AWS IAM credential-abuse crypto-mining campaign
Campaign
Summary
Hide ▲
Show ▼
The AWS-targeting campaign is using compromised IAM credentials to deploy cryptocurrency mining resources across customer environments, creating immediate cost and response risk. First seen by GuardDuty on November 2, 2025, the operation rapidly moved from access to active mining. It uses AWS API calls such as RunInstances DryRun, role creation, and ECS/EC2 provisioning to validate permissions and expand access. The actor also abuses disableApiTermination to slow remediation and prolong mining.
Related Happenings
AWS environment hit by data theft breach
Incident
H score26
First: 08.07.2026 15:30
Last: 08.07.2026 15:30
Sources 1
About this happening:
An **AWS environment** was **compromised** in an **AI-assisted intrusion** that enabled **extortion**, creating immediate risk of data theft and operational disruption. The actor...
AWS environment hit by data theft breach
IncidentAbout this happening: An **AWS environment** was **compromised** in an **AI-assisted intrusion** that enabled **extortion**, creating immediate risk of data theft and operational disruption. The actor...
MuddyWater broad cyber-espionage campaign across sectors and countries
Campaign
H score37
First: 14.05.2026 00:59
Last: 14.05.2026 00:59
Sources 1
About this happening:
**MuddyWater** was tied to a **2026 espionage campaign** affecting **at least nine organizations** across **nine countries** on **four continents**, with victims in **industrial a...
MuddyWater broad cyber-espionage campaign across sectors and countries
CampaignAbout this happening: **MuddyWater** was tied to a **2026 espionage campaign** affecting **at least nine organizations** across **nine countries** on **four continents**, with victims in **industrial a...
XM Cyber maps eight validated AWS Bedrock attack vectors across connected enterprise integrations
Technical Analysis
H score26
First: 23.03.2026 13:55
Last: 23.03.2026 13:55
Sources 1
About this happening:
**XM Cyber** mapped **eight validated attack vectors** in **AWS Bedrock**, showing how over-privileged permissions can expose logs, knowledge bases, agents, flows, guardrails, and...
XM Cyber maps eight validated AWS Bedrock attack vectors across connected enterprise integrations
Technical AnalysisAbout this happening: **XM Cyber** mapped **eight validated attack vectors** in **AWS Bedrock**, showing how over-privileged permissions can expose logs, knowledge bases, agents, flows, guardrails, and...
Victim organization's AWS environment hit by data theft breach
Incident
H score36
First: 11.03.2026 09:31
Last: 11.03.2026 09:31
Sources 1
About this happening:
**UNC6426** breached a victim organization's **AWS environment** and escalated to **administrator access** in **less than 72 hours**, creating immediate risk of **data theft** and...
Victim organization's AWS environment hit by data theft breach
IncidentAbout this happening: **UNC6426** breached a victim organization's **AWS environment** and escalated to **administrator access** in **less than 72 hours**, creating immediate risk of **data theft** and...
Fake IT support Havoc campaign
Campaign
H score32
First: 03.03.2026 19:15
Last: 03.03.2026 19:15
Sources 1
About this happening:
A **fake IT support** campaign is using **email spam**, phone-based social engineering, and **Havoc C2** to gain initial access, putting targeted organizations at risk of **data e...
Fake IT support Havoc campaign
CampaignAbout this happening: A **fake IT support** campaign is using **email spam**, phone-based social engineering, and **Havoc C2** to gain initial access, putting targeted organizations at risk of **data e...
Timeline
-
16.12.2025 18:35 2 articles · 6mo ago
AWS crypto mining campaign detected by GuardDuty
Initial DisclosureGuardDuty and Amazon’s automated security monitoring systems detected an ongoing campaign targeting AWS customers with compromised IAM credentials on November 2, 2025, after an external-hosted threat actor rapidly enumerated permissions and resources, validated access with RunInstances DryRun, created IAM roles and Lambda/ECS resources, launched cryptocurrency mining on ECS Fargate and EC2, and used disableApiTermination to slow cleanup and extend mining operations.
Show sources
- Compromised IAM Credentials Power a Large AWS Crypto Mining Campaign — thehackernews.com — 16.12.2025 18:35
- Compromised IAM Credentials Power a Large AWS Crypto Mining Campaign — thehackernews.com — 16.12.2025 18:35