A newly documented cyber espionage operation known as HazyBeacon, tracked as CL-STA-1020, is leveraging Amazon Web Services (AWS) to build stealthy command-and-control (C2) channels that are difficult for defenders to detect.
The campaign primarily targets government networks in Southeast Asia and represents a growing shift toward cloud-native attack infrastructure.
By standing up unauthenticated Lambda Function URLs inside compromised accounts, the threat actors create covert communication relays within trusted AWS environments, effectively masking malicious traffic as legitimate cloud activity.
Traditionally, C2 infrastructure resided on attacker-controlled servers hosted on virtual private servers or compromised websites. Security teams relied on IP reputation, domain intelligence, and blocking known malicious endpoints. However, cloud platforms have blurred these boundaries.
In the HazyBeacon campaign, attackers no longer expose their own infrastructure to victims directly. Instead, they deploy malicious relay points inside legitimate AWS accounts using stolen Identity and Access Management (IAM) credentials, and only the relay talks to their backend.
The attack begins with credential compromise. Threat actors obtain exposed AWS access keys through public repositories, phishing campaigns, or malware harvesting local credential files.
These credentials are often long-lived and poorly managed, making them ideal for exploitation. Once access is gained, attackers validate permissions using low-noise API calls and identify whether they can create Lambda functions and configure public endpoints.
According to research published by Palo Alto Networks Unit 42 in July 2025, the attackers abuse AWS Lambda Function URLs configured with AuthType set to NONE, allowing unauthenticated public access.
HazyBeacon Campaign Abuses AWS
After validation, attackers deploy lightweight Lambda functions using standard AWS APIs. These functions are typically named to appear benign and are often placed in less-monitored regions.
The critical step is enabling a Function URL with AuthType set to NONE, which exposes the function as a public HTTPS endpoint without authentication.
The Lambda function then acts as a proxy between infected systems and the attacker’s backend infrastructure. Malware on a compromised endpoint sends HTTPS requests carrying encrypted payloads to the Function URL hosted within AWS.
The function forwards the payload to the attacker-controlled server, receives instructions, and relays them back to the malware. This creates a “middleman” architecture where both the victim and the attacker appear to be communicating only with AWS infrastructure.
This approach significantly complicates detection and attribution. From a defender’s perspective, network traffic appears as normal HTTPS communication with trusted AWS domains: a Function URL lives under lambda-url.&lt;region&gt;.on.aws and is indistinguishable at the network layer from any legitimate serverless endpoint.
Meanwhile, the attacker’s backend sees traffic originating from AWS, further obscuring the true source. In many cases, the AWS account owner remains unaware until abnormal billing or abuse reports surface.
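The data plane looks like ordinary HTTPS to on.aws, but every step of the setup described above (credential validation, function creation, Function URL creation, the public invoke grant) is a CloudTrail management event. The detector below is an added example, not code from this page or from Unit 42: it runs four rules over a constructed CloudTrail sample. The approved-region list, the trusted source range, the account ID 111122223333 and the principal names are assumptions; the record field names follow the Lambda and STS API parameter names as CloudTrail writes them, which you should confirm against your own trail before relying on the rules.

```python
"""Added example: flag CloudTrail management events matching a HazyBeacon-style
Lambda Function URL setup. Sample records are constructed, not real telemetry."""
import ipaddress
import json
from dataclasses import dataclass

# Hypothetical organisation policy: regions in use and the egress range of the
# corporate network / CI runners that legitimately call the AWS API.
APPROVED_REGIONS = {"us-east-1", "eu-west-1"}
TRUSTED_SOURCE_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # RFC 5737 doc range


@dataclass
class Finding:
    severity: str
    event_name: str
    region: str
    identity: str
    reason: str


def _identity(rec: dict) -> str:
    ui = rec.get("userIdentity", {})
    return ui.get("arn") or ui.get("accessKeyId") or "unknown"


def _from_trusted_net(rec: dict) -> bool:
    try:
        ip = ipaddress.ip_address(rec.get("sourceIPAddress", ""))
    except ValueError:  # AWS service principals appear as hostnames, not IPs
        return True
    return any(ip in net for net in TRUSTED_SOURCE_NETS)


def check_record(rec: dict) -> list:
    """Return the findings (possibly none) for one CloudTrail record."""
    found = []
    name, region = rec.get("eventName", ""), rec.get("awsRegion", "")
    src, ident = rec.get("eventSource", ""), _identity(rec)
    p = rec.get("requestParameters") or {}

    # Rule 1: credential validation. A long-lived IAM user key calling
    # sts:GetCallerIdentity from outside the trusted range is the quiet
    # "does this key still work?" probe that precedes deployment.
    if src == "sts.amazonaws.com" and name == "GetCallerIdentity" \
            and rec.get("userIdentity", {}).get("type") == "IAMUser" \
            and not _from_trusted_net(rec):
        found.append(Finding("medium", name, region, ident,
                             f"IAM user key validated from {rec.get('sourceIPAddress')}"))

    if src != "lambda.amazonaws.com":
        return found

    # Rule 2: a Function URL created or switched to AuthType NONE.
    if name in ("CreateFunctionUrlConfig", "UpdateFunctionUrlConfig") \
            and p.get("authType") == "NONE":
        found.append(Finding("high", name, region, ident,
                             f"unauthenticated function URL on {p.get('functionName')}"))

    # Rule 3: the resource policy that actually lets anyone invoke the URL.
    if name == "AddPermission" and p.get("action") == "lambda:InvokeFunctionUrl" \
            and p.get("principal") == "*" and p.get("functionUrlAuthType") == "NONE":
        found.append(Finding("high", name, region, ident,
                             f"public InvokeFunctionUrl grant on {p.get('functionName')}"))

    # Rule 4: a new function in a region the organisation does not use.
    if name == "CreateFunction" and region not in APPROVED_REGIONS:
        found.append(Finding("medium", name, region, ident,
                             f"function {p.get('functionName')} created in unapproved region"))
    return found


def scan(trail_json: str) -> list:
    """Run every rule over a CloudTrail log file (the {"Records": [...]} shape)."""
    return [f for rec in json.loads(trail_json)["Records"] for f in check_record(rec)]


# Constructed sample trail: an attacker sequence with a stolen user key, then
# one benign IAM-authenticated URL created by a CI role from the trusted range.
_ATTACKER = {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/ci-deploy"}
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7", "userIdentity": _ATTACKER},
    {"eventSource": "lambda.amazonaws.com", "eventName": "CreateFunction",
     "awsRegion": "ap-southeast-1", "sourceIPAddress": "198.51.100.7", "userIdentity": _ATTACKER,
     "requestParameters": {"functionName": "BackupHandler", "runtime": "python3.12"}},
    {"eventSource": "lambda.amazonaws.com", "eventName": "CreateFunctionUrlConfig",
     "awsRegion": "ap-southeast-1", "sourceIPAddress": "198.51.100.7", "userIdentity": _ATTACKER,
     "requestParameters": {"functionName": "BackupHandler", "authType": "NONE"}},
    {"eventSource": "lambda.amazonaws.com", "eventName": "AddPermission",
     "awsRegion": "ap-southeast-1", "sourceIPAddress": "198.51.100.7", "userIdentity": _ATTACKER,
     "requestParameters": {"functionName": "BackupHandler",
                           "statementId": "FunctionURLAllowPublicAccess",
                           "action": "lambda:InvokeFunctionUrl", "principal": "*",
                           "functionUrlAuthType": "NONE"}},
    {"eventSource": "lambda.amazonaws.com", "eventName": "CreateFunctionUrlConfig",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/deploy/ci"},
     "requestParameters": {"functionName": "ImageResizer", "authType": "AWS_IAM"}},
]})

if __name__ == "__main__":
    for f in scan(SAMPLE_TRAIL):
        print(f"[{f.severity}] {f.event_name} in {f.region} by {f.identity}: {f.reason}")
```

On the sample, the benign AWS_IAM URL produces nothing while the attacker sequence yields four findings, two of them high. Rule 3 matters because AuthType NONE alone is not enough: a URL only becomes reachable by anyone once a resource policy grants lambda:InvokeFunctionUrl to the `*` principal, so that AddPermission call is the event that most directly signals a public relay. Invocations of the URL itself are data-plane traffic and will not show up as management events, which is why the creation-time rules are the ones worth alerting on.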
The malware itself operates as a lightweight and flexible framework. It performs system enumeration to collect host details, executes remote commands delivered through encrypted channels, and supports data exfiltration including documents and keystrokes.
The effectiveness of this campaign lies in the simplicity and legitimacy of the abused feature. AWS Lambda Function URLs, introduced in 2022, allow developers to expose serverless functions without complex configurations like API Gateway.
While useful, this feature creates a low-friction path for attackers to deploy public-facing infrastructure within seconds.
Security experts emphasize that this is not a vulnerability in AWS itself but a failure in identity and configuration management.
Organizations can reduce risk by enforcing strict IAM controls (short-lived role credentials instead of static access keys), rotating any remaining long-lived keys, enabling CloudTrail in every region so that management events such as CreateFunctionUrlConfig and AddPermission are recorded wherever a function is created, and monitoring VPC flow logs for anomalies.
Additionally, a Service Control Policy that denies Function URLs with AuthType NONE (the lambda:FunctionUrlAuthType condition key exists for exactly this purpose), together with continuous auditing of existing Function URL configurations, can help prevent misuse.
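The following is an added example, not a policy from this page or from Unit 42: an organisation-wide Service Control Policy that blocks the three Lambda API calls able to make a Function URL publicly invokable, expressed as a Python dictionary so it can be emitted as JSON, plus a small checker that models only this statement's Deny logic (not the full IAM evaluation engine) to show which requests it catches. The statement ID is an assumption; the actions and the condition key are AWS's own.

```python
"""Added example: SCP denying unauthenticated Lambda Function URLs, with a
checker that shows which calls the statement matches."""
import json

# lambda:FunctionUrlAuthType is the condition key AWS exposes on the APIs that
# can make a function URL reachable without authentication.
DENY_PUBLIC_FUNCTION_URLS = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyUnauthenticatedFunctionUrls",   # hypothetical statement ID
        "Effect": "Deny",
        "Action": [
            "lambda:CreateFunctionUrlConfig",
            "lambda:UpdateFunctionUrlConfig",
            "lambda:AddPermission",
        ],
        "Resource": "*",
        "Condition": {"StringEquals": {"lambda:FunctionUrlAuthType": "NONE"}},
    }],
}


def policy_json() -> str:
    """The document to hand to `aws organizations create-policy --content`."""
    return json.dumps(DENY_PUBLIC_FUNCTION_URLS, indent=2)


def scp_denies(action: str, request_context: dict) -> bool:
    """Simplified model of this policy only: does its explicit Deny match?

    request_context holds the condition keys present on the request, e.g.
    {"lambda:FunctionUrlAuthType": "NONE"}. As in IAM, a StringEquals test
    on a key that is absent from the request does not match.
    """
    for stmt in DENY_PUBLIC_FUNCTION_URLS["Statement"]:
        if stmt["Effect"] != "Deny" or action not in stmt["Action"]:
            continue
        cond = stmt["Condition"]["StringEquals"]
        if all(request_context.get(k) == v for k, v in cond.items()):
            return True
    return False


if __name__ == "__main__":
    print(policy_json())
    for action, ctx in [
        ("lambda:CreateFunctionUrlConfig", {"lambda:FunctionUrlAuthType": "NONE"}),
        ("lambda:CreateFunctionUrlConfig", {"lambda:FunctionUrlAuthType": "AWS_IAM"}),
        ("lambda:AddPermission", {}),  # e.g. granting S3 lambda:InvokeFunction
        ("lambda:CreateFunction", {}),
    ]:
        print(f"{action} {ctx} -> {'DENY' if scp_denies(action, ctx) else 'not matched'}")
```

The policy leaves ordinary Lambda use untouched: creating functions, IAM-authenticated Function URLs, and AddPermission calls that carry no FunctionUrlAuthType (such as letting S3 invoke a function) all fall through. Two caveats a practitioner should keep in mind: SCPs do not apply to the management account, and they do not retroactively change URLs that already exist, so pair the policy with an audit of current configurations (`aws lambda list-function-url-configs --function-name <name>` per function, checking AuthType) and remediate anything already set to NONE.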
The HazyBeacon campaign highlights a broader trend where attackers weaponize trusted cloud services to evade detection. As cloud adoption accelerates, visibility and identity governance are becoming critical pillars of enterprise security.
MITRE ATT&CK
| Tactic | Technique ID | Technique Name | Context in HazyBeacon |
|---|---|---|---|
| Initial Access | T1078.004 | Valid Accounts: Cloud Accounts | Use of stolen, static IAM access keys to enter the cloud environment. |
| Execution | T1648 | Serverless Execution | Creating new Lambda functions that persist independently of the compromised user session. |
| Defense Evasion | T1564 | Hide Artifacts | Deploying in unused regions; using benign naming conventions (“BackupHandler”, “ImageResizer”). |
| Command & Control | T1102 | Web Service | Using AWS Lambda as the communication channel to blend with legitimate web traffic. |
| Command & Control | T1090 | Proxy | The Lambda function serves purely as a hop point to obscure the true destination. |