2025-07-16

State-sponsored threat cluster CL-STA-1020 has launched attacks with the novel HazyBeacon Windows backdoor against government agencies across Southeast Asia, a region increasingly targeted in cyberespionage operations, according to The Hacker News. The threat actors used a malicious version of "mscorsvc.dll" together with the legitimate Windows executable "mscorsvw.exe" to deploy a binary; the DLL then connects to an attacker-controlled URL to execute arbitrary commands and payloads, according to a report from Palo Alto Networks Unit 42 researchers. Further analysis showed that HazyBeacon abuses Amazon Web Services Lambda URLs for command-and-control, hiding its traffic among legitimate cloud activity, and uses Google Drive and Dropbox for covert data exfiltration. The findings underscore how advanced persistent threat operations increasingly abuse legitimate, trusted platforms in their attacks. "The threat actors used HazyBeacon as the main tool for maintaining a foothold and collecting sensitive information from the affected governmental entities. This campaign highlights how attackers continue to find new ways to abuse legitimate, trusted cloud services," said researcher Lior Rochberger.
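As an added defensive example (not from the Unit 42 report or The Hacker News article), the following Python script flags outbound-connection events that match the tradecraft described above: connections from mscorsvw.exe, destinations on AWS Lambda function URLs, and Google Drive or Dropbox API hosts reached from processes outside a small allowlist. The JSON event shape, the allowlist and the sample events are constructed assumptions for this illustration.

```python
import json
import re
from typing import Dict, Iterable, List

# AWS Lambda function URLs take the documented form
# <id>.lambda-url.<region>.on.aws; HazyBeacon used such URLs for C2.
LAMBDA_URL_RE = re.compile(r"\.lambda-url\.[a-z0-9-]+\.on\.aws$", re.IGNORECASE)
# API hosts for the two storage services the brief names as exfiltration channels.
EXFIL_HOSTS = {
    "drive.google.com", "www.googleapis.com",        # Google Drive
    "api.dropboxapi.com", "content.dropboxapi.com",   # Dropbox
}
# Processes expected to talk to those services (assumed allowlist, tune per fleet).
ALLOWED_CLOUD_CLIENTS = {"chrome.exe", "msedge.exe", "dropbox.exe"}
# mscorsvw.exe is the .NET native-image service; the brief reports it being
# used to run the malicious DLL. Treating any outbound connection from it as
# suspicious is a heuristic assumed here, not a rule from the report.
SUSPECT_PROCESS = "mscorsvw.exe"


def classify(event: Dict[str, str]) -> List[str]:
    """Return the reasons an outbound-connection event looks suspicious (empty if none)."""
    reasons = []
    proc = event.get("image", "").rsplit("\\", 1)[-1].lower()
    host = event.get("dest_host", "").lower()
    if LAMBDA_URL_RE.search(host):
        reasons.append("c2-lambda-url")
    if host in EXFIL_HOSTS and proc not in ALLOWED_CLOUD_CLIENTS:
        reasons.append("cloud-storage-from-unexpected-process")
    if proc == SUSPECT_PROCESS:
        reasons.append("network-from-mscorsvw")
    return reasons


def scan(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Parse one JSON event per line and return only the flagged events."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        event = json.loads(line)
        reasons = classify(event)
        if reasons:
            hits.append({"image": event["image"], "dest_host": event["dest_host"], "reasons": reasons})
    return hits


# Constructed sample events (not real telemetry), one JSON object per line.
SAMPLE_EVENTS = r"""
{"image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\mscorsvw.exe", "dest_host": "abc123.lambda-url.us-east-1.on.aws"}
{"image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\mscorsvw.exe", "dest_host": "content.dropboxapi.com"}
{"image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "dest_host": "drive.google.com"}
{"image": "C:\\Windows\\System32\\svchost.exe", "dest_host": "update.microsoft.com"}
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS.splitlines()):
        print(hit)
```

Running it prints the two mscorsvw.exe events; the browser reaching Google Drive and svchost.exe reaching a Microsoft host are left alone.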
