logo

The HazyBeacon Protocol – How Malware Weaponizes Amazon Web Services (AWS) Lambda Function URLs

ID: b2a0eff6-e4a6-5dd3-9909-1e7b7ac56fdf

STIX ID: report--b2a0eff6-e4a6-5dd3-9909-1e7b7ac56fdf

Feed Name: Qualys Blog

Threat Score
75/100

Date Published: 2026-06-02

Date Updated: 2026-06-03

Author: Aniket Harne

...
...

HazyBeacon is a cloud-enabled Windows backdoor campaign that leverages stolen AWS IAM credentials to create public AWS Lambda Function URLs (AuthType:NONE) as stealth C2 relays, making malicious traffic appear as trusted AWS HTTPS traffic; the report outlines the credential-harvest-to-deploy kill chain, malware capabilities (system enumeration, remote task execution, data exfiltration), MITRE ATT&CK mappings, and prioritized mitigations including strong identity hygiene, global CloudTrail logging, Service Control Policies to block public Function URLs, VPC flow telemetry, and cost/invocation anomaly monitoring.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.