
Cybercriminals from the Moroccan group Atlas Lion are infiltrating major retailers by enrolling attacker-controlled virtual machines (VMs) into company cloud domains, blending into corporate networks to avoid detection.
Researchers at cybersecurity firm Expel discovered the tactic during a recent incident in which Atlas Lion used phishing texts disguised as helpdesk messages to trick employees into revealing credentials and multi-factor authentication (MFA) codes. The hackers then enrolled their own devices in the company’s MFA app and joined a malicious VM to the corporate domain using Microsoft Azure.
Although their activity triggered alerts—thanks to a flagged IP address—Atlas Lion returned within hours, exploring internal policies and documentation, especially those related to gift card systems and fraud prevention.
The group is known for issuing fake gift cards, which are later cashed out or sold on the dark web. Microsoft previously warned that Atlas Lion could steal up to $100,000 daily using these methods.
Their evolving use of cloud infrastructure shows how traditional defences are being bypassed by attackers who understand enterprise systems from the inside.
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543