Hackers Leveraging AWS Lambda URL Endpoints to Attack Government Organizations

A previously unreported Windows backdoor dubbed “HazyBeacon” has emerged in a stealthy espionage campaign that began in late 2024 and is still unfolding across several Southeast Asian government networks.

The operators exploit the public URL feature of AWS Lambda—originally designed to simplify serverless deployments—to camouflage command-and-control (C2) traffic inside routine cloud operations.

The execution flow of Lambda URL abuse shows how every beacon from an infected workstation blends into legitimate *.on.aws traffic, giving defenders little visual distinction from sanctioned cloud workloads.

Execution flow of Lambda URL abuse (Source – Palo Alto Networks)

Initial footholds appear to stem from highly targeted spear-phishing lures that drop a compressed bundle containing both a signed Microsoft utility (mscorsvw.exe) and its weaponized counterpart, mscorsvc.dll.

Once the archive is unpacked, Windows automatically prioritizes the malicious DLL when the service executable launches, establishing an unobtrusive backdoor.

Infections have been traced to ministries handling tariff negotiations and cross-border trade documents, underscoring a clear intelligence-gathering motive.


Palo Alto Networks analysts identified the campaign in early 2025 while investigating anomalous DNS patterns in a regional agency’s telemetry.

Their reverse-engineering revealed that each beacon not only requests tasking from an attacker-controlled Lambda function but also retrieves auxiliary payloads—including bespoke Google Drive and Dropbox uploaders—continuing the “hide-in-plain-sight” strategy through every stage of the kill chain.

The DLL sideloading diagram shows the exact load hijack, but it is the malware’s persistence logic that cements its foothold.

DLL sideloading of the HazyBeacon DLL (Source – Palo Alto Networks)

Upon first execution, HazyBeacon spawns a new Windows service named msdnetsvc, ensuring revival after every reboot.

The workflow is compact enough to survive most host-based heuristics:

sc create msdnetsvc binPath= "C:\Windows\assembly\mscorsvw.exe" start= auto
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v netupd /t REG_SZ /d "C:\Windows\assembly\mscorsvw.exe"

In tandem, the backdoor siphons sensitive files with a lightweight collector (igfx.exe) that zips documents by extension and timestamp before chunking them into 200 MB slices via an embedded 7z.exe.

Each slice is queued for exfiltration through Google Drive APIs; should those flows be blocked, a fallback Dropbox uploader, Dropbox.exe, activates automatically.

The full execution flow in the original report maps this cascading logic in detail.

Full execution flow of the attack (Source – Palo Alto Networks)

Detection remains challenging because outbound traffic terminates at legitimate AWS and consumer storage domains.

However, defenders can hunt for repeating GET requests to *.lambda-url.*.on.aws, unexpected invocations of mscorsvw.exe from C:\Windows\assembly, and rogue services whose display names mimic Microsoft networking utilities.

Network teams should also baseline normal Lambda URL usage; any sudden spike from endpoints without development workloads warrants immediate triage.
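As an added illustration (not from the article or the Palo Alto Networks report), the following Python sketch applies the hunt described above to constructed proxy-log lines: it flags hosts outside a development allow-list that repeatedly GET a Lambda Function URL at a near-constant interval, which is what a beacon looks like in egress logs. Host names, URL IDs and timestamps are invented.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log lines: timestamp, source host, method, URL.
# Host names and Lambda URL IDs are made up for this example.
SAMPLE_LOGS = """\
2025-02-03T09:00:05Z ws-finance-07 GET https://abc123xyz.lambda-url.ap-southeast-1.on.aws/
2025-02-03T09:05:04Z ws-finance-07 GET https://abc123xyz.lambda-url.ap-southeast-1.on.aws/
2025-02-03T09:10:06Z ws-finance-07 GET https://abc123xyz.lambda-url.ap-southeast-1.on.aws/
2025-02-03T09:15:05Z ws-finance-07 GET https://abc123xyz.lambda-url.ap-southeast-1.on.aws/
2025-02-03T09:02:11Z dev-build-01 POST https://deploy44.lambda-url.us-east-1.on.aws/build
2025-02-03T09:03:30Z ws-finance-07 GET https://www.example.com/index.html
"""

# Matches the *.lambda-url.<region>.on.aws pattern used by Lambda Function URLs.
LAMBDA_URL_RE = re.compile(
    r"^https?://[a-z0-9]+\.lambda-url\.[a-z0-9-]+\.on\.aws(/|$)", re.I)


def parse_line(line):
    """Split one constructed log line into (datetime, host, method, url)."""
    ts, host, method, url = line.split(maxsplit=3)
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), host, method, url


def find_lambda_beacons(log_text, dev_hosts, min_hits=3, max_jitter_s=30):
    """Return {(host, url): hit_count} for hosts outside the development
    allow-list that GET the same Lambda URL repeatedly at a steady cadence."""
    by_key = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, method, url = parse_line(line)
        if method == "GET" and LAMBDA_URL_RE.match(url) and host not in dev_hosts:
            by_key[(host, url)].append(ts)
    findings = {}
    for key, times in by_key.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # Near-constant spacing between requests is the beacon signature;
        # human browsing and CI jobs rarely keep that rhythm.
        if max(gaps) - min(gaps) <= max_jitter_s:
            findings[key] = len(times)
    return findings


if __name__ == "__main__":
    for (host, url), hits in find_lambda_beacons(SAMPLE_LOGS, {"dev-build-01"}).items():
        print(f"beacon-like: {host} -> {url} ({hits} hits)")
```

The allow-list stands in for the baseline of known development workloads the article recommends; anything outside it that beacons to a Lambda URL is a triage candidate, not a confirmed infection.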

While HazyBeacon’s toolkit is compact, its fusion of serverless C2, DLL sideloading, and multi-cloud exfiltration marks a troubling evolution in state-aligned espionage.

Continuous inspection of cloud egress, coupled with strict allow-lists for serverless endpoints, offers the most pragmatic defense until wider signature coverage matures.


Tushar Subhra Dutta
Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics.