A previously unreported Windows backdoor dubbed “HazyBeacon” has emerged in a stealthy espionage campaign that began in late 2024 and is still unfolding across several Southeast Asian government networks. The operators abuse the public URL feature of AWS Lambda, originally designed to simplify serverless deployments, to camouflage command-and-control (C2) traffic inside routine cloud operations.

Because every beacon from an infected workstation blends into legitimate *.on.aws traffic, defenders get little visual distinction from sanctioned cloud workloads. Reverse-engineering of the samples revealed that each beacon not only requests tasking from an attacker-controlled Lambda function but also retrieves auxiliary payloads, including bespoke Google Drive and Dropbox uploaders, continuing the “hide-in-plain-sight” strategy through every stage of the kill chain.

Upon first execution, HazyBeacon creates a new Windows service named msdnetsvc, ensuring it is revived after every reboot. Collected data is exfiltrated in slices: each slice is queued for upload through Google Drive APIs, and should those flows be blocked, a fallback Dropbox uploader, Dropbox.exe, activates automatically.

Signature coverage for the backdoor is still maturing, but defenders can already hunt for repeating GET requests to *.lambda-url.*.on.aws, unexpected invocations of mscorsvw.exe from C:\Windows\assembly, and rogue services whose display names mimic Microsoft networking utilities. Network teams should also baseline normal Lambda URL usage; any sudden spike from endpoints without development workloads warrants immediate triage. Continuous inspection of cloud egress, coupled with strict allow-lists for serverless endpoints, offers the most pragmatic defense until wider signature coverage matures.

While HazyBeacon’s toolkit is compact, its fusion of serverless C2, DLL sideloading, and multi-cloud exfiltration marks a troubling evolution in state-aligned espionage.
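The hunts above can be turned into a small triage script. The following is an added example written for this page, not code from the article or from any vendor: it runs over constructed proxy log lines (assumed format: ISO timestamp, source IP, method, host, path) and constructed Sysmon-style host events, flags clients outside an assumed allow-list that GET a Lambda function URL at regular intervals, and flags mscorsvw.exe launched from under C:\Windows\assembly as well as a service carrying the msdnetsvc name. The allow-list address, the sample IPs, the Lambda URL identifiers and the 15 % jitter threshold are all assumptions.

```python
"""Hunt for HazyBeacon-style indicators in constructed sample telemetry.

Added example for this page; not the article's or any vendor's code.
Assumes a simple space-separated proxy log and Sysmon-like host events.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Lambda function URLs take the form <id>.lambda-url.<region>.on.aws
LAMBDA_URL_RE = re.compile(r"\.lambda-url\.[a-z0-9-]+\.on\.aws$", re.IGNORECASE)

# Assumption: hosts that legitimately talk to serverless endpoints
# (developer workstations, CI runners). Everything else is unexpected.
ALLOWED_LAMBDA_CLIENTS = {"10.1.9.40"}

# Persistence service name reported for HazyBeacon.
KNOWN_ROGUE_SERVICES = {"msdnetsvc"}
# mscorsvw.exe normally lives under Microsoft.NET\Framework*, not here.
SUSPECT_MSCORSVW_DIR = r"c:\windows\assembly"

# Constructed sample proxy log: "<timestamp> <src> <method> <host> <path>".
# 10.1.5.23 beacons every ~5 minutes; 10.1.5.88 is bursty (not a beacon);
# 10.1.9.40 is an allow-listed developer host.
SAMPLE_PROXY_LOG = """\
2025-07-10T09:00:00 10.1.5.23 GET abc123xyz.lambda-url.ap-southeast-1.on.aws /
2025-07-10T09:05:01 10.1.5.23 GET abc123xyz.lambda-url.ap-southeast-1.on.aws /
2025-07-10T09:10:00 10.1.5.23 GET abc123xyz.lambda-url.ap-southeast-1.on.aws /
2025-07-10T09:14:59 10.1.5.23 GET abc123xyz.lambda-url.ap-southeast-1.on.aws /
2025-07-10T09:20:00 10.1.5.23 GET abc123xyz.lambda-url.ap-southeast-1.on.aws /
2025-07-10T09:00:00 10.1.5.88 GET q9q9q9q9.lambda-url.us-west-2.on.aws /
2025-07-10T09:01:00 10.1.5.88 GET q9q9q9q9.lambda-url.us-west-2.on.aws /
2025-07-10T09:40:00 10.1.5.88 GET q9q9q9q9.lambda-url.us-west-2.on.aws /
2025-07-10T10:55:00 10.1.5.88 GET q9q9q9q9.lambda-url.us-west-2.on.aws /
2025-07-10T09:03:12 10.1.9.40 POST devapi7.lambda-url.us-east-1.on.aws /deploy
2025-07-10T11:47:30 10.1.9.40 POST devapi7.lambda-url.us-east-1.on.aws /deploy
2025-07-10T09:02:00 10.1.5.77 GET www.example.com /index.html
"""

# Constructed Sysmon-style events (process creation and service install).
SAMPLE_HOST_EVENTS = [
    {"type": "process", "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe"},
    {"type": "process", "image": r"C:\Windows\assembly\mscorsvw.exe"},
    {"type": "service", "name": "msdnetsvc"},
    {"type": "service", "name": "Dhcp"},
]


def parse_proxy_log(text):
    """Parse log lines into (timestamp, src, method, host, path) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, method, host, path = line.split(maxsplit=4)
        rows.append((datetime.fromisoformat(ts), src, method, host.lower(), path))
    return rows


def find_lambda_beacons(rows, min_hits=4, max_jitter=0.15):
    """Return (src, host, hits, mean_gap_seconds) for non-allow-listed clients
    that repeatedly GET a Lambda URL at near-constant intervals."""
    by_pair = defaultdict(list)
    for ts, src, method, host, _ in rows:
        if method == "GET" and LAMBDA_URL_RE.search(host):
            by_pair[(src, host)].append(ts)
    findings = []
    for (src, host), stamps in by_pair.items():
        if src in ALLOWED_LAMBDA_CLIENTS or len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # A beacon is periodic: the spread of inter-request gaps is small
        # relative to the mean gap. Bursty browsing fails this test.
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            findings.append((src, host, len(stamps), round(avg)))
    return findings


def find_host_indicators(events):
    """Return (indicator, value) pairs for the host-side hunts."""
    hits = []
    for ev in events:
        if ev["type"] == "process":
            image = ev["image"].lower()
            if image.endswith("\\mscorsvw.exe") and image.startswith(SUSPECT_MSCORSVW_DIR):
                hits.append(("mscorsvw_unexpected_path", ev["image"]))
        elif ev["type"] == "service" and ev["name"].lower() in KNOWN_ROGUE_SERVICES:
            hits.append(("rogue_service", ev["name"]))
    return hits


if __name__ == "__main__":
    for f in find_lambda_beacons(parse_proxy_log(SAMPLE_PROXY_LOG)):
        print("beacon:", f)
    for h in find_host_indicators(SAMPLE_HOST_EVENTS):
        print("host:", h)
```

On the sample data only 10.1.5.23 is reported as a beacon (five GETs roughly 300 s apart); 10.1.5.88 hits a Lambda URL just as often but with gaps of 60 s, 39 min and 75 min, so it fails the periodicity test, and the allow-listed developer host is skipped entirely. In production the allow-list should be derived from the Lambda URL baseline the article recommends, and the jitter threshold widened if the beacon interval is known to be randomized.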
This Cyber News was published on cybersecuritynews.com. Publication date: Tue, 15 Jul 2025 10:30:12 +0000