An active cloud abuse campaign is hitting Amazon Web Services (AWS) tenants by abusing stolen Identity and Access Management (IAM) credentials with the goal of spinning up infrastructure for cryptocurrency mining.

The behavior, initially surfaced by Amazon’s GuardDuty managed threat detection service and supporting automated monitoring on November 2, 2025, makes use of new persistence techniques that slow down incident response and allow mining workloads to run longer, according to a new analysis shared by Amazon ahead of wider release.

“Operating from an external hosting provider, the threat actor quickly enumerated resources and permissions before deploying crypto mining resources across ECS and EC2,” Amazon said. “Within 10 minutes of the threat actor gaining initial access, crypto miners were operational.”

The multi-stage intrusion flow starts with the actor using compromised IAM user credentials with effective administrative permissions to run discovery, checking EC2 service quotas and validating access by calling the RunInstances API with the “DryRun” flag enabled.

Using the “DryRun” flag is a deliberate choice: it lets the attacker confirm that their IAM permissions support instance creation without actually provisioning instances, which avoids immediate billing spikes and reduces obvious forensic artifacts. The purpose of this step is to confirm that the victim environment can support large-scale miner deployment.

The compromise then moves to the next phase when the actor invokes CreateServiceLinkedRole and CreateRole to stand up IAM roles for EC2 Auto Scaling and AWS Lambda. After the roles are in place, the “AWSLambdaBasicExecutionRole” policy is attached to the Lambda role.

In observed incidents, the actor has provisioned large numbers of ECS clusters in victim accounts, in some environments creating more than 50 ECS clusters during a single intrusion.

“They then called RegisterTaskDefinition with a malicious DockerHub image yenik65958/secret:user,” Amazon said. “With the same string used for the cluster creation, the actor then created a service, using the task definition to initiate crypto mining on ECS Fargate nodes.”

The DockerHub image, which has since been removed, is configured to immediately execute a shell script at deployment time that starts cryptocurrency mining using the RandomVIREL mining algorithm. In parallel, the threat actor has been seen creating Auto Scaling groups configured to scale from 20 up to 999 instances, attempting to fully consume available EC2 service quotas and maximize compute usage for mining.

The EC2 component of the activity targets a broad set of instance families, including GPU and machine learning instances as well as compute-optimized, memory-optimized, and general-purpose instances.

The aspect most relevant for SOC and incident response teams is the use of the ModifyInstanceAttribute action with “disableApiTermination” set to “True.” This setting blocks termination of an instance from the Amazon EC2 console, CLI, or API. In practice, this forces responders to first re-enable API termination before they can tear down impacted instances.

“Instance termination protection can impair incident response capabilities and disrupt automated remediation controls,” Amazon said. “This technique demonstrates an understanding of common security response procedures and intent to maximize the duration of mining operations.”

This control path is a known risk. In April 2024, security researcher Harsha Koushik demonstrated a proof-of-concept (PoC) showing how ModifyInstanceAttribute can be abused to take over instances, steal instance role credentials, and potentially pivot to full AWS account compromise.

The campaign also includes configuration changes that matter for email abuse and lateral activity: the attackers create a Lambda function that any principal can invoke, and an IAM user “user-x1x2x3x4” with the AWS managed policy “AmazonSESFullAccess” attached. This gives the actor unrestricted control over Amazon Simple Email Service (SES), which can be used to send high-volume phishing or other malicious email traffic from a trusted AWS domain.

From a defensive standpoint, Amazon recommends that AWS customers implement the following controls and monitoring patterns –

• Enforce strong identity and access management controls
• Implement temporary credentials instead of long-term access keys
• Use multi-factor authentication (MFA) for all users
• Apply the principle of least privilege (PoLP) to IAM principals to restrict access
• Add container security controls to scan for suspicious images
• Monitor unusual CPU allocation requests in ECS task definitions
• Use AWS CloudTrail to log events across AWS services
• Ensure AWS GuardDuty is enabled to facilitate automated response workflows

“The threat actor’s scripted use of multiple compute services, in combination with emerging persistence techniques, represents a significant advancement in crypto mining attack methodologies.”