HazyBeacon Espionage Campaign Abuses AWS Lambda Function URLs as Covert C2 Relays
Qualys researchers have uncovered HazyBeacon, a cyber-espionage campaign targeting Southeast Asian governments that weaponizes AWS Lambda Function URLs as stealthy command-and-control relays.

Qualys Security researchers have identified a sophisticated cyber-espionage campaign dubbed HazyBeacon (tracked as CL-STA-1020) that is actively targeting government networks in Southeast Asia. The campaign marks a significant evolution in adversary tradecraft by abusing AWS Lambda Function URLs as covert command-and-control (C2) relays, allowing attackers to blend malicious traffic into trusted cloud infrastructure and evade conventional network defenses.
At the heart of the attack is the misuse of AWS Lambda Function URLs configured with AuthType: NONE. With that setting, plus a resource-based policy granting lambda:InvokeFunctionUrl to the principal "*", anyone who knows the URL can invoke the function over HTTPS with no SigV4 signature and no IAM identity. Attackers first obtain IAM credentials, often stolen from exposed repositories or phishing campaigns, and then use ordinary AWS API calls (CreateFunction, CreateFunctionUrlConfig, AddPermission) to deploy Lambda functions within the victim's own AWS accounts. These functions are given public Function URLs and act as proxies, relaying encrypted communications between compromised systems and attacker-controlled servers. A relay endpoint takes the form https://<url-id>.lambda-url.<region>.on.aws, where the URL ID is assigned by AWS; because on.aws is an Amazon-owned domain with a valid certificate, the hostname passes the reputation checks and domain allowlists that would flag attacker-registered infrastructure.
HazyBeacon follows a "borrowed-infrastructure" model: rather than hosting their own servers, the adversaries weaponize a third party's cloud environment. The attack chain runs from credential compromise, to infrastructure deployment through AWS APIs, to relay setup with public Function URLs, to C2 communication in which the implant sends encrypted requests to the Lambda relay, which forwards them to the operators' backend. The result is a lookalike problem for defenders: the victim network only ever sees TLS sessions to a legitimate AWS domain that network monitoring typically trusts, and blocking on.aws outright is rarely an option because legitimate workloads use the same domain.
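The hostname shape of a relay endpoint is something an egress proxy or DNS log can be searched for. The following is an added example, not code from the article or from Qualys: it runs over a few constructed proxy log lines, extracts Lambda Function URL hosts, drops any on an approved list, and reports the contact count and inter-contact jitter per source host, since a near-constant interval is what separates an implant from a user who hit a Function URL once. The log line format, hosts, addresses and allowlist are all assumptions made for the example.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime, timezone

# Host shape of a Lambda Function URL, as given in the article:
#   <url-id>.lambda-url.<region>.on.aws
LAMBDA_URL_HOST = re.compile(
    r"^(?P<url_id>[a-z0-9]+)\.lambda-url\.(?P<region>[a-z]{2}(?:-[a-z]+)+-\d)\.on\.aws$"
)

# Constructed proxy log lines (hypothetical hosts, IPs and times, not real telemetry).
# Line format assumed here: <iso-timestamp> <src-ip> <method> <host>:<port> <status>
SAMPLE_PROXY_LOG = """\
2025-07-14T09:00:00Z 10.20.1.15 CONNECT abc123def456abc123def456abc123de.lambda-url.ap-southeast-1.on.aws:443 200
2025-07-14T09:00:03Z 10.20.1.15 CONNECT www.example.com:443 200
2025-07-14T09:05:00Z 10.20.1.15 CONNECT abc123def456abc123def456abc123de.lambda-url.ap-southeast-1.on.aws:443 200
2025-07-14T09:10:01Z 10.20.1.15 CONNECT abc123def456abc123def456abc123de.lambda-url.ap-southeast-1.on.aws:443 200
2025-07-14T09:15:00Z 10.20.1.15 CONNECT abc123def456abc123def456abc123de.lambda-url.ap-southeast-1.on.aws:443 200
2025-07-14T09:12:00Z 10.20.1.40 CONNECT approvedapp0000000000000000000000.lambda-url.eu-west-1.on.aws:443 200
2025-07-14T09:13:00Z 10.20.1.40 CONNECT updates.example.org:443 200
"""

# Function URL hosts the organisation has reviewed and approved (hypothetical).
ALLOWLIST = frozenset({"approvedapp0000000000000000000000.lambda-url.eu-west-1.on.aws"})

LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+):(\d+) (\d+)$")


def parse_line(line):
    """Parse one proxy log line into a dict, or return None if it does not match."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ts, src, method, host, port, status = m.groups()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "src": src,
        "method": method,
        "host": host.lower(),
        "port": int(port),
        "status": int(status),
    }


def find_lambda_url_beacons(log_text, allowlist=frozenset()):
    """Group contacts to unapproved Lambda Function URL hosts by (source, host).

    For each pair, report how many contacts were seen, the AWS region in the
    hostname, and the spacing between contacts: a near-constant interval is
    the beaconing signature worth paging on.
    """
    contacts = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        m = LAMBDA_URL_HOST.match(rec["host"])
        if m is None or rec["host"] in allowlist:
            continue
        contacts[(rec["src"], rec["host"])].append((rec["ts"], m.group("region")))

    findings = {}
    for key, entries in contacts.items():
        times = sorted(ts for ts, _ in entries)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        findings[key] = {
            "count": len(times),
            "region": entries[0][1],
            "median_interval_s": statistics.median(gaps) if gaps else None,
            "max_jitter_s": (max(gaps) - min(gaps)) if gaps else None,
        }
    return findings


if __name__ == "__main__":
    for (src, host), f in find_lambda_url_beacons(SAMPLE_PROXY_LOG, ALLOWLIST).items():
        print(f"{src} -> {host} ({f['region']}): {f['count']} contacts, "
              f"median interval {f['median_interval_s']}s, jitter {f['max_jitter_s']}s")
```

The allowlist is the important design choice: matching on the on.aws suffix alone produces noise wherever the organisation or its vendors run Function URLs legitimately, so the detection keys on hosts that nobody has approved, and the timing statistics tell the analyst whether the contact pattern looks automated.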
The HazyBeacon backdoor itself is a lightweight implant that profiles infected systems, executes remote commands, and exfiltrates sensitive data including documents and keystrokes. By routing communications through AWS Lambda, the operators hide the true C2 destination behind ordinary cloud traffic. Qualys researchers emphasize that the campaign exploits weak identity and configuration practices rather than vulnerabilities in AWS services themselves: a Function URL with AuthType NONE is a supported, documented feature, so there is nothing for AWS to patch, and the controls lie with the account owner.
Defenders are advised to enforce strong IAM hygiene, including regular key rotation and multi-factor authentication, and to enable AWS CloudTrail logging across all regions (an organization trail or a multi-region trail) so that CreateFunctionUrlConfig, UpdateFunctionUrlConfig and AddPermission calls are recorded wherever they occur. VPC flow logs capture Lambda traffic only when the function is attached to a VPC, so for a relay function the better signals are Lambda invocation metrics and CloudWatch logs on the AWS side and egress proxy or DNS logs on the endpoint side. Service Control Policies (SCPs) should deny CreateFunctionUrlConfig, UpdateFunctionUrlConfig and AddPermission when the condition key lambda:FunctionUrlAuthType equals NONE, with exceptions only for explicitly approved functions, and organizations should track cost and invocation anomalies, since a busy C2 relay generates a volume of Lambda invocations that shows up in billing and CloudWatch before anyone reads the function's code.
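Two of these recommendations, CloudTrail monitoring of Function URL changes and an SCP that refuses public URLs, can be shown together. The following is an added example, not code from the article or from Qualys: a detector runs over constructed CloudTrail records (fake account, ARNs, key IDs and addresses) and surfaces every call that sets AuthType NONE or grants lambda:InvokeFunctionUrl to principal "*"; each record is then checked against a Deny SCP keyed on lambda:FunctionUrlAuthType using a deliberately minimal policy evaluator. The records are assumptions; the versioned event names (CreateFunctionUrlConfig20211014, AddPermission20150331v2) follow the form Lambda writes to CloudTrail and are matched by stripping the suffix.

```python
import json
import re

# Constructed CloudTrail records (fake account, ARNs, key IDs and IPs).
# Records 0-2 show a relay being stood up with a stolen key: create the function,
# give it a URL with AuthType NONE, then open lambda:InvokeFunctionUrl to "*".
# Record 3 is a legitimate IAM-authenticated URL for contrast.
ATTACKER = {"type": "IAMUser", "userName": "ci-deploy", "accessKeyId": "AKIAEXAMPLE0000001"}
ADMIN = {"type": "IAMUser", "userName": "platform-admin", "accessKeyId": "AKIAEXAMPLE0000002"}
SAMPLE_EVENTS = [
    {"eventSource": "lambda.amazonaws.com", "eventName": "CreateFunction20150331",
     "userIdentity": ATTACKER, "sourceIPAddress": "203.0.113.77",
     "requestParameters": {"functionName": "relay-sync", "runtime": "python3.12"},
     "responseElements": {"functionArn": "arn:aws:lambda:ap-southeast-1:111122223333:function:relay-sync"}},
    {"eventSource": "lambda.amazonaws.com", "eventName": "CreateFunctionUrlConfig20211014",
     "userIdentity": ATTACKER, "sourceIPAddress": "203.0.113.77",
     "requestParameters": {"functionName": "relay-sync", "authType": "NONE"},
     "responseElements": {"functionUrl": "https://abc123def456abc123def456abc123de.lambda-url.ap-southeast-1.on.aws/",
                          "authType": "NONE"}},
    {"eventSource": "lambda.amazonaws.com", "eventName": "AddPermission20150331v2",
     "userIdentity": ATTACKER, "sourceIPAddress": "203.0.113.77",
     "requestParameters": {"functionName": "relay-sync", "action": "lambda:InvokeFunctionUrl",
                           "principal": "*", "statementId": "FunctionURLAllowPublicAccess",
                           "functionUrlAuthType": "NONE"},
     "responseElements": None},
    {"eventSource": "lambda.amazonaws.com", "eventName": "CreateFunctionUrlConfig20211014",
     "userIdentity": ADMIN, "sourceIPAddress": "198.51.100.10",
     "requestParameters": {"functionName": "internal-api", "authType": "AWS_IAM"},
     "responseElements": {"functionUrl": "https://internalapi0000000000000000000000.lambda-url.eu-west-1.on.aws/",
                          "authType": "AWS_IAM"}},
]

URL_ACTIONS = {"lambda:CreateFunctionUrlConfig", "lambda:UpdateFunctionUrlConfig", "lambda:AddPermission"}

# SCP that refuses public Function URLs organisation-wide. The
# lambda:FunctionUrlAuthType condition key is documented for these three actions.
DENY_PUBLIC_FUNCTION_URLS_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyPublicLambdaFunctionUrls",
        "Effect": "Deny",
        "Action": sorted(URL_ACTIONS),
        "Resource": "*",
        "Condition": {"StringEquals": {"lambda:FunctionUrlAuthType": "NONE"}},
    }],
}


def iam_action(event):
    """Map a versioned CloudTrail eventName to the IAM action it corresponds to."""
    return "lambda:" + re.sub(r"\d{8}.*$", "", event["eventName"])


def function_url_auth_type(event):
    """AuthType carried by the request, under whichever parameter name the API uses."""
    params = event.get("requestParameters") or {}
    return params.get("authType") or params.get("functionUrlAuthType")


def find_public_function_urls(events):
    """One finding per API call that creates or exposes an unauthenticated Function URL."""
    findings = []
    for ev in events:
        if ev.get("eventSource") != "lambda.amazonaws.com":
            continue
        action = iam_action(ev)
        if action not in URL_ACTIONS or function_url_auth_type(ev) != "NONE":
            continue
        params = ev["requestParameters"]
        findings.append({
            "action": action,
            "function": params.get("functionName"),
            "url": (ev.get("responseElements") or {}).get("functionUrl"),
            "principal": params.get("principal"),
            "actor": ev["userIdentity"].get("userName"),
            "access_key": ev["userIdentity"].get("accessKeyId"),
            "source_ip": ev.get("sourceIPAddress"),
        })
    return findings


def scp_denies(event, scp=DENY_PUBLIC_FUNCTION_URLS_SCP):
    """Would this SCP have denied the call recorded in `event`?

    Minimal evaluator: explicit Deny statements with a literal Action list and a
    StringEquals condition. A condition key absent from the request context fails
    the match, as it does in IAM, so an AddPermission for an S3 trigger is untouched.
    """
    action = iam_action(event)
    context = {"lambda:FunctionUrlAuthType": function_url_auth_type(event)}
    for stmt in scp["Statement"]:
        if stmt["Effect"] != "Deny" or action not in stmt["Action"]:
            continue
        wanted = stmt.get("Condition", {}).get("StringEquals", {})
        if all(context.get(k) == v for k, v in wanted.items()):
            return True
    return False


if __name__ == "__main__":
    for finding in find_public_function_urls(SAMPLE_EVENTS):
        print(json.dumps(finding))
    print("SCP would deny:", [iam_action(e) for e in SAMPLE_EVENTS if scp_denies(e)])
```

The findings carry the access key ID and source address because that is what turns an alert into an incident: the same key used from an unfamiliar address to create a function and then expose it publicly is the identity-compromise pattern the article describes. The SCP stops the relay from being created at all; the detector covers accounts where the SCP cannot be applied yet and gives the forensic trail when it is bypassed with an approved exception.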
HazyBeacon represents a growing trend where adversaries repurpose legitimate cloud services as operational infrastructure, gaining stealth, scalability, and plausible deniability. By shifting C2 into trusted platforms like AWS, attackers force defenders to adapt with identity-centric security, continuous configuration monitoring, and behavioral analysis of cloud workloads. As Qualys notes, in cloud environments every API call and configuration change is logged—visibility is the key to detecting and stopping threats before they turn infrastructure into a weapon.