JavaGhost is a persistent phishing threat actor that emerged around 2020, initially focusing on website defacement before pivoting in 2022 to target misconfigured Amazon Web Services (AWS) environments for financially motivated phishing campaigns. The group is distinguished by its operational model of leveraging compromised cloud resources, such as AWS Simple Email Service (SES) and WorkMail, for email delivery and infrastructure without engaging in data extortion, a unique characteristic compared to many other financially driven groups. This group is also tracked as TGR-UNK-0011. There is no confirmed nation-state or cybercriminal group attribution for JavaGhost.