Threat Actors Attacking Azure Blob Storage to Compromise Organizational Repositories

Cybersecurity researchers have identified a sophisticated campaign where threat actors are leveraging compromised credentials to infiltrate Azure Blob Storage containers, targeting organizations’ critical code repositories and sensitive data.

This emerging threat exploits misconfigured storage access controls to establish persistence and exfiltrate valuable intellectual property.

The attack vector represents a significant shift in how threat actors are approaching cloud infrastructure, moving beyond traditional endpoint-focused attacks toward enterprise storage systems.

The campaign has been linked to multiple threat groups operating across different sectors, including finance, technology, and critical infrastructure.

Microsoft analysts noted that the attacks typically begin with credential harvesting through phishing campaigns and malware-based information stealers.

Once initial access is established, operators conduct reconnaissance to identify accessible Azure Blob Storage instances with weak or default access policies.

The threat actors then systematically enumerate containers to locate valuable repositories, configuration files, and backup data.

Microsoft researchers identified a critical component of this operation involving SharkStealer, a Golang-based infostealer that employs an advanced communication technique called EtherHiding to evade traditional detection mechanisms.

This malware family utilizes the BNB Smart Chain Testnet as a command-and-control dead-drop, retrieving encrypted command instructions through smart contract calls rather than direct domain-based communications.

Technical Analysis of EtherHiding Pattern in Azure Attacks

The sophistication of these operations lies in how threat actors combine traditional credential theft with blockchain-based obfuscation techniques. SharkStealer initiates contact with BNB Smart Chain nodes using Ethereum JSON-RPC calls targeting specific smart contracts.

The malware executes eth_call requests to predetermined contract addresses, receiving tuples containing an initialization vector and encrypted payload.

Using a hardcoded AES-CFB encryption key embedded within the binary, the malware decrypts the returned data to extract current C2 server coordinates.

This methodology creates significant detection challenges because network traffic analysis reveals only legitimate blockchain node communications, making it extremely difficult to distinguish malicious activity from benign cryptocurrency wallet interactions.

The use of public blockchain infrastructure as a dead-drop mechanism provides threat actors with remarkable resilience against traditional takedown operations and domain blocking strategies.

In observed campaigns, once SharkStealer compromises a system, it harvests Azure credentials stored in browser caches, configuration files, and credential managers.

These stolen credentials grant direct access to Azure Blob Storage containers without triggering standard access controls.

Threat actors then establish secondary connections to Azure Storage, downloading entire repositories containing source code, API keys, and sensitive configuration data.

The combination of EtherHiding-based command infrastructure with Azure Storage access creates a particularly dangerous threat profile that organizations must actively defend against through credential rotation, access reviews, and monitoring for anomalous blockchain-based communications originating from internal networks.

Organizations should implement strict Azure Storage authentication policies, enforce multi-factor authentication on administrative accounts, and deploy behavioral monitoring to detect unusual API access patterns.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.