HOMETHREATSAndroxGh0st
APT / THREAT GROUP

AndroxGh0st

4
aliases
Last seen:Mar 17, 2026

Intelligence Profile

According to Laceworks, this is a SMTP cracker, which is primarily intended to scan for and parse Laravel application secrets from exposed .env files. Note: Laravel is an open source PHP framework and the Laravel .env file is often targeted for its various configuration data including AWS, SendGrid and Twilio. AndroxGh0st has multiple features to enable SMTP abuse including scanning, exploitation of exposed creds and APIs, and even deployment of webshells. For AWS specifically, the malware scans for and parses AWS keys but also has the ability to generate keys for brute force attacks. However, the brute force capability is likely a novelty and is a statistically unlikely attack vector.

Threat Analysis

AndroxGh0st is a known-sophistication threat actor of undetermined national origin, engaged in cyber operations with a primary motivation of unknown activity patterns.

External References

Quick Facts

TypeAPT / Threat Group
Aliases4

Also Known As

py.androxgh0stAndroxGh0stAndroxGhostAndrox

External Intelligence

Malpedia: py.androxgh0st

Research Links

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.