A sophisticated cyber espionage operation is quietly targeting government agencies in Southeast Asia with a previously undocumented Windows backdoor named HazyBeacon.
The campaign is tracked by Palo Alto Networks' Unit 42 under the identifier CL-STA-1020, and it aimed to steal confidential information related to tariff policy, trade disputes and national strategic direction. As Southeast Asia has increasingly become a focus of competition between major powers, particularly the United States and China, the region has emerged as an attractive target for espionage campaigns seeking advantages in global trade, military and foreign policy.
It is not clear how HazyBeacon entered the system, but evidence suggests that the attackers used DLL side-loading: a malicious DLL named mscorsvc.dll was placed alongside the legitimate Windows executable mscorsvw.exe. When loaded, the malicious DLL establishes a connection to an attacker-controlled command-and-control server, allowing arbitrary commands to be executed and additional payloads to be downloaded to the compromised device. To ensure long-term persistence on the system, the malware registers a service that starts automatically with the operating system.
What makes HazyBeacon particularly dangerous is its use of AWS Lambda URLs as its control channel. This is a legitimate feature of Amazon's cloud platform that allows serverless functions to be invoked over HTTPS. The attacker took advantage of this feature to camouflage C2 traffic, making it look like valid operations and difficult to detect. Using a popular cloud service such as AWS creates a communication channel that is both reliable and hard to distinguish from normal traffic, allowing the malware to operate quietly under a legitimate veneer.
Experts recommend close monitoring of outbound traffic to less common domains such as *.lambda-url.*.amazonaws.com, especially when these connections originate from an unusual process or from a system service of unknown origin. Monitoring by IP address or domain name alone is no longer effective. Instead, context-based detection techniques should be applied, including analysis of parent-child process sequences, tracing of execution relationships between processes, and real-time monitoring of endpoint behavior. These methods help determine whether a connection to the AWS Lambda service is valid application behavior or a sophisticated camouflaged control channel set up by malware. In an environment where cloud services are increasingly common, the ability to clearly distinguish normal activity from carefully designed evasive behavior is key to early detection of subtle threats such as HazyBeacon.
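The following is an added example, not code from Unit 42 or from the campaign described here, showing how the context-based detection recommended above can be expressed over endpoint telemetry: it combines the side-loading pair named earlier (mscorsvc.dll loaded next to mscorsvw.exe) with the Lambda URL hostname pattern and the parent process of the connecting process. The event shape (Sysmon-style dictionaries), the approved-client baseline, the file paths and the sample events are all constructed for illustration; the `.on.aws` hostname form is the current Lambda function URL format and is matched in addition to the `*.lambda-url.*.amazonaws.com` pattern quoted in the article.

```python
"""Context-aware detection of Lambda-URL C2 and DLL side-loading (added example)."""
import re
from typing import Dict, List, Optional, Tuple

# Hostname pattern from the article (*.lambda-url.*.amazonaws.com) plus the
# documented Lambda function URL form <id>.lambda-url.<region>.on.aws.
LAMBDA_URL_RE = re.compile(r"\.lambda-url\.[a-z0-9-]+\.(amazonaws\.com|on\.aws)$", re.IGNORECASE)

# Constructed baseline (assumption): processes this organisation allows to call Lambda URLs.
APPROVED_LAMBDA_CLIENTS = {
    "c:\\program files\\amazon\\awscli\\aws.exe",          # hypothetical approved tooling
    "c:\\program files\\mozilla firefox\\firefox.exe",      # hypothetical approved browser
}
# Assumption: Windows DLLs such as mscorsvc.dll are expected under the Windows directory.
SYSTEM_DIR_PREFIXES = ("c:\\windows\\",)
ALERT_THRESHOLD = 2


def is_lambda_url_host(host: str) -> bool:
    """True when the destination hostname is a Lambda function URL."""
    return bool(LAMBDA_URL_RE.search(host.strip().lower()))


def score_network_event(ev: Dict[str, str]) -> Tuple[int, List[str]]:
    """Score one network-connection event; each context signal adds one point."""
    reasons: List[str] = []
    if not is_lambda_url_host(ev["dest_host"]):
        return 0, reasons
    image, parent = ev["image"].lower(), ev["parent_image"].lower()
    score, reasons = 1, ["outbound connection to a Lambda function URL"]
    if image not in APPROVED_LAMBDA_CLIENTS:
        score += 1
        reasons.append(f"client not in approved baseline: {ev['image']}")
    if parent.endswith("\\services.exe"):          # spawned by the Service Control Manager
        score += 1
        reasons.append("process is hosted as a Windows service")
    if image.endswith("\\mscorsvw.exe"):            # side-loading host named in the article
        score += 1
        reasons.append("process is a known DLL side-loading host")
    return score, reasons


def sideload_indicator(ev: Dict[str, str]) -> Optional[str]:
    """Flag mscorsvc.dll being loaded from outside the Windows directory."""
    loaded = ev["image_loaded"].lower()
    if not loaded.endswith("\\mscorsvc.dll") or loaded.startswith(SYSTEM_DIR_PREFIXES):
        return None
    return f"{ev['image']} loaded mscorsvc.dll from non-system path {ev['image_loaded']}"


def analyse(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return alerts for image-load and network events that exceed the threshold."""
    alerts: List[Dict[str, object]] = []
    for ev in events:
        if ev["type"] == "network":
            score, reasons = score_network_event(ev)
            if score >= ALERT_THRESHOLD:
                alerts.append({"pid": ev["pid"], "score": score, "reasons": reasons})
        elif ev["type"] == "image_load":
            reason = sideload_indicator(ev)
            if reason:
                alerts.append({"pid": ev["pid"], "score": ALERT_THRESHOLD, "reasons": [reason]})
    return alerts


# Constructed sample telemetry (paths, PIDs and hostnames are invented for the example).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"type": "image_load", "pid": "4120", "image": "C:\\ProgramData\\Update\\mscorsvw.exe",
     "image_loaded": "C:\\ProgramData\\Update\\mscorsvc.dll"},
    {"type": "network", "pid": "4120", "image": "C:\\ProgramData\\Update\\mscorsvw.exe",
     "parent_image": "C:\\Windows\\System32\\services.exe",
     "dest_host": "abcdef123456.lambda-url.us-east-1.amazonaws.com"},
    {"type": "network", "pid": "5566", "image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "parent_image": "C:\\Windows\\explorer.exe",
     "dest_host": "xyz789.lambda-url.eu-west-1.on.aws"},
    {"type": "network", "pid": "7788", "image": "C:\\Windows\\System32\\svchost.exe",
     "parent_image": "C:\\Windows\\System32\\services.exe",
     "dest_host": "ctldl.windowsupdate.com"},
    {"type": "image_load", "pid": "9000",
     "image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\mscorsvw.exe",
     "image_loaded": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\mscorsvc.dll"},
]

if __name__ == "__main__":
    for alert in analyse(SAMPLE_EVENTS):
        print(f"pid {alert['pid']} score {alert['score']}: " + "; ".join(alert["reasons"]))
```

The point of the scoring is that the Lambda hostname alone is only worth one point: the browser connection to a function URL in the sample stays below the threshold, while the service-hosted mscorsvw.exe copy running from ProgramData is flagged twice, once for loading mscorsvc.dll from a non-system path and once for its outbound connection. In a real deployment the baseline set and the system-directory assumption should be replaced with the organisation's own inventory.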
HazyBeacon also downloads a data collection module, which scans for and filters common file formats such as doc, docx, xls, xlsx and pdf within a specified time window. The goal was to locate documents containing sensitive information, including those related to new U.S. tariff policies. After collection, the data is exfiltrated through familiar cloud storage services such as Google Drive and Dropbox. Abusing common platforms allows malicious traffic to blend into legitimate network activity, making detection by traditional monitoring systems difficult. During the incident analyzed by Unit 42, the attempts to upload data to these services were blocked, but they still revealed the attacker's sophisticated tactic of actively exploiting trusted cloud infrastructure to conceal activity and evade monitoring systems.
Once the data theft is complete, the malware performs cleanup operations to erase its traces on the system, including the archived files and intermediate payloads. According to Unit 42's analysis, HazyBeacon is the primary tool that helps the attackers maintain a presence and steal data at targeted organizations.
This campaign is a clear testament to the growing popularity of these tactics among sophisticated threat groups. Abusing legitimate infrastructure and cloud services to evade security defenses is becoming a preferred option. This trend, often referred to as "living off trusted services" (LOTS), has also appeared in campaigns that use Google Workspace, Microsoft Teams or Dropbox APIs to maintain access and evade traditional detection systems.