AWS IAM credential-abuse crypto-mining campaign
Campaign
Summary
This AWS-targeting campaign uses compromised IAM credentials to deploy cryptocurrency-mining resources in customer environments, creating immediate cost and incident-response risk. First detected by GuardDuty on November 2, 2025, the operation moved quickly from initial access to active mining. The actor validates permissions and expands access with API calls such as RunInstances with the DryRun flag, IAM role creation, and ECS/EC2 provisioning, and then sets disableApiTermination on the mining instances so that TerminateInstances calls fail until the attribute is cleared, slowing remediation and prolonging mining.
Related Happenings
MuddyWater broad cyber-espionage campaign across sectors and countries
Campaign
First: 14.05.2026 00:59
Last: 14.05.2026 00:59
Sources 1
About this happening:
**MuddyWater** was tied to a **2026 espionage campaign** affecting **at least nine organizations** across **nine countries** on **four continents**, with victims in **industrial a...
XM Cyber maps eight validated AWS Bedrock attack vectors across connected enterprise integrations
Technical Analysis
First: 23.03.2026 13:55
Last: 23.03.2026 13:55
Sources 1
About this happening:
**XM Cyber** mapped **eight validated attack vectors** in **AWS Bedrock**, showing how over-privileged permissions can expose logs, knowledge bases, agents, flows, guardrails, and...
Victim organization's AWS environment hit by data theft breach
Incident
First: 11.03.2026 09:31
Last: 11.03.2026 09:31
Sources 1
About this happening:
**UNC6426** breached a victim organization's **AWS environment** and escalated to **administrator access** in **less than 72 hours**, creating immediate risk of **data theft** and...
Fake IT support Havoc campaign
Campaign
First: 03.03.2026 19:15
Last: 03.03.2026 19:15
Sources 1
About this happening:
A **fake IT support** campaign is using **email spam**, phone-based social engineering, and **Havoc C2** to gain initial access, putting targeted organizations at risk of **data e...
Russian-speaking hacker AI-assisted FortiGate breach campaign
Campaign
First: 21.02.2026 15:50
Last: 21.02.2026 15:50
Sources 1
About this happening:
The **Russian-speaking** threat actor ran an **AI-assisted FortiGate breach campaign** from **January 11 to February 18, 2026**, compromising **over 600 FortiGate devices** across...
Timeline
16.12.2025 18:35 2 articles · 5mo ago
AWS crypto mining campaign detected by GuardDuty
Initial Disclosure: GuardDuty and Amazon's automated security monitoring systems detected an ongoing campaign targeting AWS customers with compromised IAM credentials on November 2, 2025. Operating from external hosting, the threat actor rapidly enumerated permissions and resources, validated what the stolen key could do with RunInstances DryRun calls, created IAM roles and Lambda and ECS resources, launched cryptocurrency mining on ECS Fargate and EC2, and set disableApiTermination on the mining instances so that termination requests fail until the attribute is cleared, extending the mining operation.
- Compromised IAM Credentials Power a Large AWS Crypto Mining Campaign — thehackernews.com — 16.12.2025 18:35
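The chain described in the Summary and in the timeline entry above (enumeration, RunInstances DryRun validation, role creation, compute deployment, disableApiTermination) maps directly onto CloudTrail event names, so it can be correlated per access key. The following is an added example written for this page, not code from AWS, GuardDuty or the source article. It assumes CloudTrail's standard record layout (eventName, errorCode, userIdentity.accessKeyId, requestParameters), including that a DryRun RunInstances call is logged with errorCode Client.DryRunOperation and that ModifyInstanceAttribute carries disableApiTermination as {"value": true}; the sample events, key IDs and instance ID are constructed.

```python
"""Correlate the IAM-credential-abuse mining chain in CloudTrail records.

Added example for this page (not AWS, GuardDuty or the source article's code).
Assumptions: standard CloudTrail record fields; DryRun RunInstances is logged
with errorCode "Client.DryRunOperation"; ModifyInstanceAttribute encodes the
attribute as requestParameters.disableApiTermination = {"value": true}.
"""
import json
from collections import defaultdict

# Read-only calls that appear during permission/resource enumeration.
READ_ONLY_PREFIXES = ("Describe", "List", "Get")
# Calls that actually stand up compute where a miner can run.
COMPUTE_CALLS = {"RunInstances", "RunTask", "CreateFunction"}


def classify(event):
    """Map one CloudTrail record to a campaign stage, or None if unrelated.

    Stages: enumerate, validate_dryrun, persist_role, deploy_compute,
    anti_termination.
    """
    name = event.get("eventName", "")
    params = event.get("requestParameters") or {}
    err = event.get("errorCode")
    if name == "RunInstances" and err == "Client.DryRunOperation":
        return "validate_dryrun"          # permission probe, nothing launched
    if name == "CreateRole" and err is None:
        return "persist_role"
    if name in COMPUTE_CALLS and err is None:
        return "deploy_compute"
    if name == "ModifyInstanceAttribute":
        attr = params.get("disableApiTermination")   # assumed field layout
        if isinstance(attr, dict) and attr.get("value") is True:
            return "anti_termination"
        return None
    if name.startswith(READ_ONLY_PREFIXES):
        return "enumerate"
    return None


def correlate(events, min_stages=3):
    """Group records by access key and return keys whose activity spans at
    least `min_stages` distinct stages, listing the stages in the order seen."""
    by_key = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        key = ev.get("userIdentity", {}).get("accessKeyId", "unknown")
        stage = classify(ev)
        if stage and stage not in by_key[key]:
            by_key[key].append(stage)
    return {k: s for k, s in by_key.items() if len(s) >= min_stages}


def protected_instances(events):
    """Instance IDs on which termination protection was switched on."""
    ids = []
    for ev in events:
        if classify(ev) == "anti_termination":
            iid = ev["requestParameters"].get("instanceId")
            if iid and iid not in ids:
                ids.append(iid)
    return ids


def remediation_commands(events):
    """TerminateInstances fails while disableApiTermination is set, so the
    attribute must be cleared first; emit the CLI calls in that order."""
    cmds = []
    for iid in protected_instances(events):
        cmds.append(f"aws ec2 modify-instance-attribute --instance-id {iid} "
                    "--no-disable-api-termination")
        cmds.append(f"aws ec2 terminate-instances --instance-ids {iid}")
    return cmds


# Constructed sample records (not real telemetry). Key ...7EXAMPLE walks the
# whole chain; key ...BEXAMPLE only runs a harmless DescribeInstances.
_A = {"accessKeyId": "AKIAIOSFODNN7EXAMPLE"}
_B = {"accessKeyId": "AKIAI44QH8DHBEXAMPLE"}
SAMPLE_EVENTS = [
    {"eventTime": "2025-11-02T10:00:01Z", "eventName": "GetCallerIdentity",
     "userIdentity": _A},
    {"eventTime": "2025-11-02T10:00:05Z", "eventName": "ListRoles",
     "userIdentity": _A},
    {"eventTime": "2025-11-02T10:00:20Z", "eventName": "RunInstances",
     "userIdentity": _A, "errorCode": "Client.DryRunOperation",
     "requestParameters": {"dryRun": True}},
    {"eventTime": "2025-11-02T10:01:00Z", "eventName": "CreateRole",
     "userIdentity": _A, "requestParameters": {"roleName": "ecs-task-role"}},
    {"eventTime": "2025-11-02T10:02:00Z", "eventName": "RunTask",
     "userIdentity": _A, "requestParameters": {"launchType": "FARGATE"}},
    {"eventTime": "2025-11-02T10:03:00Z", "eventName": "RunInstances",
     "userIdentity": _A, "requestParameters": {"instanceType": "c5.24xlarge"}},
    {"eventTime": "2025-11-02T10:04:00Z", "eventName": "ModifyInstanceAttribute",
     "userIdentity": _A,
     "requestParameters": {"instanceId": "i-0123456789abcdef0",
                           "disableApiTermination": {"value": True}}},
    {"eventTime": "2025-11-02T11:00:00Z", "eventName": "DescribeInstances",
     "userIdentity": _B},
]

if __name__ == "__main__":
    print(json.dumps(correlate(SAMPLE_EVENTS), indent=2))
    print("\n".join(remediation_commands(SAMPLE_EVENTS)))
```

Running the script flags only the first key, with all five stages in sequence, and prints the two-step cleanup for the protected instance. A single DryRun error or a single CreateRole is noise in most accounts; the signal the page describes is one key moving through several of these stages in minutes, which is why the correlation is keyed on accessKeyId and thresholded on distinct stages rather than on any one call.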