An ongoing campaign has been observed targeting Amazon Web Services (AWS) customers using compromised Identity and Access Management (IAM) credentials to enable cryptocurrency mining.
The activity was first detected by Amazon’s managed threat detection service GuardDuty and its automated security monitoring systems on November 2, 2025, and employs never-before-seen persistence techniques to disrupt incident response and continue unimpeded, according to a new report shared by the tech giant ahead of publication.
“The attacker, operating from an external hosting provider, quickly enumerated resources and permissions before deploying cryptocurrency mining resources across ECS and EC2,” Amazon said. “The cryptocurrency miner was up and running within 10 minutes of the threat actor gaining initial access.”
The multi-stage attack chain begins with an unknown attacker using compromised IAM user credentials that carry administrator-like privileges to run a discovery phase: probing the EC2 service quota environment and testing privileges by calling the RunInstances API with the “DryRun” flag set.
Setting the “DryRun” flag is deliberate and significant, as it lets an attacker verify IAM permissions without actually launching an instance, which avoids extra cost and minimizes the forensic footprint. The goal of this step is to determine whether the target infrastructure is suitable for deploying the miner.
The infection progresses to the next stage, where the threat actor calls CreateServiceLinkedRole and CreateRole to create an autoscaling group and an IAM role for AWS Lambda, respectively. When the role is created, the “AWSLambdaBasicExecutionRole” policy is attached to the Lambda role.
In observed activity to date, threat actors are said to have created dozens of ECS clusters across environments, and in some cases more than 50 ECS clusters in a single attack.
“They then used the malicious DockerHub image yenik65958/secret:user to call RegisterTaskDefinition,” Amazon said. “Using the same strings used to create the cluster, the attacker used the task definition to create a service and begin crypto mining on the ECS Fargate nodes.”
The DockerHub image, which has since been removed, was configured to run a shell script and begin cryptocurrency mining using the RandomVIREL mining algorithm as soon as it was deployed. Additionally, threat actors have been observed creating autoscaling groups configured to scale from 20 to 999 instances in order to exploit EC2 service quotas and maximize resource consumption.
EC2 activities target both high-performance GPU and machine learning instances as well as compute, memory, and general-purpose instances.

What makes this campaign stand out is the use of the ModifyInstanceAttribute action with the ‘disableApiTermination’ parameter set to ‘True’. This prevents the instance from being terminated via the Amazon EC2 console, command line interface, or API, so victims must re-enable API termination before they can delete the affected resource.
“Instance termination protection can impair incident response capabilities and disrupt automated remediation controls,” Amazon said. “This methodology demonstrates an understanding of common security response procedures and the intent to maximize the duration of mining operations.”
This is not the first time security risks associated with ModifyInstanceAttribute have been revealed. In April 2024, security researcher Harsha Koushik demonstrated a proof of concept (PoC) detailing how this action could be exploited to take over an instance, steal instance role credentials, and even seize control of an entire AWS account.
Additionally, this attack involves creating a Lambda function that can be invoked by any principal, as well as an IAM user “user-x1x2x3x4” with the AWS managed policy “AmazonSESFullAccess” attached, giving the attacker full access to Amazon Simple Email Service (SES) that could be used to conduct phishing attacks.
To protect yourself from this threat, Amazon recommends that AWS customers follow these steps:
- Apply strong identity and access management controls
- Implement temporary credentials instead of long-term access keys
- Use multi-factor authentication (MFA) for all users
- Apply the principle of least privilege (PoLP) to IAM principals to restrict access
- Add container security controls to scan for suspicious images
- Monitor abnormal CPU allocation requests in ECS task definitions
- Log events across AWS services using AWS CloudTrail
- Verify that AWS GuardDuty is enabled to facilitate automated response workflows
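As an added illustration of the CloudTrail monitoring recommended above (this is example code, not Amazon's own detection logic), the following flags the API calls the report describes: a DryRun RunInstances probe, ModifyInstanceAttribute enabling termination protection, a task definition using the named image or an unusually large CPU reservation, an oversized autoscaling group, and AmazonSESFullAccess being attached. The sample records are constructed, the field layout follows CloudTrail's requestParameters format as I know it, and the CPU and group-size thresholds are assumptions to tune per environment.

```python
# Constructed sample CloudTrail records (not taken from the report); field
# names follow CloudTrail's requestParameters layout as I know it.
SAMPLE_EVENTS = [
    {"eventName": "RunInstances", "errorCode": "Client.DryRunOperation",
     "requestParameters": {"dryRun": True}},
    {"eventName": "ModifyInstanceAttribute",
     "requestParameters": {"instanceId": "i-0123456789abcdef0",
                           "disableApiTermination": {"value": True}}},
    {"eventName": "RegisterTaskDefinition",
     "requestParameters": {"cpu": "4096",
                           "containerDefinitions": [{"image": "yenik65958/secret:user"}]}},
    {"eventName": "CreateAutoScalingGroup",
     "requestParameters": {"minSize": 20, "maxSize": 999}},
    {"eventName": "AttachUserPolicy",
     "requestParameters": {"userName": "user-x1x2x3x4",
                           "policyArn": "arn:aws:iam::aws:policy/AmazonSESFullAccess"}},
    {"eventName": "DescribeInstances", "requestParameters": {}},  # benign control
]

KNOWN_BAD_IMAGES = {"yenik65958/secret:user"}   # the image named in the report
MAX_TASK_CPU_UNITS = 2048                       # assumed threshold (ECS CPU units)
MAX_ASG_SIZE = 100                              # assumed threshold

def flag_event(ev):
    """Return the detection labels that apply to one CloudTrail record."""
    name = ev.get("eventName")
    p = ev.get("requestParameters") or {}
    hits = []
    if name == "RunInstances" and (p.get("dryRun") or ev.get("errorCode") == "Client.DryRunOperation"):
        hits.append("ec2-dryrun-permission-probe")
    if name == "ModifyInstanceAttribute" and (p.get("disableApiTermination") or {}).get("value") is True:
        hits.append("termination-protection-enabled")
    if name == "RegisterTaskDefinition":
        images = {c.get("image") for c in (p.get("containerDefinitions") or [])}
        if images & KNOWN_BAD_IMAGES:
            hits.append("known-miner-image")
        if int(p.get("cpu") or 0) > MAX_TASK_CPU_UNITS:
            hits.append("abnormal-task-cpu")
    if name == "CreateAutoScalingGroup" and int(p.get("maxSize") or 0) > MAX_ASG_SIZE:
        hits.append("oversized-autoscaling-group")
    if name in ("AttachUserPolicy", "AttachRolePolicy") and str(p.get("policyArn", "")).endswith("/AmazonSESFullAccess"):
        hits.append("ses-full-access-granted")
    return hits

def scan(events):
    """Return (eventName, labels) for every record that triggered at least one label."""
    return [(ev.get("eventName"), h) for ev in events if (h := flag_event(ev))]

if __name__ == "__main__":
    for name, labels in scan(SAMPLE_EVENTS):
        print(f"{name}: {', '.join(labels)}")
```

A flagged ModifyInstanceAttribute record also tells responders which instance needs termination protection cleared (the same attribute set back to false) before a termination call will succeed, which is the response step the report says the attacker is trying to delay.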
“Threat actors’ use of multiple scripted computing services, combined with new persistence techniques, represents a significant advancement in cryptocurrency mining attack techniques.”