The activity, tracked as CL-STA-1020, has been linked to intelligence-gathering operations focused on sensitive state information, including material tied to tariffs, trade disputes and government policy discussions. Security researchers have identified the campaign as part of a wider movement by advanced threat actors away from easily blocked attacker-owned servers and toward cloud-native infrastructure that is trusted by corporate and public-sector networks.
HazyBeacon’s most notable feature is its use of AWS Lambda Function URLs for command-and-control communications. Lambda Function URLs allow developers to expose serverless functions directly through HTTPS endpoints. When configured with weak access controls or public invocation settings, these endpoints can be used as relays between infected systems and attacker-controlled infrastructure.
This technique presents a problem for defenders because traffic to AWS domains is common in government, enterprise and contractor environments. Conventional network controls that rely on blocking suspicious IP addresses or unfamiliar domains may struggle to distinguish malicious beaconing from legitimate cloud activity. Encrypted HTTPS traffic further reduces visibility unless organisations have strong endpoint telemetry, cloud logging and behavioural detection in place.
The campaign does not appear to exploit a flaw in AWS itself. Instead, it abuses legitimate cloud features and poor security hygiene around identity, permissions and public endpoints. Lambda Function URLs support authentication settings that either require AWS identity-based access or allow unauthenticated public access where policies permit it. Attackers can exploit overly permissive configurations or compromised credentials to create infrastructure that looks benign from the outside.
HazyBeacon has been observed as a malicious DLL, with execution aided by DLL side-loading. The malware has used a file named mscorsvc.dll and has been associated with a legitimate-looking executable, mscorsvw.exe, to help evade casual scrutiny. Once running, the backdoor communicates with an AWS Lambda URL, receives commands and supports further payload delivery.
The operators also used legitimate file-sharing services during later stages of the intrusion. Google Drive and Dropbox were used for data movement, helping the campaign hide exfiltration activity among routine workplace traffic. Tools connected with the operation included archive utilities and custom upload components placed under system directories, enabling the collection, compression and transfer of targeted files.
Government entities in Southeast Asia are attractive targets because of the region’s role in trade negotiations, supply-chain policy, maritime disputes, economic security and strategic competition among major powers. Access to tariff-related material and policy documents can provide intelligence value well beyond the immediate victim, especially when negotiations involve multiple states, investors and industrial sectors.
The operation shows how espionage groups are adapting to the cloud era. Earlier command-and-control infrastructure often depended on rented virtual private servers, compromised websites or newly registered domains. Those assets could be identified through reputation systems, takedown requests or threat-intelligence feeds. Cloud-native C2 changes that equation by using legitimate platforms that defenders may be reluctant to block because of business disruption risks.
Serverless infrastructure adds another layer of difficulty. Lambda functions can be created quickly, scaled automatically and discarded with little operational footprint. A function URL can act as a lightweight proxy, forwarding requests between malware and a backend system while presenting defenders with traffic that appears to terminate at a trusted cloud provider. This makes identity controls and control-plane monitoring as important as traditional perimeter defence.
The risk is not confined to the HazyBeacon campaign. Security teams have warned for years that trusted services are increasingly being repurposed for malware delivery, payload hosting, command routing and data theft. Attackers have used cloud storage, collaboration platforms, content delivery networks and developer tools to reduce the chance of detection. HazyBeacon extends that pattern into serverless functions, underlining how legitimate application features can be turned into espionage infrastructure.
Defensive measures include enforcing least-privilege access for cloud identities, restricting public Lambda Function URLs, reviewing resource-based policies, enabling CloudTrail across regions and alerting on unusual function creation or invocation patterns. Monitoring should also cover unexpected use of regions that do not match an organisation’s normal operations, abnormal outbound traffic from sensitive systems and unauthorised use of file-sharing services.
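As an added illustration of the CloudTrail-based checks listed above (this is example code written for this article, not tooling from the article or any vendor), the script below runs three rules over Lambda control-plane records offline: a Function URL created or updated with unauthenticated access, a resource policy granting lambda:InvokeFunctionUrl to every principal, and Lambda changes in a region outside an organisation's expected set. The log records are constructed; the expected-region list is an assumption for a hypothetical organisation, and the camelCase requestParameters keys and the date-suffixed eventName values follow the Lambda API parameter names as CloudTrail records them, which should be confirmed against your own logs before deploying the rules.

```python
import json
import re
from typing import Iterable

# Regions the (hypothetical) organisation normally deploys to; anything else is
# flagged when it carries a Lambda control-plane change. Assumption for this example.
EXPECTED_REGIONS = {"ap-southeast-1", "ap-southeast-2"}

# Lambda API calls whose appearance in an unusual region is worth a closer look.
WATCHED_CONTROL_PLANE_CALLS = {
    "CreateFunction",
    "CreateFunctionUrlConfig",
    "UpdateFunctionUrlConfig",
    "AddPermission",
}

# Constructed CloudTrail log file (the real format is {"Records": [...]}).
# Event 1: a Function URL made public in a region the organisation does not use.
# Event 2: a resource policy opening InvokeFunctionUrl to principal "*".
# Event 3: a Function URL that keeps AWS_IAM authentication (benign).
SAMPLE_LOG = json.dumps({"Records": [
    {
        "eventTime": "2025-07-14T08:12:41Z",
        "eventSource": "lambda.amazonaws.com",
        "eventName": "CreateFunctionUrlConfig20211007",
        "awsRegion": "us-east-1",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-operator"},
        "requestParameters": {"functionName": "relay-fn", "authType": "NONE"},
    },
    {
        "eventTime": "2025-07-14T08:13:02Z",
        "eventSource": "lambda.amazonaws.com",
        "eventName": "AddPermission20150331v2",
        "awsRegion": "ap-southeast-1",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-operator"},
        "requestParameters": {
            "functionName": "relay-fn",
            "statementId": "FunctionURLAllowPublicAccess",
            "action": "lambda:InvokeFunctionUrl",
            "principal": "*",
            "functionUrlAuthType": "NONE",
        },
    },
    {
        "eventTime": "2025-07-14T09:00:00Z",
        "eventSource": "lambda.amazonaws.com",
        "eventName": "CreateFunctionUrlConfig20211007",
        "awsRegion": "ap-southeast-1",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:role/deploy-pipeline"},
        "requestParameters": {"functionName": "reports-api", "authType": "AWS_IAM"},
    },
]})


def base_event_name(name: str) -> str:
    """Strip the API-version suffix CloudTrail appends to Lambda eventNames
    (e.g. 'AddPermission20150331v2' -> 'AddPermission') so rules match the base call."""
    return re.sub(r"\d{8}.*$", "", name)


def findings_for(event: dict) -> list[str]:
    """Apply the three rules to one CloudTrail record; return [] when nothing fires."""
    out: list[str] = []
    if event.get("eventSource") != "lambda.amazonaws.com":
        return out
    name = base_event_name(event.get("eventName", ""))
    params = event.get("requestParameters") or {}
    region = event.get("awsRegion", "")
    fn = params.get("functionName", "<unknown>")
    actor = (event.get("userIdentity") or {}).get("arn", "<unknown>")

    # Rule 1: Function URL created or changed to accept unauthenticated requests.
    if name in {"CreateFunctionUrlConfig", "UpdateFunctionUrlConfig"} and params.get("authType") == "NONE":
        out.append(f"PUBLIC_FUNCTION_URL function={fn} region={region} actor={actor}")

    # Rule 2: resource-based policy lets any principal invoke the Function URL.
    if (name == "AddPermission"
            and params.get("action") == "lambda:InvokeFunctionUrl"
            and params.get("principal") == "*"):
        out.append(f"WILDCARD_INVOKE_URL_PERMISSION function={fn} region={region} actor={actor}")

    # Rule 3: Lambda control-plane change outside the expected regions.
    if region and region not in EXPECTED_REGIONS and name in WATCHED_CONTROL_PLANE_CALLS:
        out.append(f"UNEXPECTED_REGION call={name} function={fn} region={region} actor={actor}")
    return out


def load_records(log_text: str) -> list[dict]:
    """Parse a CloudTrail log file body into its list of records."""
    return json.loads(log_text).get("Records", [])


def audit(records: Iterable[dict]) -> list[str]:
    """Run every record through the rules and collect the findings in log order."""
    findings: list[str] = []
    for record in records:
        findings.extend(findings_for(record))
    return findings


if __name__ == "__main__":
    for line in audit(load_records(SAMPLE_LOG)):
        print(line)
```

Against the constructed log the first event raises two findings (public URL and unexpected region), the second raises one (wildcard permission) and the third raises none, so the rules catch the configuration the article describes as the enabling weakness without flagging a URL that keeps IAM authentication. In production the same functions would run over CloudTrail files delivered to S3 or over events routed through EventBridge, and the region allow-list would come from an inventory rather than a constant.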