T1059.009 Cloud API in MITRE ATT&CK Explained

Sıla Özeren Hacıoğlu | 6 MIN READ | March 12, 2026

What Is T1059.009 Cloud API in MITRE ATT&CK?

T1059.009 Cloud API is a sub-technique of Command and Scripting Interpreter (T1059) in the MITRE ATT&CK framework, under the Execution tactic. It refers to the abuse of cloud service provider APIs by adversaries to execute actions directly within a cloud environment.

Instead of running operating system–level commands, attackers issue instructions through cloud management interfaces exposed by platforms such as AWS, Microsoft Azure, Google Cloud, and other cloud service providers. These APIs allow programmatic control over cloud resources, including identity and access management (IAM), compute instances, storage services, and network configurations. Because API-driven actions are fundamental to cloud administration and automation, malicious use can closely resemble legitimate operational activity.

To read about other sub-techniques of the T1059 Command and Scripting Interpreter technique, you can visit the related hub blog.

Adversary Use of T1059.009 Cloud API

Adversaries use T1059.009 Cloud API to perform malicious actions in cloud environments by abusing stolen, misused, or misconfigured credentials. Once authenticated, attackers gain the same level of access as legitimate users or service accounts and can operate entirely through trusted cloud control planes.

Common adversary actions via cloud APIs include listing or modifying IAM users and roles, creating or terminating virtual machines, accessing or exfiltrating cloud storage data, altering network and security configurations, and deploying malicious resources such as cryptomining instances. Because these activities leverage native APIs and often blend into routine automation workflows, they can evade detection in environments lacking granular logging, identity controls, or continuous monitoring of cloud API activity.
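As an added example (not code from the original article), the following Python correlates CloudTrail-shaped audit records to surface the patterns described above: a burst of enumeration calls followed by a high-impact change from the same access key, and repeated AccessDenied responses that suggest a credential being probed for what it is allowed to do. The event records, access key names and thresholds are constructed for illustration.

```python
"""Correlate control-plane audit events to spot T1059.009-style API abuse.
Added example, not from the original article; reads CloudTrail-shaped records
(eventTime, eventSource, eventName, userIdentity, errorCode); events are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

RECON_PREFIXES = ("List", "Get", "Describe")  # enumeration calls
HIGH_IMPACT = {  # mutations the article lists as common adversary actions
    "iam.amazonaws.com": {"CreateUser", "CreateAccessKey", "AttachUserPolicy"},
    "ec2.amazonaws.com": {"RunInstances", "TerminateInstances", "AuthorizeSecurityGroupIngress"},
    "s3.amazonaws.com": {"PutBucketPolicy", "DeleteBucket"}}
WINDOW = timedelta(minutes=15)  # recon-then-mutate correlation window (assumed)
MIN_RECON = 3                   # enumeration calls that count as a burst (assumed)
DENIED_THRESHOLD = 3            # AccessDenied count suggesting permission probing (assumed)

def _ev(t, src, name, key, err=None):  # minimal CloudTrail-like record (constructed)
    ev = {"eventTime": t, "eventSource": src, "eventName": name, "userIdentity": {"accessKeyId": key}}
    if err: ev["errorCode"] = err
    return ev

SAMPLE_EVENTS = [  # constructed sample data, not real logs
    _ev("2026-03-01T10:00:05Z", "iam.amazonaws.com", "ListUsers", "AKIA_STOLEN"),
    _ev("2026-03-01T10:00:09Z", "iam.amazonaws.com", "ListRoles", "AKIA_STOLEN"),
    _ev("2026-03-01T10:00:14Z", "ec2.amazonaws.com", "DescribeInstances", "AKIA_STOLEN"),
    _ev("2026-03-01T10:06:30Z", "ec2.amazonaws.com", "RunInstances", "AKIA_STOLEN"),
    _ev("2026-03-01T11:00:00Z", "ec2.amazonaws.com", "RunInstances", "AKIA_CICD"),  # routine pipeline
    _ev("2026-03-01T11:02:00Z", "s3.amazonaws.com", "PutBucketPolicy", "AKIA_PROBE", "AccessDenied"),
    _ev("2026-03-01T11:02:03Z", "iam.amazonaws.com", "CreateUser", "AKIA_PROBE", "AccessDenied"),
    _ev("2026-03-01T11:02:07Z", "ec2.amazonaws.com", "AuthorizeSecurityGroupIngress", "AKIA_PROBE", "AccessDenied"),
]
def _ts(ev): return datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def find_suspicious(events):
    """Return [(access_key, reason)] for enumeration-then-mutate and repeated AccessDenied."""
    by_key = defaultdict(list)
    for ev in sorted(events, key=_ts):
        by_key[ev["userIdentity"]["accessKeyId"]].append(ev)
    alerts = []
    for key, evs in by_key.items():
        denied = sum(1 for e in evs if e.get("errorCode") == "AccessDenied")
        if denied >= DENIED_THRESHOLD:
            alerts.append((key, f"{denied} AccessDenied responses (permission probing)"))
        recon = [_ts(e) for e in evs if e["eventName"].startswith(RECON_PREFIXES)]
        for e in evs:  # only successful high-impact calls are correlated with prior recon
            if e.get("errorCode") or e["eventName"] not in HIGH_IMPACT.get(e["eventSource"], ()):
                continue
            prior = [r for r in recon if _ts(e) - WINDOW <= r < _ts(e)]
            if len(prior) >= MIN_RECON:
                alerts.append((key, f"{e['eventName']} after {len(prior)} enumeration calls"))
    return alerts
```

The routine pipeline key performs the same RunInstances call but without a preceding enumeration burst, so it is not flagged; that contrast is what keeps this logic usable in an automation-heavy account.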

Procedure Examples Used by Adversaries in Red Report 2026

Execution via API Data Relay

A notable example of Cloud API abuse emerged in November 2025 with SesameOp, an espionage-focused backdoor that leveraged a trusted cloud API as a covert command relay [1]. Rather than contacting a dedicated C2 server, the malware communicated exclusively through OpenAI's Assistants API, using a stolen API key and legitimate endpoints (e.g., api.openai.com) to fetch encrypted instructions and upload execution results.

This approach allowed SesameOp to blend seamlessly into normal business-related API traffic and bypass traditional network defenses that rely on detecting suspicious domains or IPs. By misusing a reputable cloud service as a transport layer, the attackers demonstrated how Cloud API channels can be repurposed for stealthy execution and long-term persistence.

Procedure Examples Used by Adversaries in Red Report 2025

Downloading, Loading, and Executing Malicious Payloads

In May 2024, cybersecurity researchers observed a significant uptick in the abuse of the Microsoft Graph API by threat actors [2]. These adversaries leveraged the API to establish covert communication channels for malware, effectively blending malicious traffic with legitimate cloud service activity to evade detection.

Notably, several nation-state-aligned hacking groups, including APT28, REF2924, Red Stinger, Flea, APT29, and OilRig, were identified utilizing the Microsoft Graph API for command-and-control (C&C) communications. This tactic involved hosting C&C infrastructure on Microsoft cloud services, thereby masking malicious operations within trusted platforms.

A specific instance involved the deployment of a previously undocumented malware named BirdyClient* (also known as OneDriveBirdyClient) against an organization in Ukraine. This malware used the Microsoft Graph API to interact with OneDrive, serving as a C&C server for uploading and downloading files. The malicious DLL associated with BirdyClient was designed to mimic legitimate software components, further complicating detection efforts.

*SHA-256: afeaf8bd61f70fc51fbde7aa63f5d8ad96964f40b7d7fce1012a0b842c83273e [3]

The increasing abuse of the Microsoft Graph API underscores the challenges organizations face in securing their networks against sophisticated cyber threats that exploit trusted cloud services. To mitigate such risks, it is imperative to implement robust monitoring of API activities, enforce strict access controls, and maintain up-to-date security measures across all cloud-based platforms.
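Both SesameOp's use of the OpenAI Assistants API and the Graph API cases above rely on a trusted API host as the C2 transport, so domain reputation will not flag them; what remains visible is which internal clients talk to those hosts and how regularly. The Python below (an added example, not code from the article) scans proxy log lines for clients with no approved integration and for timer-like request cadence toward those hosts; the log format, the approved-client list, the thresholds and the sample lines are all constructed assumptions.

```python
"""Flag beacon-like traffic to trusted SaaS API endpoints in web proxy logs.
Added example, not from the original article; log format and samples are constructed."""
import statistics
from collections import defaultdict
from datetime import datetime

WATCHED_HOSTS = {"api.openai.com", "graph.microsoft.com"}  # API hosts the article shows repurposed as C2
APPROVED_CLIENTS = {"10.0.5.20"}  # assumed inventory of clients with an approved integration
MIN_REQUESTS = 5   # samples needed before judging cadence (assumed)
MAX_CV = 0.15      # coefficient of variation of request gaps; near 0 = timer-driven (assumed)

# Constructed log lines: "<timestamp> <client-ip> <host> <method> <path> <bytes>"
SAMPLE_LOG = """\
2026-03-01T09:00:00Z 10.0.5.20 graph.microsoft.com POST /v1.0/me/sendMail 2048
2026-03-01T09:00:00Z 10.0.7.41 api.openai.com GET /v1/threads/thr_x/messages 512
2026-03-01T09:01:00Z 10.0.7.41 api.openai.com GET /v1/threads/thr_x/messages 512
2026-03-01T09:02:00Z 10.0.7.41 api.openai.com GET /v1/threads/thr_x/messages 512
2026-03-01T09:03:00Z 10.0.7.41 api.openai.com GET /v1/threads/thr_x/messages 512
2026-03-01T09:04:17Z 10.0.5.20 graph.microsoft.com GET /v1.0/me/messages 9120
2026-03-01T09:04:00Z 10.0.7.41 api.openai.com GET /v1/threads/thr_x/messages 512
2026-03-01T09:31:05Z 10.0.5.20 graph.microsoft.com GET /v1.0/me/drive/root/children 7300
2026-03-01T10:20:00Z 10.0.9.9 graph.microsoft.com PUT /v1.0/me/drive/root:/o.bin:/content 40960
2026-03-01T10:20:30Z 10.0.9.9 graph.microsoft.com GET /v1.0/me/drive/root/children 600
"""

def parse(log):
    """Yield (timestamp, client, host) for lines that hit a watched API host."""
    for line in log.splitlines():
        ts, client, host, *_ = line.split()
        if host in WATCHED_HOSTS:
            yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, host

def find_suspect_pairs(log):
    """Return {(client, host): [reasons]} for unapproved clients and timer-regular cadence."""
    times = defaultdict(list)
    for ts, client, host in parse(log):
        times[(client, host)].append(ts)
    findings = {}
    for (client, host), stamps in times.items():
        reasons = []
        if client not in APPROVED_CLIENTS:
            reasons.append("client has no approved integration with this API")
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if len(stamps) >= MIN_REQUESTS:  # interactive use has irregular gaps; a timer does not
            mean = statistics.mean(gaps)
            cv = statistics.pstdev(gaps) / mean if mean else 0.0
            if cv <= MAX_CV:
                reasons.append(f"{len(stamps)} requests at ~{mean:.0f}s intervals (beacon-like)")
        if reasons:
            findings[(client, host)] = reasons
    return findings
```

The approved client's irregular, human-paced Graph calls produce no finding, while the unapproved host polling the same API on a fixed one-minute timer is reported on both counts.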

Procedure Examples Used by Adversaries in Red Report 2024

Remote Code Execution

Adversaries often leverage cloud APIs for remote code execution. For instance, in a cyber incident disclosed in December 2022, adversaries exploited a vulnerability in Google Home smart speakers by leveraging the cloud API to gain unauthorized control [4].

The attackers manipulated the device's local HTTP API to add a rogue user account, enabling them to send remote commands via the cloud API. This process involved disconnecting the device from its network, obtaining crucial device information like its name, certificate, and cloud ID, and then using this data to link their account to the victim's device.

With this access, the attackers could remotely activate the speaker's microphone, eavesdrop on conversations, and execute other commands, such as controlling smart home devices or making unauthorized online purchases. This exploitation of the cloud API for malicious purposes underscores the potential security risks associated with interconnected smart devices and the critical need for robust security measures in IoT ecosystems.

Downloading, Loading, and Executing Malicious Payloads

Adversaries can leverage cloud APIs for downloading, loading, and executing malicious payloads on the victim system. For instance, in their latest campaign disclosed in June 2023, the Chinese state-sponsored hacking group APT15 [5], known for targeting global public and private organizations, has deployed a novel backdoor named 'Graphican.' This sophisticated malware leverages the Microsoft Graph API and OneDrive for its C&C operations, using these cloud services to obtain encrypted C&C infrastructure addresses stealthily.

This method provides Graphican with enhanced versatility and resilience against takedown attempts. By authenticating with the Microsoft Graph API, Graphican can access and decrypt specific OneDrive folder names to use as C&C server addresses. This innovative use of legitimate cloud APIs for malicious purposes marks a significant evolution in APT15's tactics, allowing them to execute various commands remotely, including file creation, downloading, and running interactive command lines, thereby maintaining their reputation as a formidable threat in cyberspace.

Enumerating High-Value User Accounts

One usage of cloud APIs can be enumerating high-value user accounts. For instance, in February 2023, the S1deload Stealer malware campaign, targeting YouTube and Facebook users, uniquely leveraged the Facebook Graph API to enhance its malicious operations [6].

Once a user's Facebook account is compromised, the malware uses the Graph API to evaluate the account's value by checking if the victim administers any Facebook pages or groups, has paid for ads, or is connected to a business manager account. This strategic use of the Graph API allows the malware to prioritize accounts with greater reach or financial value, optimizing its impact for spreading further or more targeted exploitation. This approach demonstrates sophisticated integration with legitimate social media infrastructure to facilitate and amplify malicious activities.


References

[1] K. Underhill, “Hackers Hijack OpenAI API in Stealthy New Backdoor Attack,” eSecurity Planet, Nov. 04, 2025. Available: https://www.esecurityplanet.com/threats/hackers-hijack-openai-api-in-stealthy-new-backdoor-attack/. [Accessed: Dec. 02, 2025]

[2] M. Callahan, “API Breaches Continue,” Salt Security, Oct. 15, 2024. Available: https://salt.security/blog/its-2024-and-the-api-breaches-keep-coming. [Accessed: Nov. 27, 2024]

[3] “Defending Against Cyber Threats Leveraging Microsoft Graph API,” Cyber Security Agency of Singapore. Available: https://www.csa.gov.sg/alerts-advisories/Advisories/2024/ad-2024-010. [Accessed: Nov. 27, 2024]

[4] B. Toulas, “Google Home speakers allowed hackers to snoop on conversations,” BleepingComputer, Dec. 29, 2022. Available: https://www.bleepingcomputer.com/news/security/google-home-speakers-allowed-hackers-to-snoop-on-conversations/. [Accessed: Dec. 21, 2023]

[5] B. Toulas, “Chinese APT15 hackers resurface with new Graphican malware,” BleepingComputer, Jun. 21, 2023. Available: https://www.bleepingcomputer.com/news/security/chinese-apt15-hackers-resurface-with-new-graphican-malware/. [Accessed: Dec. 21, 2023]

[6] S. Gatlan, “New S1deload Stealer malware hijacks Youtube, Facebook accounts,” BleepingComputer, Feb. 22, 2023. Available: https://www.bleepingcomputer.com/news/security/new-s1deload-stealer-malware-hijacks-youtube-facebook-accounts/. [Accessed: Dec. 21, 2023]
