Researchers from Unit 42 at Palo Alto Networks have uncovered a novel backdoor—HazyBeacon—used by a threat cluster identified as CL-STA-1020. The campaign, which began in late 2024, has targeted governmental entities in Southeast Asia, with a focus on stealing sensitive trade and tariff-related documents.
What makes this campaign especially dangerous is its use of legitimate cloud services, including AWS Lambda, Google Drive, and Dropbox, to remain stealthy and blend malicious activity into routine network traffic.
“This cluster took significant effort to remain undetected, hiding in plain sight,” Unit 42 reported in their executive summary.
At the core of the attack is HazyBeacon, a previously undocumented Windows backdoor that leverages a novel command-and-control (C2) technique using AWS Lambda URLs. This innovative abuse of serverless infrastructure allows malware communications to piggyback on trusted Amazon Web Services (AWS) traffic.
“This backdoor leverages AWS Lambda URLs as command and control (C2) infrastructure,” the report notes. “This technique uses legitimate cloud functionality to hide in plain sight.”
Instead of relying on a traditional C2 server, which could be blocklisted or sinkholed, HazyBeacon talks to attacker-controlled Lambda function URLs. Function URLs take the form https://<url-id>.lambda-url.<region>.on.aws/, so the beacon's HTTPS traffic terminates on Amazon-owned infrastructure rather than on a standalone attacker host.
This makes detection much more difficult in enterprise environments that depend on AWS for legitimate business operations.
The report does not attribute HazyBeacon's delivery to phishing or drive-by downloads; what it documents is installation through DLL sideloading:
- They plant a malicious DLL (mscorsvc.dll) in C:\Windows\assembly\
- It is sideloaded by a legitimate Windows binary, mscorsvw.exe (the .NET Framework CLR optimization service), which loads a DLL of that name from its search path
- A Windows service named msdnetsvc is created to persist the malware across reboots
Once loaded, the malicious DLL beacons out to the actor-controlled AWS Lambda URL and awaits instructions, including downloading further payloads.
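The persistence chain above reduces to three host-side checks: a service named msdnetsvc, mscorsvc.dll sitting in C:\Windows\assembly\, and mscorsvw.exe being run from anywhere other than its .NET Framework directory. The following Python script is an added example, not Unit 42 tooling or part of the report; the rule that mscorsvw.exe and mscorsvc.dll legitimately live under C:\Windows\Microsoft.NET\Framework*\v*\ is general .NET Framework knowledge rather than a fact from the page, and the service snapshot at the bottom is constructed for illustration (the report does not say where the sideloading host was placed).

```python
"""Host triage for the HazyBeacon persistence chain (added example, not Unit 42 code)."""
import os
import re
import sys

SUSPICIOUS_SERVICE = "msdnetsvc"                      # service name from the report
PLANTED_DLL = r"C:\Windows\assembly\mscorsvc.dll"     # DLL location from the report
SIDELOAD_HOST = "mscorsvw.exe"                        # legitimate host binary from the report

# Assumption (general .NET knowledge, not from the page): the genuine mscorsvw.exe
# and mscorsvc.dll live under C:\Windows\Microsoft.NET\Framework[64]\v<ver>\.
LEGIT_DIR = re.compile(r"^[a-z]:\\windows\\microsoft\.net\\framework(64)?\\v[\d.]+\\", re.I)


def image_to_exe(image_path):
    """Extract the executable from a service ImagePath (quoted or with arguments)."""
    image_path = os.path.expandvars(image_path.strip())
    if image_path.startswith('"'):
        return image_path[1:].split('"', 1)[0]
    return image_path.split(" ", 1)[0]


def assess(services, path_exists):
    """services: {service_name: ImagePath}; path_exists: callable(path) -> bool.

    Returns a list of human-readable findings; an empty list means no indicator matched.
    """
    findings = []
    for name, image in services.items():
        exe = image_to_exe(image)
        if name.lower() == SUSPICIOUS_SERVICE:
            findings.append(f"service {name} (ImagePath {image}) matches the persistence service name")
        # The general rule: the sideloading host running outside its legitimate directory.
        if exe.lower().endswith("\\" + SIDELOAD_HOST) and not LEGIT_DIR.match(exe):
            findings.append(f"service {name} runs {SIDELOAD_HOST} from a non-.NET directory: {exe}")
    if path_exists(PLANTED_DLL):
        findings.append(f"{PLANTED_DLL} exists; mscorsvc.dll does not belong in the GAC directory")
    return findings


def windows_services():
    """Enumerate service ImagePaths from the registry (Windows only)."""
    import winreg
    result = {}
    root = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services")
    index = 0
    while True:
        try:
            name = winreg.EnumKey(root, index)
        except OSError:
            break
        index += 1
        try:
            with winreg.OpenKey(root, name) as key:
                result[name] = winreg.QueryValueEx(key, "ImagePath")[0]
        except OSError:
            pass  # service without an ImagePath (e.g. kernel driver stubs)
    return result


# Constructed snapshot for offline use; the msdnetsvc ImagePath is an assumption.
SAMPLE_SERVICES = {
    "clr_optimization_v4.0.30319_64": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe",
    "msdnetsvc": r"C:\Windows\assembly\mscorsvw.exe",
    "Spooler": r"C:\Windows\System32\spoolsv.exe",
}
SAMPLE_FILES = {PLANTED_DLL}

if __name__ == "__main__":
    if sys.platform == "win32":
        hits = assess(windows_services(), os.path.exists)
    else:
        hits = assess(SAMPLE_SERVICES, lambda p: p in SAMPLE_FILES)
    for hit in hits:
        print(hit)
```

Run it as an administrator on a suspect host; on any other platform it evaluates the constructed snapshot. The third check is deliberately generic: a service that launches mscorsvw.exe from outside the .NET Framework tree is worth a look even if the attackers rename the service next time.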

Once connected, HazyBeacon downloads and stages multiple tools under C:\ProgramData, including:
| File | Function |
|---|---|
| 7z.exe | Archives stolen data |
| igfx.exe | File collector |
| GoogleGet.exe, google.exe, GoogleDrive.exe, Dropbox.exe | Cloud uploaders |
These tools are used to collect, compress, and exfiltrate sensitive documents, including those related to trade policy and communications with foreign governments.
“The first payload executed was igfx.exe — the file collector… creating ZIP archives of targeted files, including government communications on trade disputes.”
To avoid suspicion, attackers sent stolen data via cloud services. The malware:
- Connected to Google Drive using a custom uploader
- Used Dropbox to attempt additional uploads
- Executed cleanup routines to remove evidence, including deleting payloads and archive files
Though detection mechanisms eventually blocked some of the upload attempts, the operation showed clear intent to exploit trusted cloud platforms for stealthy exfiltration.
AWS Lambda function URLs, introduced in 2022, let developers expose a single serverless function through a dedicated HTTPS endpoint without configuring API Gateway. That makes them easy to deploy, for threat actors as much as for developers.
“When put to malicious use, a Lambda function that a threat actor controls can operate as a dynamic C2 server,” Unit 42 warned.
This misuse of trusted domains such as on.aws and amazonaws.com lets threat actors bypass traditional detection, especially where those domains are already allowlisted in enterprise firewalls. The useful distinction for defenders is that function URLs live on the lambda-url.<region>.on.aws subdomain, which most user workstations have no business contacting, so that pattern can be alerted on even where amazonaws.com as a whole cannot be blocked.
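Both halves of the campaign leave traces in web proxy logs: the beacon to a Lambda function URL, and the bulk uploads to Google Drive and Dropbox described in the exfiltration section above. The following Python script is an added example, not code from Unit 42 or from the campaign; it serves both passages. The log format and the log lines are constructed, the Lambda host pattern is the documented <url-id>.lambda-url.<region>.on.aws shape, the upload endpoints are the public Google Drive API and Dropbox API upload paths, and the beacon-jitter and byte thresholds are assumptions to tune for your environment.

```python
"""Proxy-log triage for Lambda-URL C2 and cloud-service exfiltration (added example)."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# A Lambda function URL host has the form <url-id>.lambda-url.<region>.on.aws.
LAMBDA_URL_HOST = re.compile(r"^[a-z0-9]+\.lambda-url\.[a-z0-9-]+\.on\.aws$")

# Upload paths of the two services the campaign abused for exfiltration.
UPLOAD_PATHS = {
    "www.googleapis.com": "/upload/drive/",       # Google Drive API media upload
    "content.dropboxapi.com": "/2/files/upload",  # Dropbox files/upload
}

# Constructed sample log, not real traffic. Format:
# "<ISO timestamp> <src_ip> <method> <host> <path> <bytes_out>"
SAMPLE_LOG = """\
2025-01-10T09:00:00 10.0.0.5 POST abcdefghij1234567890abcdefghij12.lambda-url.ap-southeast-1.on.aws / 412
2025-01-10T09:00:20 10.0.0.7 GET www.google.com /search 0
2025-01-10T09:01:01 10.0.0.5 POST abcdefghij1234567890abcdefghij12.lambda-url.ap-southeast-1.on.aws / 398
2025-01-10T09:01:59 10.0.0.5 POST abcdefghij1234567890abcdefghij12.lambda-url.ap-southeast-1.on.aws / 401
2025-01-10T09:02:10 10.0.0.9 POST www.googleapis.com /upload/drive/v3/files?uploadType=multipart 40000
2025-01-10T09:03:00 10.0.0.5 POST abcdefghij1234567890abcdefghij12.lambda-url.ap-southeast-1.on.aws / 405
2025-01-10T09:03:30 10.0.0.5 POST www.googleapis.com /upload/drive/v3/files?uploadType=resumable 24000000
2025-01-10T09:04:02 10.0.0.5 POST abcdefghij1234567890abcdefghij12.lambda-url.ap-southeast-1.on.aws / 399
2025-01-10T09:04:45 10.0.0.5 POST content.dropboxapi.com /2/files/upload 18500000
2025-01-10T09:05:00 10.0.0.5 POST abcdefghij1234567890abcdefghij12.lambda-url.ap-southeast-1.on.aws / 410
2025-01-10T09:05:30 10.0.0.7 GET www.update.microsoft.com /v6/ 0
"""


def parse_log(text):
    """Parse the constructed format into dicts; blank or malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, src, method, host, path, out = parts
        records.append({"ts": datetime.fromisoformat(ts), "src": src, "method": method,
                        "host": host.lower(), "path": path, "bytes_out": int(out)})
    return records


def lambda_c2_findings(records, min_hits=4, max_cv=0.25):
    """Flag every (src, Lambda URL host) pair; mark low-jitter timing as beacon-like.

    max_cv is the coefficient of variation (stdev / mean) of inter-request gaps
    below which the cadence is treated as machine-driven (assumed threshold).
    """
    stamps_by_pair = defaultdict(list)
    for r in records:
        if LAMBDA_URL_HOST.match(r["host"]):
            stamps_by_pair[(r["src"], r["host"])].append(r["ts"])
    findings = []
    for (src, host), stamps in stamps_by_pair.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        median_gap, beacon_like = None, False
        if len(stamps) >= min_hits:
            median_gap = statistics.median(gaps)
            mean_gap = statistics.mean(gaps)
            cv = statistics.pstdev(gaps) / mean_gap if mean_gap > 0 else float("inf")
            beacon_like = cv <= max_cv
        findings.append({"src": src, "host": host, "count": len(stamps),
                         "median_gap_s": median_gap, "beacon_like": beacon_like})
    return findings


def exfil_findings(records, min_bytes=10_000_000):
    """Sum POST bytes to known upload endpoints per (src, host); report totals >= min_bytes."""
    totals = defaultdict(int)
    for r in records:
        prefix = UPLOAD_PATHS.get(r["host"])
        if prefix and r["method"] == "POST" and r["path"].startswith(prefix):
            totals[(r["src"], r["host"])] += r["bytes_out"]
    return sorted(({"src": s, "host": h, "bytes_out": b} for (s, h), b in totals.items() if b >= min_bytes),
                  key=lambda f: f["bytes_out"], reverse=True)


def triage(text):
    """Run both detections over a log text and return the combined findings."""
    records = parse_log(text)
    return {"lambda_c2": lambda_c2_findings(records), "exfil": exfil_findings(records)}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

On the sample, the only Lambda URL contact is the 10.0.0.5 beacon with a roughly 60-second cadence, and the same host is the only source pushing more than 10 MB to the Drive and Dropbox upload endpoints; the small legitimate Drive upload from 10.0.0.9 stays below the threshold. Blocked uploads still produce log lines, so the byte-volume check also catches the attempts the report says were stopped.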