Behind the Clouds: Attackers Targeting Governments in Southeast Asia Implement Novel Covert C2 Communication
NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY:
A cluster of suspicious activity tracked as CL-STA-1020 has been targeting governmental entities in Southeast Asia since late 2024. The threat actors developed a previously unseen Windows backdoor, HazyBeacon, that uses AWS Lambda function URLs for command-and-control (C2) communication. Because the C2 endpoint is a legitimate AWS service, the channel is scalable, blends into ordinary HTTPS traffic to AWS, and is hard to distinguish from benign use. The attackers' primary goal appears to be covert intelligence gathering, focused on sensitive government data related to trade disputes. Collected files are exfiltrated through Google Drive and Dropbox, which again blends in with normal network traffic. The intrusion chain involves DLL sideloading to load the backdoor, persistence through a Windows service, and additional payloads for file collection and exfiltration.
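The summary above gives a defender two hunt hooks: egress to AWS Lambda function URL hostnames (publicly of the form `<url-id>.lambda-url.<region>.on.aws`) and cloud-storage API traffic from processes that have no business using it. The following hunt script is an added example written for this page, not code from the original report or from the researchers; the proxy log format, the process names, the `hostsvc.exe` binary, the `EXPECTED_STORAGE_CLIENTS` allowlist and the sample log lines are all constructed assumptions. Only the Lambda URL hostname shape and the Google Drive and Dropbox API domains are grounded facts.

```python
"""Hunt for HazyBeacon-style C2 and cloud-storage exfiltration in proxy logs.

Added example; not from the original report. Assumed log format (constructed):
    <timestamp> <client-ip> <process> <method> <host[:port]> <status>
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Public shape of an AWS Lambda function URL hostname: <url-id>.lambda-url.<region>.on.aws
LAMBDA_URL_RE = re.compile(r"^[a-z0-9]+\.lambda-url\.[a-z0-9-]+\.on\.aws$")

# API domains for Google Drive and Dropbox, the exfil channels named in the report.
EXFIL_SUFFIXES = ("googleapis.com", "dropboxapi.com")

# ASSUMPTION: processes expected to talk to those storage APIs in this environment.
EXPECTED_STORAGE_CLIENTS = {"chrome.exe", "msedge.exe", "dropbox.exe", "googledrivefs.exe"}

# Constructed proxy log line shape; the port suffix on host is optional.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<proc>\S+) (?P<method>\S+) "
    r"(?P<host>[^: ]+)(?::\d+)? (?P<status>\d{3})$"
)


@dataclass
class Finding:
    ts: str
    src: str
    proc: str
    host: str
    reason: str


def parse_line(line):
    """Return the log fields as a dict, or None if the line does not match the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(rec):
    """Return a reason string if the record is suspicious, else None."""
    host = rec["host"].lower()
    if LAMBDA_URL_RE.match(host):
        return "lambda-function-url egress (possible HazyBeacon-style C2)"
    if host.endswith(EXFIL_SUFFIXES) and rec["proc"].lower() not in EXPECTED_STORAGE_CLIENTS:
        return "cloud-storage API from unexpected process (possible exfiltration)"
    return None


def hunt(lines):
    """Run every line through the parser and classifier; unparseable lines are skipped."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reason = classify(rec)
        if reason:
            findings.append(Finding(rec["ts"], rec["src"], rec["proc"], rec["host"], reason))
    return findings


def correlate(findings):
    """Client IPs showing both a Lambda URL beacon and unexpected storage-API use."""
    kinds_by_src = defaultdict(set)
    for f in findings:
        kinds_by_src[f.src].add("c2" if f.reason.startswith("lambda") else "exfil")
    return {src for src, kinds in kinds_by_src.items() if kinds == {"c2", "exfil"}}


# Constructed sample log; hostsvc.exe and the url-id are placeholders, not real indicators.
SAMPLE_LOG = """\
2025-01-14T03:12:45Z 10.1.4.22 chrome.exe GET www.example.gov:443 200
2025-01-14T03:13:02Z 10.1.4.22 hostsvc.exe CONNECT abcdefghij1234567890abcdefghij12.lambda-url.ap-southeast-1.on.aws:443 200
2025-01-14T03:20:11Z 10.1.4.22 chrome.exe CONNECT www.googleapis.com:443 200
2025-01-14T03:25:40Z 10.1.4.22 hostsvc.exe CONNECT content.dropboxapi.com:443 200
2025-01-14T03:26:01Z 10.1.4.22 hostsvc.exe CONNECT www.googleapis.com:443 200
""".splitlines()

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f.ts} {f.src} {f.proc} -> {f.host}: {f.reason}")
    print("hosts with both C2 and exfil signals:", correlate(SAMPLE_LOG and hunt(SAMPLE_LOG)))
```

Lambda function URLs are used legitimately by some applications, so baseline your environment before treating a match as malicious; the `correlate` step, which requires both a Lambda URL beacon and storage-API traffic from an unexpected process on the same client, is the higher-confidence signal. Hostname matching also depends on having a proxy or DNS vantage point; direct connections to IP addresses without SNI inspection will not surface here.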
OPENCTI LABELS:
dropbox,dll sideloading,google drive,governmental entities,hazybeacon