Introducing GUI-Vil

May 27, 2023

They're all about that GUI life

Permiso has been on the case for a year and a half, tracking a bunch of miscreants they're calling "GUI-vil." Yeah, you heard that right, "gooey-ville." And their reason for being is crypto mining.

The bad guys are based in Indonesia, and they're using Amazon Web Services (AWS) for their shady operations. These hackers aren't using fancy command-line tools, though. They're all about that Graphical User Interface (GUI), hence the name GUI-vil. Their tool of choice is an old version of the S3 Browser client, one dating back to early 2021, and once they have a way into an account they also work out of the AWS Management Console. That's good news for defenders, because neither choice is quiet: CloudTrail records the User-Agent string on every API call, and a console sign-in lands in CloudTrail as its own event.
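Since this crew drives a GUI client, the cheapest hunt is the User-Agent field CloudTrail writes on every API call. What follows is an added example of mine, not Permiso's tooling or anything from their report: it scans CloudTrail records for S3 Browser usage and then flags console logins by the same principal afterwards. The sample records are constructed, the key ID is AWS's documentation placeholder, the IPs are documentation ranges, and the exact S3 Browser User-Agent text is an assumption about how that client identifies itself; tune the regex to what you actually see in your logs.

```python
import re

# Constructed sample CloudTrail records (not real logs). Field names follow the
# CloudTrail record format; the IP addresses come from documentation ranges and the
# key ID is AWS's documentation placeholder. The IAM user "deploy-bot" is driven from
# S3 Browser, then signs in to the console from the same address. The S3 Browser
# User-Agent text is an assumption about how that client identifies itself.
SAMPLE_RECORDS = [
    {"eventTime": "2023-05-01T10:00:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "sourceIPAddress": "203.0.113.10",
     "userAgent": "S3 Browser 9.5.5 https://s3browser.com",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot",
                      "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
    {"eventTime": "2023-05-01T10:00:05Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.10",
     "userAgent": "S3 Browser 9.5.5 https://s3browser.com",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot",
                      "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
    {"eventTime": "2023-05-01T10:12:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot"}},
    {"eventTime": "2023-05-01T09:30:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 13_3)",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2023-05-01T11:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "10.0.4.8",
     "userAgent": "aws-cli/2.11.0 Python/3.11.2 Linux/5.15",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/ci-runner/build-42"}},
]

# Matches "S3 Browser 9.5.5", "S3Browser/9.5.5" and similar, capturing the version if present.
S3_BROWSER_RE = re.compile(r"s3\s*browser[ /]*(\d+(?:\.\d+)*)?", re.IGNORECASE)


def s3_browser_version(user_agent):
    """Return the S3 Browser version from a User-Agent string, "unknown" if the
    client is named without a version, or None if it is not S3 Browser at all."""
    m = S3_BROWSER_RE.search(user_agent or "")
    if m is None:
        return None
    return m.group(1) or "unknown"


def is_s3_browser(user_agent):
    return s3_browser_version(user_agent) is not None


def principal(record):
    """Best-effort identity for a record: user name, else ARN, else principal ID."""
    ident = record.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("principalId") or "unknown"


def find_gui_vil_activity(records):
    """Flag S3 Browser usage, then console logins by the same principals afterwards.

    Returns {"s3_browser": [...], "console_after_s3_browser": [...]} where each entry
    is (eventTime, principal, detail). eventTime values are ISO-8601 UTC strings of
    the same shape, so plain string comparison orders them correctly.
    """
    ordered = sorted(records, key=lambda r: r["eventTime"])
    s3_browser_hits = []
    first_seen = {}  # principal -> first eventTime seen with S3 Browser
    for rec in ordered:
        version = s3_browser_version(rec.get("userAgent"))
        if version is None:
            continue
        who = principal(rec)
        first_seen.setdefault(who, rec["eventTime"])
        s3_browser_hits.append((rec["eventTime"], who,
                                f"{rec['eventName']} via S3 Browser {version} "
                                f"from {rec['sourceIPAddress']}"))
    console_hits = []
    for rec in ordered:
        who = principal(rec)
        # ConsoleLogin is the CloudTrail event name for Management Console sign-ins.
        if (rec.get("eventName") == "ConsoleLogin" and who in first_seen
                and rec["eventTime"] >= first_seen[who]):
            console_hits.append((rec["eventTime"], who,
                                 f"console login from {rec['sourceIPAddress']}"))
    return {"s3_browser": s3_browser_hits, "console_after_s3_browser": console_hits}


if __name__ == "__main__":
    for category, hits in find_gui_vil_activity(SAMPLE_RECORDS).items():
        for when, who, detail in hits:
            print(f"[{category}] {when} {who}: {detail}")
```

In a real account you would feed this the records from your CloudTrail log files or an Athena query rather than the inline list; the "alice" login is deliberately not flagged because she never showed up with the S3 Browser User-Agent, which is the correlation that keeps this from paging you on every console sign-in.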

According to the researchers, these lowlifes start by doing some recon. They scout public sources like GitHub and Pastebin for exposed AWS access keys, and they also scan for vulnerable GitLab instances as another way in. They're digging through whatever's public to find a door that's already open.
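That recon step is worth turning around on yourself: if the crooks can grep public repos for your keys, you can grep your own before you push. Below is an added example of mine, not Permiso's and not anything from their report, of a small scanner for AWS access key IDs and secret access keys in text and files. It goes slightly beyond the paragraph by also matching temporary (ASIA) key IDs, not just long-term (AKIA) ones. The sample input is constructed and uses the placeholder credentials from AWS's own documentation; the variable-name heuristic for secret keys is an assumption I make here to keep random base64 blobs from being reported.

```python
import os
import re

# Access key IDs are 20 characters: AKIA (long-term) or ASIA (temporary) plus 16
# upper-case letters or digits. Secret access keys are 40 characters of [A-Za-z0-9/+=]
# with no fixed prefix, so (heuristic, my assumption for this example) one is only
# reported when it sits right after a variable or field name that looks like a secret key.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
SECRET_KEY_RE = re.compile(
    r"aws[_-]?secret(?:[_-]?access)?[_-]?key\W{0,5}([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])",
    re.IGNORECASE,
)

# Constructed sample input: placeholder credentials from AWS's own documentation,
# plus two lines that look tempting but must not be reported.
SAMPLE_TEXT = """\
# a .env file that got committed by mistake
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
AWS_DEFAULT_REGION=us-east-1
# temporary credentials pasted straight into a script
session = boto3.Session(aws_access_key_id="ASIAQ3EXAMPLE2DN2ZXC", aws_secret_access_key="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY")
# neither of these is a credential: a 40-hex git hash and a lower-case bucket name
commit = "b6589fc6ab0dc82cf12099d1c2d40ab994e8410c"
bucket_arn = "arn:aws:s3:::akia-archive-bucket"
"""


def mask(value):
    """Keep enough of a credential to identify it in a report, and no more."""
    return value[:4] + "..." + value[-4:]


def scan_text(text, source="<text>"):
    """Return findings as (source, line_number, kind, masked_value) tuples."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            key_id = m.group(1)
            kind = "access_key_id" if key_id.startswith("AKIA") else "temporary_access_key_id"
            findings.append((source, lineno, kind, mask(key_id)))
        for m in SECRET_KEY_RE.finditer(line):
            findings.append((source, lineno, "secret_access_key", mask(m.group(1))))
    return findings


def scan_directory(root, skip_dirs=(".git", "node_modules", ".venv")):
    """Walk a tree and scan every regular file as text (undecodable bytes are ignored)."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in skip_dirs]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    findings.extend(scan_text(fh.read(), path))
            except OSError:
                continue
    return findings


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        results = scan_directory(sys.argv[1])
    else:
        results = scan_text(SAMPLE_TEXT, "sample.env")
    for source, lineno, kind, value in results:
        print(f"{source}:{lineno}: {kind} {value}")
```

Run it with a directory argument to sweep a checkout, or with none to see it work on the constructed sample. Wire something like this into a pre-commit hook and treat any AKIA hit as a key to rotate, not just delete from history: once it has been pushed anywhere public, assume it has been scraped.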

So let this be a reminder: keep your AWS keys out of code, config and public repos (and rotate any that ever leak), prefer short-lived credentials over long-term access keys wherever you can, watch out for vulnerable GitLab instances, and for crying out loud, patch your software! Don't make it easy for these GUI-vil gangsters to break into your cloud.

