In a striking display of cloud-native tradecraft, cybercriminals have been caught turning legitimate AWS environments into illicit cryptocurrency mining farms, utilizing a “novel persistence technique” designed to lock defenders out of their own infrastructure.
A new report from Amazon GuardDuty reveals that starting November 2, 2025, a coordinated campaign began systematically hijacking Amazon Elastic Container Service (Amazon ECS) and Amazon Elastic Compute Cloud (Amazon EC2) resources using compromised Identity and Access Management (IAM) credentials.
Speed was the defining characteristic of this campaign. The attackers didn’t just stumble in; they arrived with a script. Operating from an external hosting provider, they executed a rapid-fire sequence of reconnaissance and deployment.
“Operating from an external hosting provider, the threat actor quickly enumerated Amazon EC2 service quotas and IAM permissions before deploying crypto mining resources,” the report states. The efficiency was ruthless: “Within 10 minutes of the threat actor gaining initial access, crypto miners were operational”.
Before launching a single miner, the attackers used a clever method to test the waters without making a splash. They set the DryRun flag on EC2 API calls, a parameter normally used by developers and deployment tooling to check whether the caller is permitted to make a request without actually executing it: if the permissions are in place the API answers with a DryRunOperation error, if not with UnauthorizedOperation, and nothing is created either way.
“The DryRun flag was a deliberate reconnaissance tactic that allowed the actor to validate their ability to deploy crypto mining infrastructure before acting,” Amazon analysts noted. This allowed them to confirm they had the keys to the kingdom without creating resources or incurring charges that a billing alarm or inventory scan would catch. The footprint is light but not invisible, though: DryRun requests are still written to CloudTrail, with errorCode Client.DryRunOperation, so a RunInstances DryRun from an unfamiliar IP is a usable detection signal in its own right.
What sets this campaign apart is not just the theft of computing power, but the sophisticated method used to maintain it. Once the mining instances were spun up—using a malicious Docker image (yenik65958/secret) that had been pulled over 100,000 times—the attackers toggled a specific switch to complicate remediation.
“A key technique observed in this attack was the use of ModifyInstanceAttribute with disable API termination set to true,” the report highlights.
By enabling termination protection on their rogue instances (the EC2 attribute is named disableApiTermination; setting it to true makes TerminateInstances fail with OperationNotPermitted until the attribute is cleared again), the attackers created a distinct hurdle for automated security scripts and human responders alike. “Disabling instance termination protection adds an additional consideration for incident responders and can disrupt automated remediation controls”. Essentially, even if a defender identified the rogue servers, a playbook that simply called TerminateInstances would error out; someone holding ec2:ModifyInstanceAttribute has to clear the flag on each instance first, buying the attackers time to mine more crypto. The protection is narrower than it sounds, however: it does not block StopInstances, security-group isolation or revocation of the compromised credentials, and the ModifyInstanceAttribute call that sets it lands in CloudTrail like any other API call.
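Anyone automating the response needs to order the API calls so the attacker's flag does not stop the playbook. The following Python is an added example, not code from the GuardDuty report or from AWS. It uses a small in-memory stand-in for the boto3 EC2 client (the SimulatedEc2 class, the instance IDs and the call log are constructed for illustration; the OperationNotPermitted failure it simulates is how the real TerminateInstances API behaves while disableApiTermination is set) to show why a terminate-on-sight playbook fails and which sequence works.

```python
"""Remediation order for EC2 instances an attacker has marked disableApiTermination=true.

Added example, not from the GuardDuty report. SimulatedEc2 is a constructed
in-memory stand-in for boto3.client("ec2") that reproduces two real API
behaviours: TerminateInstances fails with OperationNotPermitted while
termination protection is on, and StopInstances is not affected by it.
"""


class OperationNotPermitted(Exception):
    """Stand-in for botocore ClientError with Error.Code == 'OperationNotPermitted'."""


class SimulatedEc2:
    """Constructed fake of the boto3 EC2 client (same method names and kwargs)."""

    def __init__(self, protected_instance_ids):
        self.instances = {i: {"protected": True, "state": "running"}
                          for i in protected_instance_ids}
        self.calls = []  # ordered record of API calls, for inspection

    def stop_instances(self, InstanceIds):
        # Termination protection does not block StopInstances (EBS-backed instances).
        self.calls.append(("StopInstances", tuple(InstanceIds)))
        for i in InstanceIds:
            self.instances[i]["state"] = "stopped"
        return {"StoppingInstances": [{"InstanceId": i} for i in InstanceIds]}

    def modify_instance_attribute(self, InstanceId, DisableApiTermination):
        self.calls.append(("ModifyInstanceAttribute", InstanceId, DisableApiTermination["Value"]))
        self.instances[InstanceId]["protected"] = DisableApiTermination["Value"]
        return {}

    def terminate_instances(self, InstanceIds):
        self.calls.append(("TerminateInstances", tuple(InstanceIds)))
        blocked = [i for i in InstanceIds if self.instances[i]["protected"]]
        if blocked:  # mirrors the real error text for a protected instance
            raise OperationNotPermitted(
                f"The instance '{blocked[0]}' may not be terminated. "
                "Modify its 'disableApiTermination' instance attribute and try again.")
        for i in InstanceIds:
            self.instances[i]["state"] = "terminated"
        return {"TerminatingInstances": [{"InstanceId": i} for i in InstanceIds]}


def naive_remediate(ec2, instance_ids):
    """The common auto-remediation shape: terminate on sight.
    Returns True on success, False when termination protection blocks the call."""
    try:
        ec2.terminate_instances(InstanceIds=list(instance_ids))
        return True
    except OperationNotPermitted:  # with boto3: catch ClientError and check Error.Code
        return False


def remediate_protected_miners(ec2, instance_ids):
    """Sequence that survives the attacker's trick. Assumes the compromised
    credentials have already been deactivated; otherwise the actor simply
    re-enables the attribute. Returns the instance IDs the API reports as terminating."""
    ids = list(instance_ids)
    # 1. Stop first: halts the miner immediately and is not blocked by protection.
    ec2.stop_instances(InstanceIds=ids)
    # 2. Clear the attribute; it is per instance, so one call each.
    for i in ids:
        ec2.modify_instance_attribute(InstanceId=i, DisableApiTermination={"Value": False})
    # 3. Now TerminateInstances succeeds.
    resp = ec2.terminate_instances(InstanceIds=ids)
    return [t["InstanceId"] for t in resp["TerminatingInstances"]]


if __name__ == "__main__":
    ec2 = SimulatedEc2(["i-0a1b2c3d4e5f67890", "i-0fedcba9876543210"])
    print("naive terminate succeeded:", naive_remediate(ec2, ["i-0a1b2c3d4e5f67890"]))
    print("ordered remediation terminated:", remediate_protected_miners(ec2, list(ec2.instances)))
```

To run this against a real account, replace SimulatedEc2 with boto3.client("ec2") and catch botocore.exceptions.ClientError in naive_remediate; the call order in remediate_protected_miners is the point, and it should sit behind a credential-deactivation step in the playbook.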
The campaign didn’t stop at mining. In a pivot towards future attacks, the threat actors established a backdoor using AWS Lambda. They configured a function URL with its authentication type set to NONE, which makes the function invokable over HTTPS by anyone who knows the URL, with no AWS credentials required. That is what turns it into a persistent foothold: the URL keeps working even after the stolen keys are rotated, and the function runs with whatever its execution role allows.
Furthermore, they began setting the stage for a spam campaign. The report details how the actors created new IAM users and attached policies for Amazon Simple Email Service (SES), suggesting they were “attempting Amazon Simple Email Service (Amazon SES) phishing” using the trusted reputation of the compromised domains.
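Every step in the chain above, from the DryRun probe to the disableApiTermination flip, the unauthenticated function URL and the SES policy grant, leaves a CloudTrail record, and that is what detection should key on. The following Python is an added example, not code from the GuardDuty report or an AWS-provided rule set. It runs four rules over constructed CloudTrail-shaped records and adds a correlation for a probe followed by a real launch from the same access key. Field names follow CloudTrail's schema; the access key IDs, instance ID, function and user names, IP address and timestamps are invented.

```python
"""CloudTrail detection rules for the sequence described above. Added example, not
from the GuardDuty report: records are constructed to mirror the campaign, with
CloudTrail's real field names but invented key/instance IDs, names and times."""
import json
from datetime import datetime, timedelta

ATTACKER_KEY = "AKIAEXAMPLE000000001"  # constructed access key ID


def make_event(time, source, name, params=None, key=ATTACKER_KEY, **extra):
    """Build a minimal CloudTrail-shaped record (constructed test data)."""
    rec = {"eventTime": time, "eventSource": source, "eventName": name,
           "userIdentity": {"type": "IAMUser", "userName": "deploy-bot", "accessKeyId": key},
           "sourceIPAddress": "203.0.113.10", "requestParameters": params or {}}
    rec.update(extra)
    return rec


SAMPLE_EVENTS = [
    make_event("2025-11-02T10:00:05Z", "ec2.amazonaws.com", "RunInstances", {"instanceType": "c5.24xlarge"},
               errorCode="Client.DryRunOperation", errorMessage="Request would have succeeded, but DryRun flag is set."),
    make_event("2025-11-02T10:01:10Z", "ec2.amazonaws.com", "DescribeInstances", key="AKIAEXAMPLE000000002"),  # benign
    make_event("2025-11-02T10:03:40Z", "ec2.amazonaws.com", "RunInstances", {"instanceType": "c5.24xlarge"},
               responseElements={"instancesSet": {"items": [{"instanceId": "i-0a1b2c3d4e5f67890"}]}}),
    make_event("2025-11-02T10:04:12Z", "ec2.amazonaws.com", "ModifyInstanceAttribute",
               {"instanceId": "i-0a1b2c3d4e5f67890", "disableApiTermination": {"value": True}}),
    make_event("2025-11-02T10:07:30Z", "lambda.amazonaws.com", "CreateFunctionUrlConfig20211014",
               {"functionName": "sync-helper", "authType": "NONE"}),
    make_event("2025-11-02T10:09:15Z", "iam.amazonaws.com", "AttachUserPolicy",
               {"userName": "svc-mailer", "policyArn": "arn:aws:iam::aws:policy/AmazonSESFullAccess"}),
]


def event_time(ev):
    return datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def principal_of(ev):
    ident = ev.get("userIdentity", {})
    return ident.get("accessKeyId") or ident.get("arn") or "unknown"


def rule_dryrun_probe(ev):
    # DryRun calls create nothing, but CloudTrail still records them with this error code.
    if ev.get("eventSource") == "ec2.amazonaws.com" and ev.get("errorCode") == "Client.DryRunOperation":
        return f"DryRun probe of {ev['eventName']} (permission confirmed, no resource created)"


def rule_termination_protection(ev):
    p = ev.get("requestParameters") or {}
    if ev.get("eventName") == "ModifyInstanceAttribute" and (p.get("disableApiTermination") or {}).get("value") is True:
        return f"termination protection enabled on {p.get('instanceId')}"


def rule_public_lambda_url(ev):
    # Lambda event names carry an API-version suffix (e.g. ...20211014), hence the prefix match.
    p = ev.get("requestParameters") or {}
    if (ev.get("eventSource") == "lambda.amazonaws.com" and p.get("authType") == "NONE"
            and ev.get("eventName", "").startswith(("CreateFunctionUrlConfig", "UpdateFunctionUrlConfig"))):
        return f"unauthenticated function URL on {p.get('functionName')}"


def rule_ses_policy_grant(ev):
    # Either the managed SES policy attached to a user, or an inline policy allowing ses: actions.
    p = ev.get("requestParameters") or {}
    name = ev.get("eventName") if ev.get("eventSource") == "iam.amazonaws.com" else None
    if name == "AttachUserPolicy" and "AmazonSES" in p.get("policyArn", ""):
        return f"{p['policyArn']} attached to user {p.get('userName')}"
    if name == "PutUserPolicy":  # policyDocument is logged as a JSON string
        stmts = json.loads(p.get("policyDocument", "{}")).get("Statement", [])
        for st in [stmts] if isinstance(stmts, dict) else stmts:
            actions = st.get("Action", [])
            actions = [actions] if isinstance(actions, str) else actions
            if st.get("Effect") == "Allow" and any(a.lower().startswith("ses:") for a in actions):
                return f"inline policy granting {actions} to user {p.get('userName')}"


RULES = {"dryrun_probe": rule_dryrun_probe, "termination_protection": rule_termination_protection,
         "public_lambda_url": rule_public_lambda_url, "ses_policy_grant": rule_ses_policy_grant}


def run_rules(events):
    """One finding dict per (event, rule) match, in time order."""
    findings = []
    for ev in sorted(events, key=event_time):
        for name, rule in RULES.items():
            detail = rule(ev)
            if detail:
                findings.append({"eventTime": ev["eventTime"], "principal": principal_of(ev),
                                 "sourceIPAddress": ev.get("sourceIPAddress"), "rule": name, "detail": detail})
    return findings


def correlate_probe_then_launch(events, window=timedelta(minutes=10)):
    """Higher-confidence signal: a DryRun RunInstances probe followed by a real RunInstances
    from the same access key within `window` (10 minutes here, the report's access-to-miner time)."""
    first_probe, hits = {}, []
    for ev in sorted(events, key=event_time):
        if ev.get("eventName") != "RunInstances":
            continue
        key = principal_of(ev)
        if ev.get("errorCode") == "Client.DryRunOperation":
            first_probe.setdefault(key, event_time(ev))
        elif "errorCode" not in ev and key in first_probe and event_time(ev) - first_probe[key] <= window:
            hits.append((key, ev["eventTime"]))
    return hits
```

To use it on real data, load the Records array from CloudTrail log files and pass it to run_rules and correlate_probe_then_launch. A dryrun_probe finding from an IP outside the organisation's known ranges is worth alerting on by itself: legitimate DryRun use almost always comes from CI runners or an administrator's workstation, not from an unfamiliar hosting provider.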
Amazon emphasized that this was not a hack of AWS itself, but a compromise of user credentials. “It’s important to note that these actions don’t take advantage of a vulnerability within an AWS service but rather require valid credentials that an unauthorized user uses in an unintended way”.