
Compromised IAM Credentials Power a Large AWS Crypto Mining Campaign

Published:

16 December 2025 at 16:35:00

Alert date:

16 December 2025 at 18:02:03

Source:

thehackernews.com


Cloud & Virtualization, Identity & Access, Ransomware & Malware

An ongoing campaign is targeting AWS customers, using compromised IAM credentials to run cryptocurrency mining operations. Amazon's GuardDuty service first detected the activity on November 2, 2025. The campaign employs novel persistence techniques to maintain access and evade detection: attackers use the compromised Identity and Access Management credentials to deploy crypto mining infrastructure on the victim's AWS resources. The campaign represents a significant threat to cloud security and demonstrates advanced evasion capabilities.

Technical details

This is a multi-stage attack campaign targeting AWS customers through compromised IAM credentials that carry admin-like privileges. The attack begins with a discovery phase in which the RunInstances API is called with the DryRun flag to validate permissions without actually launching instances. The threat actors then create IAM roles for autoscaling groups and Lambda, attach the AWSLambdaBasicExecutionRole policy, and create dozens of ECS clusters (more than 50 in a single attack). Into these they deploy the malicious DockerHub image yenik65958/secret:user, which mines cryptocurrency using the RandomVIREL algorithm. They create autoscaling groups that scale from 20 to 999 instances, targeting GPU, ML, compute-optimized, memory-optimized, and general-purpose instance types. For persistence they call ModifyInstanceAttribute with disableApiTermination set to True, which prevents the instances from being terminated. They also create a Lambda function that can be invoked by any principal, and an IAM user named user-x1x2x3x4 with the AmazonSESFullAccess policy, which could be used for phishing campaigns.

Mitigation steps:

Enforce strong identity and access management controls
Implement temporary credentials instead of long-term access keys
Use multi-factor authentication (MFA) for all users
Apply the principle of least privilege (PoLP) to IAM principals to restrict access
Add container security controls to scan for suspicious images
Monitor unusual CPU allocation requests in ECS task definitions
Use AWS CloudTrail to log events across AWS services
Ensure AWS GuardDuty is enabled to facilitate automated response workflows
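The technical details above and the CloudTrail/ECS monitoring steps in the mitigation list describe a set of API calls that a defender can look for in CloudTrail logs. The following is an added detection example written for this advisory; it is not code from the original article or from AWS. It parses CloudTrail records (the standard `{"Records": [...]}` file layout) and flags the behaviours named on the page: RunInstances dry-run permission probing, termination protection being enabled, task definitions that reference images outside a trusted registry, oversized autoscaling groups, bursts of ECS cluster creation by one principal, Lambda permissions granted to any principal, and SES full access being attached to a user. The trusted-registry prefix, the account id, the alert thresholds (set well below the >50 clusters and 999-instance maximum the advisory reports) and the sample events are all constructed assumptions; the `AddPermission20150331v2` event name is the one CloudTrail uses for Lambda's AddPermission API to the best of my knowledge and is matched by prefix to be safe.

```python
"""Flag CloudTrail events matching the AWS crypto-mining campaign's TTPs (added example)."""
import json
from collections import Counter

# Assumptions, not values from the advisory: tune these for your own environment.
TRUSTED_IMAGE_PREFIXES = ("111122223333.dkr.ecr.",)  # placeholder ECR account prefix
ECS_CLUSTER_THRESHOLD = 10    # advisory saw >50 clusters per attack; alert much earlier
ASG_MAX_SIZE_THRESHOLD = 100  # advisory saw autoscaling groups with maxSize 999


def _actor(event):
    """Return the ARN of the principal that made the call, or 'unknown'."""
    return event.get("userIdentity", {}).get("arn", "unknown")


def _truthy(value):
    """CloudTrail renders some EC2 attribute values as {"value": true}; normalise that."""
    if isinstance(value, dict):
        value = value.get("value")
    return value is True or str(value).lower() == "true"


def analyze_events(events):
    """Return a list of (rule, actor, detail) findings for the advisory's behaviours."""
    findings = []
    clusters_per_actor = Counter()
    for ev in events:
        name = ev.get("eventName", "")
        params = ev.get("requestParameters") or {}
        actor = _actor(ev)
        # Discovery: RunInstances with DryRun returns a DryRunOperation error on success.
        if name == "RunInstances" and ev.get("errorCode") == "Client.DryRunOperation":
            findings.append(("dryrun-permission-probe", actor, "RunInstances with DryRun"))
        # Persistence: termination protection switched on via ModifyInstanceAttribute.
        elif name == "ModifyInstanceAttribute" and _truthy(params.get("disableApiTermination")):
            findings.append(("termination-protection-set", actor, params.get("instanceId", "?")))
        # Execution: ECS task definitions pulling images from outside the trusted registry.
        elif name == "RegisterTaskDefinition":
            for container in params.get("containerDefinitions", []):
                image = container.get("image", "")
                if not image.startswith(TRUSTED_IMAGE_PREFIXES):
                    findings.append(("untrusted-task-image", actor, image))
        # Resource hijacking: autoscaling groups with an abnormally high maxSize.
        elif name == "CreateAutoScalingGroup" and int(params.get("maxSize", 0)) >= ASG_MAX_SIZE_THRESHOLD:
            findings.append(("oversized-asg", actor,
                             f"{params.get('autoScalingGroupName', '?')} maxSize={params.get('maxSize')}"))
        # Count ECS cluster creations per principal; evaluated after the loop.
        elif name == "CreateCluster" and ev.get("eventSource") == "ecs.amazonaws.com":
            clusters_per_actor[actor] += 1
        # Lambda AddPermission with principal "*" makes the function invokable by anyone.
        elif name.startswith("AddPermission") and params.get("principal") == "*":
            findings.append(("lambda-public-invoke", actor, params.get("functionName", "?")))
        # SES full access attached to a user enables the phishing follow-on described above.
        elif name == "AttachUserPolicy" and params.get("policyArn", "").endswith("/AmazonSESFullAccess"):
            findings.append(("ses-full-access-granted", actor, params.get("userName", "?")))
    for actor, count in clusters_per_actor.items():
        if count >= ECS_CLUSTER_THRESHOLD:
            findings.append(("ecs-cluster-burst", actor, f"{count} clusters created"))
    return findings


def analyze_cloudtrail_file(path):
    """Load a CloudTrail log file ({"Records": [...]}) and analyse it."""
    with open(path, encoding="utf-8") as fh:
        return analyze_events(json.load(fh).get("Records", []))


# Constructed sample records (not real telemetry), trimmed to the fields the rules read.
_ACTOR = {"arn": "arn:aws:iam::111122223333:user/compromised-user"}  # placeholder
SAMPLE_EVENTS = [
    {"eventSource": "ec2.amazonaws.com", "eventName": "RunInstances", "userIdentity": _ACTOR,
     "errorCode": "Client.DryRunOperation", "requestParameters": {"instanceType": "p3.2xlarge"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "ModifyInstanceAttribute", "userIdentity": _ACTOR,
     "requestParameters": {"instanceId": "i-0123456789abcdef0", "disableApiTermination": {"value": True}}},
    {"eventSource": "ecs.amazonaws.com", "eventName": "RegisterTaskDefinition", "userIdentity": _ACTOR,
     "requestParameters": {"containerDefinitions": [{"name": "user", "image": "yenik65958/secret:user"}]}},
    {"eventSource": "ecs.amazonaws.com", "eventName": "RegisterTaskDefinition", "userIdentity": _ACTOR,
     "requestParameters": {"containerDefinitions": [{"name": "api", "image": "111122223333.dkr.ecr.us-east-1.amazonaws.com/api:1"}]}},
    {"eventSource": "autoscaling.amazonaws.com", "eventName": "CreateAutoScalingGroup", "userIdentity": _ACTOR,
     "requestParameters": {"autoScalingGroupName": "asg-gpu", "minSize": 20, "maxSize": 999}},
    {"eventSource": "lambda.amazonaws.com", "eventName": "AddPermission20150331v2", "userIdentity": _ACTOR,
     "requestParameters": {"functionName": "fn-x", "principal": "*", "action": "lambda:InvokeFunction"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy", "userIdentity": _ACTOR,
     "requestParameters": {"userName": "user-x1x2x3x4", "policyArn": "arn:aws:iam::aws:policy/AmazonSESFullAccess"}},
] + [
    {"eventSource": "ecs.amazonaws.com", "eventName": "CreateCluster", "userIdentity": _ACTOR,
     "requestParameters": {"clusterName": f"cluster-{i}"}} for i in range(12)
]

if __name__ == "__main__":
    for rule, actor, detail in analyze_events(SAMPLE_EVENTS):
        print(f"{rule:28} {actor:55} {detail}")
```

Each rule maps to one behaviour on the page, so a hit on several rules from the same principal within a short window is the pattern worth paging on; a single untrusted-image or oversized-ASG hit on its own is more likely a misconfiguration and can be routed to lower-priority review.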

Affected products:

Amazon Web Services (AWS)
AWS Identity and Access Management (IAM)
Amazon EC2
Amazon ECS
AWS Lambda
Amazon Simple Email Service (SES)
AWS GuardDuty

Related links:

Related CVEs:

Related threat actors:

IOCs:

yenik65958/secret:user (malicious DockerHub image)
user-x1x2x3x4 (IAM user created by attackers)
RandomVIREL mining algorithm usage
Creation of autoscaling groups scaling from 20 to 999 instances
ModifyInstanceAttribute with disableApiTermination=True
Creation of dozens of ECS clusters (>50 per attack)
RegisterTaskDefinition API calls with malicious images

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

This website displays information originating from external sources; Perceptive accepts no responsibility for the accuracy, completeness or timeliness of this information.
