Amazon Web Services (AWS) has identified an ongoing cryptocurrency mining campaign using compromised IAM credentials to target Amazon Elastic Container Service (Amazon ECS) and Amazon Elastic Compute Cloud (Amazon EC2). GuardDuty Extended Threat Detection uncovered the operation, which began on November 2, 2025. The campaign employed a novel persistence technique designed to disrupt incident response and extend mining operations.
The threat actor called ModifyInstanceAttribute with the disableApiTermination attribute set to true, forcing victims to re-enable API termination before they can delete the impacted resources. This technique adds an extra step for incident responders and can disrupt automated remediation controls that terminate instances directly.
To protect against similar crypto mining attacks, AWS customers should prioritize strong identity and access management controls: use temporary credentials instead of long-term access keys, enforce multi-factor authentication (MFA) for all users, and apply least privilege to IAM principals, limiting access to only the permissions they require.
Confirm GuardDuty is enabled across all accounts and Regions with Runtime Monitoring enabled for comprehensive coverage. Integrate GuardDuty with AWS Security Hub and Amazon EventBridge or third-party tooling to enable automated response workflows and rapid remediation of high-severity findings. Establish specific incident response procedures for crypto mining attacks, including documented steps to handle instances with disabled API termination.
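The persistence technique and the incident response step described above can be turned into a concrete detection and runbook. The following is an added example, not code from AWS or the original post: it scans a CloudTrail export for ModifyInstanceAttribute calls that set disableApiTermination to true and emits the remediation order a responder needs (clear termination protection first, then terminate). The CloudTrail records, account ID, ARNs and instance IDs are constructed sample data.

```python
import json
from typing import Any, Dict, List

# Constructed sample CloudTrail export: one call that enables termination
# protection and one ModifyInstanceAttribute call that only changes the type.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"eventTime": "2025-11-02T10:15:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "ModifyInstanceAttribute", "sourceIPAddress": "198.51.100.10",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::111122223333:user/example-user"},
     "requestParameters": {"instanceId": "i-0123456789abcdef0",
                           "disableApiTermination": {"value": True}}},
    {"eventTime": "2025-11-02T10:20:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "ModifyInstanceAttribute", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::111122223333:user/ops-admin"},
     "requestParameters": {"instanceId": "i-0fedcba9876543210",
                           "instanceType": {"value": "t3.large"}}},
]})


def find_termination_protection_changes(cloudtrail_json: str) -> List[Dict[str, Any]]:
    """One finding per ModifyInstanceAttribute call that set disableApiTermination
    to true; principal and source IP are kept for the credential-compromise timeline."""
    findings = []
    for rec in json.loads(cloudtrail_json).get("Records", []):
        if rec.get("eventSource") != "ec2.amazonaws.com":
            continue
        if rec.get("eventName") != "ModifyInstanceAttribute":
            continue
        attr = (rec.get("requestParameters") or {}).get("disableApiTermination")
        # CloudTrail records the attribute as {"value": true}; tolerate "true" strings.
        if not isinstance(attr, dict) or attr.get("value") not in (True, "true"):
            continue
        findings.append({
            "time": rec.get("eventTime"),
            "instance_id": rec["requestParameters"].get("instanceId"),
            "principal": (rec.get("userIdentity") or {}).get("arn"),
            "source_ip": rec.get("sourceIPAddress"),
        })
    return findings


def remediation_steps(finding: Dict[str, Any]) -> List[str]:
    """Runbook order: TerminateInstances fails while termination protection is on,
    so the attribute must be cleared before the instance is terminated."""
    iid = finding["instance_id"]
    return [
        f"aws ec2 modify-instance-attribute --instance-id {iid} --no-disable-api-termination",
        f"aws ec2 terminate-instances --instance-ids {iid}",
    ]
```

The same check can be wired to an EventBridge rule on ModifyInstanceAttribute events so that unexpected termination-protection changes raise an alert as they happen rather than in a later log review.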
AWS is sharing relevant findings and mitigation guidance to help customers take appropriate action on this ongoing campaign. Organizations can use AWS CloudTrail to record API activity across AWS services and aggregate those logs into a single account so that security teams can access and monitor them in one place.
Source: https://aws.amazon.com/blogs/security/cryptomining-campaign-targeting-amazon-ec2-and-amazon-ecs