HazyBeacon APT Campaign Weaponizes AWS Lambda to Hide Command-and-Control Traffic

dark6 22 June 2026

Security researchers at Qualys have exposed a sophisticated cyber-espionage campaign, tracked as HazyBeacon (CL-STA-1020), that targets Southeast Asian government networks by abusing AWS Lambda Function URLs as covert command-and-control (C2) relays. The campaign represents a significant evolution in attacker tradecraft, shifting malicious infrastructure into legitimate cloud platforms to evade conventional network defenses.

What Is HazyBeacon?

HazyBeacon is a lightweight backdoor deployed against government networks in Southeast Asia. The malware profiles compromised systems, executes remote commands, and exfiltrates data including documents and keystrokes. What sets it apart from conventional malware is not its payload functionality but its communications infrastructure: all C2 traffic flows through legitimate AWS Lambda endpoints, making it appear benign to most network security tools.

Traditional malware relied on attacker-owned servers for communication, which defenders could block using IP reputation or domain blacklists. HazyBeacon represents a shift toward cloud-native C2, in which attackers deploy their infrastructure within legitimate cloud environments that organizations already trust and routinely allowlist.

How the AWS Lambda Abuse Works

At the core of the attack is the misuse of AWS Lambda Function URLs configured with AuthType: NONE, which allows public, unauthenticated HTTPS access to a Lambda function. These endpoints provide a simple interface without requiring API Gateway or load balancers, reducing the attacker’s operational footprint and visibility.

The attack chain unfolds in four stages:

  • Credential Compromise: IAM keys are stolen from exposed code repositories, phishing campaigns, or misconfigured cloud environments.
  • Infrastructure Deployment: Attackers use the stolen credentials to create Lambda functions in the compromised AWS accounts via legitimate AWS APIs.
  • Relay Setup: Public Function URLs are enabled on the Lambda functions, creating a publicly accessible HTTPS endpoint at an address resembling https://[id].lambda-url.[region].on.aws. Because this uses the trusted “on.aws” domain, traffic appears legitimate.
  • C2 Communication: Infected systems communicate with attacker infrastructure through the Lambda relay, which forwards encrypted communications to attacker-controlled servers and relays responses back. The true C2 destination is masked behind trusted AWS infrastructure.

Why This Is Difficult to Detect

The HazyBeacon approach creates a “lookalike” problem for defenders: malicious traffic is functionally indistinguishable from legitimate AWS API calls at the network level. Because the Lambda Function URL uses the on.aws domain, most network-layer controls, including web proxies, firewalls, and DNS filters, will not flag the traffic. Organizations that have allowlisted AWS domains wholesale are particularly exposed.

Furthermore, HazyBeacon exploits weak identity and configuration practices rather than any vulnerability in AWS itself. The attack succeeds because IAM credentials were stolen and Lambda Function URLs were not restricted by policy. This means signature-based detection largely misses the attack; behavioral and configuration-based controls are required.

Targeted Sectors and Attribution

The campaign (CL-STA-1020) has been observed targeting Southeast Asian government networks. The use of Lambda as a C2 relay is consistent with nation-state or advanced criminal group tactics, as the operational setup requires meaningful cloud infrastructure knowledge and access to stolen IAM credentials. The borrowed-infrastructure model — weaponizing third-party cloud environments — provides attackers with stealth, scalability, and plausible deniability.

Defensive Recommendations

Organizations running workloads in AWS should implement the following controls to detect and prevent HazyBeacon-style attacks:

  • Enforce strong IAM hygiene: Rotate IAM keys regularly, enable MFA for all users, and audit for keys exposed in code repositories or CI/CD pipelines.
  • Enable AWS CloudTrail logging across all regions to detect unauthorized API activity, including unexpected Lambda function creation or configuration changes.
  • Monitor VPC flow logs to identify unusual proxy-like traffic patterns or high-volume Lambda invocations from internal hosts.
  • Apply Service Control Policies (SCPs) to block Lambda Function URLs with public access unless explicitly approved by your security team.
  • Track cost anomalies — large-scale C2 relays generate unusually high volumes of Lambda invocations, which will spike your AWS bill and can serve as an early detection signal.
  • Do not allowlist AWS domains wholesale. Implement granular DNS and proxy policies that flag traffic to unexpected AWS service endpoints.
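As an added illustration of the behavioral and configuration-based detection the article calls for, the script below checks the two signals that the recommendations above and the "Why This Is Difficult to Detect" section point at: CloudTrail records that create or update a Lambda Function URL with AuthType NONE, and proxy log lines whose destination host has the <id>.lambda-url.<region>.on.aws shape but is not on an approved list. This is example code written for this page, not tooling from Qualys or from the article's authors. The CloudTrail records and proxy lines are constructed samples; the proxy log layout, the approved-host list, and the account, key and function names are assumptions.

```python
"""Flag HazyBeacon-style Lambda Function URL abuse in CloudTrail and proxy logs.

Added example, not code from the original article. All sample data below is
constructed. Field names follow the CloudTrail record format; Lambda event
names carry the API-version suffix that real CloudTrail records use
(e.g. CreateFunctionUrlConfig20210413), so matching is done on the prefix.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Lambda API calls that create or change a Function URL (prefix, suffix stripped).
URL_CONFIG_EVENTS = ("CreateFunctionUrlConfig", "UpdateFunctionUrlConfig")

# Hostname shape of a public Function URL: <id>.lambda-url.<region>.on.aws
LAMBDA_URL_HOST = re.compile(r"^[a-z0-9]+\.lambda-url\.[a-z0-9-]+\.on\.aws$")


@dataclass
class Finding:
    kind: str       # which detector fired
    detail: str     # human-readable context for the analyst
    principal: str  # IAM ARN (CloudTrail) or source IP (proxy) to pivot on


def _event_base(name: str) -> str:
    """'CreateFunctionUrlConfig20210413' -> 'CreateFunctionUrlConfig'."""
    return re.sub(r"\d+$", "", name)


def find_public_function_urls(records: list[dict]) -> list[Finding]:
    """Return a Finding for each CloudTrail record that sets a Function URL to AuthType NONE."""
    findings: list[Finding] = []
    for rec in records:
        if rec.get("eventSource") != "lambda.amazonaws.com":
            continue
        if _event_base(rec.get("eventName", "")) not in URL_CONFIG_EVENTS:
            continue
        params = rec.get("requestParameters") or {}
        if params.get("authType") != "NONE":
            continue  # AWS_IAM-protected URLs are the expected, benign case
        ident = rec.get("userIdentity") or {}
        principal = ident.get("arn") or ident.get("accessKeyId") or "unknown"
        findings.append(Finding(
            kind="public-function-url",
            detail=f"{params.get('functionName')} in {rec.get('awsRegion')} "
                   f"from {rec.get('sourceIPAddress')}",
            principal=principal,
        ))
    return findings


def find_lambda_url_egress(proxy_lines: list[str], approved_hosts: set[str]) -> list[Finding]:
    """Return a Finding for each proxy line whose destination is a Function URL host
    that is not explicitly approved. Assumed (constructed) line layout:
    '<timestamp> <src_ip> <dst_host> <bytes>'."""
    findings: list[Finding] = []
    for line in proxy_lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        _ts, src, host, nbytes = parts[:4]
        if LAMBDA_URL_HOST.match(host) and host not in approved_hosts:
            findings.append(Finding(
                kind="unapproved-lambda-url",
                detail=f"{src} -> {host} ({nbytes} bytes)",
                principal=src,
            ))
    return findings


# --- constructed sample data (not real accounts, keys, hosts or traffic) ---
SAMPLE_CLOUDTRAIL = [
    {   # a stolen CI key enables a public URL on an existing function
        "eventSource": "lambda.amazonaws.com",
        "eventName": "CreateFunctionUrlConfig20210413",
        "awsRegion": "ap-southeast-1",
        "sourceIPAddress": "203.0.113.77",
        "userIdentity": {"type": "IAMUser",
                         "arn": "arn:aws:iam::111122223333:user/ci-deploy",
                         "accessKeyId": "AKIAEXAMPLEPLACEHOLDER"},
        "requestParameters": {"functionName": "image-resizer", "authType": "NONE"},
    },
    {   # legitimate IAM-authenticated URL: must not fire
        "eventSource": "lambda.amazonaws.com",
        "eventName": "UpdateFunctionUrlConfig20210413",
        "awsRegion": "ap-southeast-1",
        "sourceIPAddress": "198.51.100.10",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111122223333:assumed-role/platform/ops"},
        "requestParameters": {"functionName": "internal-api", "authType": "AWS_IAM"},
    },
    {   # unrelated Lambda call: must not fire
        "eventSource": "lambda.amazonaws.com",
        "eventName": "Invoke",
        "awsRegion": "ap-southeast-1",
        "sourceIPAddress": "198.51.100.10",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111122223333:assumed-role/platform/ops"},
        "requestParameters": {"functionName": "internal-api"},
    },
]

SAMPLE_PROXY = [
    "2026-06-20T09:14:02Z 10.20.4.15 abc123def456abc123def456abc12345.lambda-url.ap-southeast-1.on.aws 48213",
    "2026-06-20T09:14:03Z 10.20.4.15 sts.amazonaws.com 1200",
    "2026-06-20T09:15:10Z 10.20.7.9 approved789approved789approved789.lambda-url.eu-west-1.on.aws 900",
]
APPROVED_LAMBDA_URL_HOSTS = {"approved789approved789approved789.lambda-url.eu-west-1.on.aws"}

if __name__ == "__main__":
    for f in find_public_function_urls(SAMPLE_CLOUDTRAIL) + \
             find_lambda_url_egress(SAMPLE_PROXY, APPROVED_LAMBDA_URL_HOSTS):
        print(f"[{f.kind}] {f.detail} (pivot: {f.principal})")
```

The CloudTrail check is the configuration-based control the article asks for: the authType value in requestParameters is what distinguishes a public relay from a normal IAM-protected URL, so alerting on it catches the "Relay Setup" stage before any beacon traffic exists. The proxy check is the granular alternative to allowlisting AWS wholesale: on.aws as a domain stays reachable, but each individual Function URL host must be approved. For prevention rather than detection, the same authType distinction can be enforced in an SCP through the documented lambda:FunctionUrlAuthType condition key on the CreateFunctionUrlConfig and UpdateFunctionUrlConfig actions.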

HazyBeacon highlights a growing trend where advanced threat actors repurpose legitimate cloud services as operational infrastructure. As organizations migrate more of their environment to AWS, Azure, and GCP, the same platforms become attractive targets for attacker infrastructure. Security teams must adapt by prioritizing identity-centric security, continuous cloud configuration monitoring, and behavioral analysis of cloud workloads rather than relying solely on network-level indicators of compromise.
