Covert Espionage: State-Backed Actors Deploy HazyBeacon in SEA Campaign

𝗣𝗮𝗹𝗼 𝗔𝗹𝘁𝗼 𝗡𝗲𝘁𝘄𝗼𝗿𝗸𝘀’ 𝗨𝗻𝗶𝘁 𝟰𝟮 has uncovered a new state-backed cyber espionage campaign dubbed CL-STA-1020, actively 𝘵𝘢𝘳𝘨𝘦𝘵𝘪𝘯𝘨 𝘨𝘰𝘷𝘦𝘳𝘯𝘮𝘦𝘯𝘵𝘢𝘭 𝘣𝘰𝘥𝘪𝘦𝘴 in Southeast Asia. Central to this operation is a newly identified Windows backdoor named 𝗛𝗮𝘇𝘆𝗕𝗲𝗮𝗰𝗼𝗻, believed to be leveraged by a state-aligned threat group with strong geopolitical motives.

This campaign primarily seeks intelligence related to tariff policies, trade negotiations, and regulatory decisions—key levers in the Southeast Asian region’s strategic importance in U.S.–China dynamics. The operation underlines the growing trend of leveraging legitimate cloud infrastructure to conduct stealthy cyber intrusions.

🔍 𝗧𝗧𝗣𝘀: 𝗧𝗿𝗮𝗱𝗲𝗰𝗿𝗮𝗳𝘁 & 𝗧𝗲𝗰𝗵𝗻𝗶𝗰𝗮𝗹 𝗜𝗻𝘀𝗶𝗴𝗵𝘁𝘀

While the initial access vector remains unconfirmed, telemetry suggests that HazyBeacon is delivered via DLL side-loading:

  • 🧪 Malicious mscorsvc.dll dropped alongside legitimate mscorsvw.exe

  • 🟢 Executed to initiate the HazyBeacon infection chain

  • 🖥️ Persistence via service registration (autostarts with reboot)

Once active, HazyBeacon establishes outbound C2 over AWS Lambda URLs, allowing:

  • 🔄 Encrypted command execution via *.lambda-url.*.amazonaws.com

  • 📦 Download of additional payloads, including a file collector module

  • 🗃️ Harvesting of sensitive file types (e.g., .doc, .xls, .pdf) modified within a specific time frame

  • ☁️ Exfiltration attempts via Dropbox and Google Drive

  • 🧹 Cleanup stage to remove artifacts and cover tracks

This technique of abusing cloud-native functions is an evolving tactic in modern APT operations—known as living-off-trusted-services (LOTS).

🌐 𝗢𝗽𝗲𝗿𝗮𝘁𝗶𝗼𝗻𝗮𝗹 𝗜𝗺𝗽𝗮𝗰𝘁

The HazyBeacon campaign 𝗽𝗿𝗶𝗺𝗮𝗿𝗶𝗹𝘆 𝘁𝗮𝗿𝗴𝗲𝘁𝘀 𝗴𝗼𝘃𝗲𝗿𝗻𝗺𝗲𝗻𝘁 𝗺𝗶𝗻𝗶𝘀𝘁𝗿𝗶𝗲𝘀, 𝘁𝗿𝗮𝗱𝗲 𝗱𝗲𝗽𝗮𝗿𝘁𝗺𝗲𝗻𝘁𝘀, and 𝗽𝗼𝗹𝗶𝗰𝘆-𝗺𝗮𝗸𝗶𝗻𝗴 𝗯𝗼𝗱𝗶𝗲𝘀 across Southeast Asia, suggesting a clear intent 𝘁𝗼 𝗴𝗮𝘁𝗵𝗲𝗿 𝗶𝗻𝘁𝗲𝗹𝗹𝗶𝗴𝗲𝗻𝗰𝗲 𝘁𝗶𝗲𝗱 𝘁𝗼 𝗿𝗲𝗴𝗶𝗼𝗻𝗮𝗹 𝗴𝗼𝘃𝗲𝗿𝗻𝗮𝗻𝗰𝗲 𝗮𝗻𝗱 𝗲𝗰𝗼𝗻𝗼𝗺𝗶𝗰 𝘀𝘁𝗿𝗮𝘁𝗲𝗴𝘆. Exfiltrated data is believed to 𝘪𝘯𝘤𝘭𝘶𝘥𝘦 𝘴𝘦𝘯𝘴𝘪𝘵𝘪𝘷𝘦 𝘮𝘢𝘵𝘦𝘳𝘪𝘢𝘭𝘴 such as unpublished tariff documents, internal policy briefs, and strategic negotiation content. By leveraging legitimate services like AWS Lambda, Dropbox, and Google Drive for command-and-control and data exfiltration, the attackers successfully 𝗯𝘆𝗽𝗮𝘀𝘀 𝗰𝗼𝗻𝘃𝗲𝗻𝘁𝗶𝗼𝗻𝗮𝗹 𝗻𝗲𝘁𝘄𝗼𝗿𝗸 𝗱𝗲𝗳𝗲𝗻𝘀𝗲𝘀, making detection and attribution more difficult. This operation underscores a broader intelligence-gathering agenda likely linked to state interests, particularly those navigating the geopolitical complexities of U.S.–China influence, regional trade alignments, and defense modernization efforts.

🔎 𝗗𝗲𝘁𝗲𝗰𝘁𝗶𝗼𝗻 𝗥𝗲𝗰𝗼𝗺𝗺𝗲𝗻𝗱𝗮𝘁𝗶𝗼𝗻𝘀:

  • Monitor outbound traffic to AWS Lambda endpoints (*.lambda-url.*.amazonaws.com) for unusual or nonstandard use cases

  • Deploy behavior-based detection to flag DLL side-loading activity and abnormal service creation

  • Analyze parent-child process relationships for mscorsvw.exe

⚙️ 𝗗𝗲𝗳𝗲𝗻𝘀𝗶𝘃𝗲 𝗔𝗰𝘁𝗶𝗼𝗻𝘀:

  • Block unauthorized use of cloud storage services (Dropbox, Google Drive) at perimeter

  • Use cloud traffic inspection tools capable of decrypting and logging cloud API usage

  • Implement endpoint controls to restrict DLL loading from user-writable directories

🧩 𝗖𝗼𝗻𝗰𝗹𝘂𝘀𝗶𝗼𝗻

The HazyBeacon malware campaign 𝗲𝘅𝗲𝗺𝗽𝗹𝗶𝗳𝗶𝗲𝘀 𝘁𝗵𝗲 𝘀𝗼𝗽𝗵𝗶𝘀𝘁𝗶𝗰𝗮𝘁𝗶𝗼𝗻 𝗼𝗳 𝗺𝗼𝗱𝗲𝗿𝗻 𝗰𝘆𝗯𝗲𝗿 𝗲𝘀𝗽𝗶𝗼𝗻𝗮𝗴𝗲—where trusted platforms are co-opted to hide state-sponsored operations in plain sight. For defenders, traditional IOCs are no longer enough. The emphasis must shift to context-aware baselining, cloud telemetry visibility, and adaptive controls that detect when familiar tools are used for unfamiliar purposes.

Resources: https://thehackernews.com/2025/07/state-backed-hazybeacon-malware-uses.html

https://unit42.paloaltonetworks.com/windows-backdoor-for-novel-c2-communication/ https://www.scworld.com/brief/southeast-asia-targeted-by-new-state-sponsored-hazybeacon-malware https://cisoseries.com/cybersecurity-news-chinese-engineers-at-pentagon-hazybeacon-malware-mitre-framework-aadapt/