How Compromised IAM Credentials Fuelled a Major AWS Crypto Mining Operation

An ongoing cybersecurity campaign is targeting Amazon Web Services (AWS) customers by exploiting compromised Identity and Access Management (IAM) credentials to facilitate cryptocurrency mining. The campaign was first identified by Amazon’s GuardDuty on November 2, 2025, and has since showcased unique persistence techniques aimed at hindering incident response efforts.

According to a report from Amazon, adversaries quickly assessed resources and permissions at an external hosting provider before setting up crypto mining operations across AWS’s Elastic Container Service (ECS) and Elastic Compute Cloud (EC2). Just 10 minutes after gaining access, crypto miners were operational.

The attack begins when the threat actor uses compromised IAM user credentials with admin-like privileges to enumerate the target environment's EC2 service quotas, validating their permissions at no cost by setting the "DryRun" flag on the requests. This lets the attacker determine whether the environment is suitable for deploying the miner before committing to any billable action.

As the attack progresses, the threat actor invokes specific AWS actions to create IAM roles for autoscaling groups and AWS Lambda. They then attach the policies those roles need and begin creating numerous ECS clusters, sometimes more than 50 in a single operation, and deploy a malicious DockerHub image to start the crypto mining workload.

A notable aspect of this campaign is the use of the "ModifyInstanceAttribute" API action with the "disableApiTermination" parameter set to "True". With termination protection enabled, an instance cannot be terminated via the AWS console, command line, or API, which complicates incident response. Victims must first disable the attribute before they can remove the affected resources, significantly extending the time the mining operation remains active.
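The three behaviours described above (DryRun permission probing, bulk ECS cluster creation, and enabling termination protection) each leave a distinct CloudTrail footprint. The following detection logic is an added example, not code from the article or from Amazon: it runs over constructed, abridged CloudTrail records and assumes the record field names shown (in particular that a successful dry run is logged with `errorCode` "Client.DryRunOperation" and that the attribute appears as `disableApiTermination: {"value": true}`), so verify those shapes against your own trail before relying on it.

```python
import json
from collections import Counter

ACTOR = "arn:aws:iam::123456789012:user/ci-deploy"   # constructed example principal

# Constructed, abridged CloudTrail records mirroring the campaign's footprint.
SAMPLE_EVENTS = [
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"arn": ACTOR}, "errorCode": "Client.DryRunOperation",
     "requestParameters": {"dryRun": True}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "ModifyInstanceAttribute",
     "userIdentity": {"arn": ACTOR},
     "requestParameters": {"instanceId": "i-0abc12345",
                           "disableApiTermination": {"value": True}}},
] + [
    {"eventSource": "ecs.amazonaws.com", "eventName": "CreateCluster",
     "userIdentity": {"arn": ACTOR}, "requestParameters": {"clusterName": f"c{i}"}}
    for i in range(55)
]


def find_findings(events, cluster_threshold=50):
    """Return (finding, actor, detail) tuples for the three campaign signals."""
    findings = []
    ecs_clusters = Counter()   # CreateCluster calls per principal
    for ev in events:
        actor = (ev.get("userIdentity") or {}).get("arn", "unknown")
        name = ev.get("eventName")
        params = ev.get("requestParameters") or {}
        # 1. Permission probing: a dry run that "would have succeeded".
        if ev.get("errorCode") == "Client.DryRunOperation":
            findings.append(("dry_run_recon", actor, name))
        # 2. Persistence: termination protection switched on.
        elif (name == "ModifyInstanceAttribute"
              and (params.get("disableApiTermination") or {}).get("value") is True):
            findings.append(("termination_protection_enabled", actor,
                             params.get("instanceId")))
        # 3. Mass ECS cluster creation by a single principal.
        elif name == "CreateCluster" and ev.get("eventSource") == "ecs.amazonaws.com":
            ecs_clusters[actor] += 1
    for actor, count in ecs_clusters.items():
        if count > cluster_threshold:
            findings.append(("mass_ecs_cluster_creation", actor, count))
    return findings


if __name__ == "__main__":
    for finding in find_findings(SAMPLE_EVENTS):
        print(json.dumps(finding))
```

On a real trail, feed the function the `Records` array of each CloudTrail log file; the instance IDs it reports are the ones whose termination protection must be cleared before cleanup can proceed.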

Moreover, the attackers set up Lambda functions that could be invoked by any principal and created IAM users with full access to Amazon Simple Email Service (SES), likely for carrying out phishing attacks.

To protect against these threats, Amazon recommends several steps for AWS users: enforce strong identity and access management practices, use temporary credentials in place of long-term access keys, implement multi-factor authentication (MFA), apply the principle of least privilege to IAM access, monitor for unusual CPU usage on ECS definitions, and ensure events are properly logged through AWS CloudTrail.

Overall, the threat actor’s methodical exploitation of multiple AWS services reflects a sophisticated advancement in cryptocurrency mining attack strategies, underscoring the importance of comprehensive security measures.
