A comprehensive threat intelligence database of cloud security incidents, actors, tools and techniques

Full database

Featured actors

Dive into the profiles of threat actors involved in cloud security incidents, shedding light on their motivations and tooling, to aid in risk assessment and threat modeling.

Dreambus botnet icon

Dreambus botnet

The Dreambus botnet is adept at exploiting weaknesses in various Internet-facing applications, including PostgreSQL, Hadoop, Redis, and other popular software. The operators behind this activity appear to be financially motivated, as infections result in cryptojacking.
LAPSUS$ icon


LAPSUS$ were notorious extortionists that managed to gain access to multiple large organizations throughout 2022 via social engineering and SIM swapping, and in some cases moved laterally into their targets’ cloud environments.
TeamTNT icon


TeamTNT is a financially motivated threat actor known for targeting misconfigured containers for cryptojacking. They have also been observed enumerating cloud environments and compromising their victim's credentials for various cloud services.

Featured techniques

An overview of attack techniques used by threat actors in cloud security incidents, aligned with the MITRE ATT&CK matrix framework for additional context.

SSH (Secure Socket Shell) is commonly utilized as a remote access method for Linux servers. If an local user is misconfigured to use an empty or weak password, it could be compromised by threat actors performing a brute-force or password spraying attack against an organization’s IP range. To mitigate against this technique, local users should use strong passwords, and firewall rules should be configured to prevent public exposure of the server, limiting access to trusted IP ranges (such as the organization’s own IP range or a VPN).

See the full list

Featured incidents

A historical collection of past cloud security incidents and campaigns, offering insights into targeting patterns, initial access methods and effective impact.

Double supply chain attack (April 2023)

In March 2023, a North Korean threat actor (dubbed “SmoothOperator”) gained access to 3CX (VoIP vendor) and inserted a backdoor into their desktop product, which was used for targeting some of their customers - primarily crypto companies. Researchers later discovered 3CX themselves were infected via a supply chain attack on another company called Trading Technologies that occurred in November 2021.

PyLoose cryptomining campaign

In mid-2023, an unknown financially-motivated threat actor began targeting publicly exposed Jupyter Notebook instances to hijack them for running cryptomining operations. The threat actor deployed a fileless Python tool (dubbed “PyLoose”) that loaded an XMRig miner directly into memory.

From Docker image to cloud breach (April 2021)

On April 2021, Codecov was compromised by an unknown threat actor who abused their access to the company's cloud environment to conduct a supply chain attack. The threat actor gained initial access to Codecov's GCP environment by extracting an HMAC key for a service account from a public Docker image created by Codecov. The attacker then used this key to modify the version of Codecov Bash Uploader stored in Google Cloud Storage and available to download for end-users, inserting a malicious payload to be executed in customer environments. Multiple Codecov customers are known to have been impacted by this supply chain attack, with the threat actor managing to exfiltrate data from their environments.


The Cloud Threat Landscape is a curated public instance of Wiz Research’s internal cloud threat intelligence database, summarizing information about publicly disclosed cloud security incidents and campaigns. Additionally, the database lists threat actors known to have compromised cloud environments, the tools and techniques in their arsenal, and the technologies they prefer to target.

Crying Out CloudThe Newsletter

Sign up to receive the latest updates in cloud security directly to your inbox

For information about how Wiz handles your personal data, please see our Privacy Policy.

World class research into cloud attacks

Incidents documented


Actors profiled


Technologies targeted


Techniques explained