Introduction: A New Era of Cloud-Powered Cyber Threats
The cybersecurity landscape is undergoing a dramatic transformation. For years, organizations focused on detecting malicious servers, suspicious domains, and compromised websites used by attackers to control infected systems. Today, that strategy is becoming increasingly ineffective as cybercriminals migrate toward trusted cloud infrastructure.
One of the most alarming examples of this evolution is a newly identified malware campaign known as HazyBeacon (CL-STA-1020). Security researchers at Qualys have uncovered a sophisticated operation that leverages legitimate Amazon Web Services (AWS) infrastructure to create stealthy command-and-control channels. Rather than building their own malicious infrastructure, attackers are abusing AWS Lambda Function URLs to hide their operations behind one of the world’s most trusted cloud providers.
The campaign primarily targets government organizations across Southeast Asia, but its techniques highlight risks that affect every organization relying on cloud services. The attack demonstrates how a simple cloud misconfiguration combined with stolen credentials can transform trusted infrastructure into a powerful cyber espionage platform.
HazyBeacon Malware: A Dangerous Shift in Attack Methodology
Traditional malware operations usually depend on attacker-controlled servers, compromised websites, or rented virtual private servers. Security teams can often identify and block these systems through reputation-based detection and threat intelligence feeds.
HazyBeacon changes that model completely.
Instead of hosting malicious infrastructure independently, attackers infiltrate legitimate AWS environments and deploy their malicious components directly inside victim-controlled cloud accounts. This “borrowed infrastructure” approach allows threat actors to blend into normal cloud activity while benefiting from AWS’s global reputation and trusted network presence.
As a result, malicious traffic appears to originate from legitimate AWS domains, making detection significantly more difficult.
How Attackers Gain Access to AWS Environments
The campaign begins with the theft of AWS Identity and Access Management (IAM) credentials.
These credentials are commonly obtained through several methods:
Exposed GitHub Repositories
Developers frequently publish AWS access keys inside source code repositories by accident. Attackers continuously scan public repositories for exposed credentials that provide immediate access to cloud environments.
Phishing Campaigns
Cybercriminals use convincing phishing emails and fake login portals to trick users into revealing AWS account credentials.
Compromised Development Systems
Developer workstations often contain configuration files, environment variables, and authentication tokens that provide direct access to cloud resources. Once compromised, these systems become valuable targets for credential theft.
With valid credentials in hand, attackers can bypass many traditional security controls without exploiting any software vulnerability.
Weaponizing AWS Lambda Function URLs
The Feature That Made the Attack Possible
AWS introduced Lambda Function URLs in 2022 as a convenient way for developers to expose serverless functions through HTTPS endpoints.
The feature eliminates the need for additional services such as API Gateway or load balancers, reducing deployment complexity and operational costs.
For legitimate developers, this functionality offers simplicity and speed.
For attackers, it offers something even more valuable: instant public-facing infrastructure.
When Lambda Function URLs are configured with AuthType set to NONE, anyone on the internet can interact with them without authentication.
HazyBeacon operators exploit precisely this weakness.
Building an Invisible Command-and-Control Network
Once attackers obtain sufficient permissions inside an AWS account, they deploy malicious Lambda functions and expose them through public Function URLs.
The Lambda function then acts as a relay server.
Incoming commands from attackers travel through the AWS-hosted endpoint and are forwarded to compromised systems. Responses from infected machines return through the same route, creating a hidden communication channel.
This architecture produces several advantages:
Traffic originates from trusted AWS infrastructure.
Domain reputation systems view the communication as legitimate.
Security teams face challenges distinguishing malicious requests from normal cloud traffic.
Attackers gain scalable infrastructure without maintaining their own servers.
The result is a resilient and stealthy command-and-control ecosystem that can remain operational for extended periods without raising suspicion.
Why Traditional Security Tools Struggle to Detect HazyBeacon
Most enterprise security products rely heavily on indicators such as:
Malicious Domains
Many detection systems block communication with known malicious domains. Since HazyBeacon uses legitimate AWS endpoints, this protection becomes less effective.
Reputation-Based Filtering
AWS domains maintain strong reputational trust worldwide. Blocking them would disrupt countless legitimate business operations.
Infrastructure Blacklisting
Organizations cannot realistically blacklist large portions of AWS infrastructure without impacting normal cloud applications.
Consequently, attackers gain a substantial advantage by hiding inside trusted services rather than building suspicious infrastructure.
The Cloud-Centric Attack Lifecycle
The HazyBeacon operation follows a predictable sequence focused on identity abuse and cloud misconfiguration.
Stage 1: Credential Theft
Attackers obtain valid IAM credentials through exposure or compromise.
Stage 2: Permission Validation
Using low-profile API calls such as:
aws sts get-caller-identity
aws iam list-attached-user-policies
aws iam list-roles
Threat actors assess account privileges without generating excessive security alerts.
Stage 3: Lambda Deployment
Malicious functions are deployed into AWS regions that receive limited monitoring attention.
Stage 4: Function URL Exposure
Public Function URLs are attached to the deployed Lambda functions, creating externally accessible endpoints.
Stage 5: Persistent C2 Operations
The compromised AWS account becomes an active component of a larger command-and-control infrastructure capable of handling thousands of requests every hour.
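Added example (not from the original report or the researchers' own tooling): the detection side of stages 2 to 4, run over a constructed set of simplified CloudTrail records. EXPECTED_REGIONS, the account id, the principal and function names are assumptions; CreateFunction20150331 is the CloudTrail event name Lambda records for function creation, and authType is the request parameter the Function URL calls carry.

```python
from collections import defaultdict

RECON_CALLS = {"GetCallerIdentity", "ListAttachedUserPolicies", "ListRoles",  # stage 2 probes
               "ListUsers", "ListAccessKeys", "GetAccountSummary"}
URL_CALLS = {"CreateFunctionUrlConfig", "UpdateFunctionUrlConfig"}
EXPECTED_REGIONS = {"us-east-1", "eu-west-1"}  # assumed: regions this organisation deploys to

def ev(time, source, name, region, actor, params=None):
    """Build a simplified CloudTrail record containing only the fields the checks read."""
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "awsRegion": region, "userIdentity": {"arn": actor},
            "requestParameters": params or {}}
ACTOR = "arn:aws:iam::111122223333:user/ci-deploy"  # constructed: a leaked long-lived key
SAMPLE_EVENTS = [  # constructed sample records, not real telemetry
    ev("2025-07-01T02:10:05Z", "sts.amazonaws.com", "GetCallerIdentity", "us-east-1", ACTOR),
    ev("2025-07-01T02:10:09Z", "iam.amazonaws.com", "ListAttachedUserPolicies", "us-east-1", ACTOR),
    ev("2025-07-01T02:10:12Z", "iam.amazonaws.com", "ListRoles", "us-east-1", ACTOR),
    ev("2025-07-01T02:31:40Z", "lambda.amazonaws.com", "CreateFunction20150331", "ap-southeast-3",
       ACTOR, {"functionName": "cf-cache-sync"}),
    ev("2025-07-01T02:32:02Z", "lambda.amazonaws.com", "CreateFunctionUrlConfig", "ap-southeast-3",
       ACTOR, {"functionName": "cf-cache-sync", "authType": "NONE"}),
    ev("2025-07-01T09:00:00Z", "lambda.amazonaws.com", "CreateFunctionUrlConfig", "us-east-1",
       "arn:aws:iam::111122223333:role/platform-admin",
       {"functionName": "internal-api", "authType": "AWS_IAM"}),  # legitimate: IAM-authenticated URL
]

def recon_actors(events, min_distinct=3):
    """Stage 2: identities issuing several distinct low-noise permission-probing calls."""
    seen = defaultdict(set)
    for e in events:
        if e["eventName"] in RECON_CALLS:
            seen[e["userIdentity"]["arn"]].add(e["eventName"])
    return sorted(arn for arn, calls in seen.items() if len(calls) >= min_distinct)

def out_of_region_deployments(events, expected=EXPECTED_REGIONS):
    """Stage 3: Lambda functions created in regions the organisation does not normally use."""
    return [(e["awsRegion"], e["requestParameters"].get("functionName"))
            for e in events if e["eventName"] == "CreateFunction20150331"
            and e["awsRegion"] not in expected]

def public_function_urls(events):
    """Stage 4: Function URLs created or changed to accept unauthenticated (authType NONE) calls."""
    return [(e["awsRegion"], e["requestParameters"].get("functionName"), e["userIdentity"]["arn"])
            for e in events if e["eventName"] in URL_CALLS
            and e["requestParameters"].get("authType") == "NONE"]

if __name__ == "__main__":
    for check in (recon_actors, out_of_region_deployments, public_function_urls):
        print(check.__name__, "->", check(SAMPLE_EVENTS))
```

In a real deployment the records would come from CloudTrail Lake, Athena or a SIEM rather than an inline list; the three checks are the ones worth alerting on together.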
Mapping HazyBeacon to MITRE ATT&CK
Researchers mapped the campaign to several MITRE ATT&CK techniques:
Technique Description
T1078.004 Valid Accounts: Cloud Accounts
T1648 Serverless Execution
T1564 Hide Artifacts
T1102 Web Service-Based Command and Control
The mapping illustrates that the campaign relies more on identity abuse and operational stealth than technical exploitation.
Cloud Security Failures Are the Real Vulnerability
Perhaps the most important takeaway is that HazyBeacon does not exploit a flaw within AWS.
There is no AWS vulnerability involved.
Instead, the campaign succeeds because organizations fail to implement strong identity governance, credential management, and infrastructure monitoring practices.
This distinction is critical.
Modern cyberattacks increasingly target operational weaknesses rather than software bugs. Human error, poor cloud governance, and excessive permissions often provide easier access than discovering zero-day vulnerabilities.
Defensive Strategies Organizations Must Implement Immediately
Enforce Multi-Factor Authentication
MFA remains one of the most effective controls against credential theft.
Rotate Access Keys Regularly
Long-lived credentials dramatically increase exposure risk.
Eliminate Unused Accounts
Dormant IAM users and outdated access keys create unnecessary attack surfaces.
Enable Comprehensive CloudTrail Logging
Organizations should activate logging across all AWS regions to detect unauthorized Lambda deployments and suspicious configuration changes.
Monitor Lambda Traffic Patterns
Security teams should investigate Lambda functions exhibiting near-identical inbound and outbound traffic ratios, a common indicator of proxy behavior.
Utilize VPC Flow Logs
Network telemetry can reveal unusual communication patterns associated with command-and-control activity.
Restrict Public Function URLs
Service Control Policies should prevent the creation of publicly accessible Function URLs unless explicitly approved.
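An added example of the Service Control Policy recommended above (not AWS's or the report's own code): the SCP denies creating or updating a Function URL with AuthType NONE unless the caller is an assumed approval role, and a small evaluator that models only the Deny, StringEquals and ArnNotLike semantics this policy uses shows how it decides for three constructed requests. The approval role name, account id and principal names are assumptions.

```python
from fnmatch import fnmatchcase

# SCP document, assumed to be attached to the OU holding the workload accounts. A public
# Function URL can then only appear through the assumed FunctionUrlApprover review role.
DENY_PUBLIC_FUNCTION_URLS = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyPublicLambdaFunctionUrls",
        "Effect": "Deny",
        "Action": ["lambda:CreateFunctionUrlConfig", "lambda:UpdateFunctionUrlConfig"],
        "Resource": "*",
        "Condition": {
            "StringEquals": {"lambda:FunctionUrlAuthType": "NONE"},
            "ArnNotLike": {"aws:PrincipalArn": "arn:aws:iam::*:role/FunctionUrlApprover"},
        },
    }],
}
def _as_list(v):
    return v if isinstance(v, list) else [v]

def _condition_holds(cond, ctx):
    """Subset of IAM condition logic this policy needs: every block must hold; a key absent
    from the request fails StringEquals and satisfies the negated ArnNotLike, as in IAM."""
    for key, want in cond.get("StringEquals", {}).items():
        if ctx.get(key) not in _as_list(want):
            return False
    for key, patterns in cond.get("ArnNotLike", {}).items():  # ARN globbing approximated with fnmatch
        if key in ctx and any(fnmatchcase(ctx[key], p) for p in _as_list(patterns)):
            return False
    return True

def scp_denies(policy, action, ctx):
    """Return the Sid of the first Deny statement matching the action and request context, else None."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not any(fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if _condition_holds(stmt.get("Condition", {}), ctx):
            return stmt["Sid"]
    return None
# Constructed request contexts, keyed the way IAM exposes them to condition evaluation.
STOLEN_KEY = {"aws:PrincipalArn": "arn:aws:iam::111122223333:user/ci-deploy", "lambda:FunctionUrlAuthType": "NONE"}
APPROVER = {"aws:PrincipalArn": "arn:aws:iam::111122223333:role/FunctionUrlApprover", "lambda:FunctionUrlAuthType": "NONE"}
IAM_AUTH = {"aws:PrincipalArn": "arn:aws:iam::111122223333:user/ci-deploy", "lambda:FunctionUrlAuthType": "AWS_IAM"}

if __name__ == "__main__":
    for label, ctx in (("stolen key, NONE", STOLEN_KEY), ("approver, NONE", APPROVER), ("AWS_IAM", IAM_AUTH)):
        print(label, "->", scp_denies(DENY_PUBLIC_FUNCTION_URLS, "lambda:CreateFunctionUrlConfig", ctx))
```

The SCP stops new public URLs from being created; URLs that already exist should be found with the Lambda discovery commands later in the article.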
Deep Analysis: Investigating HazyBeacon Through Cloud Forensics
Cloud defenders can improve visibility by continuously monitoring AWS environments using security-focused commands and auditing procedures.
Identity Investigation
aws sts get-caller-identity
aws iam list-users
aws iam list-roles
aws iam list-access-keys
aws iam get-account-summary
Lambda Function Discovery
aws lambda list-functions
aws lambda get-function-url-config
aws lambda list-event-source-mappings
CloudTrail Analysis
aws cloudtrail lookup-events
aws cloudtrail describe-trails
Security Monitoring
aws logs describe-log-groups
aws logs filter-log-events
Network Visibility
aws ec2 describe-flow-logs
aws ec2 describe-vpcs
Linux-Based Detection
grep -Ri "AKIA" /home/
find / -name ".env" 2>/dev/null
journalctl -xe
netstat -antp
ss -tunap
tcpdump -i eth0
Container Security Checks
docker ps -a
docker inspect <container>
kubectl get pods -A
kubectl get secrets -A
Threat Hunting Focus Areas
Newly created Lambda functions
Public Function URLs
Unusual AWS regions
Unauthorized IAM role creation
Suspicious API calls
Traffic relay behavior
Credential exposure indicators
Long-lived access keys
Excessive permissions
Anonymous HTTPS endpoints
Organizations that combine these investigative techniques with behavioral analytics stand a far greater chance of detecting cloud-native threats before significant damage occurs.
What Undercode Says:
The emergence of HazyBeacon represents more than another malware campaign. It reflects a fundamental shift in cyber warfare strategy.
For nearly two decades, defenders built security programs around the assumption that malicious infrastructure would look different from legitimate infrastructure. Blacklists, domain reputation systems, threat feeds, and perimeter controls all depended on identifying suspicious networks.
Cloud-native threats are dismantling that assumption.
HazyBeacon demonstrates how attackers no longer need to own infrastructure to operate sophisticated espionage campaigns.
Instead, they borrow trust.
AWS, Microsoft Azure, Google Cloud, and other hyperscale providers have become attractive targets not because they are vulnerable, but because they are trusted.
The real battlefield is identity.
Who can create resources?
Who can expose services publicly?
Who can deploy workloads without review?
These questions are becoming more important than vulnerability scanning alone.
The attack also highlights a dangerous organizational blind spot.
Many enterprises invest heavily in endpoint protection while giving less attention to cloud identity governance.
Security teams often monitor servers more aggressively than cloud permissions.
Attackers understand this imbalance.
By abusing valid credentials, threat actors can appear indistinguishable from legitimate administrators.
Another concerning aspect is scalability.
Traditional command-and-control infrastructure requires maintenance, hosting, and operational security.
Borrowed cloud infrastructure removes much of that burden.
The victim effectively funds and hosts the
This lowers operational costs while increasing resilience.
The campaign further illustrates how serverless technology introduces unique security challenges.
Lambda functions are designed to be lightweight, ephemeral, and highly scalable.
These same characteristics can make malicious activity harder to track.
Many organizations still lack mature visibility into serverless environments.
Cloud adoption is accelerating faster than cloud security maturity.
That gap creates opportunities for sophisticated adversaries.
The long-term trend suggests future attacks will increasingly abuse trusted SaaS and cloud-native services rather than exploit traditional malware hosting platforms.
Security strategies focused exclusively on malware signatures will struggle to keep pace.
Identity monitoring, behavioral analytics, infrastructure governance, and continuous cloud auditing must become foundational security disciplines.
HazyBeacon may be targeting governments today, but its techniques are relevant to every enterprise operating in the cloud.
The lesson is clear: trust in the cloud cannot replace verification.
Prediction
(+1) Cloud Identity Security Will Become a Top Enterprise Priority
Organizations will significantly increase investments in identity protection, privileged access management, and cloud governance platforms. This campaign is likely to accelerate board-level discussions about cloud security accountability and visibility. 🔒📈
(+1) Serverless Security Monitoring Will Rapidly Expand
Security vendors will introduce specialized detection capabilities focused on Lambda functions, Function URLs, and serverless workload monitoring. Cloud-native threat hunting will become a mainstream security practice. ☁️🛡️
(-1) More Attack Groups Will Copy the HazyBeacon Model
The success of hiding command-and-control traffic within trusted cloud services will likely inspire additional threat actors to replicate similar techniques across AWS, Azure, and Google Cloud environments. ⚠️
(-1) Traditional Reputation-Based Defenses Will Lose Effectiveness
As attackers increasingly abuse legitimate infrastructure, organizations relying heavily on domain reputation and blacklisting technologies may experience declining detection rates and longer attacker dwell times. 📉
✅ AWS Lambda Function URLs were introduced as a feature that allows direct HTTPS access to Lambda functions without API Gateway, making the underlying concept described in the report technically accurate.
✅ The campaign does not rely on an AWS software vulnerability. Available evidence indicates attackers abuse stolen IAM credentials and cloud misconfigurations rather than exploiting flaws in AWS infrastructure itself.
✅ Identity governance failures remain one of the largest cloud security risks. Mismanaged credentials, excessive permissions, exposed access keys, and inadequate monitoring continue to be among the most common causes of cloud compromise across modern enterprise environments.
❌ Blocking all AWS domains is not a realistic defense strategy. Such an approach would severely disrupt legitimate business operations and cloud-dependent applications.
✅ The reported attack chain aligns with known cloud-native intrusion techniques, particularly credential abuse, serverless execution, and trusted-service command-and-control methodologies increasingly observed across advanced threat campaigns.
References:
Reported By: cyberpress.org