Now, another major cybersecurity threat is surfacing. Unlike other syndicates carrying out digital extortion, Purver is taking aim at AWS customers by prioritizing the compromise of Identity and Access Management (IAM) credentials. The objective of the campaign is large-scale, unauthorized crypto mining. AWS’s GuardDuty managed threat detection service was the first to detect this malicious activity, on November 2, 2025; its automated security monitoring is what allows such threats to be detected quickly.
The attackers’ methods show persistence techniques that have not previously been observed in crypto mining campaigns. They have achieved a surprisingly high level of sophistication by deploying hundreds of Elastic Container Service (ECS) clusters, reaching deep into every impacted environment. In all cases, the attackers targeted more than 50 ECS clusters at once, grossly increasing the resource-usage impact.
Exploiting AWS Infrastructure
The attackers go after high-performance GPU instances, and specifically ML-enhanced instances, as well as the compute-, memory- and general-purpose instance families AWS provides. They use autoscaling groups that can expand from 20 to 999 instances, with the initial goal of maximizing utilization of EC2 service quotas. This lets them inflate resource use and costs by a factor of 10 or even 100.
Operating from an external hosting provider, the threat actor quickly enumerated resources and permissions, and shortly afterward deployed crypto mining workloads across ECS and EC2. This quick pace of deployment allows the attackers to set up their infrastructure early and gain a long-term foothold within the compromised environments.
“Operating from an external hosting provider, the threat actor quickly enumerated resources and permissions before deploying crypto mining resources across ECS and EC2,” – Amazon
In this campaign, the attackers also create a Lambda function that anyone can invoke. A publicly invocable function sitting outside the account’s normal permission boundaries further complicates detection and mitigation, and strengthens their control over the hijacked accounts. This lets them keep operating despite security precautions taken by affected users.
Persistence Techniques
Perhaps the most troubling part of this campaign is its never-before-seen persistence tactics. The threat actor establishes persistence with the IAM user “user-x1x2x3x4”, which has an AWS managed policy attached. This backdoor user lets the attackers keep access even after other stolen credentials are changed or revoked.
Attackers granted the “ModifyInstanceAttribute” action can commandeer other users’ instances. From there they exfiltrate instance role credentials and take control of the entire AWS account. With this level of access they can run crypto mining around the clock, while also jeopardizing the integrity and security of customer data residing within these environments.
“The threat actor’s scripted use of multiple compute services, in combination with emerging persistence techniques, represents a significant advancement in crypto mining attack methodologies,” – Amazon
Challenges in Mitigation
The sophistication of this attack creates many challenges for incident response teams working to move from response to mitigation. Instance termination protection enabled by AWS customers can interfere with incident response and hamper automated remediation controls: although the feature is meant to protect important instances from accidental deletion, it can make it hard to quickly terminate a compromised resource.
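The persistence techniques described above (a backdoor IAM user with an AWS managed policy, a publicly invocable Lambda function, and instance attributes such as termination protection changed via ModifyInstanceAttribute) all leave CloudTrail records. The following detection logic is an added example, not code from the article or from Amazon; the events are constructed samples, and the AdministratorAccess policy ARN and instance ID are assumed values used only for illustration.

```python
import json

# Constructed CloudTrail-style records (sample data, not events from Amazon's report).
SAMPLE_EVENTS = [
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "requestParameters": {"userName": "user-x1x2x3x4"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy",
     "requestParameters": {"userName": "user-x1x2x3x4",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventSource": "lambda.amazonaws.com", "eventName": "AddPermission",
     "requestParameters": {"functionName": "helper-fn", "principal": "*",
                           "action": "lambda:InvokeFunction", "statementId": "public"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "ModifyInstanceAttribute",
     "requestParameters": {"instanceId": "i-0123456789abcdef0",
                           "disableApiTermination": {"value": True}}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "requestParameters": {}},  # benign read-only call, must not be flagged
]

AWS_MANAGED_PREFIX = "arn:aws:iam::aws:policy/"
# ModifyInstanceAttribute sub-attributes tied to the techniques on this page:
# user data (credential theft via instance metadata) and termination protection.
RISKY_INSTANCE_ATTRS = ("userData", "disableApiTermination")


def flag_persistence_events(events):
    """Return one finding per CloudTrail event matching a persistence pattern."""
    findings = []
    for ev in events:
        name = ev.get("eventName")
        params = ev.get("requestParameters") or {}
        if name == "CreateUser":
            findings.append({"rule": "iam-user-created", "detail": params.get("userName")})
        elif name == "AttachUserPolicy" and str(params.get("policyArn", "")).startswith(AWS_MANAGED_PREFIX):
            findings.append({"rule": "aws-managed-policy-attached-to-user",
                             "detail": f"{params.get('userName')} <- {params['policyArn']}"})
        elif name == "AddPermission" and ev.get("eventSource") == "lambda.amazonaws.com":
            # Resource policy granting invoke rights to everyone.
            if params.get("principal") in ("*", {"AWS": "*"}):
                findings.append({"rule": "lambda-public-invoke", "detail": params.get("functionName")})
        elif name == "ModifyInstanceAttribute":
            touched = [a for a in RISKY_INSTANCE_ATTRS if a in params]
            if touched:
                findings.append({"rule": "instance-attribute-modified",
                                 "detail": f"{params.get('instanceId')}: {', '.join(touched)}"})
    return findings


if __name__ == "__main__":
    print(json.dumps(flag_persistence_events(SAMPLE_EVENTS), indent=2))
```

Each rule corresponds to an event a responder would want to alert on before a compromised account is used for mining; run it over exported CloudTrail JSON records rather than the constructed sample to use it for real.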
As attacks grow in speed and complexity, organizations must stay one step ahead and be better prepared to protect their data and users. In addition to monitoring IAM credentials, regular monitoring of resource permissions is key to detecting unusual activity as early as possible.
“Instance termination protection can impair incident response capabilities and disrupt automated remediation controls,” – Amazon