pivot through cloud infrastructure — sits at the center of a threat landscape report from Google covering the second half of 2025. The finding that leads it, according to the report, is a significant reversal in how attackers first get in.

Bug exploits were the primary initial access vector in 44.5% of investigated cloud intrusions. Credential-based breaches accounted for 27%. That gap has widened, and Google says it knows why: “We assess that this change in behavior from threat actors is potentially due to Google’s secure-by-default strategy and enhanced credential protections successfully closing traditional, more easily exploitable paths, raising the barrier to entry for threat actors.”

The exploitation window has collapsed

The firm observed cryptominers deployed within 48 hours of vulnerability disclosure — a compression of the attack timeline from what was previously measured in weeks. The most targeted vulnerability class is remote code execution. Two specific flaws featured prominently: React2Shell (CVE-2025-55182) and an XWiki vulnerability tracked as CVE-2025-24893, both leveraged in RondoDox botnet attacks.

State-sponsored and financially motivated actors alike relied heavily on compromised identities — phishing and vishing campaigns impersonating IT help desk staff — to reach cloud platforms once inside a network. In most investigated cases, the objective was quiet: exfiltrate large volumes of data, establish long-term persistence, avoid triggering immediate extortion that would expose the breach.

Iran-linked actor UNC1549 maintained access to one target environment for more than two years using stolen VPN credentials and the MiniBike malware, extracting nearly one terabyte of proprietary data. China-sponsored actor UNC5221 used BrickStorm malware to hold access to a victim’s VMware vCenter servers for at least 18 months, stealing source code before detection.

North Korea’s two-track cloud operation

UNC5267, a separate North Korean cluster, accounts for 3% of the intrusions analyzed — operators using fraudulent identities to secure employment and funnel revenue back to the government.

The UNC4899 operation was more technically elaborate. After the compromised developer opened the malicious archive, the embedded binary contacted attacker-controlled domains, establishing a backdoor. Google’s report describes what followed: the actor explored specific pods in a Kubernetes cluster, obtained a token for a high-privileged CI/CD service account, then moved laterally to a pod responsible for enforcing network policies — which allowed a container breakout and the planting of a second backdoor.

From there, UNC4899 reached a system handling customer identities, account security data, cryptocurrency wallet information, and database credentials stored without adequate protection. That combination was sufficient to compromise user accounts directly and complete the theft.

The full chain — from a developer’s personal machine to a multi-million-dollar cryptocurrency heist — ran through a single improperly secured file and a series of lateral moves that cloud security controls failed to interrupt at any stage.
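One defensive check that chain suggests, as an added example that is not from the report or Google's tooling: a small Python detector over Kubernetes API-server audit events that flags a pod-bound service-account token being presented from a source IP other than the one it was first seen from, and marks whether the request touched secrets or pod exec. Field names follow the Kubernetes audit event format; the sample events, IPs, pod and account names are constructed.

```python
import json

# Constructed Kubernetes API-server audit events (JSON lines) for this example;
# not taken from the Google report or any real cluster.
AUDIT_LOG = r'''
{"verb":"get","user":{"username":"system:serviceaccount:ci:deployer","extra":{"authentication.kubernetes.io/pod-name":["ci-runner-0"]}},"sourceIPs":["10.0.1.15"],"objectRef":{"resource":"deployments","namespace":"prod"}}
{"verb":"list","user":{"username":"system:serviceaccount:ci:deployer","extra":{"authentication.kubernetes.io/pod-name":["ci-runner-0"]}},"sourceIPs":["10.0.1.15"],"objectRef":{"resource":"pods","namespace":"prod"}}
{"verb":"list","user":{"username":"system:serviceaccount:ci:deployer","extra":{"authentication.kubernetes.io/pod-name":["ci-runner-0"]}},"sourceIPs":["10.0.7.42"],"objectRef":{"resource":"secrets","namespace":"prod"}}
{"verb":"create","user":{"username":"system:serviceaccount:ci:deployer","extra":{"authentication.kubernetes.io/pod-name":["ci-runner-0"]}},"sourceIPs":["10.0.7.42"],"objectRef":{"resource":"pods","subresource":"exec","namespace":"kube-system"}}
{"verb":"get","user":{"username":"alice@example.com"},"sourceIPs":["192.0.2.10"],"objectRef":{"resource":"pods","namespace":"dev"}}
'''

# Verb/resource pairs worth escalating when seen on a suspicious token.
SENSITIVE = {("list", "secrets"), ("get", "secrets"),
             ("create", "pods/exec"), ("create", "clusterrolebindings")}

def parse_events(text):
    """Parse one audit event per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def find_token_replay(events):
    """Flag a service-account token presented from a source IP other than the
    one it was first seen from. Projected tokens carry the issuing pod in
    user.extra, so the key is (account, pod); legacy tokens key per account."""
    first_ip = {}
    findings = []
    for ev in events:
        user = ev.get("user", {})
        name = user.get("username", "")
        if not name.startswith("system:serviceaccount:"):
            continue  # only machine identities are in scope here
        pod = user.get("extra", {}).get(
            "authentication.kubernetes.io/pod-name", ["<unbound>"])[0]
        key = (name, pod)
        for ip in ev.get("sourceIPs", []):
            baseline = first_ip.setdefault(key, ip)
            if ip == baseline:
                continue
            obj = ev.get("objectRef", {})
            res = obj.get("resource", "")
            if obj.get("subresource"):
                res += "/" + obj["subresource"]
            findings.append({
                "account": name, "bound_pod": pod, "baseline_ip": baseline,
                "source_ip": ip, "verb": ev.get("verb"), "resource": res,
                "namespace": obj.get("namespace"),
                "sensitive": (ev.get("verb"), res) in SENSITIVE,
            })
    return findings
```

In a real cluster a pod restart changes its IP, so the baseline should be the pod's current IP from the API rather than the first event seen; the first-seen rule here keeps the example self-contained.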


This article is a curated summary based on third-party sources. Source: Read the original article
