GuardDuty Extended Threat Detection uncovers cryptomining campaign on Amazon EC2 and Amazon ECS
ID: 400001eb-a8b0-5417-99fe-0194c70cbb3e
STIX ID: report--400001eb-a8b0-5417-99fe-0194c70cbb3e
Feed Name: AWS Security Blog
This GuardDuty report describes an active, large-scale cryptomining campaign that began on November 2, 2025. Attackers used compromised AWS IAM credentials to rapidly enumerate service quotas and deploy mining workloads across Amazon EC2 and Amazon ECS/Fargate, including GPU instances. For persistence they disabled API termination on instances and created public, unauthenticated Lambda function URLs, and they distributed a malicious Docker image (yenik65958/secret) that connects to rplant.xyz mining pools. The advisory includes indicators of compromise (IoCs), detection methods (GuardDuty findings and Runtime Monitoring), and remediation and prevention recommendations.
