Pacu
⚠️ Overview
Pacu is an open-source AWS exploitation framework written in Python and released by Rhino Security Labs in 2018 for offensive security testing. It is not malware in the usual sense: it has no dropper, no implant and no command-and-control channel. It is a post-exploitation framework that takes AWS credentials the operator already holds (leaked access keys, credentials lifted from a compromised CI runner or EC2 instance, a phished console user) and runs modules against the account through the ordinary AWS API. Because the same modules serve anyone who has obtained credentials, defenders need to recognise its activity patterns. Rhino Security Labs maintains the tool; it is a published red-team project rather than the work of a threat group, and MITRE ATT&CK catalogues it as a software entry.
🔧 Technical Capabilities
Pacu is built on boto3 and organised as a session plus loadable modules, each of which wraps a set of AWS API calls. The modules that matter in an intrusion include: enumeration of IAM users, roles, groups and policies and of the effective permissions of the current principal (iam__enum_permissions); a privilege-escalation scanner (iam__privesc_scan) that checks those permissions against the known IAM escalation paths, for example iam:CreatePolicyVersion, iam:AttachUserPolicy, or iam:PassRole combined with lambda:CreateFunction or ec2:RunInstances, and can attempt the escalation; persistence by adding access keys to existing users (iam__backdoor_users_keys) or by deploying Lambda functions that fire on account events such as new role or user creation (lambda__backdoor_new_roles, lambda__backdoor_new_users); S3 bucket discovery and bulk download (s3__bucket_finder, s3__download_bucket); EC2 enumeration (ec2__enum); and a detection__disruption module that can stop or delete CloudTrail trails, delete GuardDuty detectors and stop AWS Config recorders. There is no command-and-control traffic: every action is an ordinary signed HTTPS request to a regional AWS endpoint (ec2.amazonaws.com, s3.amazonaws.com and so on), which is exactly why the activity blends in. Pacu lets the operator set the User-Agent header for the session (the set_ua command), and its default user agent imitates a normal AWS CLI or SDK client so that GuardDuty's user-agent based PenTest:IAMUser/KaliLinux, ParrotLinux and PentooLinux findings do not fire. Pacu does not self-propagate; an operator widens access by assuming roles, including cross-account roles, with the credentials already in hand.
📜 History & Notable Incidents
Pacu was published on GitHub in 2018 and has been developed since by Rhino Security Labs and outside contributors; its module naming (service__action, as in iam__privesc_scan) has stayed stable across releases. MITRE ATT&CK lists it as a software entry. Pacu has no CVEs of its own and exploits none: its modules rely on the AWS API behaving as documented and on misconfiguration in the target account, chiefly overly permissive IAM policies, publicly readable S3 buckets, secrets left in EC2 user data, and Lambda functions with broad execution roles. Public incident write-ups of cloud intrusions describe the same sequence of enumeration, privilege escalation, persistence and data theft that Pacu automates, whether or not Pacu itself was the tool in hand.
🔍 Detection Indicators
File hashes are of little use: Pacu is a Python source tree installed from GitHub or PyPI and changes with every module update. On the host, look instead for the pacu package, its SQLite session database, and boto3 activity from a machine that has no business talking to AWS. The useful telemetry is CloudTrail. Module names such as ec2__enum or iam__privesc_scan never appear in API traffic; what is visible is the call pattern: a burst of List*, Describe* and Get* calls across many services from one principal within a few minutes (the enumeration modules); iam:CreateUser, iam:CreateAccessKey, iam:CreateLoginProfile, iam:AttachUserPolicy, iam:CreatePolicyVersion, iam:UpdateAssumeRolePolicy, lambda:CreateFunction and iam:PassRole (privilege escalation and persistence); cloudtrail:StopLogging, cloudtrail:DeleteTrail, guardduty:DeleteDetector and config:StopConfigurationRecorder (detection__disruption); and sts:AssumeRole chains into roles the principal has never used before. Correlate with the source IP and the principal's own history, and with GuardDuty findings such as Stealth:IAMUser/CloudTrailLoggingDisabled. The userAgent field is operator-controlled: Pacu defaults to a string that imitates a real AWS CLI or SDK client and the operator can set any value, so a plausible user agent is not evidence of legitimacy, and a Kali or other pentest-distribution user agent is the exception rather than the rule. Registry keys and mutexes do not apply; Pacu runs wherever Python and boto3 run, including Windows, macOS, Linux and containers.
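The indicators above can be turned into a triage pass over a batch of CloudTrail records. The following Python is an added example for this page, not code from Pacu or a Rhino Security Labs detection. The records it processes are constructed, it reads only a subset of the CloudTrail record fields, and the burst thresholds and API-call lists are assumptions to tune per environment.

```python
"""Triage CloudTrail records for Pacu-style activity (added example, not Pacu code).

Three signals: detection-disruption calls, persistence/privesc calls, and an
enumeration burst (many read-only calls across several services in a short window).
Field names follow the CloudTrail record format; the records below are constructed.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Calls issued by Pacu's detection__disruption module.
DISRUPTION = {
    "cloudtrail.amazonaws.com": {"StopLogging", "DeleteTrail", "UpdateTrail"},
    "guardduty.amazonaws.com": {"DeleteDetector", "UpdateDetector"},
    "config.amazonaws.com": {"StopConfigurationRecorder", "DeleteConfigurationRecorder"},
}
# Calls made by persistence and privilege-escalation modules.
PERSISTENCE = {
    "iam.amazonaws.com": {"CreateUser", "CreateAccessKey", "CreateLoginProfile",
                          "AttachUserPolicy", "CreatePolicyVersion", "UpdateAssumeRolePolicy"},
    "lambda.amazonaws.com": {"CreateFunction", "UpdateFunctionCode"},
    "events.amazonaws.com": {"PutRule", "PutTargets"},
}
ENUM_PREFIXES = ("List", "Describe", "Get")
# Burst thresholds (assumed; tune per environment).
BURST_WINDOW = timedelta(minutes=5)
BURST_SERVICES = 3
BURST_CALLS = 8


def _ts(rec):
    return datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def triage(records):
    """Return {principal_arn: sorted list of finding strings}; clean principals are absent."""
    findings = defaultdict(set)
    by_principal = defaultdict(list)
    for rec in records:
        arn = rec["userIdentity"]["arn"]
        src, name = rec["eventSource"], rec["eventName"]
        by_principal[arn].append(rec)
        if name in DISRUPTION.get(src, ()):
            findings[arn].add(f"detection_disruption:{src}:{name}")
        if name in PERSISTENCE.get(src, ()):
            findings[arn].add(f"persistence:{src}:{name}")
    # Enumeration burst: slide a window over the principal's read-only calls.
    for arn, recs in by_principal.items():
        enum = sorted((r for r in recs if r["eventName"].startswith(ENUM_PREFIXES)), key=_ts)
        for i, start in enumerate(enum):
            window = [r for r in enum[i:] if _ts(r) - _ts(start) <= BURST_WINDOW]
            services = {r["eventSource"] for r in window}
            if len(window) >= BURST_CALLS and len(services) >= BURST_SERVICES:
                findings[arn].add(f"enum_burst:{len(window)}_calls:{len(services)}_services")
                break
    return {arn: sorted(f) for arn, f in findings.items()}


def _rec(t, arn, src, name, ip="203.0.113.7",
         ua="aws-cli/2.13.0 Python/3.11.4 Linux/6.1.0 exe/x86_64"):
    # userAgent is kept for analyst context only; it is operator-controlled, so it is not a signal.
    return {"eventTime": t, "userIdentity": {"arn": arn}, "eventSource": src,
            "eventName": name, "sourceIPAddress": ip, "userAgent": ua}


ATTACKER = "arn:aws:iam::123456789012:user/dev-ci"   # constructed
ADMIN = "arn:aws:iam::123456789012:user/alice"       # constructed
SAMPLE = [
    # enumeration-module style burst across five services in ten seconds
    _rec("2024-05-01T10:00:01Z", ATTACKER, "iam.amazonaws.com", "ListUsers"),
    _rec("2024-05-01T10:00:02Z", ATTACKER, "iam.amazonaws.com", "ListRoles"),
    _rec("2024-05-01T10:00:03Z", ATTACKER, "iam.amazonaws.com", "GetUserPolicy"),
    _rec("2024-05-01T10:00:05Z", ATTACKER, "ec2.amazonaws.com", "DescribeInstances"),
    _rec("2024-05-01T10:00:06Z", ATTACKER, "ec2.amazonaws.com", "DescribeSecurityGroups"),
    _rec("2024-05-01T10:00:08Z", ATTACKER, "s3.amazonaws.com", "ListBuckets"),
    _rec("2024-05-01T10:00:09Z", ATTACKER, "lambda.amazonaws.com", "ListFunctions"),
    _rec("2024-05-01T10:00:10Z", ATTACKER, "guardduty.amazonaws.com", "ListDetectors"),
    # detection__disruption, then iam__backdoor_users_keys
    _rec("2024-05-01T10:02:00Z", ATTACKER, "guardduty.amazonaws.com", "DeleteDetector"),
    _rec("2024-05-01T10:02:30Z", ATTACKER, "cloudtrail.amazonaws.com", "StopLogging"),
    _rec("2024-05-01T10:03:00Z", ATTACKER, "iam.amazonaws.com", "CreateAccessKey"),
    # benign admin activity spread over the day
    _rec("2024-05-01T09:00:00Z", ADMIN, "ec2.amazonaws.com", "DescribeInstances", ip="198.51.100.2"),
    _rec("2024-05-01T14:30:00Z", ADMIN, "s3.amazonaws.com", "ListBuckets", ip="198.51.100.2"),
]

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE), indent=2))
```

In production the same three checks map naturally onto CloudTrail Lake or Athena queries over the full log set; the disruption and persistence lists are the ones to alert on directly, while the burst rule needs a baseline per principal before it is reliable.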
☠️ Risk & Impact
Run with sufficiently privileged credentials, Pacu can take an AWS account from a single leaked key to administrator-level access: new users and keys for persistence, download of S3 buckets and copies of RDS and EBS snapshots, resource hijacking such as EC2 instances launched for cryptocurrency mining, and blinding of CloudTrail and GuardDuty so that the intrusion is noticed late. Any organisation running AWS is exposed; the damage scales with what the compromised principal could do and how long the activity went unnoticed. Pacu escalates within IAM; it does not obtain the account root user's credentials, but administrator-level IAM access is enough for severe compliance and operational impact.
🛡️ Mitigation
Defensive measures: enforce least-privilege IAM policies and in particular review who holds iam:PassRole, iam:CreatePolicyVersion, iam:AttachUserPolicy, iam:PutUserPolicy and lambda:UpdateFunctionCode, since those are the escalation paths iam__privesc_scan looks for; keep CloudTrail enabled in every region with log file validation on and delivery to a bucket in a separate log-archive account that workload principals cannot write to; enable GuardDuty in every region and alert on cloudtrail:StopLogging, cloudtrail:DeleteTrail and guardduty:DeleteDetector and on bursts of enumeration from a single principal; in AWS Organizations, apply a service control policy that denies those disruption calls to everything except a security role, so that detection__disruption fails even with administrator credentials; audit configuration continuously with ScoutSuite or Prowler; and review Lambda functions and their event triggers, unused IAM roles and long-lived access keys on a schedule, rotating keys immediately when compromise is suspected. Running Pacu against your own account is a reasonable way to find the same paths before someone else does. The public Sigma rule set contains AWS CloudTrail rules for the logging-disruption and GuardDuty events listed above; use those rather than a single rule ID.
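The privilege-escalation checks that iam__privesc_scan performs from the attacker's side (see Technical Capabilities above) can be run from the defender's side over policy documents during the IAM review recommended here. The following Python is an added example for this page, not Pacu's scanner. The policy documents are constructed, the path labels are this example's own, and it deliberately ignores Resource, Condition and NotAction, so a hit means "review this", not "exploitable".

```python
"""Flag IAM permission combinations that form known privilege-escalation paths.

Added example for this page, not Pacu code. Assumed simplifications: Resource,
Condition and NotAction are ignored, and any Deny on an action blocks it
regardless of scope. Path labels are this example's own.
"""
from fnmatch import fnmatch

# (label, actions that must ALL be allowed for the path to be open)
PRIVESC_PATHS = [
    ("CreateNewPolicyVersion", {"iam:CreatePolicyVersion"}),
    ("SetExistingDefaultPolicyVersion", {"iam:SetDefaultPolicyVersion"}),
    ("CreateAccessKey", {"iam:CreateAccessKey"}),
    ("CreateLoginProfile", {"iam:CreateLoginProfile"}),
    ("UpdateLoginProfile", {"iam:UpdateLoginProfile"}),
    ("AttachUserPolicy", {"iam:AttachUserPolicy"}),
    ("AttachRolePolicy", {"iam:AttachRolePolicy"}),
    ("PutUserPolicy", {"iam:PutUserPolicy"}),
    ("PutRolePolicy", {"iam:PutRolePolicy"}),
    ("AddUserToGroup", {"iam:AddUserToGroup"}),
    ("UpdateRolePolicyToAssumeIt", {"iam:UpdateAssumeRolePolicy", "sts:AssumeRole"}),
    ("PassExistingRoleToNewEC2", {"iam:PassRole", "ec2:RunInstances"}),
    ("PassExistingRoleToNewLambdaThenInvoke",
     {"iam:PassRole", "lambda:CreateFunction", "lambda:InvokeFunction"}),
    ("PassExistingRoleToNewLambdaThenTriggerWithNewDynamo",
     {"iam:PassRole", "lambda:CreateFunction", "lambda:CreateEventSourceMapping"}),
    ("EditExistingLambdaFunctionWithRole", {"lambda:UpdateFunctionCode"}),
    ("PassExistingRoleToNewGlueDevEndpoint", {"iam:PassRole", "glue:CreateDevEndpoint"}),
    ("PassExistingRoleToCloudFormation", {"iam:PassRole", "cloudformation:CreateStack"}),
]


def _as_list(value):
    """IAM accepts either a string or a list for Statement, Action and similar keys."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(patterns, action):
    """IAM action matching is case-insensitive and supports * and ? wildcards."""
    return any(fnmatch(action, p.lower()) for p in patterns)


def allowed_actions(policies, candidates):
    """Lower-cased subset of candidates the policies allow (Allow minus Deny)."""
    allow, deny = [], []
    for doc in policies:
        for stmt in _as_list(doc.get("Statement")):
            bucket = allow if stmt.get("Effect") == "Allow" else deny
            bucket.extend(_as_list(stmt.get("Action")))
    return {a.lower() for a in candidates
            if _matches(allow, a.lower()) and not _matches(deny, a.lower())}


def privesc_paths(policies):
    """Labels of every escalation path whose actions are all allowed, in table order."""
    needed = set().union(*(actions for _, actions in PRIVESC_PATHS))
    have = allowed_actions(policies, needed)
    return [label for label, actions in PRIVESC_PATHS
            if {a.lower() for a in actions} <= have]


# Constructed sample policies.
WEAK_POLICY = {  # a "developer" policy with a service wildcard and unscoped PassRole
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["lambda:*", "iam:PassRole", "s3:Get*"],
                   "Resource": "*"}],
}
FIXED_POLICY = {  # same job, only the actions the workflow actually needs
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["lambda:GetFunction", "lambda:ListFunctions",
                              "lambda:InvokeFunction", "s3:GetObject", "s3:ListBucket"],
                   "Resource": "*"}],
}
DENY_PASSROLE = {  # e.g. an SCP or permissions boundary that removes PassRole outright
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "iam:PassRole", "Resource": "*"}],
}

if __name__ == "__main__":
    for name, docs in [("weak", [WEAK_POLICY]), ("fixed", [FIXED_POLICY]),
                       ("weak+deny", [WEAK_POLICY, DENY_PASSROLE])]:
        print(name, privesc_paths(docs))
```

The weak policy opens three paths through lambda:* plus an unscoped iam:PassRole; the fixed policy opens none; the deny layered on the weak policy closes the PassRole paths but still leaves lambda:UpdateFunctionCode, which is why wildcards on lambda, iam and glue deserve the same scrutiny as PassRole itself.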
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.