Mallory
Malware · Used by 1 actor

HazyBeacon

HazyBeacon is a previously undocumented lightweight Windows backdoor associated with the activity cluster CL-STA-1020. It has been reported targeting governmental organizations and government networks in Southeast Asia, with reporting assessing the campaign as focused on covert intelligence collection, including sensitive information related to tariffs and trade disputes. The malware uses AWS Lambda Function URLs as command-and-control infrastructure, causing beaconing and tasking traffic to blend in with legitimate encrypted HTTPS communications to Amazon infrastructure, including on.aws domains. Reporting states the operators abused compromised AWS accounts and public Lambda Function URLs configured with AuthType: NONE as relays rather than exploiting vulnerabilities in AWS itself.

On infected Windows systems, HazyBeacon collects host information including hostname, IP address, and user privileges, receives encrypted commands, executes shell instructions, downloads additional payloads, and uploads stolen documents and captured keystrokes. Reported delivery and execution included DLL sideloading, with a malicious mscorsvc.dll placed at C:\Windows\assembly\mscorsvc.dll and loaded by the legitimate mscorsvw.exe process. Persistence was established via a Windows service named msdnetsvc. One reported C2 endpoint pattern was a Lambda URL in the ap-southeast-1 region ending in lambda-url.ap-southeast-1.on.aws.

The malware was also reported downloading follow-on tooling into C:\ProgramData, including 7z.exe, a file collector named igfx.exe, GoogleGet.exe, multiple custom Google Drive uploaders (google.exe, GoogleDrive.exe, GoogleDriveUpload.exe), and a Dropbox uploader (Dropbox.exe). The file collector reportedly accepted a time range and file extensions and created ZIP archives named after the victim machine, while 7-Zip was used to split archives into 200 MB chunks. Operators conducted targeted searches for trade-related documents, including the query "letter to US President on Tariffs measures," and attempted exfiltration via Google Drive and Dropbox. Reported cleanup activity included deletion of created archives and payloads after exfiltration attempts were blocked.

High-confidence indicators and artifacts mentioned in the reporting include the malware name HazyBeacon; cluster identifier CL-STA-1020; malicious DLL path C:\Windows\assembly\mscorsvc.dll; legitimate loader mscorsvw.exe; persistence service msdnetsvc; staging directory C:\ProgramData; payload names 7z.exe, igfx.exe, GoogleGet.exe, google.exe, GoogleDrive.exe, GoogleDriveUpload.exe, and Dropbox.exe; and Lambda URL C2 infrastructure using on.aws domains.
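The artifacts listed above are concrete enough to hunt for directly. The following is an added example (not Mallory's or the original reporting's code) that runs the host, service, network and file indicators from this page over a few constructed telemetry events; the event schema, the .NET Framework install paths used for the loader, and the host names in the sample are assumptions, not values from the reporting.

```python
"""Hunt endpoint telemetry for the HazyBeacon artifacts named in the reporting above."""
import re

# Artifacts as given on this page (lower-cased for comparison).
SIDELOADED_DLL = r"c:\windows\assembly\mscorsvc.dll"
LOADER_IMAGE = "mscorsvw.exe"
PERSISTENCE_SERVICE = "msdnetsvc"
STAGING_DIR = r"c:\programdata"
STAGED_PAYLOADS = {
    "7z.exe", "igfx.exe", "googleget.exe", "google.exe",
    "googledrive.exe", "googledriveupload.exe", "dropbox.exe",
}
# Any Lambda Function URL host: <id>.lambda-url.<region>.on.aws
LAMBDA_URL_HOST = re.compile(r"^[a-z0-9]+\.lambda-url\.[a-z0-9-]+\.on\.aws$", re.I)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _dirname(path: str) -> str:
    p = path.replace("/", "\\")
    return p.rsplit("\\", 1)[0].lower() if "\\" in p else ""


def check_event(ev: dict):
    """Return (rule, severity) when an event matches a HazyBeacon artifact, else None."""
    kind = ev.get("type")
    if kind == "image_load":
        # The legitimate .NET loader pulling mscorsvc.dll from C:\Windows\assembly
        if _basename(ev["image"]) == LOADER_IMAGE and ev["loaded"].lower() == SIDELOADED_DLL:
            return ("sideload_mscorsvc_dll", "high")
    elif kind == "service_install":
        if ev["service_name"].lower() == PERSISTENCE_SERVICE:
            return ("persistence_service_msdnetsvc", "high")
    elif kind == "network":
        if LAMBDA_URL_HOST.match(ev["dest_host"].lower()):
            # Lambda URLs have legitimate users; the calling process decides the severity.
            sev = "high" if _basename(ev["image"]) == LOADER_IMAGE else "medium"
            return ("beacon_to_lambda_function_url", sev)
    elif kind == "file_create":
        path = ev["path"].lower()
        if _dirname(path) == STAGING_DIR and _basename(path) in STAGED_PAYLOADS:
            return ("staged_payload_in_programdata", "medium")
    return None


def hunt(events):
    """Run every event through check_event and keep the hits with their evidence."""
    findings = []
    for ev in events:
        hit = check_event(ev)
        if hit:
            findings.append({"rule": hit[0], "severity": hit[1], "event": ev})
    return findings


# Constructed sample telemetry (not real logs). The .NET Framework directory is the
# normal install location of mscorsvw.exe/mscorsvc.dll (assumption, not from the page).
NET_DIR = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319"
SAMPLE_EVENTS = [
    {"type": "image_load", "image": NET_DIR + r"\mscorsvw.exe",
     "loaded": r"C:\Windows\assembly\mscorsvc.dll"},
    {"type": "image_load", "image": NET_DIR + r"\mscorsvw.exe",
     "loaded": NET_DIR + r"\mscorsvc.dll"},                       # expected path: no hit
    {"type": "service_install", "service_name": "msdnetsvc",
     "image_path": NET_DIR + r"\mscorsvw.exe"},
    {"type": "network", "image": NET_DIR + r"\mscorsvw.exe", "dest_port": 443,
     "dest_host": "abc123example.lambda-url.ap-southeast-1.on.aws"},
    {"type": "network", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dest_port": 443, "dest_host": "www.amazon.com"},            # ordinary AWS traffic: no hit
    {"type": "file_create", "image": NET_DIR + r"\mscorsvw.exe",
     "path": r"C:\ProgramData\igfx.exe"},
    {"type": "file_create", "image": r"C:\Windows\explorer.exe",
     "path": r"C:\Users\alice\Downloads\7z.exe"},                 # outside staging dir: no hit
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['rule']}: {f['event']}")
```

The Lambda URL rule is deliberately kept at medium severity on its own: on.aws traffic is legitimate in many environments, so the pivot that makes it actionable is the calling process (here mscorsvw.exe, which has no business beaconing to a Function URL), combined with the sideload and service hits on the same host.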

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

CL-STA-1020

...previously undocumented Windows backdoor dubbed HazyBeacon.

via cloudatg insights (cloudatg.com)
MITRE ATT&CK

Techniques & procedures

12 distinct techniques documented for this family, organized by ATT&CK tactic.

T1583.006 Web Services (Evidence: 1)

Attackers compromise AWS accounts belonging to unrelated organizations and plant lightweight serverless functions inside them as hidden relay points.

Initial Access

2 techniques
T1078.004 Cloud Accounts (Evidence: 1)

Attackers validate stolen keys with quiet API calls, upload a zipped Python or Node.js payload as a Lambda function with a benign name like “UpdateWorker,” and deploy it in a low-scrutiny AWS region to avoid detection.

T1566 Phishing (Evidence: 1)

Attackers steal static IAM access keys from exposed GitHub repositories or phishing campaigns, then use those keys to build a relay inside a compromised cloud account.

Execution

2 techniques
T1059.003 Windows Command Shell (Evidence: 1)
Tactic: Execution

It receives encrypted commands to run shell instructions or pull down further payloads.

T1648 Serverless Execution (Evidence: 1)
Tactic: Execution

The core of this attack is the abuse of AWS Lambda Function URLs... Attackers choose this option to spin up a public HTTPS relay inside AWS infrastructure within seconds.
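The relay the reporting describes depends on a Function URL with AuthType NONE, and the same setting (mentioned in the family description above) is what a defender can audit for in their own accounts. The following added example (not Mallory's or the reporting's code) pages through an account's Lambda functions and reports every Function URL that is publicly reachable without authentication. It uses the real Lambda API shapes for ListFunctions and ListFunctionUrlConfigs, but runs offline against a constructed fake client whose function names and URLs are made up; in production the same function is passed a boto3 Lambda client.

```python
"""Find Lambda Function URLs with AuthType NONE (public, unauthenticated) in an account."""


def iter_functions(client):
    """Page through ListFunctions using the API's Marker/NextMarker pagination."""
    marker = None
    while True:
        page = client.list_functions(**({"Marker": marker} if marker else {}))
        for fn in page.get("Functions", []):
            yield fn
        marker = page.get("NextMarker")
        if not marker:
            return


def find_public_function_urls(client):
    """Return [(function_name, url)] for every Function URL config with AuthType NONE."""
    public = []
    for fn in iter_functions(client):
        name = fn["FunctionName"]
        resp = client.list_function_url_configs(FunctionName=name)
        for cfg in resp.get("FunctionUrlConfigs", []):
            if cfg.get("AuthType") == "NONE":
                public.append((name, cfg["FunctionUrl"]))
    return public


class FakeLambdaClient:
    """Constructed stand-in for boto3.client('lambda'); all data below is hypothetical."""

    def __init__(self, functions, url_configs):
        self._functions = functions
        self._url_configs = url_configs

    def list_functions(self, Marker=None):
        # One function per page so that pagination is actually exercised.
        idx = int(Marker) if Marker else 0
        page = {"Functions": self._functions[idx:idx + 1]}
        if idx + 1 < len(self._functions):
            page["NextMarker"] = str(idx + 1)
        return page

    def list_function_url_configs(self, FunctionName):
        return {"FunctionUrlConfigs": self._url_configs.get(FunctionName, [])}


# "UpdateWorker" is the benign-looking name quoted in the reporting; the URL ids are placeholders.
SAMPLE_CLIENT = FakeLambdaClient(
    functions=[
        {"FunctionName": "UpdateWorker"},
        {"FunctionName": "billing-report"},
        {"FunctionName": "thumbnailer"},          # no Function URL at all
    ],
    url_configs={
        "UpdateWorker": [{"FunctionUrl": "https://EXAMPLE-ID.lambda-url.ap-southeast-1.on.aws/",
                          "AuthType": "NONE"}],
        "billing-report": [{"FunctionUrl": "https://EXAMPLE-ID2.lambda-url.us-east-1.on.aws/",
                            "AuthType": "AWS_IAM"}],
    },
)

if __name__ == "__main__":
    for name, url in find_public_function_urls(SAMPLE_CLIENT):
        print(f"PUBLIC Function URL: {name} -> {url}")
```

Run this per region (Function URLs are regional) and treat any hit in a function nobody can account for as an incident rather than a misconfiguration; the corresponding CreateFunctionUrlConfig API calls in CloudTrail show who created the URL and from which credentials.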

Persistence

1 technique
T1078.004 Cloud Accounts (Evidence: 1)

Attackers validate stolen keys with quiet API calls, upload a zipped Python or Node.js payload as a Lambda function with a benign name like “UpdateWorker,” and deploy it in a low-scrutiny AWS region to avoid detection.

Stealth

1 technique
T1078.004 Cloud Accounts (Evidence: 1)

Attackers validate stolen keys with quiet API calls, upload a zipped Python or Node.js payload as a Lambda function with a benign name like “UpdateWorker,” and deploy it in a low-scrutiny AWS region to avoid detection.

Credential Access

2 techniques
T1056.001 Keylogging (Evidence: 1)

It silently uploads stolen documents and captured keystrokes to the attackers.

T1528 Steal Application Access Token (Evidence: 1)

Attackers steal static IAM access keys from exposed GitHub repositories or phishing campaigns, then use those keys to build a relay inside a compromised cloud account.

Discovery

1 technique
T1082 System Information Discovery (Evidence: 1)
Tactic: Discovery

Once HazyBeacon installs on a victim’s Windows machine, it works as a lightweight backdoor. It collects system details like hostname, IP address, and user privileges.

Collection

1 technique
T1056.001 Keylogging (Evidence: 1)

It silently uploads stolen documents and captured keystrokes to the attackers.

Command and Control

3 techniques
T1071 Application Layer Protocol (Evidence: 1)

To any security team watching traffic, the communications look like routine, encrypted HTTPS connections to Amazon’s own infrastructure.

T1090 Proxy (Evidence: 1)

The relay works as a silent middleman. Malware sends an encrypted HTTP POST to a Lambda URL inside a different compromised AWS account. That function strips the headers and forwards the payload to the attacker’s real backend server, which responds through the same path.

T1105 Ingress Tool Transfer (Evidence: 1)

It receives encrypted commands to run shell instructions or pull down further payloads.

Exfiltration

1 technique
T1041 Exfiltration Over C2 Channel (Evidence: 1)

It silently uploads stolen documents and captured keystrokes to the attackers.

ACTIVITY FEED

Recent activity

4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

cyber security news · News
Jun 3, 2026
HazyBeacon Campaign Weaponizes Amazon Web Services for Stealthy Communications

A lightweight Windows backdoor used in a campaign targeting government networks in Southeast Asia. It collects host details, receives encrypted commands to execute shell instructions or download additional payloads, and uploads stolen documents and captured keystrokes. Its command-and-control traffic is relayed through attacker-abused AWS Lambda Function URLs hosted in compromised AWS accounts.

cloudatg insights · News
Feb 13, 2026
AI Development & Software Engineering | CloudATG

State-backed Windows backdoor using AWS Lambda for data theft from Southeast Asian government targets (per summary).

palo alto networks unit 42 blog · News
Jul 14, 2025
Behind the Clouds: Attackers Targeting Governments in Southeast Asia Implement Novel Covert C2 Communication

Previously undocumented Windows backdoor deployed via DLL sideloading (malicious mscorsvc.dll loaded by legitimate mscorsvw.exe) that uses AWS Lambda Function URLs for HTTPS C2. It beacons to an actor-controlled *.lambda-url.*.on.aws endpoint, receives commands, and downloads additional payloads used for file collection, archiving/splitting, and exfiltration via legitimate cloud storage services (Google Drive, Dropbox). Persistence is established via a Windows service (msdnetsvc).

the hacker news · News
Dec 4, 2025
AWS — Latest News, Reports & Analysis | The Hacker News

A Windows backdoor used in state-backed cyber espionage campaigns to steal sensitive data from Southeast Asian government agencies, leveraging AWS Lambda for data exfiltration.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution (1)

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping (12)

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.