These kill chains span from 1990s social engineering through the 2025 cloud-identity era - the newest full write-up is Salesloft Drift (UNC6395), August 2025. Fast-moving 2026 incidents are tracked first in the news feed, with the recurring root causes distilled in breach lessons and the 2025 year in review; the most instructive graduate into full kill chains here.
-
Kevin Mitnick / Novell - OSINT → Pretexting → Phone Social Engineering → Dial-Up Access → NetWare Source Code Theft
While a fugitive living under a false identity in Denver, Kevin Mitnick - the FBI's most wanted hacker - targeted Novell's technical support staff using a technique he called pretexting. By impersonating a Novell employee using authentic…
Read kill chain → -
Capital One - SSRF → IMDSv1 → Over-Privileged IAM Role → 106M Record S3 Exfiltration
A former AWS engineer exploited a misconfigured WAF via server-side request forgery to reach the EC2 instance metadata service, stealing temporary IAM role credentials. An over-privileged role then granted access to 700+ S3 buckets…
Read kill chain → -
SolarWinds - Build System Compromise → SUNBURST Backdoor → On-Prem to Cloud Pivot → Golden SAML → US Government Espionage
Russian SVR (APT29 / Cozy Bear) breached SolarWinds' build pipeline and injected the SUNBURST backdoor into signed Orion software updates sent to 18,000+ customers. At high-value government targets, they used SUNBURST to achieve domain…
Read kill chain → -
Uber - Dark Web Creds → MFA Push Fatigue → Hardcoded PAM Secret → Full AWS/GCP Admin
An 18-year-old attacker purchased an Uber contractor's VPN credentials from a dark web infostealer marketplace, then used MFA push-bombing combined with WhatsApp social engineering to bypass two-factor auth. Once inside the corporate…
Read kill chain → -
LastPass - Dev Env Breach → Source Code Recon → DevOps Home PC (Plex Exploit) → Keylogger → AWS S3 Vault Backup Exfil
A two-stage attack first compromised LastPass's development environment, then used the stolen technical knowledge to target a specific DevOps engineer - one of only four people with access to production decryption keys. The attacker…
Read kill chain → -
Storm-0558 - Compromised Engineer → Crash Dump → Stolen MSA Signing Key → Forged Tokens → Government Email Espionage
Chinese nation-state actor Storm-0558 compromised a Microsoft engineer's corporate account, discovered a consumer MSA signing key that had accidentally been included in a crash dump in a debugging environment, and used it to forge…
Read kill chain → -
Microsoft AI Research SAS Token - Over-Permissioned Token → Public GitHub → 38TB Internal Data Exposed for 3 Years
A Microsoft AI researcher shared a URL to open-source training data on a public GitHub repository. The URL contained an Azure Shared Access Signature token - but instead of being scoped to a specific file or container, it was an Account…
Read kill chain → -
Scattered Spider / MGM Resorts - LinkedIn OSINT → Vishing Help Desk → Okta Super Admin → Azure AD → 100 ESXi Servers Encrypted
Scattered Spider (UNC3944) compromised MGM Resorts International in September 2023 using a single 10-minute phone call to the IT help desk. Attackers researched an MGM employee on LinkedIn, impersonated them to a help desk agent, obtained…
Read kill chain → -
Promptware - Indirect Prompt Injection → Context Poisoning → Persistence → C2 → Covert Camera Livestream
Researchers demonstrated a complete seven-stage kill chain targeting cloud-connected AI assistants - from a malicious Google Calendar invite to covert Zoom video streaming, all triggered by the victim typing "thanks." Documented across 36…
Read kill chain → -
UNC5537 / Snowflake - Infostealer Creds → No MFA → SHOW TABLES → Bulk Exfil → 165+ Orgs Extorted
A financially motivated threat actor tracked as UNC5537 spent months harvesting Snowflake credentials from infostealer malware logs, then systematically logged into victim Snowflake tenants - none of which required MFA - and exfiltrated…
Read kill chain → -
Codefinger / S3 Ransomware - Stolen AWS Keys → Valid Access → Bucket Enum → SSE-C Encryption → 7-Day Delete + BTC Ransom
The Codefinger crew used compromised AWS access keys to encrypt victims' S3 buckets with AWS's own SSE-C, keeping the AES-256 key so data cannot be recovered, then set 7-day lifecycle deletion timers and demanded Bitcoin. No AWS vulnerability was exploited…
Read kill chain → -
tj-actions/changed-files - Stolen PAT → Retag to Malicious Commit → Runner Memory Dump → Secrets in Public Logs → 23,000+ Repos Exposed
A chained GitHub Actions supply-chain compromise (CVE-2025-30066): a stolen bot PAT let attackers retag every version of tj-actions/changed-files to a malicious commit that scraped CI runner memory and printed AWS keys, PATs, and npm tokens into publicly readable build logs…
Read kill chain → -
Salesloft Drift / UNC6395 - GitHub Compromise → Stolen Drift OAuth Tokens → Bulk SOQL Exfil → Secret-Mining → 700+ Orgs Hit
UNC6395 (GRUB1) stole OAuth tokens from the Salesloft Drift integration and used them to run bulk SOQL queries against 700+ Salesforce tenants, then mined the exports for embedded AWS keys, Snowflake tokens, and passwords to enable downstream cloud compromise…
Read kill chain →
Real cloud breaches chain three to six tactics together. Detection content should target the chains, not isolated techniques. - the lesson under every kill chain on this page