Sofacy Using AWS to Spread Campaign

Today Jigsaw Security put out an alert noting a shift in APT28 (Sofacy) activity. This marks the second time in a week that our team has observed this threat actor using AWS to spread malicious code and further its campaign.

We have warned our end users against whitelisting AWS, even though leaving it off the whitelist may affect legitimate services by blocking legitimate websites. Our Jigsaw Sensor will allow good traffic but will block known bad domains and IP destinations. We have observed many companies whitelisting AWS and Azure, for example, even though these environments are known to be hosting APT malware. We highly recommend not whitelisting these cloud hosting environments, as doing so opens your network up to malicious activity.

In addition, the Coldroot APT is being hosted on Vultr (another popular hosting provider). Just because a hosting provider is well known doesn't mean that threat actors won't use the hosting provider's infrastructure to carry out attacks.
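To check your own egress rules for the problem described above, the following added example (not Jigsaw Security code, and not a description of how the Jigsaw Sensor works) audits an allowlist for provider-wide entries and for threat-feed indicators those entries would let through. All ranges, indicators and names are constructed placeholders using documentation address space, and the "inspect" default action is an assumption.

```python
import ipaddress

# Constructed sample data: documentation ranges stand in for a cloud provider's
# published ranges; the indicators are placeholders, not real IoCs.
PROVIDER_RANGES = {"cloud-a": ["198.51.100.0/24"], "cloud-b": ["203.0.113.0/24"]}
ALLOWLIST = ["198.51.100.0/24", "192.0.2.10/32"]   # first entry is provider-wide
BLOCKED_IPS = ["198.51.100.77", "203.0.113.5"]     # threat-feed IP indicators
BLOCKED_DOMAINS = {"bad.example"}                  # threat-feed domain indicators

def _nets(cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]

def shadowed_indicators(allowlist, blocked_ips):
    """Map each allowlist entry to the blocked IPs it would let through."""
    result = {}
    for net in _nets(allowlist):
        hits = [ip for ip in blocked_ips if ipaddress.ip_address(ip) in net]
        if hits:
            result[str(net)] = hits
    return result

def provider_wide_entries(allowlist, provider_ranges):
    """Return (entry, provider) pairs where an entry covers a whole provider range."""
    flagged = []
    for net in _nets(allowlist):
        for provider, cidrs in provider_ranges.items():
            if any(p.subnet_of(net) for p in _nets(cidrs)):
                flagged.append((str(net), provider))
    return flagged

def decide(ip, host, allowlist_first):
    """Return 'allow', 'block' or 'inspect' for one outbound connection."""
    addr = ipaddress.ip_address(ip)
    allowed = any(addr in n for n in _nets(ALLOWLIST))
    blocked = ip in BLOCKED_IPS or host in BLOCKED_DOMAINS
    if allowlist_first and allowed:
        return "allow"   # weak ordering: the allowlist hides the indicator match
    if blocked:
        return "block"   # corrected ordering: indicators are checked first
    return "allow" if allowed else "inspect"

if __name__ == "__main__":
    print(provider_wide_entries(ALLOWLIST, PROVIDER_RANGES))
    print(shadowed_indicators(ALLOWLIST, BLOCKED_IPS))
    for first in (True, False):
        print(first, decide("198.51.100.77", "cdn.example", allowlist_first=first))
```

Any entry reported by `shadowed_indicators` is an allow rule that currently overrides a known-bad destination and is a candidate for narrowing to the specific hosts the business actually needs.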

For more information

For more information on this threat and to see what malware is being hosted in Amazon, Azure, Vultr and other cloud providers, log in to Jigsaw Security threat intelligence or cross-reference in the threat feed.

See this specific event for examples of this activity.



© 2017-2018 Jigsaw Security Enterprise Inc.
