CL-STA-1020 targets Southeast Asian government networks, employing AWS Lambda Function URLs configured with AuthType: NONE for stealthy command-and-control communication. The actor has been observed collecting sensitive information from governmental entities, including data on tariffs and trade disputes. An investigation revealed a new Windows backdoor named HazyBeacon, which utilizes this novel C2 technique. This activity cluster has demonstrated significant efforts to remain undetected while executing its operations.
There are currently no families associated with this actor.
| 2026-06-02 ⋅ Qualys ⋅ The HazyBeacon Protocol – How Malware Weaponizes Amazon Web Services (AWS) Lambda Function URLs ⋅ CL-STA-1020 |
| 2025-07-14 ⋅ Palo Alto Networks Unit 42 ⋅ Behind the Clouds: Attackers Targeting Governments in Southeast Asia Implement Novel Covert C2 Communication ⋅ CL-STA-1020 |