An ongoing campaign has been observed targeting Amazon Web Services (AWS) customers using compromised Identity and Access Management (IAM) credentials to enable cryptocurrency mining.
The activity, first detected by Amazon’s GuardDuty managed threat detection service and its automated security monitoring systems on November 2, 2025, employs never-before-seen persistence techniques to hamper incident response and continue unimpeded, according to a new report shared by the tech giant ahead of publication.
“Operating from an external hosting provider, the threat actor quickly enumerated resources and permissions before deploying crypto mining resources across ECS and EC2,” Amazon said. “Within 10 minutes of the threat actor gaining initial access, crypto miners were operational.”
The multi-stage attack chain essentially begins with the unknown adversary leveraging compromised IAM user credentials with admin-like…
https://thehackernews.com/2025/12/compromised-iam-credentials-power-large.html
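A detection sketch for the pattern Amazon describes, a burst of enumeration followed by EC2 and ECS deployment within 10 minutes of first access. This is an added example, not code from Amazon's report or the article. The list of watched API calls, the `min_enum` threshold, the grouping by access key and source IP, and the trimmed CloudTrail records are all assumptions or constructed sample data.

```python
from datetime import datetime, timedelta

# Deployment calls watched here are this example's choice, not a list from the report.
DEPLOY = {("ec2.amazonaws.com", "RunInstances"), ("ecs.amazonaws.com", "CreateCluster"),
          ("ecs.amazonaws.com", "RegisterTaskDefinition"), ("ecs.amazonaws.com", "RunTask"),
          ("ecs.amazonaws.com", "CreateService")}
ENUM_PREFIXES = ("List", "Describe", "Get")  # heuristic for read-only discovery calls

def _ts(rec):
    return datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def flag_fast_deploy(records, window=timedelta(minutes=10), min_enum=3):
    """Map (accessKeyId, sourceIPAddress) -> services deployed to, for sessions that
    made >= min_enum distinct discovery calls and then launched compute, all within
    `window` of the session's first event."""
    sessions = {}
    for rec in sorted(records, key=_ts):
        key = (rec["userIdentity"]["accessKeyId"], rec["sourceIPAddress"])
        sessions.setdefault(key, []).append(rec)
    flagged = {}
    for key, recs in sessions.items():
        start, enum_seen, services = _ts(recs[0]), set(), set()
        for rec in recs:
            if _ts(rec) - start > window:
                break  # anything later falls outside the fast-deploy window
            name, source = rec["eventName"], rec["eventSource"]
            if name.startswith(ENUM_PREFIXES):
                enum_seen.add(name)
            elif (source, name) in DEPLOY and len(enum_seen) >= min_enum:
                services.add(source.split(".")[0])
        if services:
            flagged[key] = sorted(services)
    return flagged

def _rec(t, source, name, who):  # builds a constructed, trimmed CloudTrail record
    return {"eventTime": f"2025-01-01T{t}Z", "eventSource": f"{source}.amazonaws.com",
            "eventName": name, "userIdentity": {"accessKeyId": who[0]},
            "sourceIPAddress": who[1]}

A = ("AKIAEXAMPLE0000000001", "203.0.113.50")  # placeholder key ID, documentation IP
B = ("AKIAEXAMPLE0000000002", "198.51.100.7")  # placeholder key ID, documentation IP
SAMPLE = [_rec(*row) for row in [  # constructed events, not real logs
    ("10:00:05", "sts", "GetCallerIdentity", A), ("10:00:40", "iam", "ListAttachedUserPolicies", A),
    ("10:01:10", "ec2", "DescribeInstances", A), ("10:02:00", "ecs", "ListClusters", A),
    ("10:04:30", "ec2", "RunInstances", A), ("10:06:15", "ecs", "CreateCluster", A),
    ("10:07:00", "ecs", "RegisterTaskDefinition", A), ("09:00:00", "ec2", "DescribeInstances", B),
    ("09:01:00", "ec2", "DescribeImages", B), ("09:02:00", "ec2", "DescribeSubnets", B),
    ("09:40:00", "ec2", "RunInstances", B)]]
```

Session A is flagged for both `ec2` and `ecs`; session B launches an instance 40 minutes after its first call and is not flagged at the default 10-minute window.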