Cybercriminals are increasingly exploiting misconfigurations within Kubernetes clusters to gain access to cloud accounts, moving beyond individual containers to target core infrastructure. Recent telemetry data reveals a significant surge in Kubernetes-related threat operations, particularly service account token theft, which saw a 282% increase over the past year, with the information technology sector bearing the brunt of this activity at over 78%.
This evolving threat landscape sees adversaries leveraging weak identity configurations and overly permissive access controls as a pathway from a compromised container to the host cloud environment. In approximately 22% of monitored cloud environments during 2025, suspicious activity linked to service account token theft was detected, indicating a recurring pattern of exploitation. Attackers first achieve code execution within a container, then extract mounted credentials, probe API permissions, and ultimately pivot towards more valuable cloud resources.
Hackers Exploit Kubernetes Misconfigurations for Cloud Account Access
Findings from Unit 42 researchers, based on real-world intrusion cases, highlight how threat groups are combining Kubernetes misconfigurations with cloud credential abuse to inflict significant financial and operational damage. These incidents demonstrate a direct progression from a single compromised container to an organization’s central financial systems.
A concerning real-world example involves Slow Pisces, a North Korean state-sponsored group also known as Lazarus and TraderTraitor. In mid-2025, this group targeted a cryptocurrency exchange after initial compromise of a developer’s workstation via spearphishing. Utilizing the developer’s active, privileged cloud session, the attackers deployed a malicious pod directly into the production Kubernetes cluster. This pod was designed to expose the mounted service account token, a JSON Web Token (JWT) automatically assigned to pods for authentication with the Kubernetes API server.
The stolen token belonged to a highly privileged management service account with extensive Role-Based Access Control (RBAC) permissions. Armed with this compromised identity, the threat actor gained access to the Kubernetes API server, enabling them to list secrets, interact with workloads across various namespaces, and install a backdoor in a production pod for persistent access. The theft of a single misconfigured token provided the attacker with sweeping control over the entire cluster.
From Cluster to Cloud: Token Theft in Action
The attack’s progression extended beyond the Kubernetes cluster itself. Leveraging the elevated privileges associated with the stolen token, the threat actor moved laterally from Kubernetes into the broader cloud platform. This allowed them to access backend systems, retrieve sensitive credentials, and ultimately reach the cryptocurrency exchange’s financial infrastructure, leading to the theft of millions in cryptocurrency.
This attack vector aligns with the post-exploitation workflow demonstrated by Peirates, an open-source penetration testing framework. Peirates illustrates how stolen tokens can be used for enumerating secrets, pivoting across namespaces, and querying cloud metadata services, further emphasizing the critical risk posed by compromised service account tokens.
A second significant incident involved the exploitation of CVE-2025-55182, a critical vulnerability known as React2Shell in React Server Components. Publicly disclosed on December 3, 2025, the vulnerability was under active exploitation against cloud services within two days. Attackers exploited insecure deserialization within the React Server Components flight protocol to achieve code execution inside application containers. From this initial foothold, they harvested service account tokens, queried the Kubernetes API, and exfiltrated cloud credentials stored in environment variables, ultimately pivoting into the cloud account to deploy backdoors and cryptominers.
To mitigate these risks, security teams should prioritize the enforcement of the principle of least privilege through stringent RBAC policies, strictly avoiding wildcard permissions for service account roles. Replacing long-lived static tokens with short-lived, projected service account tokens that expire automatically significantly reduces the value of any stolen credential. The implementation of runtime monitoring tools is also crucial. These tools can identify unusual process execution, unexpected outbound connections, and unauthorized access to sensitive system paths within containers, potentially halting malicious activities before they escalate to the cloud layer.
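The checks above can be turned into a small manifest linter. The following is an added example, not code from Unit 42 or from the article: it walks Kubernetes objects in the shape `kubectl get <kind> -o json` returns and flags wildcard RBAC rules, read access to Secrets, legacy `kubernetes.io/service-account-token` Secrets (the long-lived static tokens the article says to replace) and projected tokens with long TTLs. All manifests below are constructed samples, and the 24-hour TTL threshold is an assumption.

```python
"""Lint Kubernetes objects (kubectl -o json shape) for the token-hygiene
weaknesses the article names. Added example; manifests are constructed."""

WILDCARD = "*"
SECRET_READ_VERBS = {"get", "list", "watch", WILDCARD}
LEGACY_TOKEN_TYPE = "kubernetes.io/service-account-token"
MAX_PROJECTED_TTL = 24 * 3600  # assumption: a TTL of a day or more counts as long-lived


def rbac_findings(role: dict) -> list[str]:
    """Findings for a Role or ClusterRole: wildcards and read access to Secrets."""
    findings = []
    ident = f"{role['kind']}/{role['metadata']['name']}"
    for rule in role.get("rules", []):
        verbs = set(rule.get("verbs", []))
        resources = set(rule.get("resources", []))
        groups = set(rule.get("apiGroups", []))
        if WILDCARD in verbs | resources | groups:
            findings.append(f"{ident}: wildcard in rule {rule}")
        if resources & {"secrets", WILDCARD} and verbs & SECRET_READ_VERBS:
            scope = "cluster-wide" if role["kind"] == "ClusterRole" else "namespaced"
            findings.append(f"{ident}: {scope} read access to secrets")
    return findings


def token_findings(obj: dict) -> list[str]:
    """Findings for Secrets (legacy static tokens) and Pods (projected token TTLs)."""
    findings = []
    ident = f"{obj['kind']}/{obj['metadata']['name']}"
    if obj["kind"] == "Secret" and obj.get("type") == LEGACY_TOKEN_TYPE:
        # A Secret of this type holds a token that never expires on its own.
        findings.append(f"{ident}: long-lived static service account token")
    if obj["kind"] == "Pod":
        for vol in obj["spec"].get("volumes", []):
            for src in vol.get("projected", {}).get("sources", []):
                tok = src.get("serviceAccountToken")
                if tok and tok.get("expirationSeconds", 3600) >= MAX_PROJECTED_TTL:
                    findings.append(f"{ident}: projected token TTL {tok['expirationSeconds']}s is long-lived")
    return findings


def audit(objects: list[dict]) -> list[str]:
    """Run every check over a list of objects and collect the findings."""
    out = []
    for obj in objects:
        if obj["kind"] in ("Role", "ClusterRole"):
            out.extend(rbac_findings(obj))
        else:
            out.extend(token_findings(obj))
    return out


# Constructed sample: an over-permissive management role of the kind the article describes.
PERMISSIVE_ROLE = {"kind": "ClusterRole", "metadata": {"name": "mgmt-admin"},
                   "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]}
# Constructed sample: the same workload scoped to what it actually needs.
SCOPED_ROLE = {"kind": "Role", "metadata": {"name": "deploy-reader", "namespace": "prod"},
               "rules": [{"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["get", "list"]}]}
# Constructed sample: a legacy static token Secret that should be retired.
LEGACY_TOKEN_SECRET = {"kind": "Secret", "metadata": {"name": "mgmt-sa-token", "namespace": "prod"},
                       "type": LEGACY_TOKEN_TYPE}


def _pod(name: str, ttl: int) -> dict:
    """Constructed pod with automount disabled and one explicit projected token volume."""
    return {"kind": "Pod", "metadata": {"name": name, "namespace": "prod"},
            "spec": {"automountServiceAccountToken": False, "serviceAccountName": name,
                     "volumes": [{"name": "sa-token", "projected": {"sources": [{"serviceAccountToken": {
                         "audience": "kube-apiserver", "expirationSeconds": ttl, "path": "token"}}]}}]}}


HARDENED_POD = _pod("api-client", 600)          # ten-minute token bound to one audience
LONG_TTL_POD = _pod("legacy-client", 31536000)  # one-year token: behaves like a static credential

if __name__ == "__main__":
    for finding in audit([PERMISSIVE_ROLE, SCOPED_ROLE, LEGACY_TOKEN_SECRET, HARDENED_POD, LONG_TTL_POD]):
        print(finding)
```

The hardened pod disables automounting and instead mounts a projected token with a short `expirationSeconds` and an explicit `audience`, so a token lifted from the filesystem expires quickly and is only accepted by the audience it was issued for.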
Ensuring that Kubernetes audit logs are consistently enabled and meticulously reviewed is paramount. These logs capture the earliest indicators of API misuse, unauthorized token access, and lateral movement across namespaces, providing invaluable insights for threat detection and incident response. The ongoing evolution of these attack methods underscores the need for continuous vigilance and adaptation of security postures within cloud-native environments.
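Those early indicators can be pulled out of the API server's JSON-lines audit log directly. The following is an added example, not Unit 42's or the article's code: it reads `audit.k8s.io/v1` events and flags service account identities that read Secrets, touch a namespace other than their own, mint new tokens via the `serviceaccounts/token` subresource, exec into pods, or accumulate 403 responses the way permission probing does. The audit lines are constructed, and the three-failure probe threshold is an assumption.

```python
"""Scan Kubernetes API-server audit events (JSON lines, audit.k8s.io/v1 Event
shape) for service-account-token misuse. Added example; log lines are constructed."""
import json
from collections import defaultdict

SA_PREFIX = "system:serviceaccount:"
PROBE_THRESHOLD = 3  # assumption: this many 403s from one identity looks like enumeration


def sa_namespace(username: str):
    """Return the namespace a service account username belongs to, else None."""
    if not username.startswith(SA_PREFIX):
        return None
    return username[len(SA_PREFIX):].split(":", 1)[0]


def classify(event: dict) -> list[str]:
    """Per-event rules; returns the names of the rules that fired."""
    hits = []
    ns = sa_namespace(event.get("user", {}).get("username", ""))
    if ns is None:
        return hits  # only service account identities are in scope here
    ref = event.get("objectRef", {})
    verb = event.get("verb")
    if ref.get("resource") == "secrets" and verb in ("get", "list", "watch"):
        hits.append("secret_read")
    if ref.get("namespace") and ref["namespace"] != ns:
        hits.append("cross_namespace")
    if ref.get("resource") == "serviceaccounts" and ref.get("subresource") == "token" and verb == "create":
        hits.append("token_request")
    if ref.get("resource") == "pods" and ref.get("subresource") == "exec":
        hits.append("pod_exec")
    return hits


def scan(lines) -> list[dict]:
    """Findings across all lines, including the cross-event permission-probe rule."""
    findings = []
    forbidden = defaultdict(int)
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        event = json.loads(raw)
        # Only ResponseComplete carries the status code; skip RequestReceived duplicates.
        if event.get("stage") != "ResponseComplete":
            continue
        user = event.get("user", {}).get("username", "")
        for rule in classify(event):
            findings.append({"rule": rule, "user": user, "uri": event.get("requestURI"),
                             "source": (event.get("sourceIPs") or [None])[0]})
        if event.get("responseStatus", {}).get("code") == 403:
            forbidden[user] += 1
    for user, count in forbidden.items():
        if count >= PROBE_THRESHOLD and sa_namespace(user) is not None:
            findings.append({"rule": "permission_probe", "user": user, "count": count})
    return findings


def _ev(user, verb, uri, ref, code=200, stage="ResponseComplete", ip="10.244.1.7"):
    """Build one constructed audit line in the audit.k8s.io/v1 Event shape."""
    return json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": stage,
                       "requestURI": uri, "verb": verb, "user": {"username": user},
                       "sourceIPs": [ip], "objectRef": ref, "responseStatus": {"code": code}})


MGMT = "system:serviceaccount:prod:mgmt-sa"
APP = "system:serviceaccount:web:app-sa"
# Constructed audit log: one over-privileged token dumping secrets, reaching into another
# namespace and minting a token; one low-privilege token probing cluster-scoped resources.
SAMPLE_AUDIT_LOG = [
    _ev(MGMT, "list", "/api/v1/secrets", {"resource": "secrets"}),
    _ev(MGMT, "list", "/api/v1/namespaces/payments/pods", {"resource": "pods", "namespace": "payments"}),
    _ev(MGMT, "create", "/api/v1/namespaces/prod/serviceaccounts/deployer/token",
        {"resource": "serviceaccounts", "subresource": "token", "namespace": "prod", "name": "deployer"}),
    _ev(APP, "list", "/api/v1/nodes", {"resource": "nodes"}, code=403),
    _ev(APP, "list", "/apis/rbac.authorization.k8s.io/v1/clusterrolebindings",
        {"resource": "clusterrolebindings"}, code=403),
    _ev(APP, "list", "/api/v1/namespaces", {"resource": "namespaces"}, code=403),
    _ev("system:serviceaccount:prod:app-sa", "get", "/api/v1/namespaces/prod/configmaps/cfg",
        {"resource": "configmaps", "namespace": "prod", "name": "cfg"}),  # benign in-namespace read
    _ev("kubernetes-admin", "list", "/api/v1/secrets", {"resource": "secrets"}),  # human user, out of scope
    _ev(MGMT, "list", "/api/v1/secrets", {"resource": "secrets"}, stage="RequestReceived"),  # skipped stage
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_AUDIT_LOG):
        print(finding)
```

Running this over a real audit log file means passing the file object to `scan`; the audit policy must log at least `Metadata` level for the `secrets`, `serviceaccounts` and `pods` resources, since `objectRef` and `responseStatus` are what the rules key on.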

