Skip to main content

95% of security breaches happen mainly due to two reasons when you do something which you are not supposed to do or don’t do what needs to be done. Today we will discuss the latter point where we didn’t do what needs to be done, i.e., misconfiguration of servers. These misconfigured assets provide an entry point for attackers to your organization.

In this article, we will discuss on what is the new Alienfox credential stealer toolkit and who Alienfox is targeting.

What is a Credential Stealer?

The most efficient way of intruding into any system is by stealing the credentials. Attackers can go to any length to steal these. Some of the common credential stealer malware can be programs that can log keystroke or something which can wait till the user enter credentials and steal them, or it can be something that dumps already stored credentials from Windows or browsers.

What is The New Alienfox Credential Stealer Toolkit?

Alienfox is one of the latest toolkits targeting web services, primarily cloud-based email services. Alienfox is highly modular and evolves rapidly. Most of the tools in this toolkit are open source because those highly sophisticated developers take credit for readily adapting and modifying tools as per their needs.

Alienfox is used by threat actors to collect information on misconfigured hosts with the help of security scanning platforms like LeakIX and SecurityTrails. These programs can collect sensitive information such as API keys or any exposed configuration files etc.

There are multiple versions of Alienfox available. The distribution and usage of this tool start from February 2022 onward. Analysis by multiple researchers summarised that the malware used belongs to the malware families Androxgh0st and GreenBot (aka Maintance). The scripts of this malware are available for the public on GitHub, which helps it to adapt and evolve.

The latest version Alienfox V4 has the additional feature of automating malicious actions with the stolen credentials, which includes setting up persistence and privilege escalation in Amazon web services (AWS), and sending spam campaigns from compromised accounts.

New Alienfox Credential Stealer Toolkit

AlienfoxV4 logo (Source: Sentinel One)

Targets of Alienfox Credential Stealer Toolkit

The general theme of Alienfox is cloud-based and software-as-a-service (SaaS) email hosting services. The threat actors are targeting popular web services like Joomla, Magento, OpenCart, Laravel , WordPress, etc., for any server misconfiguration. The tools in the Alienfox toolkit will check for any above-mentioned web services. The script in the tools will read the list of targets from a text file, and separate scripts such as  and will generate the targeted files. The target-generated script will provide more details about potential targets. These scripts use web APIs for Opensource intelligence and a combination of Ips and subnets brute force.

Once the target is spotted, the threat actor parses exposed details or configuration files, or any sensitive information. Sentinel One researcher observed secrets from the below services.


IOCS of the New Alienfox Credential Stealer Toolkit

Recommendations to Be Protected from Alienfox

Organizations should always practice and follow the least privilege principle, where users only get access to only what they are supposed to have to do the work. Best principles on configuration management also should be followed. Monitoring and detecting interactive activity on OS using containers and using Cloud Workload Protection Platform (CWPP) for virtual machines should be encouraged.

Proper monitoring of logs for any brute force or creation of new profiles etc., should be monitored. Email campaigns and other email activities also should be under monitoring.

The IOCs on Alienfox are available here.


Cyber crimes are evolving at a faster pace, and the Alienfox toolkit is one example of that. This toolset is highly advanced due to skilled developers and added modifications to existing versions. Alienfox toolkit can even attack minimal services, so a compromised victim can lose everything.

Leave a Reply