An ongoing campaign has been observed targeting Amazon Web Services (AWS) customers using compromised Identity and Access Management (IAM) credentials to enable cryptocurrency mining.
The activity, first detected by Amazon’s GuardDuty managed threat detection service and its automated security monitoring systems on November 2, 2025, employs never-before-seen persistence techniques to hamper incident response and continue unimpeded, according to a new report shared by the tech giant ahead of publication.
“Operating from an external hosting provider, the threat actor quickly enumerated resources and permissions before deploying crypto mining resources across ECS and EC2,” Amazon said. “Within 10 minutes of the threat actor gaining initial access, crypto miners were operational.”
The multi-stage attack chain essentially begins with the unknown adversary leveraging compromised IAM user credentials with admin-like privileges to initiate a discovery phase designed to probe the environment for EC2 service quotas and test their permissions by invoking the RunInstances API with the “DryRun” flag set.
This enabling of the “DryRun” flag is crucial and intentional as it enables the attackers to validate their IAM permissions without actually launching instances, thereby avoiding racking up costs and minimizing their forensic trail. The end goal of the step is to determine if the target infrastructure is suitable for deploying the miner program.
The infection proceeds to the next stage when the threat actor calls CreateServiceLinkedRole and CreateRole to create IAM roles for autoscaling groups and AWS Lambda, respectively. Once the roles are created, the “AWSLambdaBasicExecutionRole” policy is attached to the Lambda role.
In the activity observed to date, the threat actor is said to have created dozens of ECS clusters across the environment, in some cases exceeding 50 ECS clusters in a single attack.
“They then called RegisterTaskDefinition with a malicious DockerHub image yenik65958/secret:user,” Amazon said. “With the same string used for the cluster creation, the actor then created a service, using the task definition to initiate crypto mining on ECS Fargate nodes.”
The DockerHub image, which has since been taken down, is configured to run a shell script as soon as it’s deployed to launch cryptocurrency mining using the RandomVIREL mining algorithm. Additionally, the threat actor has been observed creating autoscaling groups that are set to scale from 20 to 999 instances in an effort to exploit EC2 service quotas and maximize resource consumption.
The EC2 activity has targeted both high-performance GPU and machine learning instances and compute, memory, and general-purpose instances.
What makes this campaign stand apart is its use of the ModifyInstanceAttribute action with the “disableApiTermination” parameter set to “True,” which prevents an instance from being terminated using the Amazon EC2 console, command line interface, or API. This, in turn, has the effect of requiring victims to re-enable API termination before deleting the impacted resources.
“Instance termination protection can impair incident response capabilities and disrupt automated remediation controls,” Amazon said. “This technique demonstrates an understanding of common security response procedures and intent to maximize the duration of mining operations.”
This is not the first time the security risk associated with ModifyInstanceAttribute has come to light. In April 2024, security researcher Harsha Koushik demonstrated a proof-of-concept (PoC) that detailed how the action can be abused to take over instances, exfiltrate instance role credentials, and even seize control of the entire AWS account.
Furthermore, the attacks entail the creation of a Lambda function that can be invoked by any principal and setting up persistence using an IAM user “user-x1x2x3x4” to which the AWS managed policy “AmazonSESFullAccess” is attached. This grants the adversary complete access over the Amazon Simple Email Service (SES) to likely carry out phishing attacks.
AWS told The Hacker News that the outlined activity does not constitute a vulnerability within the cloud service, but rather necessitates that the threat actor is already in possession of valid credentials. It also said it proactively detected the ongoing campaign and swiftly alerted customers despite these actions occurring in the “customer domain of the shared responsibility model.”
To secure against the threat, Amazon is urging AWS customers to follow the steps below –
- Enforce strong identity and access management controls
- Implement temporary credentials instead of long-term access keys
- Use multi-factor authentication (MFA) for all users
- Apply the principle of least privilege (PoLP) to IAM principals to restrict access
- Add container security controls to scan for suspicious images
- Monitor unusual CPU allocation requests in ECS task definitions
- Use AWS CloudTrail to log events across AWS services
- Ensure AWS GuardDuty is enabled to facilitate automated response workflows
“The threat actor’s scripted use of multiple compute services, in combination with emerging persistence techniques, represents a significant advancement in crypto mining attack methodologies,” Amazon concluded.
(The story was updated after publication to emphasize the fact that the campaign doesn’t leverage any security vulnerability within AWS.)
