
Behind the Clouds: Attackers Targeting Governments in Southeast Asia Implement Novel Covert C2 Communication

Since late 2024, Unit 42 researchers have been tracking a cluster of suspicious activity, designated CL-STA-1020, that targets governmental entities in Southeast Asia. The threat actors behind this cluster have been collecting sensitive information from government agencies, including information on recent tariffs and trade disputes.

This campaign is particularly noteworthy due to its novel tradecraft. The threat actors have developed a previously undocumented Windows backdoor, named HazyBeacon.

This backdoor uses AWS Lambda function URLs as its command and control (C2) infrastructure. Because the traffic goes to legitimate, AWS-owned HTTPS endpoints, the channel is reliable and scalable, and it is hard to distinguish from the benign cloud traffic most networks already carry.

In this analysis, we aim to provide security teams with the necessary insights to detect and mitigate this emerging threat, while contributing to the broader understanding of how attackers exploit cloud services for malicious purposes.
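One practical starting point for the detection the paragraph above calls for is to hunt for Lambda function URL hosts in proxy or DNS telemetry and then look for the regular polling cadence that a C2 channel tends to show. The script below is an added example written for this page, not code from Unit 42 or from the HazyBeacon analysis. It relies only on the public format of Lambda function URLs (`<url-id>.lambda-url.<region>.on.aws`); the log format, host names, process names, URL IDs and the allowlist are all constructed for illustration and are not indicators from the research.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev

# AWS Lambda function URLs take the form https://<url-id>.lambda-url.<region>.on.aws/
LAMBDA_URL_HOST = re.compile(r"^[a-z0-9]+\.lambda-url\.[a-z0-9-]+\.on\.aws$", re.IGNORECASE)

# Hypothetical allowlist of Lambda URL hosts the organisation legitimately uses
# (placeholder value, not a real indicator).
ALLOWED_LAMBDA_HOSTS = {"trusted1234abcd.lambda-url.eu-west-1.on.aws"}

# Constructed proxy log excerpt (not real telemetry and not HazyBeacon indicators).
# Assumed line format: "<iso-timestamp> <endpoint> <process> <destination-host>"
SAMPLE_PROXY_LOG = """\
2025-01-10T09:00:00Z ws-017 chrome.exe www.example.com
2025-01-10T09:00:02Z ws-017 updater.exe abcdef0123456789.lambda-url.us-east-1.on.aws
2025-01-10T09:05:02Z ws-017 updater.exe abcdef0123456789.lambda-url.us-east-1.on.aws
2025-01-10T09:10:01Z ws-017 updater.exe abcdef0123456789.lambda-url.us-east-1.on.aws
2025-01-10T09:15:03Z ws-017 updater.exe abcdef0123456789.lambda-url.us-east-1.on.aws
2025-01-10T09:07:44Z ws-042 app.exe trusted1234abcd.lambda-url.eu-west-1.on.aws
2025-01-10T09:12:10Z ws-042 outlook.exe outlook.office365.com
"""


def parse_proxy_log(text):
    """Parse the assumed whitespace-separated proxy log format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, endpoint, process, dest = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "endpoint": endpoint,
            "process": process,
            "dest": dest.lower(),
        })
    return events


def lambda_url_contacts(events, allowlist=ALLOWED_LAMBDA_HOSTS):
    """Return events whose destination is a Lambda function URL host not on the allowlist."""
    return [e for e in events
            if LAMBDA_URL_HOST.match(e["dest"]) and e["dest"] not in allowlist]


def beacon_candidates(events, min_contacts=3, max_jitter_ratio=0.2):
    """Group unallowlisted Lambda URL contacts by (endpoint, process, destination) and
    flag sequences whose inter-request intervals are nearly constant, the shape of a
    polling C2 channel rather than an ad hoc API call. Jitter is measured as the
    population standard deviation of the gaps divided by their mean."""
    groups = defaultdict(list)
    for e in lambda_url_contacts(events):
        groups[(e["endpoint"], e["process"], e["dest"])].append(e["ts"])

    findings = []
    for (endpoint, process, dest), stamps in groups.items():
        stamps.sort()
        if len(stamps) < min_contacts:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter_ratio:
            findings.append({
                "endpoint": endpoint,
                "process": process,
                "dest": dest,
                "contacts": len(stamps),
                "mean_interval_s": round(avg, 1),
            })
    return findings


if __name__ == "__main__":
    parsed = parse_proxy_log(SAMPLE_PROXY_LOG)
    for hit in lambda_url_contacts(parsed):
        print("lambda-url contact:", hit["endpoint"], hit["process"], hit["dest"])
    for finding in beacon_candidates(parsed):
        print("beacon candidate:", finding)
```

The first pass is a cheap pattern match and will also catch legitimate Lambda URL use, which is why the allowlist exists; the second pass narrows the list to endpoints that poll the same URL at a steady interval, which is what an operator reviewing proxy logs would want surfaced first. Tune `min_contacts` and `max_jitter_ratio` to the local baseline rather than treating the defaults as meaningful thresholds.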

Read the complete article here.

This post is licensed under CC BY 4.0 by the author.