AWS Credentials File Grab for 2026-02-25
Feb 25, 2026
WebExploit
Last Updated: 12:13 UTC
Direct requests for /.aws/credentials — the AWS CLI credential store. Long-term AWS access keys in this file grant full programmatic access to the associated AWS account. Widely targeted in automated cloud credential harvesting campaigns.
MITRE ATT&CK
Tactic: Credential Access (TA0006)
Technique: T1552.005 — Cloud Instance Metadata API
Observed URIs
/.aws/credentials
/admin/config?cmd=cat%20/root/.aws/credentials
/pms?module=logging&file_name=../../../../../../~/.aws/credentials&number_of_lines=10000
Attackers by Country
IP Address : ASN : City/Provider
- 185.177.72.22 : ASNone : Congleton
- 36.83.123.170 : AS7713 pt telekomunikasi indonesia : Sengkang
- 92.118.39.32 : AS48090 pptechnology limited : Dallas