MITRE ATT&CK Technique
Description
Adversaries may compromise serverless cloud infrastructure, such as Cloudflare Workers, AWS Lambda functions, or Google Apps Scripts, that can be used during targeting. By utilizing serverless infrastructure, adversaries can make it more difficult to attribute infrastructure used during operations back to them.

Once compromised, the serverless runtime environment can be leveraged to either respond directly to infected machines or to [Proxy](https://attack.mitre.org/techniques/T1090) traffic to an adversary-owned command and control server.(Citation: BlackWater Malware Cloudflare Workers)(Citation: AWS Lambda Redirector)(Citation: GWS Apps Script Abuse 2021) As traffic generated by these functions will appear to come from subdomains of common cloud providers, it may be difficult to distinguish from ordinary traffic to these providers - making it easier to [Hide Infrastructure](https://attack.mitre.org/techniques/T1665).(Citation: Detecting Command & Control in the Cloud)(Citation: BlackWater Malware Cloudflare Workers)
Supported Platforms
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2022-07-08T12:46:15.450Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Adversaries may compromise serverless cloud infrastructure, '
'such as Cloudflare Workers, AWS Lambda functions, or Google '
'Apps Scripts, that can be used during targeting. By utilizing '
'serverless infrastructure, adversaries can make it more '
'difficult to attribute infrastructure used during operations '
'back to them. \n'
'\n'
'Once compromised, the serverless runtime environment can be '
'leveraged to either respond directly to infected machines or '
'to [Proxy](https://attack.mitre.org/techniques/T1090) traffic '
'to an adversary-owned command and control server.(Citation: '
'BlackWater Malware Cloudflare Workers)(Citation: AWS Lambda '
'Redirector)(Citation: GWS Apps Script Abuse 2021) As traffic '
'generated by these functions will appear to come from '
'subdomains of common cloud providers, it may be difficult to '
'distinguish from ordinary traffic to these providers - making '
'it easier to [Hide '
'Infrastructure](https://attack.mitre.org/techniques/T1665).(Citation: '
'Detecting Command & Control in the Cloud)(Citation: '
'BlackWater Malware Cloudflare Workers)',
'external_references': [{'external_id': 'T1584.007',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1584/007'},
{'description': 'Adam Chester. (2020, February 25). '
'AWS Lambda Redirector. Retrieved '
'July 8, 2022.',
'source_name': 'AWS Lambda Redirector',
'url': 'https://blog.xpnsec.com/aws-lambda-redirector/'},
{'description': 'Gary Golomb. (n.d.). Threat Hunting '
'Series: Detecting Command & Control '
'in the Cloud. Retrieved July 8, '
'2022.',
'source_name': 'Detecting Command & Control in the '
'Cloud',
'url': 'https://awakesecurity.com/blog/threat-hunting-series-detecting-command-control-in-the-cloud/'},
{'description': 'Lawrence Abrams. (2020, March 14). '
'BlackWater Malware Abuses Cloudflare '
'Workers for C2 Communication. '
'Retrieved July 8, 2022.',
'source_name': 'BlackWater Malware Cloudflare '
'Workers',
'url': 'https://www.bleepingcomputer.com/news/security/blackwater-malware-abuses-cloudflare-workers-for-c2-communication/'},
{'description': 'Sergiu Gatlan. (2021, February 18). '
'Hackers abuse Google Apps Script to '
'steal credit cards, bypass CSP. '
'Retrieved July 1, 2024.',
'source_name': 'GWS Apps Script Abuse 2021',
'url': 'https://www.bleepingcomputer.com/news/security/hackers-abuse-google-apps-script-to-steal-credit-cards-bypass-csp/#google_vignette'}],
'id': 'attack-pattern--df1bc34d-1634-4c93-b89e-8120994fce77',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'resource-development'}],
'modified': '2025-04-15T23:06:14.037Z',
'name': 'Serverless',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_contributors': ['Awake Security'],
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': True,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['PRE'],
'x_mitre_version': '1.1'}