Behind the Clouds: Attackers Targeting Governments in Southeast Asia Implement Novel Covert C2 Communication
July 15, 2025, 9:51 a.m.
Description
A cluster of suspicious activity, tracked as CL-STA-1020, has been targeting governmental entities in Southeast Asia since late 2024. The threat actors have developed a new Windows backdoor called HazyBeacon, which uses AWS Lambda URLs for command-and-control (C2) communication. This technique leverages legitimate cloud functionality to create a covert, scalable, and hard-to-detect communication channel. The attackers' primary goal appears to be covert intelligence gathering, focusing on sensitive government data related to trade disputes. They also use Google Drive and Dropbox for data exfiltration, blending in with normal network traffic. The attack chain involves DLL sideloading, persistence through a Windows service, and various payloads for file collection and exfiltration.
Tags
Date
- Created: July 14, 2025, 2:05 p.m.
- Published: July 14, 2025, 2:05 p.m.
- Modified: July 15, 2025, 9:51 a.m.
Indicators
- f0c9481513156b0cdd216d6dfb53772839438a2215d9c5b895445f418b64b886
- d961aca6c2899cc1495c0e64a29b85aa226f40cf9d42dadc291c4f601d6e27c3
- d20b536c88ecd326f79d7a9180f41a2e47a40fcf2cc6a2b02d68a081c89eaeaa
- 4931df8650521cfd686782919bda0f376475f9fc5f1fee9d7cf3a4e0d9c73e30
- 3255798db8936b5b3ae9fed6292413ce20da48131b27394c844ecec186a1e92f
- 304c615f4a8c2c2b36478b693db767d41be998032252c8159cc22c18a65ab498
- 279e60e77207444c7ec7421e811048267971b0db42f4b4d3e975c7d0af7f511e
Additional Information
- Government