Cybersecurity researchers at Palo Alto Networks' Unit 42 have uncovered a highly targeted cyber espionage campaign, tracked as CL-STA-1020, aimed at government entities across Southeast Asia. The campaign, active since late 2024, appears focused on covert intelligence gathering, with particular interest in sensitive documents related to tariffs and trade disputes.
The campaign involves a new Windows backdoor, dubbed ‘HazyBeacon’, that utilizes AWS Lambda URLs for command and control (C2) communication. By leveraging legitimate cloud services like AWS, Google Drive, and Dropbox, the attackers have effectively cloaked their operations within normal network traffic.
The HazyBeacon backdoor was deployed via DLL sideloading: a malicious DLL was placed alongside a legitimate Windows executable, mscorsvw.exe. When the executable ran, it loaded the malicious DLL, which then initiated communication with an attacker-controlled Lambda URL. To ensure persistence, the threat actor registered a Windows service named msdnetsvc, allowing HazyBeacon to survive system reboots.
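The three observable behaviours described above (mscorsvw.exe running outside its normal Microsoft.NET directory, a service named msdnetsvc, and outbound traffic to an AWS Lambda function URL of the form `<id>.lambda-url.<region>.on.aws`) can be turned into a simple hunt over endpoint telemetry. The script below is an added example, not Unit 42's tooling; the Sysmon-style events, paths and hostname in `SAMPLE_EVENTS` are constructed placeholders.

```python
"""Hunt for HazyBeacon-style tradecraft in Sysmon-style endpoint events.

Added example (not from the Unit 42 report). Checks: mscorsvw.exe executed
outside its legitimate Microsoft.NET directory (DLL sideloading), installation
of a service named msdnetsvc (persistence), and any process connecting to an
AWS Lambda function URL host (the C2 channel the report describes).
"""
import re

# AWS Lambda function URLs have the form <id>.lambda-url.<region>.on.aws
LAMBDA_URL_HOST = re.compile(r"\.lambda-url\.[a-z0-9-]+\.on\.aws$", re.IGNORECASE)
# Legitimate mscorsvw.exe lives under %WINDIR%\Microsoft.NET\Framework{,64}\...
LEGIT_MSCORSVW_DIR = re.compile(r"^c:\\windows\\microsoft\.net\\framework(64)?\\", re.IGNORECASE)

SAMPLE_EVENTS = [  # constructed sample telemetry, not real IoCs
    {"type": "process_create", "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe"},
    {"type": "process_create", "image": r"C:\ProgramData\Update\mscorsvw.exe"},
    {"type": "service_install", "name": "msdnetsvc", "image": r"C:\ProgramData\Update\mscorsvw.exe"},
    {"type": "network_connect", "image": r"C:\ProgramData\Update\mscorsvw.exe",
     "dest_host": "abc123.lambda-url.us-east-1.on.aws", "dest_port": 443},
    {"type": "network_connect", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dest_host": "www.example.com", "dest_port": 443},
]


def check_event(ev):
    """Return a list of finding strings for one event (empty if nothing matched)."""
    findings = []
    image = ev.get("image", "")
    if ev["type"] == "process_create" and image.lower().endswith("\\mscorsvw.exe"):
        if not LEGIT_MSCORSVW_DIR.match(image):
            findings.append(f"mscorsvw.exe outside Microsoft.NET dir (possible sideloading): {image}")
    if ev["type"] == "service_install" and ev.get("name", "").lower() == "msdnetsvc":
        findings.append(f"service msdnetsvc installed, binary {image}")
    if ev["type"] == "network_connect" and LAMBDA_URL_HOST.search(ev.get("dest_host", "")):
        findings.append(f"{image} connected to Lambda function URL {ev['dest_host']}")
    return findings


def hunt(events):
    """Run check_event over every event; return (event_index, finding) pairs."""
    return [(i, f) for i, ev in enumerate(events) for f in check_event(ev)]


if __name__ == "__main__":
    for idx, finding in hunt(SAMPLE_EVENTS):
        print(f"[event {idx}] {finding}")
```

The Lambda URL check is deliberately process-agnostic, since legitimate software rarely talks to function URLs directly; tune it with an allow-list before deploying it fleet-wide.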
The attackers attempted to exfiltrate stolen data through Google Drive and Dropbox using tools such as GoogleGet.exe, although those efforts were reportedly unsuccessful. Before abandoning the compromised systems, they issued cleanup commands to delete payloads, temporary archives, and logs in an effort to erase their digital footprints.