A highly sophisticated cyber espionage campaign is quietly targeting government agencies in Southeast Asia using a previously undocumented Windows backdoor called HazyBeacon. A new, previously unrecorded tool of this kind indicates serious investment by the group behind the operation and a clearly defined target.

The operation is tracked by Unit 42, the Palo Alto Networks threat research group, under the identifier CL-STA-1020. According to initial analysis, the primary objective of the campaign is to collect sensitive information about tariff policy, trade disputes and national strategic direction. As Southeast Asia plays an increasingly important role in the global supply chain and has become a focus of competition between major powers, particularly the United States and China, the region has emerged as an attractive target for espionage aimed at gaining economic, military and foreign-policy advantages.

HazyBeacon’s initial access vector has not yet been firmly established. Technical evidence, however, indicates that the attackers used DLL side-loading, a common but highly effective technique in targeted attack campaigns. Specifically, the malware drops a malicious DLL named mscorsvc.dll into the same directory as the Windows executable mscorvw.exe. When that legitimate process starts, it loads the malicious DLL alongside it, which then silently establishes a connection to an attacker-controlled server. Through this channel the attacker can execute commands remotely, deploy additional payloads and extend control over the host. For persistence, HazyBeacon also registers a Windows service configured to start automatically with the operating system, so the malicious code keeps running after a reboot.

What makes HazyBeacon particularly dangerous is how its command-and-control (C2) channel is built. Instead of traditional C2 infrastructure, the malware abuses AWS Lambda function URLs, a legitimate feature of Amazon’s cloud ecosystem that exposes serverless functions over HTTPS. Using a legitimate, widely adopted service such as AWS blends the malware’s traffic in with valid connections and makes detection significantly harder: to many monitoring systems, these connections look no different from the normal operation of corporate applications.

In light of this trend, security experts recommend paying close attention to outbound traffic to less common domains such as .lambda-url..amazonaws.com, especially when those connections originate from unusual processes or from system services of unknown origin. Monitoring based purely on IP addresses or domain names is no longer sufficient. Instead, organizations need context-based detection: analysis of parent-child process relationships, monitoring of execution chains between processes, and real-time monitoring of endpoint behavior. These techniques help distinguish legitimate connections to AWS Lambda from the malware’s disguised control channel.
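The two context-based checks described above (a DLL loaded from the executable's own directory outside the Windows system tree, and a Lambda function URL contacted by a process that is not expected to use AWS), as an added example that is not part of the original article or of Unit 42's tooling. The JSON event lines, file paths, the allow-list of AWS-using processes and the region label in the hostname are all constructed assumptions for the demonstration.

```python
import json
import ntpath
import re

# Hostname shape named in the text, assuming a region label in the middle.
LAMBDA_URL_RE = re.compile(r"\.lambda-url\.[^.]+\.amazonaws\.com$", re.IGNORECASE)
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\microsoft.net")
# Assumed allow-list: processes this organisation expects to call Lambda URLs.
LAMBDA_ALLOWED = {"aws.exe", "chrome.exe", "msedge.exe"}

def _dir(path):
    return ntpath.dirname(path).lower()

def _name(path):
    return ntpath.basename(path).lower()

def check_event(ev):
    """Return (rule, detail) for a suspicious event, else None."""
    image = ev.get("Image", "")
    if ev.get("EventType") == "ImageLoad":
        dll = ev.get("ImageLoaded", "")
        # Side-loading indicator: the DLL was resolved from the executable's own
        # directory, and that directory lies outside the Windows system tree.
        if _dir(dll) == _dir(image) and not _dir(dll).startswith(SYSTEM_DIRS):
            return ("dll_sideload", f"{_name(image)} loaded {dll}")
    elif ev.get("EventType") == "NetworkConnect":
        host = ev.get("DestinationHostname", "")
        if LAMBDA_URL_RE.search(host) and _name(image) not in LAMBDA_ALLOWED:
            parent = _name(ev.get("ParentImage", ""))
            ctx = "service-hosted" if parent == "services.exe" else f"parent={parent}"
            return ("lambda_url_c2", f"{_name(image)} -> {host} ({ctx})")
    return None

def detect(lines):
    """Run both rules over JSON-lines telemetry; return the list of hits."""
    return [h for h in (check_event(json.loads(l)) for l in lines if l.strip()) if h]

# Constructed sample telemetry (not real logs); paths and hostnames are made up.
SAMPLE_LINES = [json.dumps(e) for e in (
    {"EventType": "ImageLoad", "Image": r"C:\ProgramData\Update\mscorvw.exe",
     "ImageLoaded": r"C:\ProgramData\Update\mscorsvc.dll"},
    {"EventType": "NetworkConnect", "Image": r"C:\ProgramData\Update\mscorvw.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "DestinationHostname": "abc123.lambda-url.us-east-1.amazonaws.com"},
    {"EventType": "NetworkConnect", "Image": r"C:\Program Files\Google\Chrome\chrome.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "DestinationHostname": "abc123.lambda-url.us-east-1.amazonaws.com"},
    {"EventType": "ImageLoad", "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\ntdll.dll"},
)]

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_LINES):
        print(f"[{rule}] {detail}")
```

Only the first two constructed events fire: the browser connection is allow-listed and the system DLL load comes from the Windows system tree.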

In addition to its backdoor functionality, HazyBeacon downloads a data collection module. The module scans for and filters common document files such as doc, docx, xls, xlsx and pdf within a specified time window, looking for documents that contain sensitive information. Notably, some of the targeted data related directly to the new U.S. tariff policies. After collection, the attacker attempts to exfiltrate the data through familiar cloud storage platforms such as Google Drive and Dropbox; using these popular services makes the malicious traffic hard to distinguish from legitimate user activity. In the case analyzed by Unit 42 the exfiltration was blocked, but it still reflects the attacker’s sophisticated tradecraft.

After completing its task, HazyBeacon executes clean-up commands to remove traces, including temporary files and intermediate payloads. According to Unit 42, HazyBeacon plays a key role in maintaining long-term presence and assisting data theft at targeted organizations. The campaign is a clear example of the “living off trusted services” (LOTS) trend, in which threat groups increasingly abuse legitimate cloud services such as AWS, Google Workspace, Microsoft Teams or Dropbox to evade traditional defenses and extend their dwell time in the victim network.