
HazyBeacon Weaponizes AWS Lambda URLs for Stealth C2


Emy Elsamnoudy
June 19, 2026 3 Min Read

HazyBeacon, a cyber-espionage campaign tracked as CL-STA-1020, is covertly targeting Southeast Asian government networks. This stealthy operation weaponizes AWS Lambda Function URLs, leveraging them as command-and-control (C2) relays.

Qualys security researchers have observed attackers using misconfigured serverless features and stolen cloud credentials to blend malicious traffic into trusted AWS infrastructure, making detection significantly harder.

Traditional malware relied on attacker-owned servers for communication, which defenders could block using IP or domain reputation.

HazyBeacon represents a shift toward cloud-native C2, in which attackers deploy their infrastructure within legitimate cloud environments. In this campaign, compromised systems communicate with AWS-hosted Lambda Function URLs.

Because the traffic flows through trusted AWS domains, it appears benign to most security tools, effectively bypassing conventional network defenses.

HazyBeacon Abuses AWS Lambda Function URLs

At the core of the attack is the misuse of AWS Lambda Function URLs configured with AuthType: NONE, which allows public, unauthenticated access.

These endpoints provide a simple HTTPS interface without requiring API Gateway or load balancers, reducing visibility and operational overhead.

Attackers exploit stolen IAM credentials to create Lambda functions in compromised AWS accounts, configure public Function URLs, and use these functions as proxies to relay encrypted communications from malware.

A typical malicious endpoint resembles: https://<url-id>.lambda-url.<region>.on.aws

Because it uses the trusted “on.aws” domain, the traffic appears legitimate, creating a “lookalike” problem for defenders.

set up a public HTTPS relay on AWS within seconds (Source: Qualys)
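
Because the shared "on.aws" domain cannot simply be blocked, one defensive check is to compare Function URL hostnames seen in egress logs against an inventory of the URL IDs your own accounts created. The following is an added example, not from the article or Qualys; the log layout, the inventory set and every hostname in it are constructed for illustration.

```python
import re
from collections import Counter

# Function URL hostnames have the form <url-id>.lambda-url.<region>.on.aws
FUNCTION_URL_HOST = re.compile(
    r"(?P<url_id>[a-z0-9]+)\.lambda-url\.(?P<region>[a-z0-9-]+)\.on\.aws")

# Hypothetical inventory of URL IDs deployed by your own AWS accounts.
APPROVED_URL_IDS = {"approvedexampleid000000000000001"}

# Constructed proxy log: "<timestamp> <client> <method> <host> <bytes_out>"
SAMPLE_PROXY_LOG = """\
2026-06-19T08:00:01Z 10.0.4.17 POST unknownexampleid000000000000000a.lambda-url.ap-southeast-1.on.aws 512
2026-06-19T08:05:02Z 10.0.4.17 POST unknownexampleid000000000000000a.lambda-url.ap-southeast-1.on.aws 498
2026-06-19T08:06:40Z 10.0.4.22 GET approvedexampleid000000000000001.lambda-url.us-east-1.on.aws 120
2026-06-19T08:07:11Z 10.0.4.17 GET www.example.com 230
2026-06-19T08:10:03Z 10.0.4.17 POST UNKNOWNEXAMPLEID000000000000000A.lambda-url.ap-southeast-1.on.aws. 505
2026-06-19T08:11:00Z 10.0.9.3 GET abc.lambda-url.us-east-1.on.aws.example.com 90
"""

def unapproved_function_url_hits(log_text, approved=APPROVED_URL_IDS):
    """Count requests per (client, region, url_id) to Function URLs not in the inventory."""
    hits = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines rather than guessing at columns
        client, host = fields[1], fields[3]
        # Normalise case and a trailing root dot before matching the whole name.
        match = FUNCTION_URL_HOST.fullmatch(host.lower().rstrip("."))
        if match and match.group("url_id") not in approved:
            hits[(client, match.group("region"), match.group("url_id"))] += 1
    return hits

if __name__ == "__main__":
    for key, count in unapproved_function_url_hits(SAMPLE_PROXY_LOG).items():
        print(count, *key)
```
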

HazyBeacon follows a borrowed-infrastructure model, in which attackers weaponize third-party cloud environments. The attack chain includes:

Credential compromise: IAM keys are stolen from exposed repositories or phishing campaigns.

Infrastructure deployment: Attackers create Lambda functions using legitimate AWS APIs.

Relay setup: Public Function URLs are enabled for command transmission.

C2 communication: Malware sends encrypted requests to Lambda, which forwards them to attacker-controlled servers and relays responses back.

According to Qualys research, infected systems communicate with attacker infrastructure through AWS Lambda relays, masking the true command-and-control destination behind legitimate cloud traffic.

HazyBeacon is a lightweight backdoor that profiles systems, executes remote commands, and exfiltrates data, including documents and keystrokes.

Attackers used AWS Lambda to hide communications within normal cloud traffic, exploiting weak identity and configuration practices rather than AWS vulnerabilities.

Effective defenses focus on visibility and access control:

Enforce strong IAM hygiene, including key rotation and multi-factor authentication.

Enable AWS CloudTrail logging across all regions to detect unauthorized API activity.

Monitor VPC flow logs to identify unusual proxy-like traffic patterns.

Apply Service Control Policies (SCPs) to block Lambda Function URLs with public access unless explicitly approved.

Track cost anomalies, as large-scale C2 relays generate high volumes of Lambda invocations.
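
For the CloudTrail monitoring recommended above, the following added example (not from the article or Qualys) flags Lambda control-plane calls that make, or try to make, a Function URL publicly invocable. The sample records, account ID, names and IP addresses are constructed, and the `requestParameters` keys it reads are an assumption about the record layout that should be checked against your own trail.

```python
# Event names are matched by prefix: Lambda logs some with an API-version suffix.
URL_CONFIG_EVENTS = ("CreateFunctionUrlConfig", "UpdateFunctionUrlConfig")

# Constructed CloudTrail records, trimmed to the fields this check reads.
SAMPLE_EVENTS = [
    {"eventSource": "lambda.amazonaws.com", "eventName": "CreateFunctionUrlConfig",
     "awsRegion": "ap-southeast-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deploy"},
     "requestParameters": {"functionName": "relay-fn", "authType": "NONE"}},
    {"eventSource": "lambda.amazonaws.com", "eventName": "AddPermission20150331v2",
     "awsRegion": "ap-southeast-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deploy"},
     "requestParameters": {"functionName": "relay-fn", "principal": "*",
                           "functionUrlAuthType": "NONE"}},
    {"eventSource": "lambda.amazonaws.com", "eventName": "CreateFunctionUrlConfig",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/app-team"},
     "requestParameters": {"functionName": "internal-api", "authType": "AWS_IAM"}},
    {"eventSource": "lambda.amazonaws.com", "eventName": "UpdateFunctionUrlConfig",
     "awsRegion": "eu-west-1", "sourceIPAddress": "203.0.113.10",
     "errorCode": "AccessDenied",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deploy"},
     "requestParameters": {"functionName": "relay-fn", "authType": "NONE"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject", "requestParameters": {}},
]

def public_function_url_findings(events):
    """Return one finding per call that exposes, or tries to expose, a Function URL."""
    findings = []
    for ev in events:
        if ev.get("eventSource") != "lambda.amazonaws.com":
            continue
        name = ev.get("eventName", "")
        params = ev.get("requestParameters") or {}
        if name.startswith(URL_CONFIG_EVENTS) and params.get("authType") == "NONE":
            reason = "Function URL set to AuthType NONE"
        elif (name.startswith("AddPermission") and params.get("principal") == "*"
              and params.get("functionUrlAuthType") == "NONE"):
            reason = "resource policy grants anonymous InvokeFunctionUrl"
        else:
            continue
        findings.append({
            "reason": reason, "function": params.get("functionName"),
            "region": ev.get("awsRegion"), "source_ip": ev.get("sourceIPAddress"),
            "actor": (ev.get("userIdentity") or {}).get("arn"),
            "blocked": "errorCode" in ev,  # a denied attempt is still worth triage
        })
    return findings
```

Findings with `blocked` set to true are calls that failed, for example because an SCP denied them; the same actor and source IP appearing across several regions is a useful pivot for triage.
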

HazyBeacon highlights a growing trend where attackers repurpose legitimate cloud services as operational infrastructure. By shifting C2 into trusted platforms like AWS, adversaries gain stealth, scalability, and plausible deniability.

Organizations must adapt by prioritizing identity-centric security, continuous configuration monitoring, and behavioral analysis of cloud workloads.

In cloud environments, every API call and configuration change is logged. That visibility is key to detecting and stopping threats before they turn infrastructure into a weapon.
