Government agencies targeted as state-backed hackers weaponize AWS Lambda URLs for data theft

A novel malware dubbed HazyBeacon is using AWS Lambda URLs to steal sensitive data from Southeast Asian governments. Experts reveal how state-backed hackers blend cyber espionage with trusted cloud infrastructure to evade detection and exfiltrate critical trade secrets.

By Jace Reed

Southeast Asian government agencies are experiencing a surge of cyber espionage, with attackers hiding in plain sight. Researchers have uncovered that state-backed hackers are leveraging AWS Lambda URLs as covert channels to steal highly sensitive government data, bypassing many traditional detection methods.

At the heart of this sophisticated campaign is a previously unknown Windows backdoor dubbed HazyBeacon, linked to the threat cluster CL-STA-1020. Since late 2024, this operation has been targeting ministries and agencies across the region, with a sharp focus on data about tariffs, trade negotiations, and regulatory planning.

How does HazyBeacon exploit AWS Lambda for command and control?

Instead of sending information to suspicious, easily blocked command servers, HazyBeacon blends in with legitimate business traffic. It uses AWS Lambda URLs, the direct HTTPS endpoints that expose a serverless function, to receive instructions and exfiltrate stolen files. This approach effectively transforms trusted Amazon infrastructure into a covert digital getaway vehicle.

Attackers first compromise targets by DLL sideloading: a malicious DLL named mscorsvc.dll is placed where a legitimate Windows system binary will load it. When that system service launches, it loads the backdoor, which then establishes a persistent connection to an attacker-controlled AWS Lambda URL.

Did you know?
AWS Lambda URLs, introduced in 2022, allow direct HTTPS access to serverless functions. This feature is now being abused to run hard-to-detect command-and-control channels for advanced cyber espionage malware like HazyBeacon.

Are trusted cloud services now the ultimate cover for cyber spies?

HazyBeacon’s operators go further: they deploy specialized payloads to search, compress, and transmit documents, particularly files on economics or foreign relations, such as those tied to recent U.S. tariff measures. These collected data packets are routed through both AWS Lambda and common cloud storage providers like Google Drive and Dropbox, ensuring exfiltration traffic mimics routine user activity.

By utilizing well-known, whitelisted cloud services, the group blurs the distinction between normal and malicious network operations. This makes it far harder for defenders to spot threats without deep, context-aware monitoring of endpoint behavior and network communications.

Stealthy exfiltration: Blurring the line between normal and malicious traffic

Malware staged in compromised environments includes file collectors, archiving tools, and custom uploaders. Most importantly, the attackers disguised their data theft by using file names and cloud service APIs that resemble ordinary use, which often gets past security controls that rely on domain reputation checks.

Security teams have detected attempted uploads to Google Drive and Dropbox, sometimes blocked but sometimes successful. Following data theft, attackers deleted logs and payloads to wipe away forensic traces, underscoring the operation’s advanced tradecraft.

Advanced tactics push defenders to rethink cloud security

The exposure of HazyBeacon’s campaign highlights a dangerous new norm: attackers abusing trusted cloud platforms as both a command hub and a storage medium for stolen secrets. Analysts warn this model will likely proliferate, especially as dependency on cloud environments grows worldwide.

Defenders are now urged to monitor outbound connections to rare cloud endpoints such as *.lambda-url.*.amazonaws.com, especially when they are contacted by unusual binaries or unfamiliar Windows services. As attackers increasingly rely on mainstream technology, sophisticated baselining, correlation of process chains, and fine-grained cloud monitoring will become crucial.
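The monitoring advice above, turned into a small detection pass over constructed endpoint network events (an added example, not code from the researchers or from this article). It matches Lambda function URL hostnames in the documented <id>.lambda-url.<region>.on.aws form as well as the wildcard pattern quoted above, then flags connections from processes outside a baseline or from Windows service processes; the log layout, hostnames, process names and allowlist are all assumptions.

```python
import re
from collections import namedtuple

# Constructed record layout; not any vendor's log schema.
Event = namedtuple("Event", "host dest process parent")

# Lambda function URL hostnames: the documented form is <id>.lambda-url.<region>.on.aws;
# the article's wildcard pattern *.lambda-url.*.amazonaws.com is accepted as well.
LAMBDA_URL_RE = re.compile(
    r"^[a-z0-9-]+\.lambda-url\.[a-z0-9-]+\.(?:on\.aws|amazonaws\.com)$", re.I)

# Constructed allowlist: processes expected to reach Lambda URLs in this environment.
KNOWN_LAMBDA_CLIENTS = {"aws.exe", "chrome.exe"}

def parse_event(line):
    """Parse one 'key=value key=value ...' line into an Event."""
    kv = dict(re.findall(r"(\w+)=(\S+)", line))
    return Event(kv["host"], kv["dest"], kv["process"], kv["parent"])

def is_lambda_url_host(hostname):
    return bool(LAMBDA_URL_RE.match(hostname))

def flag_events(events, known_clients=KNOWN_LAMBDA_CLIENTS):
    """Return (event, reasons) for Lambda URL connections that break the baseline."""
    findings = []
    for ev in events:
        if not is_lambda_url_host(ev.dest):
            continue
        reasons = []
        if ev.process.lower() not in known_clients:
            reasons.append("process not in Lambda-client baseline")
        if ev.parent.lower() == "services.exe":
            reasons.append("connection made from a Windows service process")
        if reasons:
            findings.append((ev, reasons))
    return findings

# Constructed sample log lines (hostnames and process names are made up).
SAMPLE_LOG = """\
host=ws-01 dest=www.dropbox.com process=chrome.exe parent=explorer.exe
host=ws-01 dest=k3j2h1.lambda-url.ap-southeast-1.on.aws process=chrome.exe parent=explorer.exe
host=ws-07 dest=q9x8w7.lambda-url.ap-southeast-1.on.aws process=examplesvc.exe parent=services.exe
"""

def analyse(log_text=SAMPLE_LOG):
    return flag_events(parse_event(l) for l in log_text.splitlines() if l.strip())

if __name__ == "__main__":
    for ev, reasons in analyse():
        print(f"{ev.host}: {ev.process} -> {ev.dest}: {'; '.join(reasons)}")
```

Only the third sample line is reported: a browser reaching a Lambda URL stays within the baseline, while an unfamiliar service-hosted process doing so trips both checks.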

The battle for cybersecurity just moved further into the cloud. Only rapid detection and smarter, context-rich security practices can hope to keep pace with the next generation of nation-state malware.
