Kubernetes on AWS targeted by hackers abusing legitimate pentesting tools
Experts believe the campaign is going to develop further, expanding attacks to other cloud providers


Cybercriminals have been found abusing legitimate open-source penetration testing tools to launch attacks on AWS-hosted Kubernetes environments.
The campaign, dubbed SCARLETEEL, started in February 2023 and is known for targeting cloud environments.
The latest discoveries revealed new tools and techniques to bypass security measures and execute novel intrusions.
A typical SCARLETEEL attack sees attackers exploiting misconfigured AWS policies to escalate their privileges and gain account control.
Once in, the attackers target Kubernetes in order to significantly scale up the attack and deploy malware, such as cryptomining tools.
A combination of penetration testing tools was used in the attack. Once the victim’s AWS credentials had been stolen and the AWS CLI binary installed on the exploited containers, the attackers installed Pacu, an AWS exploitation framework, to reveal further vulnerabilities in the victim’s account.
The attackers also leveraged Peirates, a Kubernetes-specific penetration testing tool, to exploit the Kubernetes environment.
While cryptomining remains one of the operation’s objectives, according to researchers from the Sysdig Threat Research Team, other goals include gaining persistence and the theft of proprietary data.
What has changed in the attack pattern?
SCARLETEEL was first noted by the team in February 2023 and the techniques in use have changed in the time since.
Michael Clark, director of threat research at Sysdig, said: “They kind of evolved their toolsets to understand modern approaches”.
The attackers’ scripts now account for these differences.
The ability to detect whether a container is hosted on Fargate is novel, and the use of the AWS CLI and Pacu on exploited containers, together with Peirates to further exploit Kubernetes, is also a significant development.
“They use these tools to keep hopping into new environments,” Clark said.
“So, they may end up in a Fargate [environment] because they look for all the credentials they can.”
How were the attackers detected?
In Sysdig’s research, Clark noted that the tools the attackers used are “noisy”, meaning when they run, their processes are often detectable by system and network monitoring tools.
Understanding what the tools’ reconnaissance looks like is key to detecting what they’re doing and when they’re running.
“That is really the only way to do it,” Clark said. “You obviously can’t just say ‘don’t let them in’ - that’s the answer to everything.”
Clark also said the use of Peirates was particularly interesting. The previous attack did not use this tool, but the SCARLETEEL campaign has now expanded to look for Kubernetes and, if found, take advantage of it.
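Because the tooling described above is noisy, the reconnaissance it generates can be scored from container process telemetry. This is an added illustration, not Sysdig’s detection logic: the events are constructed, and the indicator names, regexes and weights are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of (container_id, command line) process events, modelled on
# the page's description: AWS CLI installed on an exploited container, identity
# and IAM enumeration, then Pacu and Peirates. Not real telemetry.
SAMPLE_EVENTS = [
    ("c1", "python3 app.py"),
    ("c1", "curl -o awscliv2.zip https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip"),
    ("c1", "./aws/install"),
    ("c1", "aws sts get-caller-identity"),
    ("c1", "aws iam list-attached-user-policies --user-name deploy"),
    ("c1", "python3 pacu.py"),
    ("c1", "./peirates"),
    ("c2", "aws s3 cp s3://app-assets/logo.png /tmp/logo.png"),  # benign workload use
]

# (label, pattern, weight): installing the CLI or enumerating identity/IAM is a
# weak signal on its own; a pentest framework appearing in a container is strong.
# Weights are assumed values for illustration.
INDICATORS = [
    ("awscli_install", re.compile(r"awscli.*\.zip|aws/install"), 2),
    ("aws_identity_recon", re.compile(r"\baws\s+(sts\s+get-caller-identity|iam\s+(list|get)-)"), 2),
    ("pacu", re.compile(r"\bpacu(\.py)?\b"), 5),
    ("peirates", re.compile(r"\bpeirates\b"), 5),
]

def classify(cmdline):
    """Return the indicator labels that match one command line."""
    return [label for label, rx, _ in INDICATORS if rx.search(cmdline)]

def score_containers(events, threshold=5):
    """Accumulate indicator weights per container; report those at or above threshold."""
    scores, hits = defaultdict(int), defaultdict(list)
    for cid, cmd in events:
        for label, rx, weight in INDICATORS:
            if rx.search(cmd):
                scores[cid] += weight
                hits[cid].append(label)
    return {cid: (scores[cid], hits[cid]) for cid in scores if scores[cid] >= threshold}

if __name__ == "__main__":
    for cid, (score, labels) in score_containers(SAMPLE_EVENTS).items():
        print(f"{cid}: score={score} indicators={sorted(set(labels))}")
```

A single `aws s3 cp` from a legitimate workload stays below the threshold, while the install-then-recon-then-framework sequence on one container is flagged.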
Moving beyond AWS
Alessandro Brucato, threat research engineer at Sysdig, said he believes that the attackers behind the campaign will continue to develop it to target other cloud providers.
“They will try to focus on how they can make a lot less noise, because actually they can look even more like a legitimate service provider. They may try to find some edge services on some cloud providers.”

Richard Speed is an expert in databases, DevOps and IT regulations and governance. He was previously a Staff Writer for ITPro, CloudPro and ChannelPro, before going freelance. He first joined Future in 2023 having worked as a reporter for The Register. He has also attended numerous domestic and international events, including Microsoft's Build and Ignite conferences and both US and EU KubeCons.
Prior to joining The Register, he spent a number of years working in IT in the pharmaceutical and financial sectors.