HazyBeacon Campaign Abuses AWS for Stealthy C2 Communications
ID: a0cb9050-7b3e-5464-9fef-074d26d5d281
STIX ID: report--a0cb9050-7b3e-5464-9fef-074d26d5d281
Feed Name: GBHackers
HazyBeacon (CL-STA-1020) is a targeted, cloud-native espionage campaign that abuses stolen AWS IAM keys to create unauthenticated Lambda Function URLs, which serve as covert HTTPS C2 relays and mask the attacker infrastructure. It targets government networks in Southeast Asia. The malware conducts system enumeration, remote commands, data exfiltration and keystroke capture. Mitigations focus on stricter IAM controls, credential rotation, global logging and continuous configuration audits.
