Kubernetes has become one of the most widely used platforms for managing containerized applications in enterprise environments. But as its adoption has grown, so has the attention it draws from malicious actors.
Threat actors are now exploiting misconfigurations within Kubernetes clusters to break out of containers and move directly into the cloud accounts that host them.
Recent telemetry data shows that Kubernetes-related threat operations — including service account token theft — increased by 282% over the last year, with the information technology sector accounting for over 78% of all observed activity.
The attacks are calculated, not random. Adversaries are no longer simply trying to escape a single container. They are abusing weak identity configurations and overly permissive access controls to move from an initial foothold all the way into the core cloud infrastructure.
In roughly 22% of cloud environments monitored in 2025, suspicious activity tied to service account token theft was detected.
These incidents follow a clear pattern: gain code execution inside a container, extract mounted credentials, test API permissions, and pivot toward higher-value cloud resources.
Unit 42 researchers identified this growing threat through real-world intrusion cases, revealing how threat groups are chaining Kubernetes misconfigurations with cloud credential abuse to cause serious financial and operational harm.
Their findings trace a direct line from a single compromised container all the way to the core financial systems of targeted organizations.
Among the most alarming real-world examples is an intrusion tied to Slow Pisces, a North Korean state-sponsored group also tracked as Lazarus and TraderTraitor.
In mid-2025, this group targeted a cryptocurrency exchange after gaining persistence on a developer’s workstation through spearphishing.
Using the developer’s active, privileged cloud session, the attackers deployed a malicious pod directly into the production Kubernetes cluster.
That pod was built to expose the mounted service account token — a JSON Web Token (JWT) that Kubernetes automatically assigns to pods for authenticating with the API server.
The stolen token belonged to a high-privileged management service account with broad RBAC permissions.
Using this stolen identity, the threat actor authenticated to the Kubernetes API server, listed secrets, interacted with workloads across namespaces, and dropped a backdoor into a production pod to maintain persistent access.
A single misconfigured token, when stolen, can hand an attacker sweeping control over an entire cluster.
From Cluster to Cloud: Token Theft in Action
The attack did not stop at the cluster boundary. Using the privileges tied to the stolen token, the threat actor moved laterally from Kubernetes into the broader cloud platform.
They accessed backend systems, retrieved sensitive credentials, and reached the financial infrastructure of the exchange — resulting in millions stolen in cryptocurrency.
This mirrors the post-exploitation workflow modeled by Peirates, an open-source penetration testing framework that demonstrates how an attacker holding a stolen token can enumerate secrets, pivot across namespaces, and query cloud metadata services.
A second major incident involved CVE-2025-55182, a critical flaw in React Server Components known as React2Shell.
The flaw was publicly disclosed on December 3, 2025, and active exploitation targeting cloud services began within just two days.
Attackers abused insecure deserialization in the React Server Components flight protocol to achieve code execution inside application containers.
From there, they harvested service account tokens, queried the Kubernetes API, and collected cloud credentials from environment variables — pivoting into the cloud account to install backdoors and deploy cryptominers.
To reduce exposure, security teams should enforce least privilege through strict RBAC policies, avoiding wildcard permissions across service account roles.
Long-lived static tokens should be replaced with short-lived, projected service account tokens that expire automatically, cutting the value of any stolen credential.
Runtime monitoring tools that flag unusual process execution, unexpected outbound connections, and unauthorized access to sensitive system paths inside containers are also essential, as they can stop malicious activity before it escalates to the cloud layer.
Kubernetes audit logs must always be enabled and reviewed — they capture the earliest signs of API misuse, token access, and lateral movement across namespaces.
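As an added defender-side example (not code from the article or from Unit 42), the scanner below runs over constructed audit.k8s.io/v1 events in JSON-lines form and flags the token-theft pattern the article describes: a service-account identity enumerating secrets cluster-wide, reading secrets outside its own namespace, or opening pods/exec on a workload. The service-account names, namespaces and timestamps are made up for the example.

```python
import json

# Constructed audit.k8s.io/v1 events (Metadata level), not real telemetry.
# Service-account names, namespaces and timestamps are made up for this example.
SAMPLE_AUDIT_LOG = """\
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","stage":"ResponseComplete","verb":"get","user":{"username":"system:serviceaccount:payments:api"},"objectRef":{"resource":"configmaps","namespace":"payments","name":"app-config"},"responseStatus":{"code":200},"requestReceivedTimestamp":"2025-12-05T10:00:01Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","stage":"ResponseComplete","verb":"list","user":{"username":"system:serviceaccount:platform:mgmt-admin"},"objectRef":{"resource":"secrets"},"responseStatus":{"code":200},"requestReceivedTimestamp":"2025-12-05T10:02:11Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","stage":"ResponseComplete","verb":"get","user":{"username":"system:serviceaccount:platform:mgmt-admin"},"objectRef":{"resource":"secrets","namespace":"payments","name":"db-credentials"},"responseStatus":{"code":200},"requestReceivedTimestamp":"2025-12-05T10:02:40Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","stage":"ResponseComplete","verb":"create","user":{"username":"system:serviceaccount:platform:mgmt-admin"},"objectRef":{"resource":"pods","subresource":"exec","namespace":"payments","name":"api-7c9f"},"responseStatus":{"code":101},"requestReceivedTimestamp":"2025-12-05T10:03:05Z"}
"""

def sa_namespace(username):
    """Home namespace of a service-account identity, or None for any other user."""
    parts = username.split(":")
    if len(parts) == 4 and parts[:2] == ["system", "serviceaccount"]:
        return parts[2]
    return None

def find_token_abuse(audit_jsonl):
    """Return one alert per audit event that matches the token-theft pattern."""
    alerts = []
    for line in audit_jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        user = ev.get("user", {}).get("username", "")
        home_ns = sa_namespace(user)
        if home_ns is None:  # only service-account identities are in scope here
            continue
        ref = ev.get("objectRef", {})
        resource, target_ns = ref.get("resource"), ref.get("namespace")
        verb, subresource = ev.get("verb"), ref.get("subresource")
        reason = None
        if resource == "secrets" and target_ns is None and verb in ("list", "watch"):
            reason = "cluster-wide secrets enumeration"  # no namespace => all namespaces
        elif resource == "secrets" and target_ns not in (None, home_ns):
            reason = f"secret access outside home namespace {home_ns}"
        elif resource == "pods" and subresource == "exec":  # exec is audited as verb "create"
            reason = "pods/exec by a service account (possible backdoor)"
        if reason:
            alerts.append({"time": ev.get("requestReceivedTimestamp"), "user": user,
                           "verb": verb, "namespace": target_ns, "reason": reason})
    return alerts

if __name__ == "__main__":
    for alert in find_token_abuse(SAMPLE_AUDIT_LOG):
        print(alert)
```

In a real deployment the same logic would read from the audit backend (webhook or log file) and, in the Slow Pisces case above, would have fired on the first cross-namespace secret read by the management service account.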