State-Backed HazyBeacon Malware Uses AWS Lambda to Steal Data from SE Asian Governments
Briefly

HazyBeacon targets government organizations in Southeast Asia to collect sensitive information, particularly about tariffs and trade disputes. The campaign, tracked as CL-STA-1020 by Palo Alto Networks Unit 42, reflects the region's strategic importance in global trade and power dynamics. The initial access vector for HazyBeacon is still unknown, but the backdoor is deployed through DLL side-loading. Once active, it can execute operator commands and persists on the host as a Windows service. Most notably, it uses AWS Lambda URLs for command-and-control, so that its C2 traffic goes to a legitimate cloud endpoint and blends in with ordinary outbound web traffic.
The threat actors behind this cluster of activity have been collecting sensitive information from government agencies, including information about recent tariffs and trade disputes.
Southeast Asia has increasingly become a focal point for cyber espionage due to its role in sensitive trade negotiations, military modernization, and strategic alignment in the U.S.-China power dynamic.
HazyBeacon is notable for using Amazon Web Services (AWS) Lambda URLs for command-and-control (C2), another instance of threat actors abusing legitimate cloud services so that malicious traffic is hard to distinguish from normal use of those services.
The exact initial access vector used to deliver the malware is currently not known, although evidence shows the use of DLL side-loading techniques to deploy it on compromised hosts.
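The detection angle a defender would want here is network-side: Lambda function URLs follow a fixed public hostname format (`https://<url-id>.lambda-url.<region>.on.aws`), so outbound traffic to that pattern can be pulled out of proxy logs and scored for the regular, low-jitter timing typical of a C2 beacon. The script below is an added example written for this page; it is not code from the article, from Unit 42, or from the malware. The log format and every address, hostname and timestamp in `SAMPLE_LOG` are constructed for the demo, and the `allowlist` parameter is an assumption about how a team would exclude its own known Lambda endpoints.

```python
"""Flag outbound requests to AWS Lambda function URLs in a proxy log and score
each (source, host) pair for beacon-like regularity.

Added example for this page, not code from the article or from Unit 42.
The log format and all sample records below are constructed for the demo.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Public AWS hostname format for Lambda function URLs:
#   https://<url-id>.lambda-url.<region>.on.aws
# Anchored on both ends so "lambda-url.evil.example" and
# "x.lambda-url.us-east-1.on.aws.evil.example" do not match.
LAMBDA_URL_HOST = re.compile(r"^[a-z0-9]+\.lambda-url\.[a-z0-9-]+\.on\.aws$", re.IGNORECASE)

# Constructed sample log: "<ISO-8601 timestamp> <src_ip> <method> <host> <path>".
# 10.1.2.3 polls one Lambda URL every ~5 minutes (beacon-like); 10.1.2.9 hits a
# different Lambda URL twice, hours apart (could be a legitimate integration).
SAMPLE_LOG = """\
2025-07-10T09:00:00Z 10.1.2.3 GET a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4.lambda-url.ap-southeast-1.on.aws /
2025-07-10T09:00:05Z 10.1.2.3 GET www.example.com /index.html
2025-07-10T09:05:00Z 10.1.2.3 GET a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4.lambda-url.ap-southeast-1.on.aws /
2025-07-10T09:10:01Z 10.1.2.3 GET a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4.lambda-url.ap-southeast-1.on.aws /
2025-07-10T09:14:59Z 10.1.2.3 POST a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4.lambda-url.ap-southeast-1.on.aws /
2025-07-10T09:20:00Z 10.1.2.3 GET a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4.lambda-url.ap-southeast-1.on.aws /
2025-07-10T09:03:00Z 10.1.2.9 GET ffffffffffffffffffffffffffffffff.lambda-url.us-east-1.on.aws /api/report
2025-07-10T11:47:12Z 10.1.2.9 GET ffffffffffffffffffffffffffffffff.lambda-url.us-east-1.on.aws /api/report
2025-07-10T09:07:00Z 10.1.2.9 GET lambda-url.example.net /
"""


def parse_line(line):
    """Split one constructed log record into its fields; timestamps become aware datetimes."""
    ts, src, method, host, path = line.split(maxsplit=4)
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "src": src,
        "method": method,
        "host": host.lower(),
        "path": path,
    }


def is_lambda_url_host(host):
    """True if the host is a Lambda function URL hostname (the public on.aws pattern)."""
    return bool(LAMBDA_URL_HOST.match(host.strip().lower()))


def beacon_score(timestamps):
    """Coefficient of variation of the gaps between requests.

    A near-zero value means a fixed sleep between check-ins, which is what a
    simple beacon produces. Returns None when there are fewer than two gaps.
    """
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return None
    avg = mean(gaps)
    return pstdev(gaps) / avg if avg else None


def find_lambda_c2_candidates(log_text, min_requests=3, max_cv=0.1, allowlist=()):
    """Return one finding per (src, Lambda URL host) pair seen in the log.

    allowlist (assumed parameter): hostnames the organization knows it calls
    legitimately; Lambda URLs are widely used for benign purposes, so matching
    the pattern alone is not evidence of compromise.
    """
    seen = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if is_lambda_url_host(rec["host"]) and rec["host"] not in allowlist:
            seen[(rec["src"], rec["host"])].append(rec["ts"])

    findings = []
    for (src, host), stamps in sorted(seen.items()):
        cv = beacon_score(stamps)
        findings.append({
            "src": src,
            "host": host,
            "requests": len(stamps),
            "interval_cv": cv,
            "beacon_like": len(stamps) >= min_requests and cv is not None and cv <= max_cv,
        })
    return findings


if __name__ == "__main__":
    for f in find_lambda_c2_candidates(SAMPLE_LOG):
        print(f)
```

On the sample data the 10.1.2.3 pair comes back with five requests and an interval coefficient of variation under 0.01, so it is flagged as beacon-like, while the 10.1.2.9 pair has only two requests and no score. In practice the periodicity threshold needs tuning against your own traffic, and a hit should be followed by host-side triage (which process made the requests, and whether it was launched via a side-loaded DLL or a recently registered service), since the Lambda URL pattern alone is not a verdict.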
Read at The Hacker News