Unveiling the Reign of GUI-vil: Financially Motivated Cyberthreat Group Targeting AWS Accounts

A financially motivated cyberthreat group has been identified, relentlessly attacking organizations’ Amazon Web Services (AWS) accounts with the intent to establish unauthorized cryptomining operations. Researchers have shed light on the activities of this group, tracing their origins to IP addresses associated with Indonesian internet service providers. This article delves into the tactics employed by the group and highlights their adaptability and persistence in maintaining access to compromised accounts.

Unmasking GUI-vil: Unleashing Cyberattacks with Personalized Precision

Permiso, a leading cloud security company, has been diligently monitoring the activities of the cyberthreat group for approximately 18 months. Referred to as GUI-vil (pronounced Goo-ee-vil), the group has earned this moniker due to its inclination towards employing graphical user interfaces (GUIs), specifically an older version of S3 Browser, a tool designed for AWS account access.

- Advertisement -

Methodology: Infiltrating AWS Accounts and Exploiting Weaknesses

The attackers commence their assault by identifying publicly exposed AWS access credentials or resorting to hacking services such as GitLab to gather valuable login information. What sets GUI-vil apart from other groups focused on crypto mining is their meticulous approach to establishing a foothold within an environment. They employ various tactics, including creating usernames that mimic the victim’s naming conventions or, in some cases, commandeering existing user profiles by generating login credentials for non-existent users.

Persistence and Adaptability: GUI-vil’s Battle Strategy

Permiso’s analysts, Ian Ahl and Daniel Bohannon, who possess extensive experience in cybersecurity, emphasize the tenacity of GUI-vil.

The attackers vigorously defend their access privileges when confronted by defenders. Instead of retreating, they adapt to the situation at hand, displaying a steadfast determination to retain control over compromised accounts. Their actions reflect a proactive stance, utilizing personalized strategies to masquerade as legitimate users.

Cryptojacking in the Shadows: GUI-vil’s Ultimate Objective

The primary objective of the hackers behind GUI-vil is to discreetly deploy cryptomining software, commonly known as cryptojacking, on Elastic Compute Cloud (EC2) instances. These instances enable users to rent computing resources, making them an ideal target for illicit operations. GUI-vil displays an opportunistic approach, targeting any organization for which they acquire compromised credentials, rather than focusing on specific targets.


The financial motivations driving GUI-vil, a notorious cyberthreat group, have led them to orchestrate persistent attacks on AWS accounts, aiming to establish clandestine cryptomining activities. By analyzing their modus operandi, researchers have uncovered their adaptability and tenacity in maintaining control over compromised environments. It is crucial for organizations to enhance their security measures to mitigate the risks posed by GUI-vil’s sophisticated tactics.

Dimitris is an Information Technology and Cybersecurity professional with more than 20 years of experience in designing, building and maintaining efficient and secure IT infrastructures.
Among others, he is a certified: CISSP, CISA, CISM, ITIL, COBIT and PRINCE2, but his wide set of knowledge and technical management capabilities go beyond these certifications. He likes acquiring new skills on penetration testing, cloud technologies, virtualization, network security, IoT and many more.

Exit mobile version