China-aligned hackers have deployed a Linux-based ELF backdoor to steal cloud credentials at scale from workloads across AWS, GCP, Azure, and Alibaba Cloud environments. According to Breakglass Intelligence findings, the backdoor uses a “zero-detection” technique, employing SMTP port 25 as a covert command-and-control (C2) channel to harvest cloud provider credentials and metadata. “A selective C2 handshake validation mechanism renders the server invisible to conventional scanning tools like Shodan and Censys,” Breakglass researchers said in a blog post. Stolen credentials are sent to three Alibaba-themed typosquatted domains hosted on Alibaba Cloud infrastructure in Singapore. The campaign,...