Compromised IAM Credentials Power a Large AWS Crypto Mining Campaign
A campaign targeting AWS customers uses compromised IAM credentials with admin-like privileges to run large-scale cryptocurrency mining. The attackers employ persistence techniques that are unusual for commodity miners: enabling EC2 termination protection (the disableApiTermination attribute) on the instances they launch, creating dozens of ECS clusters, and running mining workloads from attacker-controlled Docker images. They also create IAM roles and Lambda functions with broad permissions, which sustains the unauthorized resource consumption and opens the door to phishing through Amazon SES. AWS GuardDuty first detected the campaign in November 2025; the tradecraft shows a working knowledge of AWS controls and of how to slow down incident response. The actor scales EC2 fleets, including GPU and machine learning instance types, up toward the account's service quotas to maximize financial and operational impact. Mitigation centers on least-privilege IAM, temporary credentials instead of long-lived access keys, MFA enforcement, container image scanning, and continuous monitoring with AWS-native tooling. European organizations running on AWS are exposed, especially those with large deployments and high-value compute. Severity is assessed as high because of the potential financial loss, operational disruption, and remediation effort.
AI Analysis
Technical Summary
This ongoing campaign targets Amazon Web Services (AWS) customers by using compromised Identity and Access Management (IAM) credentials that carry admin-like privileges. The attackers begin with reconnaissance: they call the EC2 RunInstances API with the DryRun flag, which checks whether the caller is permitted to launch instances without launching anything or incurring cost. The calls are not invisible, though; CloudTrail records each one as a failed RunInstances with the error code Client.DryRunOperation, so a detection rule on that error code catches the reconnaissance phase. Once permissions are confirmed, they create IAM roles for Auto Scaling groups and AWS Lambda functions and attach managed policies including AWSLambdaBasicExecutionRole and the far broader AmazonSESFullAccess. They then deploy malicious Docker images, hosted on Docker Hub and since removed, to ECS Fargate clusters and launch miners using the RandomVIREL algorithm. They create dozens of ECS clusters and Auto Scaling groups configured to scale from 20 up to 999 EC2 instances across GPU, machine learning, compute-optimized, memory-optimized and general-purpose instance types, pushing as close to the account's service quotas as they can. For persistence they set the EC2 instance attribute disableApiTermination to true on the instances they launch, so that a TerminateInstances call against them fails until the attribute is cleared; responders should note that this attribute does not stop Amazon EC2 Auto Scaling from terminating instances, so setting the rogue groups' capacity to zero remains an effective first response. They also add Lambda resource policies that allow any principal to invoke their functions, which widens the foothold and enables follow-on abuse such as phishing via Amazon SES. The whole chain is scripted against native AWS APIs and shows a working knowledge of AWS security mechanisms and operational procedures. AWS GuardDuty first detected the campaign on November 2, 2025, underlining the value of continuous monitoring and automated detection in cloud accounts. The combination of multiple compute services and these persistence techniques is a notable step beyond earlier cloud crypto mining tradecraft.
Potential Impact
For European organizations, this threat can lead to substantial financial losses due to unauthorized consumption of cloud resources, especially expensive EC2 instances with GPUs and machine learning capabilities. The large-scale deployment of crypto miners can degrade legitimate workloads, causing operational disruptions and potential service outages. The persistence mechanisms employed hinder rapid incident response, increasing the duration and cost of remediation. Additionally, the creation of Lambda functions with broad permissions and SES access raises the risk of phishing campaigns originating from compromised AWS accounts, potentially leading to further credential theft or reputational damage. Organizations with extensive AWS deployments, particularly in sectors like finance, technology, and research that rely on high-performance computing, are at heightened risk. The threat also underscores the risk of privilege escalation and lateral movement within cloud environments, which could be leveraged for more damaging attacks beyond crypto mining. Compliance with European data protection regulations may be impacted if attackers access or exfiltrate sensitive data during their operations. Overall, the campaign poses a multifaceted risk affecting confidentiality, integrity, availability, and financial stability of cloud-reliant European enterprises.
Mitigation Recommendations
European organizations should enforce least privilege in IAM so that no user or role carries admin-like permissions it does not need, and should treat any remaining admin principal as a break-glass account. Replace long-lived static access keys with temporary credentials from AWS Security Token Service (STS), obtained through IAM roles, IAM Identity Center, or OIDC federation for CI systems, so that a leaked credential expires on its own. Enforce multi-factor authentication (MFA) for all human users and require it in policy conditions for sensitive actions. Audit IAM roles and policies regularly for unexpected changes, in particular new roles trusting Lambda or Auto Scaling, attachments of AmazonSESFullAccess, and Lambda resource policies with a wildcard principal. Scan and allow-list container images so that untrusted images from public registries cannot be pulled into ECS task definitions. Keep AWS CloudTrail enabled in every region and alert on the specific actions this campaign uses: RunInstances calls failing with Client.DryRunOperation, bursts of ECS CreateCluster and CreateAutoScalingGroup calls, Auto Scaling groups with unusually high maximum sizes, and ModifyInstanceAttribute calls that set disableApiTermination. Enable and tune AWS GuardDuty and AWS Config rules, and wire high-confidence findings to automated responses such as deactivating the access key involved. Use resource tagging, AWS Budgets and Cost Anomaly Detection to surface unexpected spend quickly, and keep EC2 vCPU service quotas, especially for GPU and accelerated instance families, no higher than legitimate workloads require, since the quota is the ceiling on what an attacker can spin up. Restrict ModifyInstanceAttribute to the few principals that need it, or at least monitor it closely; during response, remember that termination protection is cleared with the same API call and that scaling an Auto Scaling group to zero is not blocked by it. Conduct regular cloud-focused penetration tests and red team exercises to validate detection and response, and make sure incident response plans cover credential revocation, quota reduction and cleanup of rogue compute across all regions.
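The indicators listed in the Technical Summary and the CloudTrail alerts recommended above map directly onto CloudTrail event fields. The following Python is an added example, not code from the article, from AWS, or from the threat actor: it runs those detection checks over a small set of constructed CloudTrail records embedded inline. Field names follow the CloudTrail record schema; the access key IDs, instance IDs, role and function names are made up, and the cluster-burst and Auto Scaling size thresholds are illustrative choices that a team would tune to its own baseline.

```python
"""Triage CloudTrail records for this campaign's indicators.
Added example, not code from the article, AWS, or the actor. Sample records are
constructed: field names follow the CloudTrail schema; IDs and names are made up."""
from collections import defaultdict
from datetime import datetime, timedelta

SES_FULL_ACCESS = "arn:aws:iam::aws:policy/AmazonSESFullAccess"

def _ev(name, source, time, params=None, error=None, key="AKIAEXAMPLEKEY"):
    """Build a minimal CloudTrail record (constructed sample data)."""
    rec = {"eventTime": time, "eventSource": source, "eventName": name,
           "userIdentity": {"type": "IAMUser", "accessKeyId": key},
           "requestParameters": params or {}}
    if error:
        rec["errorCode"] = error
    return rec

SAMPLE_EVENTS = [
    # Recon: DryRun launches nothing, but CloudTrail still logs the call.
    _ev("RunInstances", "ec2.amazonaws.com", "2025-11-02T03:14:07Z",
        {"instanceType": "p4d.24xlarge"}, error="Client.DryRunOperation"),
    _ev("AttachRolePolicy", "iam.amazonaws.com", "2025-11-02T03:15:01Z",
        {"roleName": "svc-mailer", "policyArn": SES_FULL_ACCESS}),
    # Six ECS clusters created within 30 seconds.
    *[_ev("CreateCluster", "ecs.amazonaws.com", f"2025-11-02T03:16:{s:02d}Z",
          {"clusterName": f"c{s}"}) for s in range(0, 30, 5)],
    _ev("CreateAutoScalingGroup", "autoscaling.amazonaws.com", "2025-11-02T03:17:00Z",
        {"autoScalingGroupName": "asg-1", "minSize": 20, "maxSize": 999}),
    _ev("ModifyInstanceAttribute", "ec2.amazonaws.com", "2025-11-02T03:18:00Z",
        {"instanceId": "i-0abc1234", "disableApiTermination": {"value": True}}),
    _ev("AddPermission20150331v2", "lambda.amazonaws.com", "2025-11-02T03:19:00Z",
        {"functionName": "fn-a", "action": "lambda:InvokeFunction", "principal": "*"}),
    # Benign: an operator clearing termination protection during cleanup.
    _ev("ModifyInstanceAttribute", "ec2.amazonaws.com", "2025-11-02T09:00:00Z",
        {"instanceId": "i-0abc1234", "disableApiTermination": {"value": False}},
        key="AKIAOPSKEY"),
]

def _when(ev):
    return datetime.fromisoformat(ev["eventTime"].replace("Z", "+00:00"))

def dry_run_recon(events):
    """RunInstances calls that failed only because DryRun was set."""
    return [e for e in events if e["eventName"] == "RunInstances"
            and e.get("errorCode") == "Client.DryRunOperation"]

def termination_protection_enabled(events):
    """ModifyInstanceAttribute calls that switch termination protection on."""
    return [e for e in events if e["eventName"] == "ModifyInstanceAttribute"
            and e["requestParameters"].get("disableApiTermination", {}).get("value") is True]

def public_lambda_invoke(events):
    """Lambda resource policies that grant invoke to every principal."""
    return [e for e in events if e["eventSource"] == "lambda.amazonaws.com"
            and e["eventName"].startswith("AddPermission")
            and e["requestParameters"].get("principal") == "*"]

def ses_policy_attached(events):
    """AmazonSESFullAccess attached to a role or user."""
    return [e for e in events if e["eventName"] in ("AttachRolePolicy", "AttachUserPolicy")
            and e["requestParameters"].get("policyArn") == SES_FULL_ACCESS]

def oversized_asgs(events, max_size=100):
    """Auto Scaling groups whose ceiling exceeds what the environment normally needs."""
    return [e for e in events if e["eventName"] == "CreateAutoScalingGroup"
            and e["requestParameters"].get("maxSize", 0) > max_size]

def cluster_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Access keys that created at least `threshold` ECS clusters inside one window."""
    by_key = defaultdict(list)
    for e in events:
        if e["eventSource"] == "ecs.amazonaws.com" and e["eventName"] == "CreateCluster":
            by_key[e["userIdentity"]["accessKeyId"]].append(_when(e))
    hits = {}
    for key, times in by_key.items():
        times.sort()
        for i, start in enumerate(times):
            n = sum(1 for t in times[i:] if t - start <= window)
            if n >= threshold:
                hits[key] = n
                break
    return hits

def triage(events):
    """Group indicators by access key; two or more distinct types marks a key for revocation."""
    checks = {"dry_run_recon": dry_run_recon, "ses_policy_attached": ses_policy_attached,
              "termination_protection_enabled": termination_protection_enabled,
              "public_lambda_invoke": public_lambda_invoke, "oversized_asgs": oversized_asgs}
    per_key = defaultdict(set)
    for name, fn in checks.items():
        for e in fn(events):
            per_key[e["userIdentity"]["accessKeyId"]].add(name)
    for key in cluster_bursts(events):
        per_key[key].add("cluster_burst")
    return {"per_key": {k: sorted(v) for k, v in per_key.items()},
            "keys_to_revoke": sorted(k for k, v in per_key.items() if len(v) >= 2)}

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

Run as a script, the triage flags the constructed key AKIAEXAMPLEKEY on six distinct indicator types, while the operator key that merely cleared termination protection is not flagged at all, because only the transition to true is treated as suspicious. In production the same functions would be fed from CloudTrail Lake or an Athena query over the trail bucket rather than an inline list; the DryRun check works because CloudTrail records the failed call with errorCode Client.DryRunOperation, and the burst check is keyed on the access key so that the output tells the responder which credential to deactivate first.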
Affected Countries
Germany, United Kingdom, France, Netherlands, Sweden, Ireland, Switzerland, Italy
Technical Details
- Article Source: https://thehackernews.com/2025/12/compromised-iam-credentials-power-large.html (fetched 2025-12-17, 1308 words)
Threat ID: 694209ae473cb759e1e46806
Added to database: 12/17/2025, 1:38:54 AM
Last enriched: 12/17/2025, 1:39:10 AM
Last updated: 12/17/2025, 3:48:51 AM