A coordinated cryptocurrency mining campaign has been detected targeting Amazon Web Services (AWS) customers by exploiting compromised Identity and Access Management (IAM) credentials. The attackers used these credentials to gain unauthorized access to Amazon Elastic Compute Cloud (EC2) and Elastic Container Service (ECS) environments, rapidly deploying crypto mining operations within minutes of initial access. Amazon GuardDuty and AWS's automated security monitoring systems identified the campaign, which began on November 2, 2025, and observed the use of novel persistence techniques designed to disrupt incident response and prolong mining activities. The attackers operated from external hosting providers, quickly enumerating service quotas and permissions before launching mining resources, and in some cases, created dozens of ECS clusters in a single attack.
The threat actors employed advanced tactics such as using the "DryRun" flag with the RunInstances API to validate permissions without launching instances, minimizing their forensic footprint. They also created new IAM roles and attached policies to facilitate the deployment and persistence of mining workloads. AWS emphasized that the campaign did not exploit vulnerabilities in AWS services themselves but relied on the misuse of valid credentials, underscoring the importance of strong credential management and monitoring. AWS has provided mitigation guidance and detection recommendations to help customers defend against similar attacks in the future.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
7 events from the most recent confirmed update back to the earliest known activity.
AWS published technical details of the campaign, describing the attackers' automation, persistence methods, and recommended incident response steps. The disclosure emphasized that the activity relied on stolen credentials, not flaws in AWS services.
The Docker Hub image yenik65958/secret used in the campaign was taken down after being identified as part of the operation. AWS warned that similar attacks could continue using different images or accounts.
Amazon GuardDuty, including Extended Threat Detection and Runtime Monitoring, identified the coordinated activity and enabled AWS to notify affected customers. AWS advised actions such as credential rotation, stronger IAM controls, MFA, least privilege, and monitoring for suspicious API usage.
Beyond mining, the attackers created Lambda functions and sought SES access, indicating efforts to establish broader malicious infrastructure and possible phishing capability inside compromised AWS accounts. This showed the campaign extended beyond simple resource hijacking for mining.
The campaign introduced a notable persistence technique by modifying EC2 instance attributes to disable API termination, making compromised instances harder for defenders to shut down. Reporting also described this as abuse of AWS termination protection to sustain ECS-related mining operations.
After gaining access, the attackers enumerated victim resources and quickly launched large-scale cryptomining infrastructure using both ECS and EC2, including Spot and On-Demand instances and auto-scaling configurations. They used the Docker Hub image yenik65958/secret, which contained the SBRMiner-MULTI cryptominer.
A coordinated campaign targeting AWS customers began on 2025-11-02, with attackers using compromised IAM credentials rather than exploiting AWS service vulnerabilities. The activity focused on Amazon EC2 and Amazon ECS environments.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
4 references tracked. Mallory keeps watching after this page renders.
securityonline.info
Open sourcebleepingcomputer.com
Open sourceaws.amazon.com
Open sourcethehackernews.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.