HazyBeacon Malware Hijacks AWS Lambda for Covert C2 Attacks
A sophisticated cloud-native malware campaign, tracked as HazyBeacon (CL-STA-1020), is exploiting Amazon Web Services (AWS) Lambda Function URLs to build covert command-and-control (C2) infrastructure, marking a significant evolution in how threat actors abuse legitimate cloud services to evade detection.
Documented by Qualys, the campaign primarily targets government entities across Southeast Asia, leveraging misconfigured serverless infrastructure to blend malicious traffic seamlessly with trusted cloud activity.
Unlike traditional C2 architectures that rely on attacker-owned VPS servers or compromised domains, HazyBeacon adopts a “borrowed infrastructure” model, deploying malicious components directly within legitimate AWS environments.
HazyBeacon Malware Hijacks AWS Lambda
Attackers gain initial access using stolen Identity and Access Management (IAM) credentials, typically harvested from exposed GitHub repositories, phishing campaigns, or compromised developer environments.
With these credentials, threat actors deploy Lambda functions and expose them via public Function URLs configured with AuthType set to NONE, effectively disabling all authentication at the infrastructure level.
Once deployed, the Lambda function acts as a transparent HTTPS proxy, relaying encrypted traffic between infected endpoints and the attacker’s backend server.
Because all traffic appears to originate from trusted AWS domains ending in on.aws, conventional network defenses and domain reputation systems fail to flag or block the activity, granting operators sustained, low-visibility access to compromised networks.

Introduced in 2022, AWS Lambda Function URLs allow developers to expose serverless functions through HTTPS endpoints without requiring API Gateway or a load balancer.
While this reduces operational overhead for legitimate use cases, unauthenticated public endpoints provide attackers with an instant, scalable C2 mechanism that inherits AWS’s trusted global reputation, making network-perimeter blocking largely impractical for enterprise security teams.
The attack lifecycle is rooted in identity and configuration failures rather than zero-day exploitation. After a credential compromise, attackers validate account permissions using low-noise API calls such as get-caller-identity and IAM policy enumeration to confirm privileges without triggering alerts.
Lambda functions are then deployed in less-monitored AWS regions under benign naming conventions, and persistence is established by attaching public Function URLs, transforming the compromised account into an unwitting C2 node capable of processing thousands of malicious requests per hour.
Mapped to the MITRE ATT&CK framework, the campaign leverages valid account abuse (T1078.004), serverless execution (T1648), regional artifact hiding (T1564), and web service-based C2 (T1102).
Qualys emphasizes that HazyBeacon exploits no inherent AWS vulnerability; it capitalizes entirely on weak identity governance and insufficient monitoring.
Enforcing multi-factor authentication and regularly rotating access keys significantly reduces the risk of unauthorized infrastructure deployment. Enabling AWS CloudTrail logging across all regions provides visibility into suspicious API activity, including unauthorized Lambda creation and Function URL configuration events.
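The CloudTrail visibility described above only helps if someone is actually looking for the right events. The following is an added detection example, not code from the article or from Qualys: it runs over a handful of constructed CloudTrail records and flags the two configuration changes that turn a function into an unauthenticated endpoint (a Function URL created or updated with AuthType NONE, and a resource-policy permission that opens the URL to a public principal), plus function creation in a region the organization does not normally use. The region allow-list and the account, principal and function names are assumptions; the event-name date suffixes follow the pattern Lambda uses in CloudTrail and are matched loosely rather than hard-coded.

```python
import re
from dataclasses import dataclass

# Regions where this (hypothetical) organization actually runs workloads.
EXPECTED_REGIONS = {"us-east-1", "eu-west-1"}

# Lambda CloudTrail eventName values carry an API-version date suffix
# (e.g. CreateFunctionUrlConfig20211001, AddPermission20150331v2); the
# patterns tolerate the suffix instead of pinning a particular version.
FUNCTION_URL_EVENT = re.compile(r"^(Create|Update)FunctionUrlConfig\d*$")
ADD_PERMISSION_EVENT = re.compile(r"^AddPermission\d*(v\d+)?$")
CREATE_FUNCTION_EVENT = re.compile(r"^CreateFunction\d*$")


@dataclass
class Finding:
    severity: str
    event_name: str
    detail: str


def _actor(record):
    return (record.get("userIdentity") or {}).get("arn", "unknown-principal")


def analyze_trail(records, expected_regions=EXPECTED_REGIONS):
    """Return findings for records that look like Function URL C2 staging."""
    findings = []
    for rec in records:
        name = rec.get("eventName", "")
        params = rec.get("requestParameters") or {}
        fn = params.get("functionName", "?")
        region = rec.get("awsRegion", "?")
        actor = _actor(rec)
        if FUNCTION_URL_EVENT.match(name) and params.get("authType") == "NONE":
            findings.append(Finding("high", name,
                f"unauthenticated Function URL on {fn} in {region} by {actor}"))
        elif ADD_PERMISSION_EVENT.match(name) and params.get("functionUrlAuthType") == "NONE":
            findings.append(Finding("high", name,
                f"resource policy opens Function URL on {fn} to principal "
                f"{params.get('principal')} by {actor}"))
        elif CREATE_FUNCTION_EVENT.match(name) and region not in expected_regions:
            findings.append(Finding("medium", name,
                f"function {fn} created in unexpected region {region} by {actor}"))
    return findings


# Constructed sample records (account id, names and ARNs are made up).
_CI_USER = {"arn": "arn:aws:iam::123456789012:user/ci-deployer"}
_ADMIN_ROLE = {"arn": "arn:aws:iam::123456789012:role/platform-admin"}
SAMPLE_TRAIL = [
    {"eventSource": "lambda.amazonaws.com", "eventName": "CreateFunction20150331",
     "awsRegion": "ap-southeast-1", "userIdentity": _CI_USER,
     "requestParameters": {"functionName": "metrics-collector", "runtime": "python3.12"}},
    {"eventSource": "lambda.amazonaws.com", "eventName": "CreateFunctionUrlConfig20211001",
     "awsRegion": "ap-southeast-1", "userIdentity": _CI_USER,
     "requestParameters": {"functionName": "metrics-collector", "authType": "NONE"}},
    {"eventSource": "lambda.amazonaws.com", "eventName": "AddPermission20150331v2",
     "awsRegion": "ap-southeast-1", "userIdentity": _CI_USER,
     "requestParameters": {"functionName": "metrics-collector",
                           "statementId": "FunctionURLAllowPublicAccess",
                           "action": "lambda:InvokeFunctionUrl", "principal": "*",
                           "functionUrlAuthType": "NONE"}},
    {"eventSource": "lambda.amazonaws.com", "eventName": "UpdateFunctionUrlConfig20211001",
     "awsRegion": "us-east-1", "userIdentity": _ADMIN_ROLE,
     "requestParameters": {"functionName": "internal-api", "authType": "AWS_IAM"}},
    {"eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity",
     "awsRegion": "us-east-1", "userIdentity": _CI_USER, "requestParameters": None},
]

if __name__ == "__main__":
    for f in analyze_trail(SAMPLE_TRAIL):
        print(f"[{f.severity}] {f.event_name}: {f.detail}")
```

The IAM-authenticated UpdateFunctionUrlConfig and the GetCallerIdentity call produce no finding on their own; the point is to alert on the AuthType NONE transition and on the public-principal permission, which together are what the campaign needs, and to treat an unexpected region as a supporting signal rather than a verdict.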
Organizations should also monitor VPC flow logs for anomalous Lambda traffic patterns, particularly near one-to-one inbound-to-outbound connection ratios that are characteristic of proxy behavior.
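To make the inbound-to-outbound ratio heuristic concrete, here is an added example (not from the article or Qualys) that scores VPC flow log records per elastic network interface. It infers each interface's own address as the one appearing most often in its records, counts accepted inbound versus outbound flows, and marks an interface as a relay candidate when the ratio sits near 1:1 over enough flows. The sample log lines, interface ids and addresses are constructed; the default thresholds are assumptions to tune against your own baseline.

```python
from collections import Counter, defaultdict

# Constructed VPC flow log records in the default (v2) format:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.0.1.25 51234 443 6 10 4200 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.25 203.0.113.10 44111 443 6 10 4180 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.22 10.0.1.25 51290 443 6 12 5100 1700000060 1700000120 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.25 203.0.113.10 44112 443 6 12 5090 1700000060 1700000120 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.31 10.0.1.25 51301 443 6 9 3900 1700000120 1700000180 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.25 203.0.113.10 44113 443 6 9 3880 1700000120 1700000180 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.45 10.0.1.25 51377 443 6 11 4700 1700000180 1700000240 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.25 203.0.113.10 44114 443 6 11 4690 1700000180 1700000240 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.50 10.0.1.25 51402 443 6 8 3500 1700000240 1700000300 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.25 203.0.113.10 44115 443 6 8 3490 1700000240 1700000300 ACCEPT OK
2 123456789012 eni-0f1e2d3c4b5a69788 198.51.100.60 10.0.2.40 40001 443 6 30 12000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0f1e2d3c4b5a69788 198.51.100.61 10.0.2.40 40002 443 6 25 11000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0f1e2d3c4b5a69788 198.51.100.62 10.0.2.40 40003 443 6 28 11500 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0f1e2d3c4b5a69788 198.51.100.63 10.0.2.40 40004 443 6 31 12400 1700000060 1700000120 ACCEPT OK
2 123456789012 eni-0f1e2d3c4b5a69788 198.51.100.64 10.0.2.40 40005 443 6 27 11200 1700000060 1700000120 ACCEPT OK
2 123456789012 eni-0f1e2d3c4b5a69788 198.51.100.65 10.0.2.40 40006 443 6 29 11900 1700000060 1700000120 ACCEPT OK
2 123456789012 eni-0f1e2d3c4b5a69788 10.0.2.40 10.0.3.5 40100 5432 6 40 9000 1700000000 1700000120 ACCEPT OK
2 123456789012 eni-0f1e2d3c4b5a69788 198.51.100.99 10.0.2.40 40200 22 6 1 60 1700000000 1700000060 REJECT OK
"""


def parse_flow_record(line):
    f = line.split()
    if len(f) < 14:
        raise ValueError(f"not a v2 flow log record: {line!r}")
    return {"eni": f[2], "src": f[3], "dst": f[4], "bytes": int(f[9]), "action": f[12]}


def proxy_candidates(log_text, min_flows=4, low=0.8, high=1.25):
    """Per-ENI inbound/outbound accepted-flow ratio; flags near-1:1 relays."""
    per_eni = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip() or line.startswith("version"):
            continue
        rec = parse_flow_record(line)
        if rec["action"] == "ACCEPT":
            per_eni[rec["eni"]].append(rec)

    report = {}
    for eni, recs in per_eni.items():
        # The interface's own address is the one present in every record.
        addr_counts = Counter()
        for r in recs:
            addr_counts[r["src"]] += 1
            addr_counts[r["dst"]] += 1
        own_ip = addr_counts.most_common(1)[0][0]
        inbound = [r for r in recs if r["dst"] == own_ip]
        outbound = [r for r in recs if r["src"] == own_ip]
        ratio = len(inbound) / len(outbound) if outbound else float("inf")
        report[eni] = {
            "own_ip": own_ip,
            "inbound": len(inbound),
            "outbound": len(outbound),
            "ratio": round(ratio, 2),
            "outbound_peers": sorted({r["dst"] for r in outbound}),
            "suspect": len(inbound) >= min_flows and low <= ratio <= high,
        }
    return report


if __name__ == "__main__":
    for eni, info in proxy_candidates(SAMPLE_FLOW_LOG).items():
        print(eni, info)
```

The first interface matches the relay profile: every inbound session is paired with an outbound session of nearly the same size to a single external peer. The second looks like an ordinary web tier (many clients in, one database connection out) and is not flagged. The single outbound peer is reported for the analyst rather than used in the verdict, since a legitimate proxy can look the same; the ratio is a triage signal to correlate with the CloudTrail configuration events, not proof of compromise.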
Implementing Service Control Policies at the AWS Organization level to restrict the creation of public Function URLs unless explicitly approved enforces a zero-trust model for serverless exposure and removes one of the primary prerequisites for this class of attack.
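An added example of the preventive control just described (not from the article or from Qualys): a Service Control Policy that denies creating or updating a Function URL, or adding an invoke permission for one, whenever the request sets the URL's auth type to NONE, except for an explicitly approved role. The lambda:FunctionUrlAuthType and aws:PrincipalArn condition keys and the three Lambda actions are real AWS constructs; the approver role name is a placeholder. The small evaluator alongside the policy is a deliberately simplified model of how IAM would apply this one Deny statement, included so the policy's behaviour can be checked against sample requests before it is attached to an organizational unit.

```python
import json
from fnmatch import fnmatch

# Placeholder: the one role allowed to create public Function URLs after review.
APPROVED_ROLE_PATTERN = "arn:aws:iam::*:role/FunctionUrlApprovers"

SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyUnauthenticatedFunctionUrls",
            "Effect": "Deny",
            "Action": [
                "lambda:CreateFunctionUrlConfig",
                "lambda:UpdateFunctionUrlConfig",
                "lambda:AddPermission",
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {"lambda:FunctionUrlAuthType": "NONE"},
                "ArnNotLike": {"aws:PrincipalArn": APPROVED_ROLE_PATTERN},
            },
        }
    ],
}


def _action_matches(patterns, action):
    return any(fnmatch(action, p) for p in patterns)


def _condition_matches(condition, ctx):
    """Simplified IAM condition evaluation for the two operators used above.

    StringEquals on a missing key does not match (so the Deny does not fire);
    ArnNotLike on a missing key does match, mirroring IAM's negated operators.
    """
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if operator == "StringEquals":
                if actual != expected:
                    return False
            elif operator == "ArnNotLike":
                if actual is not None and fnmatch(actual, expected):
                    return False
            else:
                raise ValueError(f"operator not modelled: {operator}")
    return True


def scp_denies(action, ctx, policy=SCP):
    """True if any Deny statement in the policy applies to this request."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if _action_matches(actions, action) and _condition_matches(stmt.get("Condition", {}), ctx):
            return True
    return False


if __name__ == "__main__":
    print(json.dumps(SCP, indent=2))
    dev = {"aws:PrincipalArn": "arn:aws:iam::123456789012:user/ci-deployer",
           "lambda:FunctionUrlAuthType": "NONE"}
    print("dev creates public URL ->", "DENY" if scp_denies("lambda:CreateFunctionUrlConfig", dev) else "allow")
```

A few points worth noting when adopting this: the SCP must be attached above the accounts in question and does not affect the management account; it blocks the NONE setting at the API level regardless of which IAM user or stolen key makes the call, which is exactly the property needed against credential theft; and because AddPermission is also covered, an attacker cannot sidestep it by creating the URL with AWS_IAM and then opening the resource policy to a public principal.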
HazyBeacon reflects a broader industry shift toward cloud-native attack surfaces, where adversaries weaponize legitimate platforms to evade detection and complicate attribution.
As cloud adoption accelerates globally, infrastructure misconfigurations and identity weaknesses can silently convert trusted services into active components of cyber espionage operations, reinforcing that cloud security hygiene is now a frontline defensive priority.