Cybercriminals and penetration testers actively look for strings like file:///root/.aws/config or encoded variants in: