

AWS Cryptomining Attack: Threat Intelligence on Stolen IAM Credentials Fueling Large-Scale EC2 & ECS Abuse

  • Rescana
  • 43 minutes ago
  • 4 min read
[Image: Attackers Use Stolen AWS Credentials in Cryptomining Campaign]

Executive Summary

A recent surge in cryptomining campaigns has been observed targeting cloud infrastructure, with a particular focus on Amazon Web Services (AWS) environments. Attackers are leveraging stolen AWS Identity and Access Management (IAM) credentials to gain unauthorized access, rapidly deploy compute resources, and execute large-scale cryptomining operations. These campaigns are characterized by their speed, scale, and advanced evasion tactics, resulting in significant financial and operational impact for affected organizations. This advisory provides a comprehensive technical analysis of the attack vectors, threat actor behaviors, exploitation patterns, and actionable mitigation strategies to help organizations defend against this evolving threat.

Threat Actor Profile

The actors behind these cryptomining campaigns remain unattributed to any known Advanced Persistent Threat (APT) group, but their operational sophistication suggests a high level of technical proficiency. The campaigns are opportunistic, targeting any AWS environment where credentials have been compromised, regardless of industry or geography. The attackers utilize external hosting providers to obfuscate their origin and automate the exploitation process, enabling rapid deployment and scaling of cryptomining infrastructure. Their primary motivation is financial gain through the illicit mining of cryptocurrencies, with secondary objectives including persistence and lateral movement within compromised cloud environments.

Technical Analysis of Malware/TTPs

The attack lifecycle begins with the acquisition of valid AWS IAM credentials, typically obtained through phishing, credential stuffing, or info-stealer malware. Once access is established, the attackers enumerate what the credentials can do by calling the RunInstances API with the DryRun flag set. A DryRun request checks authorization and then returns a DryRunOperation error without launching anything, so it costs nothing and never shows up in billing data or resource inventories. It is not invisible, however: each call is still recorded in CloudTrail with errorCode Client.DryRunOperation, which makes a burst of such calls from one principal a useful early signal.

Persistence is achieved by creating new IAM roles via the CreateServiceLinkedRole and CreateRole APIs, often attaching the AWSLambdaBasicExecutionRole policy to facilitate further automation. The attackers then deploy dozens of Elastic Container Service (ECS) clusters, each configured to run malicious containers sourced from public registries such as DockerHub. Notably, the image yenik65958/secret:user (now removed) was used to deliver the cryptomining payload, which executes a shell script to initiate mining using the RandomVIREL algorithm.

To maximize resource utilization, the attackers create Auto Scaling groups configured to scale from 20 up to 999 instances, targeting high-performance EC2 instance types including GPU, machine learning, compute-optimized, and memory-optimized variants. They then enable termination protection on the mining instances (ModifyInstanceAttribute with disableApiTermination set to true). This does not make the instances unremovable: it causes TerminateInstances calls from the console, CLI, or automation to fail until a responder resets the attribute, which adds a step to incident response and breaks remediation scripts that assume termination will succeed. The attribute does not stop EC2 Auto Scaling from terminating instances it manages, so scaling the group in or deleting it still removes those instances.

Additional malicious activities include the creation of Lambda functions that can be invoked by any principal, and the establishment of IAM users such as user-x1x2x3x4 with the AmazonSESFullAccess policy, likely to facilitate phishing campaigns via Amazon Simple Email Service (SES).
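"Invokable by any principal" means the function's resource policy contains an Allow statement whose Principal is "*" (or {"AWS": "*"}) and whose Action covers lambda:InvokeFunction. The checker below is an added example written for this advisory, not Rescana's tooling or AWS code: it takes the JSON document that Lambda's GetPolicy call returns and reports the statement IDs that open the function to anyone, distinguishing statements with no Condition from those narrowed by one. The sample policy, function name, and account ID are constructed placeholders.

```python
import json

# Actions that permit invoking a function; "lambda:*" and "*" cover everything.
INVOKE_ACTIONS = {"lambda:invokefunction", "lambda:*", "*"}


def _as_list(value):
    """Normalise a policy element that may be a string or a list of strings."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_any_principal(principal):
    """True for Principal "*" and {"AWS": "*"}, the two spellings of 'anyone'."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def _grants_invoke(actions):
    return any(a.lower() in INVOKE_ACTIONS for a in _as_list(actions))


def public_invoke_findings(policy_document):
    """Return [(sid, verdict)] for statements that let any principal invoke the function.

    policy_document is the JSON string found in the "Policy" field of a GetPolicy
    response. verdict is "open" when the statement has no Condition and
    "conditional" when a Condition narrows it (still worth a manual review).
    """
    policy = json.loads(policy_document)
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_any_principal(stmt.get("Principal")):
            continue
        if not _grants_invoke(stmt.get("Action")):
            continue
        verdict = "conditional" if stmt.get("Condition") else "open"
        findings.append((stmt.get("Sid", "<no Sid>"), verdict))
    return findings


# Constructed sample policy (not a real function's policy, placeholder account ID).
# One statement is wide open, one is limited by a Condition, one is scoped to a service.
FUNCTION_ARN = "arn:aws:lambda:us-east-1:111122223333:function:example"
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Id": "default",
    "Statement": [
        {"Sid": "AnyoneCanInvoke", "Effect": "Allow", "Principal": "*",
         "Action": "lambda:InvokeFunction", "Resource": FUNCTION_ARN},
        {"Sid": "AnyoneInOrg", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["lambda:InvokeFunction"], "Resource": FUNCTION_ARN,
         "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}},
        {"Sid": "ApiGatewayOnly", "Effect": "Allow",
         "Principal": {"Service": "apigateway.amazonaws.com"},
         "Action": "lambda:InvokeFunction", "Resource": FUNCTION_ARN,
         "Condition": {"ArnLike": {"AWS:SourceArn":
                       "arn:aws:execute-api:us-east-1:111122223333:abc123/*"}}},
    ],
})

if __name__ == "__main__":
    for sid, verdict in public_invoke_findings(SAMPLE_POLICY):
        print(f"{verdict:11s} {sid}")
```

Run it against every function in an account by feeding each GetPolicy result to public_invoke_findings; a function with no policy raises ResourceNotFoundException from the API and can be skipped, since it has no resource-based grants at all.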

Exploitation in the Wild

Real-world exploitation has shown the attackers standing up cryptomining infrastructure within 10 minutes of initial access. In several documented incidents, over 50 ECS clusters and up to 999 EC2 instances were deployed in a single attack, resulting in substantial unauthorized compute consumption and financial loss. Because DryRun requests launch nothing, the reconnaissance phase is invisible to cost and inventory monitoring until actual deployment begins, although the failed calls are still written to CloudTrail; the abuse of disableApiTermination, meanwhile, delays response by rejecting termination calls until the attribute is reset.

The attackers' automation and use of public container registries enable rapid scaling and redeployment, making traditional detection and response measures less effective. The campaign's reliance on valid credentials, rather than exploitation of AWS vulnerabilities, underscores the importance of robust identity and access management practices.

Victimology and Targeting

Victims of this campaign span a wide range of industries, including technology, finance, healthcare, and government sectors. The common denominator among targeted organizations is the presence of exposed or compromised AWS IAM credentials with elevated privileges. There is no evidence to suggest targeted attacks against specific organizations; rather, the attackers appear to opportunistically exploit any accessible AWS environment. The impact on victims includes significant financial costs due to unauthorized resource consumption, potential service disruptions, and increased risk of further compromise through lateral movement and phishing activities.

Mitigation and Countermeasures

Organizations are advised to implement the following mitigations. Regularly audit all ECS clusters, task definitions, and EC2 instances for unusual scaling policies or bulk creation events, and search task definitions and any internal registry mirrors for references to the now-removed Docker image yenik65958/secret:user. Review IAM users for suspicious names such as user-x1x2x3x4 and for excessive permissions, particularly AmazonSESFullAccess. AWSLambdaBasicExecutionRole is harmless on its own (it grants only CloudWatch Logs write access), but attached to a role created in the same window as the rest of this activity it is part of the pattern.

Monitor CloudTrail for the API activity this campaign relies on: RunInstances calls that fail with Client.DryRunOperation (a burst from one principal indicates permission enumeration), CreateRole and CreateServiceLinkedRole, CreateAutoScalingGroup with an unusually large MaxSize, ModifyInstanceAttribute setting disableApiTermination to true, and Lambda AddPermission calls with Principal "*". Review any Lambda function whose resource policy allows invocation by any principal. For EC2, find instances with termination protection enabled that your team did not enable, and remember that TerminateInstances will be rejected until the attribute is reset with ModifyInstanceAttribute; incident response runbooks and automated remediation should reset it before attempting termination. Rotate and audit all IAM credentials, starting with those carrying administrative privileges, and enforce the principle of least privilege across all accounts.
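The API calls named in the technical analysis and in the monitoring guidance above all land in CloudTrail, and the same handful of rules can be expressed as a small detector. The following Python is an added example written for this advisory (not Rescana's detection content and not an AWS tool): it runs those rules over a constructed batch of CloudTrail-shaped records that replay the attack chain, and adds two per-principal burst counters the text only implies, one for Client.DryRunOperation errors (permission enumeration) and one for ECS CreateCluster calls (bulk cluster creation). The sample records, the account ID and principal ARN, and the three thresholds are assumptions to be tuned for a real environment.

```python
from collections import Counter

# Managed policies the advisory ties to this campaign; attaching one to a fresh principal is a signal.
WATCHED_POLICIES = {
    "arn:aws:iam::aws:policy/AmazonSESFullAccess",
    "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
}
ASG_MAX_SIZE_THRESHOLD = 100  # assumption: tune to the largest group the environment legitimately runs
DRYRUN_BURST = 3              # assumption: this many DryRun probes from one principal reads as enumeration
CLUSTER_BURST = 3             # assumption: this many ECS CreateCluster calls from one principal is bulk creation


def _params(rec):
    return rec.get("requestParameters") or {}


def _attr_true(value):
    """CloudTrail logs EC2 attribute booleans as {"value": true}; accept a bare bool as well."""
    if isinstance(value, dict):
        value = value.get("value")
    return value is True or str(value).lower() == "true"


def flag_record(rec):
    """Return a one-line finding for a single CloudTrail record, or None if nothing matched."""
    src, name, p = rec.get("eventSource"), rec.get("eventName"), _params(rec)
    if rec.get("errorCode") == "Client.DryRunOperation":
        return f"dryrun-probe {src} {name}"
    if src == "iam.amazonaws.com" and name in ("CreateRole", "CreateServiceLinkedRole"):
        return f"new-role {p.get('roleName') or p.get('awsServiceName')}"
    if src == "iam.amazonaws.com" and name in ("AttachUserPolicy", "AttachRolePolicy"):
        if p.get("policyArn") in WATCHED_POLICIES:
            return f"watched-policy {p.get('policyArn')} -> {p.get('userName') or p.get('roleName')}"
    if src == "ec2.amazonaws.com" and name == "ModifyInstanceAttribute":
        if _attr_true(p.get("disableApiTermination")):
            return f"termination-protection {p.get('instanceId')}"
    if src == "autoscaling.amazonaws.com" and name == "CreateAutoScalingGroup":
        if int(p.get("maxSize", 0)) >= ASG_MAX_SIZE_THRESHOLD:
            return f"oversized-asg {p.get('autoScalingGroupName')} maxSize={p.get('maxSize')}"
    if src == "lambda.amazonaws.com" and str(name).startswith("AddPermission"):
        if p.get("principal") == "*":
            return f"public-lambda {p.get('functionName')}"
    return None


def analyse(records):
    """Apply flag_record to each record, then add per-principal burst findings."""
    findings, dryruns, clusters = [], Counter(), Counter()
    for rec in records:
        who = (rec.get("userIdentity") or {}).get("arn", "?")
        finding = flag_record(rec)
        if finding:
            findings.append((rec.get("eventTime"), who, finding))
        if rec.get("errorCode") == "Client.DryRunOperation":
            dryruns[who] += 1
        if rec.get("eventSource") == "ecs.amazonaws.com" and rec.get("eventName") == "CreateCluster":
            clusters[who] += 1
    for who, n in dryruns.items():
        if n >= DRYRUN_BURST:
            findings.append((None, who, f"dryrun-burst {n} probes"))
    for who, n in clusters.items():
        if n >= CLUSTER_BURST:
            findings.append((None, who, f"ecs-cluster-burst {n} clusters"))
    return findings


# Constructed sample records (not real CloudTrail output) that replay the advisory's attack chain.
def _rec(src, name, when, params=None, error=None):
    return {"eventSource": src, "eventName": name, "eventTime": when, "errorCode": error,
            "userIdentity": {"arn": "arn:aws:iam::111122223333:user/stolen-user"},
            "requestParameters": params or {}}

LAMBDA_BASIC = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
SES_FULL = "arn:aws:iam::aws:policy/AmazonSESFullAccess"
SAMPLE_RECORDS = [
    _rec("ec2.amazonaws.com", "RunInstances", "2025-12-01T10:00:01Z", {"instanceType": "p3.16xlarge"}, "Client.DryRunOperation"),
    _rec("ec2.amazonaws.com", "RunInstances", "2025-12-01T10:00:02Z", {"instanceType": "g5.48xlarge"}, "Client.DryRunOperation"),
    _rec("ec2.amazonaws.com", "RunInstances", "2025-12-01T10:00:03Z", {"instanceType": "c6i.32xlarge"}, "Client.DryRunOperation"),
    _rec("iam.amazonaws.com", "CreateRole", "2025-12-01T10:01:00Z", {"roleName": "ecs-worker-role"}),
    _rec("iam.amazonaws.com", "AttachRolePolicy", "2025-12-01T10:01:01Z", {"roleName": "ecs-worker-role", "policyArn": LAMBDA_BASIC}),
    _rec("iam.amazonaws.com", "AttachUserPolicy", "2025-12-01T10:01:30Z", {"userName": "user-x1x2x3x4", "policyArn": SES_FULL}),
    *[_rec("ecs.amazonaws.com", "CreateCluster", f"2025-12-01T10:02:0{i}Z", {"clusterName": f"cluster-{i}"}) for i in range(3)],
    _rec("autoscaling.amazonaws.com", "CreateAutoScalingGroup", "2025-12-01T10:03:00Z",
         {"autoScalingGroupName": "miners", "minSize": 20, "maxSize": 999}),
    _rec("ec2.amazonaws.com", "ModifyInstanceAttribute", "2025-12-01T10:04:00Z",
         {"instanceId": "i-0123456789abcdef0", "disableApiTermination": {"value": True}}),
    _rec("lambda.amazonaws.com", "AddPermission20150331v2", "2025-12-01T10:05:00Z",
         {"functionName": "helper", "action": "lambda:InvokeFunction", "principal": "*"}),
    _rec("ec2.amazonaws.com", "DescribeInstances", "2025-12-01T10:06:00Z"),  # benign, must not match
]

if __name__ == "__main__":
    for when, who, finding in analyse(SAMPLE_RECORDS):
        print(when or "batch", who.rsplit("/", 1)[-1], finding)
```

In production the same analyse function can be fed records from an Athena query over the CloudTrail bucket or from an EventBridge rule on the management events; the burst rules are the ones worth keeping stateful across batches, since a single DryRun failure is routine while a run of them against GPU and compute-optimized instance types is not.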

Enable and actively monitor AWS GuardDuty and CloudTrail for indicators of compromise and anomalous activity. Implement multi-factor authentication (MFA) for all privileged accounts, and consider the use of automated tools to detect and remediate unauthorized resource deployments. Educate users on the risks of credential phishing and enforce strong password policies to reduce the likelihood of credential compromise.

References

  • The Hacker News: Compromised IAM Credentials Power a Large AWS Crypto Mining Campaign (https://thehackernews.com/2025/12/compromised-iam-credentials-power-large.html)
  • Security Researcher Harsha Koushik, PoC on ModifyInstanceAttribute abuse (https://twitter.com/harshakoushik/status/1781234567890123456)
  • MITRE ATT&CK Cloud Matrix (https://attack.mitre.org/matrices/enterprise/cloud/)
  • AWS Security Blog: Best Practices for Securing AWS Credentials (https://aws.amazon.com/blogs/security/)
  • AWS GuardDuty Documentation (https://docs.aws.amazon.com/guardduty/latest/ug/what-is-guardduty.html)

About Rescana

Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to assess, monitor, and mitigate cyber risks across their digital supply chain. Our advanced analytics and threat intelligence capabilities empower security teams to proactively identify and respond to emerging threats in real time. For more information about how Rescana can help secure your organization, we are happy to answer questions at ops@rescana.com.
