The HazyBeacon Protocol – How Malware Weaponizes Amazon Web Services (AWS) Lambda Function URLs
ID: b2a0eff6-e4a6-5dd3-9909-1e7b7ac56fdf
STIX ID: report--b2a0eff6-e4a6-5dd3-9909-1e7b7ac56fdf
Feed Name: Qualys Blog
HazyBeacon is a cloud-enabled Windows backdoor campaign that leverages stolen AWS IAM credentials to create public AWS Lambda Function URLs (AuthType:NONE) as stealth C2 relays, making malicious traffic appear as trusted AWS HTTPS traffic; the report outlines the credential-harvest-to-deploy kill chain, malware capabilities (system enumeration, remote task execution, data exfiltration), MITRE ATT&CK mappings, and prioritized mitigations including strong identity hygiene, global CloudTrail logging, Service Control Policies to block public Function URLs, VPC flow telemetry, and cost/invocation anomaly monitoring.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
