CL-STA-1020
CL-STA-1020 is a state-backed threat cluster tracked by Palo Alto Networks Unit 42 and associated with the HazyBeacon malware campaign, which targets government networks across Southeast Asia. HazyBeacon is described as a lightweight Windows backdoor that collects host information (hostname, IP address, and user privileges), receives encrypted commands to execute shell instructions or download additional payloads, and exfiltrates stolen documents and captured keystrokes. The activity abuses compromised Amazon Web Services accounts as command-and-control relay infrastructure rather than exploiting AWS vulnerabilities directly. According to the reporting, the operators obtain static IAM access keys from exposed GitHub repositories or phishing, validate them with low-noise AWS API calls, and deploy Lambda Function URLs configured with AuthType: NONE as public HTTPS relays on trusted on.aws domains. Malware traffic is sent as encrypted HTTP POST requests to these Lambda endpoints, which forward the payloads to attacker-controlled backend servers and return responses over the same relay path, so the communications blend in with normal encrypted HTTPS traffic to Amazon infrastructure. HazyBeacon names the malware and campaign; CL-STA-1020 is the Unit 42 cluster identifier.
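Detection logic for the relay configuration the summary describes, added here as an example and not code from Unit 42 or Mallory: it flags CloudTrail management events that set a Lambda Function URL to AuthType NONE, run over constructed sample records; the requestParameters field names are assumed to mirror the Lambda API parameters.

```python
"""Detection helper: flag CloudTrail events that expose a Lambda Function URL
with AuthType NONE, the relay configuration described above. Records below are
constructed; field names mirror the Lambda API parameters (assumed)."""
from typing import Iterable

# Calls that create or change a function URL's authentication setting.
URL_CONFIG_EVENTS = {"CreateFunctionUrlConfig", "UpdateFunctionUrlConfig"}


def public_url_findings(records: Iterable[dict]) -> list[dict]:
    """One finding per event that opens a function URL to anonymous callers.
    A hit is a lead, not proof of compromise: legitimate public URLs exist."""
    findings = []
    for rec in records:
        if rec.get("eventSource") != "lambda.amazonaws.com":
            continue
        params = rec.get("requestParameters") or {}
        name, reason = rec.get("eventName"), None
        if name in URL_CONFIG_EVENTS and params.get("authType") == "NONE":
            reason = "function URL set to AuthType NONE"
        elif (name == "AddPermission"
              and params.get("functionUrlAuthType") == "NONE"
              and params.get("principal") == "*"):
            reason = "resource policy grants anonymous function URL invocation"
        if reason:
            findings.append({"time": rec.get("eventTime"), "reason": reason,
                             "function": params.get("functionName"),
                             "actor": (rec.get("userIdentity") or {}).get("arn")})
    return findings


def _event(name, params, time="2025-01-01T00:00:00Z"):
    """Constructed CloudTrail-style record (placeholder account id and IP)."""
    return {"eventTime": time, "eventSource": "lambda.amazonaws.com",
            "eventName": name, "sourceIPAddress": "198.51.100.7",
            "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deploy"},
            "requestParameters": params}


SAMPLE_RECORDS = [  # constructed: two exposures, two benign events
    _event("CreateFunctionUrlConfig", {"functionName": "relay", "authType": "NONE"}),
    _event("CreateFunctionUrlConfig", {"functionName": "api", "authType": "AWS_IAM"}),
    _event("AddPermission", {"functionName": "relay", "principal": "*",
                             "action": "lambda:InvokeFunctionUrl", "functionUrlAuthType": "NONE"}),
    _event("ListFunctions", {}),
]

if __name__ == "__main__":
    for finding in public_url_findings(SAMPLE_RECORDS):
        print(finding)
```

Each finding should be triaged against change records, since a public Function URL is a legitimate feature and only the combination with unexpected principals, source addresses or timing points to abuse.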
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Government & Administration
Tradecraft
12 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
1 malware family attributed to this actor across reporting.
Recent activity
3 sources tracked across advisories, community write-ups, and news.
- Cloud-native intrusion campaign targeting government networks in Southeast Asia by abusing compromised AWS accounts and Lambda Function URLs as covert command-and-control relays for a lightweight backdoor.
- State-backed cluster targeting Southeast Asian government organizations using the HazyBeacon backdoor and AWS Lambda for data theft.
- State-backed threat actor conducting cyber espionage against Southeast Asian government agencies using a Windows backdoor (HazyBeacon) to steal sensitive information.