A malware campaign known as HazyBeacon is using trusted cloud services for command and control against government networks in Southeast Asia. The activity, tracked as CL-STA-1020, hides its command-and-control traffic behind Amazon Web Services (AWS) infrastructure.
Using AWS for Stealthy Operations
HazyBeacon works by compromising AWS accounts that belong to unrelated organisations and deploying Lambda functions in them as covert relays, so the backdoor never talks directly to attacker-owned infrastructure. To a network defender, the beaconing is ordinary HTTPS to a hostname under AWS's own function URL domain (https://<id>.lambda-url.<region>.on.aws), which is hard to tell apart from legitimate use of the service.
The campaign was first documented by Palo Alto Networks Unit 42 in July 2025. A follow-up analysis by Qualys researchers, shared with Cyber Security News, examines the AWS side of the operation and sets out detection and mitigation steps for this cloud-native relay technique.
Mechanics of HazyBeacon
Once installed on a Windows host, HazyBeacon functions as a backdoor. It first collects basic host information such as the hostname and IP address, then receives encrypted tasking to run shell commands or fetch additional payloads, and exfiltrates collected data, including documents and keystrokes.
The malware does not exploit any vulnerability in AWS. Access comes from stolen long-term IAM access keys, obtained from exposed GitHub repositories or through phishing, and the attackers use those keys to create the relay functions inside the compromised accounts.
Abusing AWS Lambda Function URLs
The technique rests on AWS Lambda function URLs, generally available since April 2022, which give a function its own HTTPS endpoint without an API Gateway in front. That convenience is what the attackers rely on: they create the URL with AuthType NONE, so anyone on the internet can invoke the function with no AWS credentials, and the resulting traffic looks like ordinary use of AWS.
The beacon on the infected host sends encrypted HTTP POST requests to the function URL in the compromised account, and the function forwards the payload to the attacker's backend server. Because the function runs in someone else's account, its invocation logs and costs land with that account's owner rather than with the victim. Often neither the infected organisation nor the owner of the abused AWS account notices until an AWS abuse notice or an unexpected bill arrives.
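The setup sequence described above leaves a distinctive trail in CloudTrail: a CreateFunctionUrlConfig (or UpdateFunctionUrlConfig) call with authType NONE, usually followed by an AddPermission call granting lambda:InvokeFunctionUrl to principal "*", made with a long-term IAM access key from an unfamiliar network. The following triage script is an added example written for this article, not tooling from Unit 42, Qualys or AWS. The record layout and the dated eventName suffixes follow CloudTrail's real format for Lambda; the records themselves, the account IDs, keys, IPs and the trusted CIDR allowlist are constructed for the example.

```python
import ipaddress
import json

# Constructed CloudTrail-style records for this example (not real campaign
# telemetry). Field names and the dated eventName suffixes follow CloudTrail's
# real format for Lambda; keys, IPs and function names are placeholders.
SAMPLE_LOG = r'''{"Records": [
 {"eventTime": "2025-07-02T03:14:09Z", "eventSource": "lambda.amazonaws.com",
  "eventName": "CreateFunctionUrlConfig20211014", "awsRegion": "ap-southeast-1",
  "sourceIPAddress": "203.0.113.7",
  "userIdentity": {"type": "IAMUser", "userName": "ci-deploy", "accessKeyId": "AKIAEXAMPLE000000001"},
  "requestParameters": {"functionName": "img-resize-prod", "authType": "NONE"},
  "responseElements": {"functionUrl": "https://abc123.lambda-url.ap-southeast-1.on.aws/"}},
 {"eventTime": "2025-07-02T03:14:11Z", "eventSource": "lambda.amazonaws.com",
  "eventName": "AddPermission20150331v2", "awsRegion": "ap-southeast-1",
  "sourceIPAddress": "203.0.113.7",
  "userIdentity": {"type": "IAMUser", "userName": "ci-deploy", "accessKeyId": "AKIAEXAMPLE000000001"},
  "requestParameters": {"functionName": "img-resize-prod", "principal": "*",
                        "action": "lambda:InvokeFunctionUrl", "functionUrlAuthType": "NONE",
                        "statementId": "FunctionURLAllowPublicAccess"}},
 {"eventTime": "2025-07-02T09:00:00Z", "eventSource": "lambda.amazonaws.com",
  "eventName": "UpdateFunctionCode20150331v2", "awsRegion": "eu-west-1",
  "sourceIPAddress": "10.20.0.15",
  "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE000000002"},
  "requestParameters": {"functionName": "billing-export"}},
 {"eventTime": "2025-07-02T09:05:00Z", "eventSource": "lambda.amazonaws.com",
  "eventName": "CreateFunctionUrlConfig20211014", "awsRegion": "eu-west-1",
  "sourceIPAddress": "10.20.0.15",
  "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE000000002"},
  "requestParameters": {"functionName": "billing-export", "authType": "AWS_IAM"}}
]}'''

# Lambda eventNames in CloudTrail carry an API-version suffix
# (e.g. CreateFunctionUrlConfig20211014), so match on the prefix.
URL_CONFIG_EVENTS = ("CreateFunctionUrlConfig", "UpdateFunctionUrlConfig")
LAMBDA_WRITE_EVENTS = URL_CONFIG_EVENTS + (
    "CreateFunction", "UpdateFunctionCode", "UpdateFunctionConfiguration", "AddPermission")


def load_records(text):
    """Parse a CloudTrail log file body ({"Records": [...]}) into a list of events."""
    return json.loads(text)["Records"]


def is_long_term_key(event):
    """Long-term IAM user keys begin with AKIA; STS session keys begin with ASIA.
    A key leaked from a repository or phished, as the text describes, is an AKIA key."""
    return event.get("userIdentity", {}).get("accessKeyId", "").startswith("AKIA")


def from_trusted_network(event, trusted_nets):
    try:
        ip = ipaddress.ip_address(event.get("sourceIPAddress", ""))
    except ValueError:  # e.g. an AWS service principal's hostname, not an IP
        return False
    return any(ip in net for net in trusted_nets)


def triage(records, trusted_cidrs=("10.20.0.0/16",)):
    """Return one finding per matched rule. trusted_cidrs is an assumed
    allowlist of networks the deploy pipeline normally calls Lambda from."""
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    findings = []
    for ev in records:
        if ev.get("eventSource") != "lambda.amazonaws.com":
            continue
        name = ev.get("eventName", "")
        params = ev.get("requestParameters") or {}
        ident = ev.get("userIdentity") or {}
        base = {"time": ev.get("eventTime"), "event": name, "region": ev.get("awsRegion"),
                "function": params.get("functionName"),
                "key": ident.get("accessKeyId"), "source_ip": ev.get("sourceIPAddress")}
        # Rule 1: a function URL created or switched to AuthType NONE.
        if name.startswith(URL_CONFIG_EVENTS) and params.get("authType") == "NONE":
            findings.append({**base, "rule": "public_function_url"})
        # Rule 2: the resource-policy statement that lets anyone invoke the URL.
        if (name.startswith("AddPermission") and params.get("principal") == "*"
                and params.get("functionUrlAuthType") == "NONE"):
            findings.append({**base, "rule": "public_invoke_permission"})
        # Rule 3: any Lambda change made with a long-term key from outside the
        # trusted networks, the shape a stolen IAM key leaves in the trail.
        if (name.startswith(LAMBDA_WRITE_EVENTS) and is_long_term_key(ev)
                and not from_trusted_network(ev, nets)):
            findings.append({**base, "rule": "lambda_write_by_long_term_key_offnet"})
    return findings


if __name__ == "__main__":
    for f in triage(load_records(SAMPLE_LOG)):
        print(json.dumps(f))
```

Run against the constructed log, the two ap-southeast-1 records raise four findings (public URL, public invoke permission, and a long-term key used off-network for each), while the eu-west-1 changes made by an assumed role with AuthType AWS_IAM are left alone. Rule 3 is the noisiest of the three in a real account; tune the allowlist to your CI egress addresses before alerting on it.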
Defensive Measures Against AWS Exploitation
Robust IAM hygiene removes the initial access: deactivate unused access keys, rotate the rest on a schedule, and prefer short-lived credentials (IAM roles, IAM Identity Center) over long-term keys wherever possible. Multi-factor authentication protects console sign-in and role assumption, but a leaked long-term key is used straight against the API and bypasses MFA unless policies require aws:MultiFactorAuthPresent. Enable AWS CloudTrail as a multi-region trail in every account so that Lambda management calls (CreateFunction, UpdateFunctionCode, CreateFunctionUrlConfig, AddPermission) are recorded; a CreateFunctionUrlConfig or UpdateFunctionUrlConfig event whose authType is NONE is the clearest signal that a relay is being set up.
Organisations can also enforce a Service Control Policy that denies lambda:CreateFunctionUrlConfig and lambda:UpdateFunctionUrlConfig when the lambda:FunctionUrlAuthType condition key equals NONE, which blocks public relays across the whole organisation no matter which key an attacker holds. Attaching Lambda functions to a VPC forces their outbound traffic through VPC egress that can be logged and filtered, so a relay calling out to an unfamiliar backend becomes visible. Finally, monitor Lambda invocation counts and spend (AWS Budgets and Cost Anomaly Detection are the native options); a function that starts being invoked from the open internet shows up as unexplained usage.
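The two controls above, the preventive SCP and the inventory of function URLs that are already public, as an added example written for this article rather than AWS's or the researchers' own code. lambda:FunctionUrlAuthType is a documented Lambda condition key; the policy names, the sample URL configs and the account ID are constructed, and the live sweep in sweep_account() assumes boto3 and AWS credentials for an organisation member account.

```python
import json

# Organisation-level guardrail: deny creating or changing a function URL to
# AuthType NONE, and deny the AddPermission call that grants anonymous
# lambda:InvokeFunctionUrl. Attach at the organisation root or an OU.
PUBLIC_URL_DENY_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyPublicFunctionUrls",
            "Effect": "Deny",
            "Action": ["lambda:CreateFunctionUrlConfig", "lambda:UpdateFunctionUrlConfig"],
            "Resource": "*",
            "Condition": {"StringEquals": {"lambda:FunctionUrlAuthType": "NONE"}},
        },
        {
            "Sid": "DenyAnonymousInvokeUrlPermission",
            "Effect": "Deny",
            "Action": "lambda:AddPermission",
            "Resource": "*",
            "Condition": {"StringEquals": {"lambda:FunctionUrlAuthType": "NONE"}},
        },
    ],
}


def denies(action, auth_type):
    """Sanity check of the SCP's own logic: does some Deny statement match this
    action when lambda:FunctionUrlAuthType equals auth_type? This mirrors only
    the two statements above; it is not a general IAM policy evaluator."""
    for stmt in PUBLIC_URL_DENY_SCP["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        wanted = stmt["Condition"]["StringEquals"]["lambda:FunctionUrlAuthType"]
        if stmt["Effect"] == "Deny" and action in actions and auth_type == wanted:
            return True
    return False


def public_function_urls(url_configs):
    """Filter the FunctionUrlConfigs entries returned by Lambda's
    ListFunctionUrlConfigs API down to the publicly invokable ones."""
    return [c for c in url_configs if c.get("AuthType") == "NONE"]


def sweep_account():
    """Live inventory across every region with boto3 (needs AWS credentials;
    not exercised offline). Prints each public function URL found."""
    import boto3
    session = boto3.session.Session()
    for region in session.get_available_regions("lambda"):
        lam = session.client("lambda", region_name=region)
        for page in lam.get_paginator("list_functions").paginate():
            for fn in page["Functions"]:
                cfgs = lam.list_function_url_configs(FunctionName=fn["FunctionName"])
                for c in public_function_urls(cfgs["FunctionUrlConfigs"]):
                    print(region, fn["FunctionName"], c["FunctionUrl"])


# Constructed sample of what ListFunctionUrlConfigs returns, for offline use.
SAMPLE_URL_CONFIGS = [
    {"FunctionArn": "arn:aws:lambda:ap-southeast-1:111122223333:function:img-resize-prod",
     "FunctionUrl": "https://abc123.lambda-url.ap-southeast-1.on.aws/", "AuthType": "NONE"},
    {"FunctionArn": "arn:aws:lambda:eu-west-1:111122223333:function:billing-export",
     "FunctionUrl": "https://def456.lambda-url.eu-west-1.on.aws/", "AuthType": "AWS_IAM"},
]

if __name__ == "__main__":
    print(json.dumps(PUBLIC_URL_DENY_SCP, indent=2))
    for c in public_function_urls(SAMPLE_URL_CONFIGS):
        print("PUBLIC:", c["FunctionUrl"])
```

The SCP stops new public relays but does not touch URLs that already exist, which is why the sweep matters: run it once when the policy is attached and fix or remove every AuthType NONE URL it reports. Teams that genuinely need a public function URL should put it in an exempt OU rather than weaken the condition.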
