Researchers from Unit 42 at Palo Alto Networks have been monitoring a complex cluster of malicious behavior known as CL-STA-1020 since late 2024. This activity has been specifically targeting Southeast Asian government organizations.
The goal of these attackers appears to be covert intelligence gathering, with particular interest in sensitive data related to recent tariffs and trade disputes.
The campaign has been marked by advanced tactics and the deployment of a previously undocumented Windows backdoor, named HazyBeacon, which demonstrates innovative abuse of public cloud infrastructure for command-and-control (C2) operations.
HazyBeacon Backdoor Leverages AWS Lambda
The standout feature of this campaign is HazyBeacon’s use of AWS Lambda URL endpoints as a C2 channel.
AWS Lambda function URLs, introduced in 2022, expose a serverless function over HTTPS at a host of the form <url-id>.lambda-url.<region>.on.aws, with no API Gateway configuration required.
The attackers stood up such a function URL in the ap-southeast-1 AWS region and used it to issue commands to compromised machines and retrieve their results, with the traffic indistinguishable at the domain level from ordinary business use of AWS.

This blend-in approach makes traditional network detection substantially harder: the C2 host sits under an AWS-owned domain, so domain reputation and allow-list controls cannot separate it from legitimate AWS traffic. Defenders instead have to look at which process is talking to which function URL, whether that URL has been seen elsewhere in the environment, and how regularly it is contacted.
HazyBeacon was deployed via DLL sideloading: the malicious mscorsvc.dll was dropped into C:\Windows\assembly\ (see the IOC table below), where it is picked up by the legitimate .NET executable mscorsvw.exe.
When that executable ran, it loaded the trojanized DLL, and persistence was established through a newly created service named ‘msdnetsvc’.
Once active, HazyBeacon connected to the attacker-controlled Lambda URL, initiated beaconing, and began receiving payloads and further instructions.
Cloud Storage Abused for Exfiltration
The attackers further disguised their activity by exfiltrating data through legitimate cloud storage platforms, including Google Drive and Dropbox.
Payloads delivered by HazyBeacon included utilities to collect and compress targeted files, such as documents on trade disputes, and custom tools to upload these archives to attacker-controlled cloud repositories.

These utilities imitated normal business operations, complicating detection amid routine cloud traffic.
After compressing and segmenting the stolen files, the attackers attempted uploads using several dedicated uploader binaries (the google.exe, GoogleDrive.exe, GoogleDriveUpload.exe and Dropbox.exe files listed in the IOC table), all staged under C:\ProgramData rather than in the directories the genuine desktop clients install to.
In the instances analyzed, defensive mechanisms succeeded in flagging and blocking these exfiltration attempts.
The attackers then ran cleanup commands to erase forensic traces, including payloads and intermediate data, underscoring the operational maturity of the campaign.
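The two network patterns described above, periodic beacons to a Lambda function URL and bulk uploads to consumer cloud-storage APIs, can both be hunted in proxy or firewall logs. The following script is an added example written for this article, not code from Unit 42 or from HazyBeacon itself. It runs over a constructed sample log (the timestamps, IPs, url-id and byte counts are made up, and the Lambda host is not the real C2), matches hosts against the documented Lambda URL shape, measures how regular the contact interval is, and totals bytes sent to the Dropbox and Google Drive upload hosts per source and process, flagging totals over a threshold or an uploader running from an unexpected directory. The directory allow-list and the 5 MB threshold are assumptions to tune for your environment.

```python
"""Hunt proxy logs for HazyBeacon-style patterns: periodic beacons to AWS Lambda
function URLs, and bulk uploads to cloud-storage APIs from odd processes."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Host shape of an AWS Lambda function URL: <url-id>.lambda-url.<region>.on.aws
LAMBDA_URL_HOST = re.compile(r"^[a-z0-9]+\.lambda-url\.([a-z]{2}-[a-z]+-\d)\.on\.aws$")

# Upload endpoints of the two storage services abused in the campaign (a starting list).
CLOUD_STORAGE_HOSTS = {
    "content.dropboxapi.com",  # Dropbox API: /2/files/upload
    "www.googleapis.com",      # Google Drive API: /upload/drive/v3/files
}

# Where the genuine Dropbox / Google Drive desktop clients normally run from (assumption).
EXPECTED_CLIENT_DIRS = ("c:\\program files", "c:\\users\\")

# Constructed sample proxy log, one request per line:
# <timestamp> <src-ip> <dest-host> <bytes-out> <process-path>
SAMPLE_LOG = r"""
2025-05-12T09:00:00Z 10.1.2.3 abcdefghijklmnopqrstuvwxyz012345.lambda-url.ap-southeast-1.on.aws 312 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
2025-05-12T09:05:01Z 10.1.2.3 abcdefghijklmnopqrstuvwxyz012345.lambda-url.ap-southeast-1.on.aws 298 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
2025-05-12T09:10:00Z 10.1.2.3 abcdefghijklmnopqrstuvwxyz012345.lambda-url.ap-southeast-1.on.aws 305 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
2025-05-12T09:15:00Z 10.1.2.3 abcdefghijklmnopqrstuvwxyz012345.lambda-url.ap-southeast-1.on.aws 310 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
2025-05-12T09:20:00Z 10.1.2.3 abcdefghijklmnopqrstuvwxyz012345.lambda-url.ap-southeast-1.on.aws 301 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
2025-05-12T09:03:10Z 10.1.2.7 www.googleapis.com 48000 C:\Program Files\Google\Chrome\Application\chrome.exe
2025-05-12T09:07:44Z 10.1.2.7 zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz.lambda-url.us-east-1.on.aws 1200 C:\Program Files\Google\Chrome\Application\chrome.exe
2025-05-12T09:21:00Z 10.1.2.3 content.dropboxapi.com 2000000 C:\ProgramData\Dropbox.exe
2025-05-12T09:21:30Z 10.1.2.3 content.dropboxapi.com 2000000 C:\ProgramData\Dropbox.exe
2025-05-12T09:22:00Z 10.1.2.3 content.dropboxapi.com 2000000 C:\ProgramData\Dropbox.exe
2025-05-12T09:22:30Z 10.1.2.3 content.dropboxapi.com 1500000 C:\ProgramData\Dropbox.exe
2025-05-12T09:30:00Z 10.1.2.7 content.dropboxapi.com 350000 C:\Users\alice\AppData\Local\Dropbox\Client\Dropbox.exe
"""


def parse_log(text):
    """Parse the whitespace-separated format above; the process path may contain spaces."""
    events = []
    for line in text.strip().splitlines():
        ts, src, host, nbytes, proc = line.split(None, 4)
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src": src,
            "host": host.lower(),
            "bytes_out": int(nbytes),
            "proc": proc,
        })
    return events


def interval_stats(times):
    """Mean gap between consecutive contacts and its coefficient of variation (jitter)."""
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    mean = statistics.mean(gaps)
    cv = statistics.pstdev(gaps) / mean if mean else float("inf")
    return mean, cv


def find_lambda_beacons(events, min_hits=4, max_cv=0.2):
    """Flag (src, host) pairs that contact a Lambda function URL on a near-fixed period."""
    contacts = defaultdict(list)
    regions = {}
    for ev in events:
        m = LAMBDA_URL_HOST.match(ev["host"])
        if m:
            contacts[(ev["src"], ev["host"])].append(ev["time"])
            regions[ev["host"]] = m.group(1)
    findings = []
    for (src, host), times in contacts.items():
        if len(times) < min_hits:
            continue  # too few contacts to judge periodicity
        mean, cv = interval_stats(times)
        if cv <= max_cv:
            findings.append({"src": src, "host": host, "region": regions[host],
                             "hits": len(times), "period_s": round(mean), "cv": round(cv, 3)})
    return findings


def find_bulk_uploads(events, min_bytes=5_000_000):
    """Flag sources pushing a large volume to cloud-storage upload APIs, or doing so from
    a process path where a real sync client would not live (e.g. C:\\ProgramData)."""
    totals = defaultdict(int)
    for ev in events:
        if ev["host"] in CLOUD_STORAGE_HOSTS:
            totals[(ev["src"], ev["host"], ev["proc"])] += ev["bytes_out"]
    findings = []
    for (src, host, proc), total in totals.items():
        odd_path = not proc.lower().startswith(EXPECTED_CLIENT_DIRS)
        if total >= min_bytes or odd_path:
            findings.append({"src": src, "host": host, "proc": proc,
                             "bytes_out": total, "unexpected_path": odd_path})
    return findings


def analyze(text):
    events = parse_log(text)
    return {"beacons": find_lambda_beacons(events), "uploads": find_bulk_uploads(events)}


if __name__ == "__main__":
    for kind, items in analyze(SAMPLE_LOG).items():
        for item in items:
            print(kind, item)
```

On the sample data the script reports one beacon (10.1.2.3 to the ap-southeast-1 function URL every 300 seconds with almost no jitter) and one upload finding (7.5 MB to content.dropboxapi.com from C:\ProgramData\Dropbox.exe); the single browser visit to a different function URL and the small upload from a Dropbox client under the user's profile are left alone. Real beacons often add random sleep jitter, so raise max_cv or switch to a histogram of intervals before relying on the periodicity check in production.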
According to the report, Unit 42’s analysis of CL-STA-1020 underscores a growing trend: threat actors are increasingly exploiting trusted cloud services for both C2 and exfiltration, taking advantage of services like AWS Lambda URLs to create flexible, scalable, and difficult-to-detect attack infrastructure.
Security teams are urged to prioritize enhanced monitoring for anomalous communications with cloud endpoints and review endpoint protection strategies to detect patterns associated with serverless C2 abuse and unauthorized data uploads.
Palo Alto Networks has updated detection strategies across its product lines, including Advanced WildFire and Cortex XDR, to address tactics associated with HazyBeacon.
Unit 42 recommends regular cloud security assessments and collaboration with incident response teams in the event of compromise.
The findings have been shared with the Cyber Threat Alliance (CTA) to facilitate rapid, industry-wide defensive action.
Indicators of Compromise (IOCs)
| File Name / Path | Description | SHA256 Hash |
|---|---|---|
| C:\Windows\assembly\mscorsvc.dll | Lambda-URL backdoor (HazyBeacon) | 4931df8650521cfd686782919bda0f376475f9fc5f1fee9d7cf3a4e0d9c73e30 |
| C:\ProgramData\google.exe | Google Drive file uploader | d20b536c88ecd326f79d7a9180f41a2e47a40fcf2cc6a2b02d68a081c89eaeaa |
| C:\ProgramData\GoogleDrive.exe | Google Drive file uploader | 304c615f4a8c2c2b36478b693db767d41be998032252c8159cc22c18a65ab498 |
| C:\ProgramData\GoogleDriveUpload.exe | Google Drive file uploader | f0c9481513156b0cdd216d6dfb53772839438a2215d9c5b895445f418b64b886 |
| C:\ProgramData\Dropbox.exe | Dropbox file uploader | 3255798db8936b5b3ae9fed6292413ce20da48131b27394c844ecec186a1e92f |
| C:\ProgramData\igfx.exe | File collector | 279e60e77207444c7ec7421e811048267971b0db42f4b4d3e975c7d0af7f511e |
| C:\ProgramData\GoogleGet.exe | Google Drive connect tool | d961aca6c2899cc1495c0e64a29b85aa226f40cf9d42dadc291c4f601d6e27c3 |