SCARLETEEL Cryptojacking Campaign Exploiting AWS Fargate in Ongoing Campaign

Cloud environments continue to be at the receiving end of an ongoing advanced attack campaign dubbed SCARLETEEL, with the threat actors now setting their sights on Amazon Web Services (AWS) Fargate.

SCARLETEEL was first exposed by the cybersecurity company in February 2023, which detailed a sophisticated attack chain that culminated in the theft of proprietary data from AWS infrastructure and the deployment of cryptocurrency miners to illegally profit from the compromised systems’ resources.

A follow-up analysis by Cado Security uncovered potential links to a prolific cryptojacking group known as TeamTNT, although Sysdig told The Hacker News that it “could be someone copying their methodology and attack patterns.”

The latest activity continues the threat actor’s penchant for going after AWS accounts by exploiting vulnerable public-facing web applications, with the ultimate aim of gaining persistence, stealing intellectual property, and potentially generating revenue to the tune of $4,000 per day using crypto miners.


It all begins with the adversary exploiting JupyterLab Notebook containers deployed in a Kubernetes cluster, leveraging the initial foothold to conduct reconnaissance of the target network and gather AWS credentials to obtain deeper access into the victim’s environment.

This is followed by the installation of the AWS command line tool and an exploitation framework called Pacu for subsequent exploitation. The attack also stands out for its use of various shell scripts to retrieve AWS credentials, some of which target AWS Fargate compute engine instances.

Other steps taken by the attacker include the use of a Kubernetes penetration testing tool known as Peirates to exploit the container orchestration system and a DDoS botnet malware called Pandora, indicating further attempts on the part of the actor to monetize the infected hosts.
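
A detection example for the chain described above, added here and not taken from the article or from Sysdig's analysis: it scans container process-exec events for access to cloud credential endpoints followed by the tooling the article names (the AWS CLI, Pacu, Peirates) in the same container. The event format, container names and sample lines are constructed assumptions; the two link-local addresses are the standard ECS/Fargate task credential endpoint and the EC2 instance metadata service.

```python
import json
import re
from collections import defaultdict

# Constructed process-exec events (not campaign data); field names are assumptions.
SAMPLE_EVENTS = """
{"ts": 1, "container": "jupyter-7f9c", "cmd": "python -m ipykernel_launcher -f kernel.json"}
{"ts": 2, "container": "jupyter-7f9c", "cmd": "curl -s http://169.254.170.2/v2/credentials/EXAMPLE"}
{"ts": 3, "container": "jupyter-7f9c", "cmd": "pip install awscli"}
{"ts": 4, "container": "jupyter-7f9c", "cmd": "./peirates"}
{"ts": 5, "container": "web-55d1", "cmd": "aws s3 ls"}
{"ts": 6, "container": "batch-02aa", "cmd": "python train.py"}
""".strip().splitlines()

RULES = {
    # Task-role (ECS/Fargate) and instance-role (IMDS) credential endpoints.
    "credential_access": re.compile(
        r"169\.254\.170\.2|169\.254\.169\.254|AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"
    ),
    # Tools named in the article, matched as whole command words or path components.
    "cloud_tooling": re.compile(r"(?:^|[\s/])(?:aws|awscli|pacu|peirates)(?:\s|$)", re.I),
}


def detect(lines):
    """Return {container: {"rules": [...], "severity": ...}} for containers with hits."""
    hits = defaultdict(list)  # container -> [(timestamp, rule name)]
    for line in lines:
        event = json.loads(line)
        for rule, pattern in RULES.items():
            if pattern.search(event["cmd"]):
                hits[event["container"]].append((event["ts"], rule))

    findings = {}
    for container, matched in hits.items():
        cred_ts = [ts for ts, rule in matched if rule == "credential_access"]
        tool_ts = [ts for ts, rule in matched if rule == "cloud_tooling"]
        # Credential retrieval followed by cloud tooling in one container is the
        # sequence the article describes; a single signal only warrants review.
        chained = bool(cred_ts) and any(ts > min(cred_ts) for ts in tool_ts)
        findings[container] = {
            "rules": sorted({rule for _, rule in matched}),
            "severity": "high" if chained else "review",
        }
    return findings


if __name__ == "__main__":
    for name, finding in detect(SAMPLE_EVENTS).items():
        print(name, finding)
```

In a real deployment the tooling rule should be scoped with an allowlist of images that legitimately ship the AWS CLI, otherwise every deployment container lands in the review queue.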

“The SCARLETEEL actors continue to operate against targets in the cloud, including AWS and Kubernetes,” Brucato said.

“Their preferred method of entry is exploitation of open compute services and vulnerable applications. There is a continued focus on monetary gain via crypto mining, but […] intellectual property is still a priority.”