Threat Actors Utilize Legitimate Cloud Services to Evade Detection and Steal Sensitive Information

Palo Alto Networks' Unit 42 researchers have uncovered a sophisticated attack campaign targeting government entities in Southeast Asia. The threat actors, tracked as the cluster CL-STA-1020 and active since late 2024, have developed a novel technique for covert malware command and control (C2) communication via AWS Lambda function URLs.
According to the researchers, the threat actors have been collecting sensitive information from government agencies, including details about recent tariffs and trade disputes. The malicious actors have leveraged a previously undocumented Windows backdoor, dubbed HazyBeacon, to maintain a foothold and exfiltrate data from compromised systems.
The HazyBeacon backdoor relies on serverless infrastructure, blending its C2 traffic with legitimate AWS communications to evade traditional network detection. Once the malware establishes a connection with the actor-controlled Lambda function URL endpoint, it begins receiving commands to execute and additional payloads to download.
The researchers observed that the threat actors used legitimate cloud storage services, such as Google Drive and Dropbox, to exfiltrate the collected files. However, these upload attempts were flagged by the deployed detection controls and blocked. The attackers then executed cleanup commands to remove evidence of their activities.
The CL-STA-1020 cluster is a significant concern for security teams, as it highlights how attackers continue to find new ways to abuse legitimate, trusted cloud services. The researchers emphasize the importance of enhanced monitoring of cloud resource usage and developing detection strategies that can identify suspicious patterns of communication with trusted cloud services.
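One way to turn that recommendation into a concrete check, as an added illustration rather than code from the Unit 42 report: scan egress proxy logs for processes contacting Lambda function URL hosts (the public `<id>.lambda-url.<region>.on.aws` form) or consumer cloud storage endpoints without being on an allow-list, and flag regular-interval contacts as beaconing. The log format, process names and allow-list are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log (not from the Unit 42 report): time, process, destination host
SAMPLE_LOG = """\
2025-01-10T09:00:00Z svchost.exe abc123.lambda-url.us-east-1.on.aws
2025-01-10T09:05:00Z svchost.exe abc123.lambda-url.us-east-1.on.aws
2025-01-10T09:10:00Z svchost.exe abc123.lambda-url.us-east-1.on.aws
2025-01-10T09:15:00Z svchost.exe abc123.lambda-url.us-east-1.on.aws
2025-01-10T09:16:00Z svchost.exe content.dropboxapi.com
2025-01-10T09:20:00Z chrome.exe drive.google.com
2025-01-10T10:00:00Z aws.exe xyz789.lambda-url.eu-west-1.on.aws
"""

# Lambda function URL hosts take the form <id>.lambda-url.<region>.on.aws
LAMBDA_URL_RE = re.compile(r"^[a-z0-9]+\.lambda-url\.[a-z0-9-]+\.on\.aws$")
# Cloud storage endpoints an organisation would not expect arbitrary processes to reach
STORAGE_HOSTS = {"drive.google.com", "www.googleapis.com", "content.dropboxapi.com"}
# Hypothetical allow-list: which service classes each process may legitimately contact
ALLOWED = {"aws.exe": {"lambda"}, "chrome.exe": {"storage"}}

def parse(log_text):
    events = []
    for line in log_text.splitlines():
        ts, proc, host = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), proc, host))
    return events

def is_periodic(times, min_events=3, jitter=60):
    # Beaconing heuristic: at least min_events contacts with near-constant spacing (seconds)
    if len(times) < min_events:
        return False
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return max(gaps) - min(gaps) <= jitter

def find_suspicious(log_text):
    by_pair = defaultdict(list)
    for ts, proc, host in parse(log_text):
        by_pair[(proc, host)].append(ts)
    findings = []
    for (proc, host), times in by_pair.items():
        kind = "lambda" if LAMBDA_URL_RE.match(host) else "storage" if host in STORAGE_HOSTS else None
        if kind is None or kind in ALLOWED.get(proc, set()):
            continue  # not a cloud service of interest, or an allow-listed pairing
        beacon = kind == "lambda" and is_periodic(sorted(times))
        reason = "beaconing to Lambda function URL" if beacon else f"unexpected {kind} contact"
        findings.append({"process": proc, "host": host, "count": len(times), "reason": reason})
    return findings

if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_LOG):
        print(finding)
```

On the constructed log this flags the periodic svchost.exe contacts with the Lambda URL and its single Dropbox upload, while the allow-listed aws.exe and chrome.exe traffic passes.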
Palo Alto Networks customers are better protected from the threats discussed above through the Unit 42 Cloud Security Assessment and the Unit 42 Incident Response team. The company has shared its findings with fellow Cyber Threat Alliance (CTA) members, who use this intelligence to rapidly deploy protections to their customers and disrupt malicious cyber actors.
The exposure of this novel C2 communication technique serves as a reminder of the evolving tactics employed by threat actors. As security teams continue to adapt to these new threats, it is essential to prioritize enhanced monitoring of cloud resource usage and develop effective detection strategies to prevent such attacks in the future.