Sysdig reported observing an offensive operation against an AWS environment in which a threat actor progressed from initial access to administrative privileges in under 10 minutes, with multiple indicators suggesting large language models (LLMs) were used to accelerate reconnaissance, code generation, and decision-making. Initial access was obtained via valid credentials exposed in public S3 buckets, reportedly associated with AI/RAG-related data and an IAM user used to automate Amazon Bedrock tasks via AWS Lambda. The actor then escalated privileges via Lambda function code injection, moved laterally across 19 AWS principals, and abused Amazon Bedrock in an LLMjacking pattern while also provisioning GPU-capable compute instances for suspected model-related activity.
Dark Reading’s coverage echoed Sysdig’s findings, emphasizing the speed of the compromise, the role of AI as a force multiplier, and post-compromise activity including data collection/exfiltration and GPU instance provisioning. In contrast, TechTarget’s “must-have security technologies” piece and SecuritySenses’ discussion of borrowing financial risk models for security are general guidance/trend articles and do not describe this specific intrusion or provide incident-specific technical details, making them non-contributory to the reported AWS compromise.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
10 events from the most recent confirmed update back to the earliest known activity.
In response to coverage of the incident, AWS stated that its services and infrastructure were not impacted and attributed the compromise to customer-side misconfiguration, including public S3 exposure and leaked credentials. AWS reiterated best practices such as least privilege, secure credential handling, and monitoring with services like GuardDuty.
Sysdig Threat Research Team publicly disclosed the incident and its analysis, describing indicators of heavy LLM assistance such as rapid script iteration, hallucinated account IDs, Serbian-language comments, and references to non-existent repositories. The company also released detections and mitigation guidance focused on least privilege, Lambda hardening, S3 access controls, and Bedrock logging.
During the intrusion, the actor used IP rotation and role chaining to reduce detection and attempted to pivot further by guessing the default OrganizationAccountAccessRole in an AWS Organization. These actions showed an effort to expand reach beyond the initially compromised account.
The operation expanded into compute abuse when the actor attempted to provision expensive GPU-backed EC2 resources, including a p4d.24xlarge instance nicknamed "stevan-gpu-monster." The attacker also exposed a JupyterLab service publicly on port 8888, apparently to support AI or ML workloads.
The attacker verified that Bedrock model invocation logging was disabled and then used the victim's account to invoke multiple foundation models, including third-party and Amazon-hosted offerings. Reports also note use of cross-Region inference and acceptance of AWS Marketplace usage agreements on the victim's behalf.
With elevated access, the attacker gathered data from services such as Secrets Manager, SSM Parameter Store, CloudWatch, S3, Lambda source code, and CloudTrail. One report also noted data exfiltration during the incident.
Following privilege escalation, the intruder moved laterally through role assumptions and access-key creation across 19 AWS identities/principals. The actor also established persistence by creating a new administrative user referred to as "backdoor-admin."
The attacker escalated privileges by modifying the EC2-init Lambda function, abusing overly permissive update capabilities to create new access keys for an administrative user named "frick." Sysdig said the actor reached administrative privileges in roughly eight minutes.
After initial access, the attacker rapidly enumerated the victim's AWS environment across services including Secrets Manager, RDS, CloudWatch, SSM, S3, Lambda, and CloudTrail. Multiple reports say this reconnaissance was likely accelerated by large language models.
On November 28, 2025, an attacker obtained valid AWS test credentials from a publicly accessible S3 bucket containing AI-related/RAG data. The exposed credentials provided initial access with ReadOnlyAccess permissions.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
7 references tracked. Mallory keeps watching after this page renders.
csoonline.com
Open sourcescworld.com
Open sourcego.theregister.com
Open sourcecybersecuritynews.com
Open sourcehackread.com
Open sourcesysdig.com
Open sourcedarkreading.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.