A highly sophisticated and ongoing campaign is actively targeting Amazon Web Services (AWS) customers, leveraging compromised Identity and Access Management (IAM) credentials to orchestrate a large-scale cryptocurrency mining operation. First brought to light by Amazon’s automated security monitoring systems on November 2, 2025, this threat actor employs novel persistence techniques specifically designed to frustrate incident response efforts and prolong their illicit activities. Operating from an external hosting provider, the attackers demonstrate a deep understanding of cloud architecture, managing to enumerate resources, assess permissions, and deploy crypto miners across both Elastic Container Service (ECS) and Elastic Compute Cloud (EC2) within a mere ten minutes of gaining initial access. The speed and efficiency of the operation, combined with its advanced evasion tactics, represent a significant evolution in the methodologies used by malicious actors targeting cloud environments, signaling a new level of threat for organizations relying on cloud infrastructure for their critical operations.
1. A Multi-Stage Attack Breakdown
The attack chain commences when the adversary gains access using stolen IAM user credentials that possess administrative or near-administrative privileges. Immediately following this initial breach, the attackers initiate a swift but thorough discovery phase to probe the compromised environment. Their primary objective is to determine the available EC2 service quotas and meticulously test the limits of their permissions. A key tactic in this stage is the invocation of the RunInstances API call with the “DryRun” flag intentionally enabled. This clever approach allows the attackers to validate their IAM permissions and assess the infrastructure’s suitability for mining without actually launching any instances. By doing so, they avoid accruing costs that might alert account owners and significantly minimize their forensic footprint, making early detection far more challenging. This calculated reconnaissance step ensures that they only proceed with the full-scale deployment on accounts that can support a profitable and sustained mining operation, showcasing a high degree of operational planning.
Once the environment is deemed suitable, the infection progresses to the deployment and resource escalation stage, where the threat actor moves to establish a resilient mining infrastructure. They begin by calling CreateServiceLinkedRole and CreateRole to create the necessary IAM roles for autoscaling groups and AWS Lambda, respectively, and then attach the “AWSLambdaBasicExecutionRole” policy to the Lambda role to grant it essential permissions. Following this setup, the attacker proceeds to create dozens of ECS clusters across the environment, in some observed cases exceeding 50 clusters in a single compromised account. They then register a malicious task definition using a DockerHub image, yenik65958/secret:user, which has since been removed. This container is configured to automatically execute a shell script upon deployment, launching a cryptocurrency miner that utilizes the RandomVIREL mining algorithm on ECS Fargate nodes. To maximize their illicit gains, the attackers also create autoscaling groups configured to scale from 20 to 999 instances, targeting a mix of high-performance GPU, machine learning, and general-purpose instances to exploit all available EC2 service quotas.
2. Evasion and Persistence Tactics
What truly distinguishes this campaign from previous crypto-mining attacks is its sophisticated use of built-in AWS features to ensure persistence and hinder remediation efforts. The threat actor employs the ModifyInstanceAttribute action, specifically setting the “disableApiTermination” parameter to “True” for the instances they deploy. This single change effectively prevents the compromised instances from being terminated through the Amazon EC2 console, the command-line interface (CLI), or standard API calls. This tactic directly impairs both manual and automated incident response capabilities, as security teams and their remediation scripts are blocked from removing the malicious resources. Victims are forced to first identify the locked instances and then manually re-enable API termination before they can proceed with deletion, a process that consumes valuable time and allows the mining operations to continue unimpeded. This technique reveals the attackers’ deep understanding of common security response procedures and their clear intent to maximize the duration and profitability of their campaign by directly countering established defense mechanisms.
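The recovery sequence the paragraph describes (identify the locked instances, clear the attribute, then terminate) as an added example that is not the article's or AWS's own code; it assumes a boto3-shaped EC2 client and includes a constructed FakeEC2 so it can run offline.

```python
# Added example (not from the article or AWS): clear disableApiTermination on
# locked instances, then terminate them. The EC2 client is injected so the logic
# runs offline against the constructed FakeEC2 below; with boto3 you would pass
# boto3.client("ec2") instead.


def find_locked_instances(ec2, instance_ids):
    """Return the instances whose disableApiTermination attribute is set."""
    locked = []
    for iid in instance_ids:
        attr = ec2.describe_instance_attribute(InstanceId=iid, Attribute="disableApiTermination")
        if attr["DisableApiTermination"]["Value"]:
            locked.append(iid)
    return locked


def unlock_and_terminate(ec2, instance_ids):
    """Re-enable API termination where needed, then terminate every instance.

    Returns the instances that were locked: the ones the attacker's
    ModifyInstanceAttribute call would otherwise have shielded from cleanup.
    """
    locked = find_locked_instances(ec2, instance_ids)
    for iid in locked:
        ec2.modify_instance_attribute(InstanceId=iid, DisableApiTermination={"Value": False})
    if instance_ids:
        ec2.terminate_instances(InstanceIds=list(instance_ids))
    return locked


class FakeEC2:
    """Constructed stand-in that mimics EC2 termination-protection semantics."""

    def __init__(self, locked_ids):
        self.locked = set(locked_ids)
        self.terminated = []

    def describe_instance_attribute(self, InstanceId, Attribute):
        return {"InstanceId": InstanceId, "DisableApiTermination": {"Value": InstanceId in self.locked}}

    def modify_instance_attribute(self, InstanceId, DisableApiTermination):
        if DisableApiTermination["Value"]:
            self.locked.add(InstanceId)
        else:
            self.locked.discard(InstanceId)

    def terminate_instances(self, InstanceIds):
        # EC2 refuses with OperationNotPermitted while a protected instance is in the request.
        protected = [i for i in InstanceIds if i in self.locked]
        if protected:
            raise RuntimeError(f"OperationNotPermitted: termination protection on {protected}")
        self.terminated.extend(InstanceIds)
        return {"TerminatingInstances": [{"InstanceId": i} for i in InstanceIds]}
```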
Beyond disabling termination, the attackers focus on establishing long-term backdoors to maintain their foothold within the compromised AWS account for future malicious activities. The campaign involves the creation of a new Lambda function that is configured to be invokable by any principal, effectively opening a persistent and difficult-to-detect entry point into the environment. Furthermore, the attackers create a new IAM user, consistently named “user-x1x2x3x4,” and attach the AWS managed policy “AmazonSESFullAccess” to it. This grants the adversary complete and unrestricted control over the Amazon Simple Email Service (SES) for the account. The most probable motivation for this action is to leverage the victim’s trusted email service to carry out large-scale phishing attacks. By sending malicious emails from a legitimate and verified domain, the attackers can significantly increase their chances of success in compromising other targets. This dual-pronged approach of resource exploitation for immediate gain and backdoor creation for future campaigns demonstrates a strategic, long-term vision that elevates the overall risk posed by this threat actor.
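Each of the actions described in sections 1 and 2 leaves a CloudTrail record. The following added example (not the article's or AWS's code) flags them over constructed sample records; the eventName and requestParameters shapes follow CloudTrail's rendering of the corresponding API calls, and the cluster threshold is an assumed tuning value.

```python
# Added example (not from the article or AWS): rules that flag CloudTrail records
# matching the campaign's observed actions. SAMPLE is constructed and trimmed to
# the fields the rules read; CLUSTER_THRESHOLD is an assumed tuning value.
from collections import Counter

SES_POLICY = "arn:aws:iam::aws:policy/AmazonSESFullAccess"
CLUSTER_THRESHOLD = 5  # the article saw 50+ ECS clusters in one account


def classify(rec):
    """Return a finding string for one CloudTrail record, or None if benign."""
    name, params = rec.get("eventName", ""), rec.get("requestParameters") or {}
    if name == "RunInstances" and rec.get("errorCode") == "Client.DryRunOperation":
        return "dry-run RunInstances (permission probing without launching)"
    if name == "ModifyInstanceAttribute" and (params.get("disableApiTermination") or {}).get("value"):
        return f"termination protection enabled on {params.get('instanceId')}"
    if name == "CreateUser" and params.get("userName") == "user-x1x2x3x4":
        return "campaign IAM user created: user-x1x2x3x4"
    if name == "AttachUserPolicy" and params.get("policyArn") == SES_POLICY:
        return f"AmazonSESFullAccess attached to {params.get('userName')}"
    if name.startswith("AddPermission") and params.get("principal") == "*":
        return "Lambda function made invokable by any principal"
    return None


def scan(records):
    """Per-record findings plus a volume rule for mass ECS cluster creation."""
    findings = [(r["eventTime"], f) for r in records if (f := classify(r))]
    clusters = Counter(r["userIdentity"]["arn"] for r in records if r.get("eventName") == "CreateCluster")
    for arn, n in clusters.items():
        if n >= CLUSTER_THRESHOLD:
            findings.append(("window", f"{n} ECS clusters created by {arn}"))
    return findings


ACTOR = {"arn": "arn:aws:iam::111122223333:user/compromised-admin"}  # constructed
SAMPLE = [
    {"eventTime": "2025-11-02T10:00:01Z", "eventName": "RunInstances", "userIdentity": ACTOR,
     "errorCode": "Client.DryRunOperation", "requestParameters": {"instanceType": "p4d.24xlarge"}},
    {"eventTime": "2025-11-02T10:04:10Z", "eventName": "ModifyInstanceAttribute", "userIdentity": ACTOR,
     "requestParameters": {"instanceId": "i-0123456789abcdef0", "disableApiTermination": {"value": True}}},
    {"eventTime": "2025-11-02T10:05:00Z", "eventName": "CreateUser", "userIdentity": ACTOR,
     "requestParameters": {"userName": "user-x1x2x3x4"}},
    {"eventTime": "2025-11-02T10:05:02Z", "eventName": "AttachUserPolicy", "userIdentity": ACTOR,
     "requestParameters": {"userName": "user-x1x2x3x4", "policyArn": SES_POLICY}},
    {"eventTime": "2025-11-02T10:06:00Z", "eventName": "AddPermission20150331v2", "userIdentity": ACTOR,
     "requestParameters": {"principal": "*", "action": "lambda:InvokeFunction"}},
] + [{"eventTime": f"2025-11-02T10:08:{i:02d}Z", "eventName": "CreateCluster", "userIdentity": ACTOR,
      "requestParameters": {"clusterName": f"c{i}"}} for i in range(6)]
```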
3. Proactive Security and Mitigation Strategies
The scripted use of multiple compute services, combined with these emerging persistence techniques, represents a significant advancement in crypto-mining attack methodologies. To defend against such threats, organizations need a multi-layered security posture focused on robust identity management and continuous monitoring. A foundational step is the enforcement of strong identity and access management controls: mandating multi-factor authentication (MFA) for all users without exception, and prioritizing temporary credentials over long-term access keys to limit the window of exposure if a key is compromised. Adherence to the principle of least privilege (PoLP) for all IAM principals is also critical, as it restricts an attacker's ability to escalate privileges and move laterally within an environment. Additionally, container security controls that scan for suspicious or unauthorized images, together with monitoring for unusual CPU allocation requests in ECS task definitions, provide crucial signals for early detection. Comprehensive logging of events across all AWS services with AWS CloudTrail and enabling Amazon GuardDuty are essential for the automated detection and response workflows needed to counter these rapid, highly automated attacks.