
An ongoing campaign has been detected in which Amazon Web Services (AWS) users have their Identity and Access Management (IAM) credentials hijacked to facilitate bitcoin mining.
According to a new report the tech giant shared ahead of publication, the activity, first detected on November 2, 2025 by Amazon's GuardDuty managed threat detection service and its automated security monitoring systems, uses previously unseen techniques to impede incident response and keep operating unimpeded.
"Operating from an external hosting provider, the threat actor quickly enumerated resources and permissions before deploying crypto mining resources across ECS and EC2," Amazon stated in its announcement. "Within 10 minutes of the threat actor gaining initial access, crypto miners were operational."
The multi-stage attack chain begins with the unknown adversary using compromised IAM user credentials with administrator-like privileges to run a discovery phase: it probes the environment for EC2 service quotas and tests its permissions by invoking the RunInstances API with the "DryRun" flag set.
Setting "DryRun" is deliberate: it lets the attackers confirm their IAM permissions without actually launching instances, which avoids incurring costs and leaves a smaller forensic trail. The stage's ultimate aim is to determine whether the targeted infrastructure is suitable for deploying the miner software.
In the next step, the threat actor calls CreateServiceLinkedRole and CreateRole to create IAM roles for autoscaling groups and AWS Lambda, respectively. Once the roles exist, the "AWSLambdaBasicExecutionRole" managed policy is attached to the Lambda role.
Based on the activity observed so far, the threat actor is believed to have created dozens of ECS clusters across the environment, exceeding fifty ECS clusters in a single attack in some cases.
"They then called RegisterTaskDefinition with a malicious DockerHub image yenik65958/secret:user," Amazon stated. "With the same string used for the cluster creation, the actor then created a service, using the task definition to initiate crypto mining on ECS Fargate nodes."
The DockerHub image, which has since been taken down, was configured to execute a shell script as soon as it was deployed; the script started bitcoin mining using the RandomVIREL mining algorithm. The threat actor has also been observed creating autoscaling groups configured to scale from 20 to 999 instances, in an effort to make the most of EC2 service quotas and maximize resource consumption.
The EC2 activity has targeted both high-performance GPU and machine-learning instances and compute-, memory-, and general-purpose instances.

What sets this campaign apart is its use of the ModifyInstanceAttribute action with the "disableApiTermination" parameter set to "True". This prevents an instance from being terminated through the Amazon EC2 console, command-line interface, or API, so victims must first re-enable API termination before they can delete the affected resources.
"Instance termination protection can impair incident response capabilities and disrupt automated remediation controls," Amazon stated in its announcement. "This technique demonstrates an understanding of common security response procedures and intent to maximize the duration of mining operations."
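The order of operations for a responder follows from the description above: termination protection has to be cleared before TerminateInstances will succeed, and the fact that it was set is itself evidence worth recording in the incident timeline. The following is an added example, not Amazon's code or guidance. It uses the boto3 EC2 client method names and response shapes, but the FakeEC2 class is a constructed stand-in that refuses to terminate a protected instance the way EC2 does, so the example runs offline; the instance ids are made up.

```python
"""Release EC2 termination protection before terminating, in the order the page describes.

Added example, not AWS code. release_and_terminate() accepts any object exposing the
three boto3 EC2 client methods it calls, so with real AWS you would pass
boto3.client("ec2"). FakeEC2 is a CONSTRUCTED stand-in so the example runs offline.
"""


class OperationNotPermitted(Exception):
    """Stand-in for botocore's ClientError with error code OperationNotPermitted."""


class FakeEC2:
    """Minimal in-memory model of the EC2 calls involved (constructed for this example)."""

    def __init__(self, protected=()):
        self.protected = set(protected)   # instance ids with disableApiTermination=true
        self.terminated = []

    def describe_instance_attribute(self, InstanceId, Attribute):
        assert Attribute == "disableApiTermination"
        return {"InstanceId": InstanceId,
                "DisableApiTermination": {"Value": InstanceId in self.protected}}

    def modify_instance_attribute(self, InstanceId, DisableApiTermination):
        if DisableApiTermination["Value"]:
            self.protected.add(InstanceId)
        else:
            self.protected.discard(InstanceId)
        return {}

    def terminate_instances(self, InstanceIds):
        # Modelled on EC2's OperationNotPermitted refusal for protected instances.
        blocked = [i for i in InstanceIds if i in self.protected]
        if blocked:
            raise OperationNotPermitted(
                f"The instance(s) {blocked} may not be terminated. "
                "Modify its 'disableApiTermination' instance attribute and try again.")
        self.terminated.extend(InstanceIds)
        return {"TerminatingInstances": [{"InstanceId": i} for i in InstanceIds]}


def termination_blocked(ec2, instance_ids):
    """Attempt a plain TerminateInstances without clearing protection.
    Returns True when the call is refused, which is what a responder (or an
    automated remediation runbook) hits first on these instances."""
    try:
        ec2.terminate_instances(InstanceIds=list(instance_ids))
    except OperationNotPermitted:
        return True
    return False


def release_and_terminate(ec2, instance_ids):
    """Clear disableApiTermination where set, then terminate.
    Returns the ids that were protected; record them as an anti-forensics indicator.
    In a real response, isolate and snapshot the instances before this step."""
    had_protection = []
    for iid in instance_ids:
        attr = ec2.describe_instance_attribute(InstanceId=iid, Attribute="disableApiTermination")
        if attr["DisableApiTermination"]["Value"]:
            had_protection.append(iid)
            ec2.modify_instance_attribute(InstanceId=iid, DisableApiTermination={"Value": False})
    ec2.terminate_instances(InstanceIds=list(instance_ids))
    return had_protection


if __name__ == "__main__":
    ec2 = FakeEC2(protected={"i-0aaa111122223333a"})       # constructed ids
    ids = ["i-0aaa111122223333a", "i-0bbb111122223333b"]
    print("plain terminate refused:", termination_blocked(ec2, ids))
    print("had protection:", release_and_terminate(ec2, ids))
    print("terminated:", ec2.terminated)
```

Because EC2 refuses the whole request when a protected instance is in the list, a runbook that simply loops over TerminateInstances stalls on every affected instance; checking and clearing the attribute first, and logging which instances had it set, is what keeps automated remediation working against this technique.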
This is not the first time the security risk associated with ModifyInstanceAttribute has been highlighted. In April 2024, security researcher Harsha Koushik presented a proof-of-concept (PoC) outlining how the action could be abused to take over instances, exfiltrate instance role credentials, and even take over the entire Amazon Web Services account.
The attacks also involve creating a Lambda function that can be invoked by any principal, and an IAM user named "user-x1x2x3x4" with the AWS managed policy "AmazonSESFullAccess" attached. The latter gives the adversary full access to Amazon Simple Email Service (SES), likely to carry out phishing attacks.
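Every step the report describes leaves a CloudTrail record, including the DryRun probes, which are logged with error code Client.DryRunOperation even though they launch nothing. The script below is an added example, not Amazon's code or part of its report: it classifies constructed CloudTrail records into the stages above (discovery, staging, deployment, anti-forensics, persistence) and rates an access key "high" when deployment follows discovery within the ten-minute window the report cites. The trusted registry prefix, thresholds, access key ids and timestamps are assumptions; only the image name and IAM user name come from the report.

```python
"""Flag the CloudTrail footprints of the campaign described above.
Added example, not AWS code. The records below are CONSTRUCTED to mirror the CloudTrail
shape of the API calls named in the report; ids, keys, timestamps and thresholds are made up.
"""
import json
from datetime import datetime, timedelta

# Assumed settings for the hypothetical account being checked.
TRUSTED_IMAGE_PREFIXES = ("111122223333.dkr.ecr.",)  # placeholder ECR account id
ASG_MAX_SIZE_CEILING = 50                            # assumed normal Auto Scaling upper bound
TASK_CPU_CEILING = 2048                              # assumed normal ECS task CPU units
KILL_CHAIN_WINDOW = timedelta(minutes=10)            # the report's "within 10 minutes"


def _flag(value):
    """EC2 boolean attributes are logged as {"value": true}; accept a bare bool too."""
    return value.get("value") if isinstance(value, dict) else value


def classify_event(event):
    """Return (stage, description) for one CloudTrail record, or None if nothing matched."""
    name = event.get("eventName")
    p = event.get("requestParameters") or {}
    policy = p.get("policyArn", "")

    # DryRun requests launch nothing but are logged with this error code.
    if name == "RunInstances" and event.get("errorCode") == "Client.DryRunOperation":
        return ("discovery", "RunInstances DryRun: permission probing without launching")
    if name == "AttachRolePolicy" and policy.endswith("/AWSLambdaBasicExecutionRole"):
        return ("staging", f"AWSLambdaBasicExecutionRole attached to role {p.get('roleName')}")
    if name == "RegisterTaskDefinition":
        for c in p.get("containerDefinitions", []):
            if not c.get("image", "").startswith(TRUSTED_IMAGE_PREFIXES):
                return ("deploy", f"task definition pulls untrusted image {c.get('image')}")
        if int(p.get("cpu", 0)) > TASK_CPU_CEILING:
            return ("deploy", f"task definition requests {p['cpu']} CPU units")
    if name == "CreateAutoScalingGroup" and int(p.get("maxSize", 0)) > ASG_MAX_SIZE_CEILING:
        return ("deploy", f"auto scaling group sized {p.get('minSize')}-{p.get('maxSize')}")
    if name == "ModifyInstanceAttribute" and _flag(p.get("disableApiTermination")) is True:
        return ("anti-forensics", f"termination protection enabled on {p.get('instanceId')}")
    if name == "AddPermission" and p.get("principal") == "*":
        return ("persistence", f"Lambda {p.get('functionName')} invokable by any principal")
    if name == "AttachUserPolicy" and policy.endswith("/AmazonSESFullAccess"):
        return ("persistence", f"AmazonSESFullAccess attached to IAM user {p.get('userName')}")
    return None


def analyze_trail(records):
    """Group findings per access key; a key is rated "high" when a deployment-stage call
    follows a discovery-stage call within KILL_CHAIN_WINDOW, otherwise "low"."""
    by_key = {}
    for ev in sorted(records, key=lambda e: e["eventTime"]):
        hit = classify_event(ev)
        if hit is None:
            continue
        key = ev.get("userIdentity", {}).get("accessKeyId", "unknown")
        entry = by_key.setdefault(key, {"findings": [], "severity": "low", "_first": None})
        ts = datetime.fromisoformat(ev["eventTime"].replace("Z", "+00:00"))
        stage, desc = hit
        entry["findings"].append((stage, ev["eventName"], desc))
        if stage == "discovery" and entry["_first"] is None:
            entry["_first"] = ts
        elif stage == "deploy" and entry["_first"] and ts - entry["_first"] <= KILL_CHAIN_WINDOW:
            entry["severity"] = "high"
    for entry in by_key.values():
        del entry["_first"]
    return by_key


def _rec(minute, name, params, key="AKIAEXAMPLE00000001", error=None):
    """Build a minimal constructed CloudTrail record."""
    ev = {"eventTime": f"2025-11-02T10:{minute:02d}:00Z", "eventName": name,
          "userIdentity": {"accessKeyId": key}, "requestParameters": params}
    if error:
        ev["errorCode"] = error
    return ev


SAMPLE_RECORDS = [
    _rec(0, "RunInstances", {"instanceType": "p4d.24xlarge"}, error="Client.DryRunOperation"),
    _rec(1, "AttachRolePolicy", {"roleName": "lambda-role",
         "policyArn": "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"}),
    _rec(3, "RegisterTaskDefinition", {"family": "svc", "cpu": "4096",
         "containerDefinitions": [{"name": "app", "image": "yenik65958/secret:user"}]}),
    _rec(4, "CreateAutoScalingGroup", {"autoScalingGroupName": "asg", "minSize": 20, "maxSize": 999}),
    _rec(6, "ModifyInstanceAttribute", {"instanceId": "i-0123456789abcdef0",
         "disableApiTermination": {"value": True}}),
    _rec(7, "AddPermission", {"functionName": "fn", "principal": "*", "action": "lambda:InvokeFunction"}),
    _rec(8, "AttachUserPolicy", {"userName": "user-x1x2x3x4",
         "policyArn": "arn:aws:iam::aws:policy/AmazonSESFullAccess"}),
    # A benign deployment from another key, pulling from the trusted registry.
    _rec(30, "RegisterTaskDefinition", {"family": "web", "cpu": "512", "containerDefinitions":
         [{"name": "web", "image": "111122223333.dkr.ecr.us-east-1.amazonaws.com/web:1.0"}]},
         key="AKIAEXAMPLE00000002"),
]

if __name__ == "__main__":
    print(json.dumps(analyze_trail(SAMPLE_RECORDS), indent=2))
```

Run against real CloudTrail output, `records` would be the `Records` array of each log file; the per-key correlation matters because any one of these calls can be legitimate on its own, while discovery followed by an untrusted task definition, an oversized Auto Scaling group and termination protection from the same access key within minutes is the pattern the report describes.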
AWS users are being urged by Amazon to take the following precautions in order to protect themselves from the threat:
Implement stringent identity and access management controls.
Use ephemeral credentials instead of long-term access keys.
Require multi-factor authentication (MFA) for all users.
Apply the principle of least privilege (PoLP) to IAM principals to restrict access.
Deploy container security controls to scan for suspicious images.
Watch for unusual CPU allocation requests in ECS task definitions.
Use AWS CloudTrail to log events across all AWS services.
Ensure Amazon GuardDuty is enabled to permit automated response procedures.
"The threat actor's scripted use of multiple compute services, in combination with emerging persistence techniques, represents a significant advancement in crypto mining attack methodologies," Amazon stated in its conclusion.
