- A campaign targets Amazon Web Services (AWS) customers using stolen Identity and Access Management (IAM) credentials to run cryptocurrency mining.
- The attackers employ new persistence methods, including disabling instance termination to avoid detection and prolong mining activity.
- The multi-stage attack involves validating permissions using the DryRun flag, creating roles, and launching malicious Docker images for mining across ECS and EC2.
- The threat actor also creates roles with full access to Amazon Simple Email Service (SES), possibly to conduct phishing campaigns.
- AWS recommends enforcing strong access controls, using multi-factor authentication, applying least privilege principles, monitoring unusual resource use, and enabling GuardDuty for detection and automated response.
An ongoing campaign discovered on November 2, 2025, targets AWS customers by exploiting compromised Identity and Access Management (IAM) credentials to conduct unauthorized cryptocurrency mining. The threat actor quickly scans the environment after gaining access and deploys crypto mining operations using Elastic Container Service (ECS) and Elastic Compute Cloud (EC2) resources.
The attacker begins by using IAM credentials with admin-like permissions to perform a discovery phase. This involves invoking the RunInstances API with the DryRun flag, which validates that the credentials have the required permissions without launching instances or incurring costs. This step lets the attacker confirm that the environment is suitable for a mining deployment before committing to it.
Next, the adversary creates IAM roles through CreateServiceLinkedRole and CreateRole APIs to enable autoscaling groups and AWS Lambda functions. The attacker attaches the AWSLambdaBasicExecutionRole policy to these Lambda roles.
During observed attacks, dozens of ECS clusters were created, sometimes exceeding 50 per incident. The threat actor registers a malicious DockerHub image named yenik65958/secret:user—now removed—which runs a shell script to mine cryptocurrency using the RandomVIREL algorithm. Autoscaling groups scaling between 20 and 999 instances also maximize resource consumption. Both high-performance GPU and general-purpose EC2 instances are targeted.
This campaign uses the ModifyInstanceAttribute action to set the “disableApiTermination” parameter to “True,” preventing affected instances from being terminated via the EC2 console, CLI, or API. This disables common incident response and automated defenses, increasing mining duration. A previous proof-of-concept detailed this method’s risk in April 2024.
Additionally, the attacker creates a Lambda function that can be invoked by any principal and an IAM user named “user-x1x2x3x4” with the AmazonSESFullAccess managed policy attached, granting full access to Amazon Simple Email Service (SES). This capability may support phishing campaigns.
To protect against these attacks, AWS advises customers to enforce strong IAM controls, use temporary credentials instead of long-term access keys, enable multi-factor authentication, and apply the principle of least privilege. Additional recommendations include scanning container images for suspicious content, monitoring unusual ECS CPU demands, logging events via AWS CloudTrail, and activating the GuardDuty threat detection service for automated responses.
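As an added illustration of the CloudTrail monitoring AWS recommends (example code written for this article, not an AWS tool), the following Python scans constructed CloudTrail-style records for the campaign indicators described above: DryRun RunInstances probes, termination protection being switched on, AmazonSESFullAccess being attached, and a burst of ECS cluster creation. The record layout for the disableApiTermination parameter and the burst threshold are assumptions.

```python
from collections import Counter

# Constructed CloudTrail-style records (not real logs). Field layout follows the
# CloudTrail event schema; disableApiTermination is assumed to be recorded as
# {"value": true} inside requestParameters.
SAMPLE_RECORDS = [
    {"eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "errorCode": "Client.DryRunOperation", "requestParameters": {}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "ModifyInstanceAttribute",
     "requestParameters": {"instanceId": "i-0123456789abcdef0",
                           "disableApiTermination": {"value": True}}},
    {"eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy",
     "requestParameters": {"userName": "user-x1x2x3x4",
                           "policyArn": "arn:aws:iam::aws:policy/AmazonSESFullAccess"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances", "requestParameters": {}},
] + [
    {"eventSource": "ecs.amazonaws.com", "eventName": "CreateCluster",
     "requestParameters": {"clusterName": f"cluster-{i}"}} for i in range(6)
]

ECS_CLUSTER_BURST = 5  # clusters created in one log batch; demo threshold, tune per account

def classify(record):
    """Map one CloudTrail record to a finding label, or None if it looks benign."""
    name = record.get("eventName")
    params = record.get("requestParameters") or {}
    # DryRun permission probing appears as a RunInstances call that "fails" with
    # Client.DryRunOperation instead of launching anything.
    if name == "RunInstances" and record.get("errorCode") == "Client.DryRunOperation":
        return "ec2-dryrun-probe"
    # Termination protection switched on: blocks console, CLI and API termination.
    if name == "ModifyInstanceAttribute":
        flag = params.get("disableApiTermination")
        if isinstance(flag, dict) and flag.get("value") is True:
            return "termination-protection-enabled"
    # SES full access attached to a user or role: possible phishing staging.
    if name in ("AttachUserPolicy", "AttachRolePolicy"):
        if params.get("policyArn", "").endswith("/AmazonSESFullAccess"):
            return "ses-full-access-granted"
    return None

def scan(records, burst_threshold=ECS_CLUSTER_BURST):
    """Count per-record findings and flag a burst of ECS cluster creation."""
    findings = Counter(label for label in map(classify, records) if label)
    clusters = sum(1 for r in records if r.get("eventSource") == "ecs.amazonaws.com"
                   and r.get("eventName") == "CreateCluster")
    if clusters >= burst_threshold:
        findings["ecs-cluster-burst"] = clusters
    return dict(findings)
```

Feed it the `Records` array of a CloudTrail log file and correlate the labels with the calling identity; any one of these findings on a credential that never performed such actions before is worth an immediate look.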
“The threat actor’s scripted use of multiple compute services, in combination with emerging persistence techniques, represents a significant advancement in crypto mining attack methodologies,” according to AWS on the campaign.