
AWS EC2 and ECS cryptomining campaign using compromised IAM credentials

Campaign · Happening score 39 · 1 unique source, 1 article

Summary


An ongoing crypto-mining campaign is abusing compromised IAM credentials to mine on AWS EC2 and ECS, draining customer compute and slowing response. The operation began on November 2, with mining activity starting within 10 minutes of initial access. It uses a Docker Hub image containing SBRMiner-MULTI and scales out through launch templates and auto-scaling groups. The attacker also disabled instance termination to make remediation harder and prolong profit.

Related Happenings

Victim organization's AWS environment hit by data theft breach

Incident
First: 11.03.2026 09:31 Last: 11.03.2026 09:31 Sources 1

About this happening: **UNC6426** breached a victim organization's **AWS environment** and escalated to **administrator access** in **less than 72 hours**, creating immediate risk of **data theft** and...

Russian-speaking hacker AI-assisted FortiGate breach campaign

Campaign
First: 21.02.2026 15:50 Last: 21.02.2026 15:50 Sources 1

About this happening: The **Russian-speaking** threat actor ran an **AI-assisted FortiGate breach campaign** from **January 11 to February 18, 2026**, compromising **over 600 FortiGate devices** across...

TeamPCP cloud-native exploitation campaign

Campaign
First: 09.02.2026 10:37 Last: 09.02.2026 10:37 Sources 1

About this happening: **TeamPCP** is a **cloud-native supply-chain campaign** that abuses exposed **Docker APIs**, **Kubernetes clusters**, **Ray dashboards**, **Redis servers**, and **React2Shell (CVE...

Latest development: 23.03.2026 10:31

Researchers uncovered malicious Trivy Docker Hub image tags 0.69.4, 0.69.5, and 0.69.6 tied to TeamPCP; 0.69.5 and 0.69.6 were pushed on March 22 without corresponding GitHub releases or tags. The same reporting says TeamPCP used a compromised service account token to deface all 44 internal repositories in Aqua Security's aquasec-com GitHub organization by renaming them with the tpcp-docs- prefix and exposing them publicly.

Exposed security-training web apps exploitation wave

Exploitation Wave
First: 21.01.2026 16:00 Last: 21.01.2026 16:00 Sources 1

About this happening: **DVWA**, **OWASP Juice Shop**, **Hackazon**, and **bWAPP** instances exposed in cloud environments are being **actively exploited**, putting **Fortune 500 companies** and securit...

SBRMiner-MULTI cryptominer delivered through a malicious Docker Hub image

Malware Activity
First: 17.12.2025 23:48 Last: 17.12.2025 23:48 Sources 1

How related: The mining was made possible by registering an ECS task definition pointing to the Docker Hub image yenik65958/secret, created on October 29, which included an SBRMiner-MULTI cryptominer and a startup script that launched it automatically when the container started.

About this happening: An **SBRMiner-MULTI** cryptominer was delivered through a **malicious Docker Hub image** that auto-launched on container startup, enabling illicit mining on **AWS EC2** and **ECS**...

Timeline

  1. 17.12.2025 23:48 · 1 article

    Compromised IAM access starts cryptomining on AWS EC2 and ECS

    Exploitation Observed

    Compromised IAM credentials gave access to AWS EC2 and ECS workloads, after which the actor reconnoitered EC2 service quotas and IAM permissions and began cryptomining within 10 minutes of initial access. The activity used an ECS task definition pointing to the Docker Hub image yenik65958/secret, which contained SBRMiner-MULTI and a startup script to launch mining automatically.

  2. 17.12.2025 23:48 · 1 article

    Termination protection and scaling extend the AWS mining operation

    Technical Analysis Update

    On the same day, the actor expanded mining on Amazon EC2 by creating two launch templates with startup scripts and 14 auto-scaling groups, each configured to deploy at least 20 instances with a maximum capacity of up to 999 machines. The actor also called ModifyInstanceAttribute on the launched EC2 instances to disable API termination, forcing responders to turn termination protection off before they could shut the instances down.

  3. 17.12.2025 23:48 · 2 articles

    Amazon warns affected customers and advises credential rotation

    Initial Disclosure

    Amazon's AWS GuardDuty team warned that the campaign was ongoing, said the attacker used valid credentials in customer accounts rather than a vulnerability, alerted affected customers about the cryptomining activity, and advised rotating the compromised IAM credentials. Amazon also removed the malicious Docker Hub image from the platform and warned similar images could reappear under different names or publisher accounts.

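The three CloudTrail signals described in timeline entries 1 and 2 (an ECS task definition pulling an unqualified Docker Hub image, an auto-scaling group with an unusually large maxSize, and ModifyInstanceAttribute enabling termination protection) can be flagged with a small detection pass over CloudTrail records. The example below is added here and is not from the original reporting or from AWS; the sample events are constructed, and their requestParameters shapes are simplified from the real CloudTrail layout, so adjust the field access to your own log export.

```python
"""Flag CloudTrail events matching the EC2/ECS cryptomining pattern above."""
import json

# Constructed sample events (not real CloudTrail records); the requestParameters
# layout is an assumed simplification of what CloudTrail emits for each API.
SAMPLE_EVENTS = [
    {"eventSource": "ecs.amazonaws.com", "eventName": "RegisterTaskDefinition",
     "requestParameters": {"family": "svc", "containerDefinitions": [
         {"name": "c", "image": "yenik65958/secret"}]}},
    {"eventSource": "autoscaling.amazonaws.com", "eventName": "CreateAutoScalingGroup",
     "requestParameters": {"autoScalingGroupName": "asg-01", "minSize": 20, "maxSize": 999}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "ModifyInstanceAttribute",
     "requestParameters": {"instanceId": "i-0abc", "disableApiTermination": {"value": True}}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "ModifyInstanceAttribute",
     "requestParameters": {"instanceId": "i-0def", "instanceType": {"value": "t3.micro"}}},
    {"eventSource": "ecs.amazonaws.com", "eventName": "RegisterTaskDefinition",
     "requestParameters": {"family": "web", "containerDefinitions": [
         {"name": "w", "image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/web:1"}]}},
]

MAX_SIZE_THRESHOLD = 100  # tune per environment; the campaign used a maximum of 999


def is_docker_hub_image(image):
    """True when the image reference resolves to Docker Hub rather than a private registry.
    A first path component with no '.' or ':' (and not 'localhost') is a Docker Hub namespace."""
    first = image.split("/", 1)[0]
    unqualified = "." not in first and ":" not in first and first != "localhost"
    return unqualified or first in ("docker.io", "index.docker.io")


def classify(event):
    """Return a finding label for one event, or None if nothing in it matches the pattern."""
    p = event.get("requestParameters") or {}
    name = event.get("eventName")
    if name == "RegisterTaskDefinition":
        for c in p.get("containerDefinitions", []):
            if is_docker_hub_image(c.get("image", "")):
                return f"docker-hub-image:{c['image']}"
    elif name in ("CreateAutoScalingGroup", "UpdateAutoScalingGroup"):
        if p.get("maxSize", 0) >= MAX_SIZE_THRESHOLD:
            return f"large-asg:{p.get('autoScalingGroupName')}:max={p['maxSize']}"
    elif name == "ModifyInstanceAttribute":
        # Only the disableApiTermination attribute matters; other attribute changes are ignored.
        if (p.get("disableApiTermination") or {}).get("value") is True:
            return f"termination-protection-enabled:{p.get('instanceId')}"
    return None


def findings(events):
    """Collect all non-None finding labels, in event order."""
    return [f for f in (classify(e) for e in events) if f]


if __name__ == "__main__":
    print(json.dumps(findings(SAMPLE_EVENTS), indent=2))
```

Instances flagged with termination protection enabled must have it cleared (for example with ModifyInstanceAttribute setting disableApiTermination back to false) before a TerminateInstances call will succeed, which is the remediation hurdle the reporting describes.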