AWS Crypto Mining Campaign Exploits Compromised IAM Credentials
Summary
A campaign targeting AWS customers uses compromised IAM credentials to deploy cryptocurrency mining operations. The attackers employ persistence techniques, notably enabling EC2 termination protection on the mining instances (the 'disableApiTermination' attribute, which makes 'TerminateInstances' calls fail until the attribute is cleared), to resist takedown and maximize resource consumption. The activity was first detected on November 2, 2025, and involves the creation of multiple ECS clusters and Lambda functions to run the miners. The attackers use the 'DryRun' flag to validate permissions without launching resources or incurring costs, and the 'ModifyInstanceAttribute' action to set termination protection. The campaign also creates Auto Scaling groups to consume the account's EC2 service quotas and maximize the compute available for mining.
Timeline
- 16.12.2025 18:35 (1 article)
AWS Crypto Mining Campaign Detected on November 2, 2025
The campaign targeting AWS customers using compromised IAM credentials was first detected on November 2, 2025. The attackers employ persistence techniques, including enabling EC2 termination protection on the mining instances so that they cannot be terminated through the API, to resist takedown and maximize resource consumption. The activity involves the creation of multiple ECS clusters and Lambda functions to run the miners.
- Compromised IAM Credentials Power a Large AWS Crypto Mining Campaign — thehackernews.com — 16.12.2025 18:35
Information Snippets
- The campaign was first detected on November 2, 2025, by Amazon's GuardDuty and automated security monitoring systems.
  First reported: 16.12.2025 18:35 (1 source, 1 article)
  Source: Compromised IAM Credentials Power a Large AWS Crypto Mining Campaign — thehackernews.com — 16.12.2025 18:35
- The attackers initiate the attack using compromised IAM credentials that carry admin-like privileges.
- The 'DryRun' flag is used to validate IAM permissions without launching instances, minimizing the forensic trail. DryRun requests are still recorded in CloudTrail, however, as events with errorCode 'Client.DryRunOperation', so the permission probing is detectable even though no resource is created.
- The attackers create IAM roles for the Auto Scaling groups and for AWS Lambda, attaching the AWS managed policy 'AWSLambdaBasicExecutionRole'.
- The campaign creates dozens of ECS clusters per compromised account, with some intrusions exceeding 50 clusters.
- The attackers deploy a malicious Docker Hub image that mines cryptocurrency using the RandomVIREL mining algorithm.
- The 'ModifyInstanceAttribute' action is used to set 'disableApiTermination' to true on the mining instances, so that 'TerminateInstances' calls against them fail until the attribute is reset.
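The containment step that the termination-protection snippet above implies, as an added example that is not code from the article or from AWS: the 'disableApiTermination' flag has to be cleared before 'TerminateInstances' will succeed, and a responder who forgets that gets the whole request refused. The `ec2` argument is any object exposing the three boto3 EC2 client methods used; pass `boto3.client("ec2")` against a real account, or the `FakeEC2` stand-in, which is constructed here so the module runs offline and models the real API's refusal as `ProtectedInstanceError`.

```python
"""Containment for the termination-protection persistence on this page: the
flag must be cleared before TerminateInstances will succeed.  Added example,
not AWS's or the article's code.  `ec2` is anything with the boto3 EC2 client
methods used below; pass boto3.client("ec2") for real, or the FakeEC2 stand-in
(constructed here so the module runs offline)."""
try:
    from botocore.exceptions import ClientError   # real boto3 error type, if installed
except ImportError:                               # not needed for the offline demo
    class ClientError(Exception):
        pass


class ProtectedInstanceError(Exception):
    """What the fake raises where real EC2 returns OperationNotPermitted."""


class FakeEC2:
    """Minimal stand-in for boto3.client('ec2'); response shapes match the real API."""

    def __init__(self, protected):
        self.protected = dict(protected)   # instance id -> disableApiTermination value
        self.terminated = []
        self.calls = []

    def describe_instance_attribute(self, InstanceId, Attribute):
        self.calls.append(("describe", InstanceId, Attribute))
        return {"InstanceId": InstanceId,
                "DisableApiTermination": {"Value": self.protected[InstanceId]}}

    def modify_instance_attribute(self, InstanceId, DisableApiTermination):
        self.calls.append(("modify", InstanceId, DisableApiTermination["Value"]))
        self.protected[InstanceId] = DisableApiTermination["Value"]
        return {}

    def terminate_instances(self, InstanceIds):
        # Real EC2 rejects the whole request if any listed instance is protected.
        for iid in InstanceIds:
            if self.protected[iid]:
                raise ProtectedInstanceError(f"{iid}: termination protection is enabled")
        self.calls.append(("terminate", tuple(InstanceIds)))
        self.terminated.extend(InstanceIds)
        return {"TerminatingInstances": [{"InstanceId": i} for i in InstanceIds]}


def terminate_first(ec2, instance_ids):
    """The mistake: terminate without checking the flag.  Returns the error text, or None."""
    try:
        ec2.terminate_instances(InstanceIds=list(instance_ids))
        return None
    except (ClientError, ProtectedInstanceError) as exc:
        return str(exc)


def contain(ec2, instance_ids):
    """Clear disableApiTermination where set, then terminate.  Returns the ids that
    had protection enabled, which is itself an indicator worth recording."""
    had_protection = []
    for iid in instance_ids:
        attr = ec2.describe_instance_attribute(InstanceId=iid, Attribute="disableApiTermination")
        if attr["DisableApiTermination"]["Value"]:
            had_protection.append(iid)
            ec2.modify_instance_attribute(InstanceId=iid, DisableApiTermination={"Value": False})
    ec2.terminate_instances(InstanceIds=list(instance_ids))
    return had_protection


if __name__ == "__main__":
    ec2 = FakeEC2({"i-0aaa": True, "i-0bbb": False})   # constructed fleet state
    print("naive:", terminate_first(ec2, ["i-0aaa", "i-0bbb"]))
    print("contain:", contain(ec2, ["i-0aaa", "i-0bbb"]), "terminated:", ec2.terminated)
```

Two practical caveats: disable or rotate the compromised credentials before running this, or the attacker simply sets the flag again; and where the instances belong to one of the attacker's Auto Scaling groups, delete the group (or set its capacity to zero) first, otherwise the group replaces every instance you terminate. Snapshot volumes you want for forensics before the terminate call.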
- The campaign also creates a Lambda function whose role has the 'AmazonSESFullAccess' policy attached, likely for phishing attacks.
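Detection logic for the behaviours listed in the snippets above (DryRun probing, the ECS cluster burst, termination protection being switched on, SES full access attached to a role, and Auto Scaling group creation), run over constructed CloudTrail-shaped records. This is an added example, not code from the article or from AWS; the principal ARNs, cluster names, instance ids and the two thresholds are constructed for the demo, and only the record fields the rules read are included. Attaching 'AWSLambdaBasicExecutionRole' on its own is deliberately not alerted on, because it is too common in legitimate use.

```python
"""Triage constructed CloudTrail-style records for the behaviours this page
describes.  Added example; not code from the article or from AWS."""
from collections import defaultdict

DRYRUN_ERROR = "Client.DryRunOperation"  # CloudTrail errorCode for a successful DryRun call
ECS_CLUSTER_BURST = 5                    # assumed threshold, tune per environment
DRYRUN_PROBES = 2                        # assumed threshold: distinct APIs probed per principal

ATTACKER = "arn:aws:iam::111122223333:user/compromised-admin"  # constructed
OPS_ADMIN = "arn:aws:iam::111122223333:user/ops-admin"         # constructed, benign


def _ev(source, name, who, params=None, error=None):
    """Build a minimal CloudTrail-shaped record (constructed sample, not real data)."""
    ev = {"eventSource": source, "eventName": name,
          "userIdentity": {"arn": who}, "requestParameters": params or {}}
    if error:
        ev["errorCode"] = error
    return ev


SAMPLE_EVENTS = [
    # permission probing: a DryRun call is logged with the DryRunOperation "error"
    _ev("ec2.amazonaws.com", "RunInstances", ATTACKER,
        {"instancesSet": {"items": [{"instanceType": "c6a.48xlarge"}]}}, DRYRUN_ERROR),
    _ev("ec2.amazonaws.com", "CreateKeyPair", ATTACKER, {"keyName": "x"}, DRYRUN_ERROR),
    # burst of ECS clusters from one principal
    *[_ev("ecs.amazonaws.com", "CreateCluster", ATTACKER, {"clusterName": f"c{i}"})
      for i in range(6)],
    # termination protection switched on for a mining instance
    _ev("ec2.amazonaws.com", "ModifyInstanceAttribute", ATTACKER,
        {"instanceId": "i-0123456789abcdef0", "disableApiTermination": {"value": True}}),
    # SES full access attached to a freshly created Lambda role
    _ev("iam.amazonaws.com", "AttachRolePolicy", ATTACKER,
        {"roleName": "lambda-role", "policyArn": "arn:aws:iam::aws:policy/AmazonSESFullAccess"}),
    _ev("autoscaling.amazonaws.com", "CreateAutoScalingGroup", ATTACKER,
        {"autoScalingGroupName": "asg-1", "minSize": 1, "maxSize": 100}),
    # benign noise from a legitimate admin: a single cluster, protection turned OFF
    _ev("ecs.amazonaws.com", "CreateCluster", OPS_ADMIN, {"clusterName": "prod"}),
    _ev("ec2.amazonaws.com", "ModifyInstanceAttribute", OPS_ADMIN,
        {"instanceId": "i-0fedcba9876543210", "disableApiTermination": {"value": False}}),
]


def triage(events, cluster_threshold=ECS_CLUSTER_BURST, dryrun_threshold=DRYRUN_PROBES):
    """Return (rule, principal_arn, detail) findings in the order they were produced."""
    findings = []
    dryrun_apis = defaultdict(set)
    clusters = defaultdict(list)
    for ev in events:
        who = ev.get("userIdentity", {}).get("arn", "<unknown>")
        name = ev.get("eventName")
        params = ev.get("requestParameters") or {}
        if ev.get("errorCode") == DRYRUN_ERROR:
            dryrun_apis[who].add(name)
        if name == "ModifyInstanceAttribute" and \
                (params.get("disableApiTermination") or {}).get("value") is True:
            findings.append(("termination_protection_enabled", who, params.get("instanceId")))
        if ev.get("eventSource") == "ecs.amazonaws.com" and name == "CreateCluster":
            clusters[who].append(params.get("clusterName"))
        if name == "AttachRolePolicy" and \
                str(params.get("policyArn", "")).endswith("/AmazonSESFullAccess"):
            findings.append(("ses_full_access_attached", who, params.get("roleName")))
        if ev.get("eventSource") == "autoscaling.amazonaws.com" and name == "CreateAutoScalingGroup":
            findings.append(("autoscaling_group_created", who, params.get("autoScalingGroupName")))
    # aggregate rules need the whole window before they can fire
    for who, apis in dryrun_apis.items():
        if len(apis) >= dryrun_threshold:
            findings.append(("dryrun_permission_probing", who, sorted(apis)))
    for who, names in clusters.items():
        if len(names) >= cluster_threshold:
            findings.append(("ecs_cluster_burst", who, len(names)))
    return findings


if __name__ == "__main__":
    for rule, who, detail in triage(SAMPLE_EVENTS):
        print(f"{rule:32} {who.rsplit('/', 1)[-1]:18} {detail}")
```

Against real data, feed `triage` the `Records` array of CloudTrail log files (or rows from a CloudTrail Lake / Athena query) one time window at a time; the aggregate rules are per window, so pick a window that matches how quickly the clusters were created in your account. Any finding from a principal that should never touch ECS, Lambda or SES is worth an immediate credential revocation rather than a ticket.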