unit42.paloaltonetworks.com 4/6/2026, 10:34:24 PM

Kubernetes token theft jumps 282% amid rising IT sector attacks

CyberSIXT Evidence Panel: Primary Source react.dev · CISA KEV: Listed in KEV · Patch: Available

Kubernetes is presented as a high‑value target for adversaries, with Unit 42 noting that threat actor operations involving Kubernetes tokens increased by 282% over the last year and that the IT sector accounted for over 78% of observed activity.

According to Unit 42, the analysis draws on two real‑world cases: stolen cloud identities enabling lateral movement from a production cluster into core financial systems, including a cryptocurrency exchange, and the exploitation of React2Shell CVE-2025-55182 to execute commands inside Kubernetes workloads. The executive summary highlights that 22% of cloud environments in 2025 showed evidence of service account token theft, illustrating how attackers compromise Kubernetes identities to move laterally.

React2Shell was disclosed on 3 December 2025, with the earliest cloud targeting operations occurring between 5 and 7 December 2025, allowing attackers to exfiltrate cloud credentials and pivot to the underlying cloud account. The article also cites a February 2025 Bybit heist linked to North Korea’s Slow Pisces (Lazarus) group, where stolen AWS session tokens provided administrative access to cloud infrastructure. Defenders are urged to enforce least privilege, use short‑lived tokens, and improve runtime visibility to disrupt post‑exploitation attack chains.
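One way to put the least‑privilege and short‑lived‑token recommendations above into practice, as an added example that is not from the Unit 42 article: a Role scoped to a single ConfigMap, a binding to a service account, and a Pod that disables the legacy auto‑mounted token in favour of an audience‑bound projected token that expires. The namespace, object names and container image are assumptions, and the service account is assumed to already exist.

```yaml
# Added example (not Unit 42's); names are hypothetical, ServiceAccount "payments-api" is assumed to exist in "payments".
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: payments-api-reader
  namespace: payments
rules:
  # Least privilege: one verb on one named ConfigMap, no secrets, no list.
  - apiGroups: [""]
    resources: ["configmaps"]
    resourceNames: ["payments-api-config"]
    verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: payments-api-reader
  namespace: payments
subjects:
  - kind: ServiceAccount
    name: payments-api
    namespace: payments
roleRef:
  kind: Role
  name: payments-api-reader
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: v1
kind: Pod
metadata:
  name: payments-api
  namespace: payments
spec:
  serviceAccountName: payments-api
  automountServiceAccountToken: false   # no legacy long-lived token in the pod
  containers:
    - name: app
      image: registry.example.internal/payments-api:1.0   # placeholder image
      volumeMounts:
        - name: api-token
          mountPath: /var/run/secrets/tokens
  volumes:
    # Audience-bound token that expires after 600 s (the API server minimum), so a stolen copy is short-lived and rejected by other audiences.
    - name: api-token
      projected:
        sources:
          - serviceAccountToken:
              path: token
              audience: payments-api
              expirationSeconds: 600
```

A token copied out of this pod is only accepted by verifiers expecting the `payments-api` audience and stops working once the kubelet rotates it, which is the property the article's short‑lived‑token advice relies on.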


Article by CyberSIXT