New Threat Group Uses Cloud Misconfigurations to Drain Sensitive Data

The420 Correspondent

Over the past several weeks, security researchers have uncovered a new threat actor, Crimson Collective, targeting cloud infrastructure—especially AWS accounts—with a focus on data exfiltration and extortion. Experts warn that the group’s techniques, which exploit leaked long-term credentials and overly permissive identity configurations, represent a dangerous evolution in cloud threats, where persistent access is valued over fast attacks.

A New Breed of Cloud Threat

In September 2025, Rapid7 observed two AWS environments compromised by a group calling itself Crimson Collective. The attacks began with leaked credentials—long-term access keys—that allowed the group to authenticate into Identity & Access Management (IAM) accounts. From there, the pattern included creating new IAM users, escalating privileges, and undertaking reconnaissance across cloud assets.

Rather than brute-force exploits, Crimson Collective leans on misconfigurations and credential exposure. Once inside, it maps out the environment: EC2 instances, snapshots, VPCs, security groups, databases, and storage buckets. Then, the group extracts valuable data—database snapshots, project repositories—and delivers extortion notes demanding payment to prevent disclosure.

Technical Pathways: How Access Becomes Exfiltration

The first technical pivot in their playbook is the use of TruffleHog, a tool originally designed to detect secrets in code. Crimson Collective uses it to locate exposed AWS credentials. If the credentials are valid, the group uses them to make API calls that reveal the identity of the compromised IAM entity.

Once they have a foothold, they often proceed to create new users (via the CreateUser API), attach powerful policies (notably AdministratorAccess), and then spin up infrastructure under their control. They take snapshots of databases and storage (RDS, EBS), modify configurations, and stage exports—especially into S3 buckets. All of this is done using the compromised and newly created accounts.

The final stage: after data is harvested or staged, an extortion demand is issued. In some cases, the group uses AWS’s own Simple Email Service (SES) infrastructure, as well as external emails, to send the demand.

Why This Matters: Cloud Risk in the Age of Exposure

Cloud environments, particularly AWS, have become critical backbones for enterprises. The very features that give flexibility—API-driven identity control, snapshots, remote backups—also expand attack surface when misused. Crimson Collective takes advantage of long-standing identity keys (which may have been forgotten or neglected in code), overly broad permissions, and weak control over who can create or attach policies.

For organizations, the implications are serious: intellectual property, customer data, proprietary code repositories, or internal project information—all potentially at risk. Moreover, exfiltration and extortion via cloud assets are harder to detect early, since many of the API calls used are legitimate, only misused. The group’s stealthy reconnaissance—mapping and discovery—often precedes any visible signs of compromise.

What Organizations Can Do: Mitigation & Defense

Security teams are being urged to adopt a “least privilege” posture: limit or remove long-term access keys; prefer temporary credentials via roles; regularly review and prune IAM policies.

Other recommended actions include scanning all code repositories for leaked keys; setting up strong alerting on anomalous API usage (e.g., unexpected creation of users, snapshots, or exports); restricting sensitive operations (exports, snapshot attachments) to known IP addresses or isolated environments; and ensuring that all CloudTrail logs and telemetry are collected and regularly reviewed.
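One way to implement the alerting just described, as an added example that is not part of the article or of any vendor's tooling: a small Python triage routine run over constructed CloudTrail-style records (the user names, snapshot identifier and bucket name are placeholders) that flags the chain the article describes, a new IAM user, AdministratorAccess attached to it, and snapshot or export actions taken by that user.

```python
from typing import Dict, List, Tuple

# Admin-equivalent managed policy named in the article.
ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"
# RDS/EBS actions that copy or stage data ahead of an export.
STAGING_ACTIONS = {"CreateDBSnapshot", "ModifyDBSnapshotAttribute", "StartExportTask",
                   "CreateSnapshot", "ModifySnapshotAttribute"}

# Constructed CloudTrail-style records; user names, identifiers and bucket are placeholders.
SAMPLE_EVENTS = [
    {"eventTime": "2025-09-10T08:01:12Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "userIdentity": {"type": "IAMUser", "userName": "ci-deploy"}},
    {"eventTime": "2025-09-10T08:03:40Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deploy"},
     "requestParameters": {"userName": "svc-backup"}},
    {"eventTime": "2025-09-10T08:04:05Z", "eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deploy"},
     "requestParameters": {"userName": "svc-backup", "policyArn": ADMIN_POLICY}},
    {"eventTime": "2025-09-10T08:20:11Z", "eventSource": "rds.amazonaws.com", "eventName": "CreateDBSnapshot",
     "userIdentity": {"type": "IAMUser", "userName": "svc-backup"},
     "requestParameters": {"dBSnapshotIdentifier": "prod-customers-copy", "dBInstanceIdentifier": "prod-customers"}},
    {"eventTime": "2025-09-10T08:31:57Z", "eventSource": "rds.amazonaws.com", "eventName": "StartExportTask",
     "userIdentity": {"type": "IAMUser", "userName": "svc-backup"},
     "requestParameters": {"exportTaskIdentifier": "export-1", "s3BucketName": "staging-bucket-example"}},
]

def triage(events: List[Dict]) -> List[Tuple[str, str, str]]:
    """Walk records in time order; return (severity, eventTime, detail) for the chain
    create user -> attach AdministratorAccess -> snapshot/export by that new user."""
    created: Dict[str, str] = {}  # new IAM user -> actor that created it
    findings: List[Tuple[str, str, str]] = []
    for ev in sorted(events, key=lambda e: e["eventTime"]):  # ISO-8601 strings sort chronologically
        name = ev["eventName"]
        actor = ev.get("userIdentity", {}).get("userName", "unknown")
        params = ev.get("requestParameters") or {}
        if name == "CreateUser":
            created[params["userName"]] = actor
            findings.append(("medium", ev["eventTime"], f"{actor} created IAM user {params['userName']}"))
        elif name == "AttachUserPolicy" and params.get("policyArn") == ADMIN_POLICY:
            target = params.get("userName", "?")
            sev = "high" if target in created else "medium"  # admin on a just-created user is the worst case
            findings.append((sev, ev["eventTime"], f"{actor} attached AdministratorAccess to {target}"))
        elif name in STAGING_ACTIONS and actor in created:
            dest = params.get("s3BucketName") or params.get("dBSnapshotIdentifier") or params.get("snapshotId", "")
            findings.append(("high", ev["eventTime"], f"new user {actor} ran {name} -> {dest}"))
    return findings

if __name__ == "__main__":
    for sev, when, detail in triage(SAMPLE_EVENTS):
        print(f"[{sev.upper():6}] {when} {detail}")
```

In production the same logic would run over CloudTrail delivered to S3 or CloudWatch Logs, with the `created` table persisted across batches so the chain is still caught when the steps are hours apart.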

For now, Crimson Collective’s full scope—its members, ultimate base of operations, and whether it represents one stable group or a collection of actors—remains under investigation. But its rise underscores how cloud misconfigurations and exposure are among the most potent risks in modern cyber-security.
