An ongoing campaign has been observed targeting Amazon Web Services (AWS) customers using compromised Identity and Access Management (IAM) credentials to enable cryptocurrency mining.
The activity, first detected by Amazon’s GuardDuty managed threat detection service and its automated security monitoring systems on November 2, 2025, employs never-before-seen persistence techniques to hamper incident response and continue unimpeded, according to a new report shared by the tech giant ahead of publication.
“Operating from an external hosting provider, the threat actor quickly enumerated resources and permissions before deploying crypto mining resources across ECS and EC2,” Amazon said. “Within 10 minutes of the threat actor gaining initial access, crypto miners were operational.”
The multi-stage attack chain essentially begins with the unknown adversary leveraging compromised IAM user credentials with admin-like privileges to initiate a discovery phase designed to probe the environment for EC2 service quotas and test their permissions by invoking the RunInstances API with the “DryRun” flag set.
This enabling of the “DryRun” flag is crucial and intentional as it enables the attackers to validate their IAM permissions without actually launching instances, thereby avoiding racking up costs and minimizing their forensic trail. The end goal of the step is to determine if the target infrastructure is suitable for deploying the miner program.
The infection proceeds to the next stage when the threat actor calls CreateServiceLinkedRole and CreateRole to create IAM roles for autoscaling groups and AWS Lambda, respectively. Once the roles are created, the “AWSLambdaBasicExecutionRole” policy is attached to the Lambda role.
In the activity observed to date, the threat actor is said to have created dozens of ECS clusters across the environment, in some cases exceeding 50 ECS clusters in a single attack.
“They then called RegisterTaskDefinition with a malicious DockerHub image yenik65958/secret:user,” Amazon said. “With the same string used for the cluster creation, the actor then created a service, using the task definition to initiate crypto mining on ECS Fargate nodes.”
The DockerHub image, which has since been taken down, is configured to run a shell script as soon as it’s deployed to launch cryptocurrency mining using the RandomVIREL mining algorithm. Additionally, the threat actor has been observed creating autoscaling groups that are set to scale from 20 to 999 instances in an effort to exploit EC2 service quotas and maximize resource consumption.
The EC2 activity has targeted both high-performance GPU and machine learning instances and compute, memory, and general-purpose instances.
What makes this campaign stand apart is its use of the ModifyInstanceAttribute action with the “disableApiTermination” parameter set to “True,” which prevents an instance from being terminated using the…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
