HazyBeacon: New Windows Backdoor Uses AWS Lambda for Stealthy Cyber-Espionage in Southeast Asia
Government institutions across Southeast Asia have found themselves at the center of a new cyber-espionage campaign aimed at harvesting sensitive information through a previously unknown Windows malware tool known as HazyBeacon. Tracked by Palo Alto Networks Unit 42 under the designation CL-STA-1020—where “CL” denotes a threat cluster and “STA” implies suspected state sponsorship—this activity underscores the evolving tactics of advanced threat actors.
According to analyst Lior Rochberger, the attackers are targeting data related to governmental operations, including documentation on tariff measures and international trade disputes. In recent years, Southeast Asia has increasingly become a focal point for such incursions due to its strategic role in global diplomacy, military alliances, and its delicate balancing act between U.S. and Chinese interests. Gaining access to insights into domestic policy, infrastructure developments, and trade regulations provides adversaries with a substantial geopolitical edge.
The precise vector through which HazyBeacon infiltrates devices remains undetermined, but researchers have identified the use of DLL sideloading techniques. Attackers deploy a malicious version of “mscorsvc.dll” adjacent to the legitimate Windows binary “mscorsvw.exe.” Once executed, the infected DLL initiates communication with a command-and-control server, enabling the download of additional modules and execution of arbitrary commands. Persistence is achieved via a system service that ensures the DLL is automatically invoked upon reboot.
What distinguishes HazyBeacon is its use of AWS Lambda cloud URLs as a channel for command and control. This tactic enables the malware to blend in with legitimate cloud traffic, greatly complicating detection. Lambda functions operating over HTTPS provide adversaries with a resilient and virtually invisible control mechanism, leveraging Amazon’s trusted infrastructure.
Detection efforts benefit from monitoring anomalous calls to domains such as “.lambda-url..amazonaws.com,” especially if initiated by unfamiliar processes. While the use of AWS alone is not inherently malicious, contextual analysis—such as examining process origins, parent-child relationships, and behavioral anomalies—can illuminate covert activity.
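As an added example (not code from Unit 42's report or from this article), the contextual check described above applied to a few constructed endpoint connection events: it flags Lambda function URL hosts contacted by any process outside a per-organization allowlist, and flags mscorsvw.exe images running outside the .NET Framework directory, which is where the legitimate binary lives and therefore where a sideloaded copy would not be. The allowlist, the sample events and the host-matching rule (any host containing the `.lambda-url.` label) are assumptions, not values from the report.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample network-connection events (not real telemetry): one record per
# outbound connection, with the initiating process image, its parent, and the host.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "parent": r"C:\Windows\explorer.exe",
     "dst_host": "fn-id-0001.lambda-url.us-east-1.amazonaws.com"},
    {"image": r"C:\Users\alice\AppData\Local\Temp\svc\mscorsvw.exe",
     "parent": r"C:\Windows\System32\services.exe",
     "dst_host": "fn-id-0002.lambda-url.us-east-1.amazonaws.com"},
    {"image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe",
     "parent": r"C:\Windows\System32\services.exe",
     "dst_host": "update.example.internal"},
]

# Assumption: any host carrying the ".lambda-url." label is treated as a Lambda function URL.
LAMBDA_URL_RE = re.compile(r"\.lambda-url\.", re.IGNORECASE)
# Hypothetical per-organization allowlist of processes expected to call Lambda function URLs.
ALLOWED_LAMBDA_CLIENTS = {"firefox.exe", "chrome.exe", "msedge.exe", "aws.exe"}
# The legitimate mscorsvw.exe ships under the .NET Framework directory; any other path is suspect.
MSCORSVW_LEGIT_RE = re.compile(
    r"^C:\\Windows\\Microsoft\.NET\\Framework(64)?\\v[\d.]+\\mscorsvw\.exe$", re.IGNORECASE)


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event: Dict[str, str]) -> List[str]:
    """Return the names of the detection rules that fire for one event."""
    alerts: List[str] = []
    name = basename(event["image"])
    if LAMBDA_URL_RE.search(event["dst_host"]) and name not in ALLOWED_LAMBDA_CLIENTS:
        alerts.append("lambda_url_from_unexpected_process")
    if name == "mscorsvw.exe" and not MSCORSVW_LEGIT_RE.match(event["image"]):
        alerts.append("mscorsvw_outside_dotnet_dir")
    return alerts


def scan(events: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Run every rule over every event; each finding is (rule, image, dst_host)."""
    return [(rule, ev["image"], ev["dst_host"]) for ev in events for rule in evaluate(ev)]
```

Both rules fire for the second constructed event only; the browser's Lambda call and the genuine mscorsvw.exe produce no findings, which is the contextual distinction the text calls for.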
One of the downloaded modules functions as a document harvester, specifically searching for files with extensions like .doc, .docx, .xls, .xlsx, and .pdf. Notably, data collection is confined to a predefined time range, allowing attackers to surgically extract only recent and relevant documents. Analysts have recorded attempts to access information pertaining to recent U.S. tariff decisions.
To exfiltrate data, the attackers exploit popular cloud storage platforms such as Google Drive and Dropbox. This approach allows the transfer of stolen files to masquerade as routine user activity. However, in the instance analyzed by Unit 42, these efforts were thwarted by active security measures.
In the final phase of the intrusion, the perpetrators execute commands to erase their digital footprints—removing temporary archives, downloaded payloads, and other artifacts generated during the operation.
Experts assess that HazyBeacon serves as a primary tool for persistence and data exfiltration. The campaign exemplifies how threat actors are increasingly harnessing legitimate cloud platforms as covert communication and control channels.
This strategy aligns with the broader trend known as Living-off-Trusted-Sites (LoTS), wherein malicious actors leverage legitimate APIs—such as those from Google Workspace, Microsoft Teams, or Dropbox—to circumvent security mechanisms and maintain long-term access within target environments.