{
	"id": "455b0406-4119-4dfd-bbdf-20319c2751f8",
	"created_at": "2026-04-06T00:18:11.313429Z",
	"updated_at": "2026-04-10T03:21:26.935735Z",
	"deleted_at": null,
	"sha1_hash": "f708a5787cc8c02a0253d962b5fe11ff9066b19d",
	"title": "First Malware Targeting AWS Lambda Serverless Platform Discovered",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 224102,
	"plain_text": "First Malware Targeting AWS Lambda Serverless Platform\r\nDiscovered\r\nBy The Hacker News\r\nPublished: 2022-04-07 · Archived: 2026-04-05 18:22:51 UTC\r\nA first-of-its-kind malware targeting Amazon Web Services' (AWS) Lambda serverless computing platform has\r\nbeen discovered in the wild.\r\nDubbed \"Denonia\" after the name of the domain it communicates with, \"the malware uses newer address\r\nresolution techniques for command and control traffic to evade typical detection measures and virtual network\r\naccess controls,\" Cado Labs researcher Matt Muir said.\r\nThe artifact analyzed by the cybersecurity company was uploaded to the VirusTotal database on February 25,\r\n2022, sporting the name \"python\" and packaged as a 64-bit ELF executable.\r\nHowever, the filename is a misnomer, as Denonia is programmed in Go and harbors a customized variant of the\r\nXMRig cryptocurrency mining software. That said, the mode of initial access is unknown, although it's suspected\r\nit may have involved the compromise of AWS Access and Secret Keys.\r\nAnother notable feature of the malware is its use of DNS over HTTPS (DoH) for communicating with its\r\ncommand-and-control server (\"gw.denonia[.]xyz\") by concealing the traffic within encrypted DNS queries.\r\nIn a statement shared with The Hacker News, Amazon stressed that \"Lambda is secure by default, and AWS\r\ncontinues to operate as designed,\" and that users violating its acceptable use policy (AUP) will be prohibited from\r\nusing its services.\r\nWhile Denonia has been clearly designed to target AWS Lambda since it checks for Lambda environment\r\nvariables prior to its execution, Cado Labs also found that it can be run outside of it in a standard Linux server\r\nenvironment.\r\n\"The software described by the researcher does not exploit any weakness in Lambda or any other AWS service,\"\r\nthe company said. \"Since the software relies entirely on fraudulently obtained account credentials, it is a distortion\r\nof facts to even refer to it as malware because it lacks the ability to gain unauthorized access to any system by\r\nitself.\"\r\nHowever, \"python\" isn't the only sample of Denonia unearthed so far, what with Cado Labs finding a second\r\nsample (named \"bc50541af8fe6239f0faa7c57a44d119.virus\") that was uploaded to VirusTotal on January 3, 2022.\r\n\"Although this first sample is fairly innocuous in that it only runs crypto-mining software, it demonstrates how\r\nattackers are using advanced cloud-specific knowledge to exploit complex cloud infrastructure, and is indicative\r\nof potential future, more nefarious attacks,\" Muir said.\r\nSource: https://thehackernews.com/2022/04/first-malware-targeting-aws-lambda.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://thehackernews.com/2022/04/first-malware-targeting-aws-lambda.html"
	],
	"report_names": [
		"first-malware-targeting-aws-lambda.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434691,
	"ts_updated_at": 1775791286,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f708a5787cc8c02a0253d962b5fe11ff9066b19d.pdf",
		"text": "https://archive.orkl.eu/f708a5787cc8c02a0253d962b5fe11ff9066b19d.txt",
		"img": "https://archive.orkl.eu/f708a5787cc8c02a0253d962b5fe11ff9066b19d.jpg"
	}
}