Cloud Platforms Increasingly Exploited for Malicious Activities, Study Finds
Cloud platforms are being increasingly utilized for malicious activities, with attackers favoring hybrid setups to evade detection, according to a new study by researchers from the University of Twente. The study, titled “Double-Edged Sword: An Empirical Study on the Contribution of Cloud Providers in Malicious Infrastructure,” highlights a shift in how threat actors use cloud services, revealing growing challenges for internet security and policy frameworks.
Key Findings: Hybrid Cloud Use on the Rise

The study analyzed DNS data from OpenINTEL, cloud classification from IP2Location, and data on five major cloud providers to track malicious usage patterns. One notable trend is the increased reliance on partial cloud setups—where attackers deploy only specific components, such as web hosting—while avoiding full-stack cloud adoption. This strategy helps obscure operations, reduce dependency on a single provider, and complicate detection. In contrast, fully cloud-based infrastructures for malicious domains have decreased significantly since 2021.
Notably, despite AWS, Google Cloud, and Azure dominating the market share for legitimate domains, malicious actors are distributing their infrastructure more broadly across smaller providers. This diversification dilutes detection capabilities and challenges mitigation efforts due to the lack of centralized controls.
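The classification the study relies on, full versus partial versus no cloud use per domain, can be reproduced on a small scale from resolved DNS records and an IP-to-provider map. The following is an added example, not code from the study or its authors: the provider names, IP prefixes (taken from documentation ranges), and the four sample domains are all constructed, and a real measurement would substitute IP2Location-style data and OpenINTEL resolutions.

```python
import ipaddress

# Constructed IP-to-provider map (documentation prefixes; stands in for IP2Location data).
CLOUD_PREFIXES = {
    "203.0.113.0/25": "ProviderA",
    "198.51.100.0/24": "ProviderB",
    "192.0.2.0/24": "ProviderC",
}
_NETS = [(ipaddress.ip_network(p), name) for p, name in CLOUD_PREFIXES.items()]

def provider_of(ip):
    """Return the cloud provider owning ip, or None if it is not in a cloud prefix."""
    addr = ipaddress.ip_address(ip)
    for net, name in _NETS:
        if addr in net:          # version mismatch (v4 vs v6) simply yields False
            return name
    return None

def classify_domain(records):
    """records: {'web': [ips], 'dns': [ips], 'mail': [ips]} resolved from A, NS->A, MX->A.
    Components with no records (e.g. no MX) are left out of the denominator.
    Returns (category, providers) with category in {'full', 'partial', 'none'}."""
    present = {c: ips for c, ips in records.items() if ips}
    providers, cloud_components = set(), 0
    for ips in present.values():
        found = {provider_of(ip) for ip in ips} - {None}
        if found:
            cloud_components += 1
            providers |= found
    if not present or cloud_components == 0:
        return "none", providers
    if cloud_components == len(present):
        return "full", providers
    return "partial", providers

def summarize(domains):
    """Count how many domains fall in each category and how many use each provider."""
    counts = {"full": 0, "partial": 0, "none": 0}
    provider_counts = {}
    for recs in domains.values():
        category, providers = classify_domain(recs)
        counts[category] += 1
        for p in providers:
            provider_counts[p] = provider_counts.get(p, 0) + 1
    return counts, provider_counts

# Constructed sample resolutions: one full-cloud domain, two partial, one non-cloud.
SAMPLE_DOMAINS = {
    "one.test": {"web": ["203.0.113.10"], "dns": ["203.0.113.20"], "mail": ["203.0.113.30"]},
    "two.test": {"web": ["198.51.100.5"], "dns": ["10.0.0.1"], "mail": ["10.0.0.2"]},
    "three.test": {"web": ["10.1.1.1"], "dns": ["10.1.1.2"], "mail": []},
    "four.test": {"web": ["192.0.2.9"], "dns": ["198.51.100.9"], "mail": ["10.2.2.2"]},
}
```

Running `summarize(SAMPLE_DOMAINS)` shows the two measures the study reports side by side: the full/partial/none split and the spread of domains across providers.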
Geographic Insights: Hotspots for Malicious Infrastructure

The study also examined the geographic hosting patterns of blocked domains. Countries like China and Russia were found to host a disproportionate concentration of malicious infrastructure relative to the total number of hosted domains. This trend, observed across web hosting, DNS, and email infrastructure, underscores regional vulnerabilities that security professionals must address.
Researchers concluded that differences in national policies, regulatory oversight, and abuse response mechanisms significantly impact the prevalence of malicious activity in these regions.
Implications for Cloud Providers and Internet Security

The findings underline the critical need for cloud providers to enhance their security practices and abuse response mechanisms. Providers’ policies significantly influence whether their platforms host a higher share of malicious domains, even if they don’t dominate the market for blocked domains. Additionally, hybrid cloud usage by malicious actors highlights the need for adaptive detection and mitigation strategies that account for more fragmented, selective infrastructure deployments.
As cloud computing remains vital for a scalable and open internet, the report emphasizes that stronger collaboration between providers, researchers, and policymakers is necessary to reduce the abuse of shared infrastructure.
For further details, read the study: Double-Edged Sword: An Empirical Study on the Contribution of Cloud Providers in Malicious Infrastructure.