{"id":7448,"date":"2025-10-06T10:03:27","date_gmt":"2025-10-06T10:03:27","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/10\/06\/hackers-weaponize-aws-x-ray-service-to-work-as-covert-command-control-server\/"},"modified":"2025-10-06T10:03:27","modified_gmt":"2025-10-06T10:03:27","slug":"hackers-weaponize-aws-x-ray-service-to-work-as-covert-command-control-server","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/10\/06\/hackers-weaponize-aws-x-ray-service-to-work-as-covert-command-control-server\/","title":{"rendered":"Hackers Weaponize AWS X-Ray Service to Work as Covert Command & Control Server"},"content":{"rendered":"\n
Hackers Weaponize AWS X-Ray Service to Work as Covert Command & Control Server<\/div>\n

\t

\n
<\/BR>
\n
\n \t

\n
<\/BR><\/p>\n

\n

A sophisticated technique uncovered where threat actors abuse Amazon Web Services<\/a>\u2018 X-Ray distributed tracing service to establish covert command and control (C2) communications, demonstrating how legitimate cloud infrastructure can be weaponized for malicious purposes.<\/p>\n

AWS X-Ray, designed to help developers analyze application performance through distributed tracing, has been repurposed by red team<\/a> researchers into a steganographic communication channel called XRayC2.\u00a0<\/p>\n

This technique leverages X-Ray\u2019s annotation system, which allows arbitrary key-value data storage, to transmit commands and exfiltrate data through legitimate AWS API calls to xray.[region].amazonaws.com endpoints.<\/p>\n

Weaponizing AWS X-Ray for Covert Command and Control<\/strong><\/h2>\n

According to Dhiraj, the attack methodology exploits X-Ray\u2019s trace segments functionality, where malicious payloads are embedded within seemingly benign monitoring data.\u00a0<\/p>\n

Attackers utilize the service\u2019s PutTraceSegments, GetTraceSummaries, and BatchGetTraces API endpoints to establish bidirectional communication channels that blend seamlessly with legitimate cloud traffic.<\/p>\n

The implant establishes presence through beacon markers containing system information encoded in trace annotations, including service type identifiers like \u201chealth_check\u201d and unique instance identifiers.\u00a0<\/p>\n

\n
\"Command
Command Delivery (Controller \u2192 Implant)<\/figcaption><\/figure>\n<\/div>\n

Command delivery occurs through base64-encoded payloads stored in configuration annotations, while result exfiltration leverages execution_result fields within trace data structures.<\/p>\n

This technique demonstrates<\/a> sophisticated evasion capabilities by implementing custom AWS Signature Version 4 (SigV4) authentication, creating legitimate AWS API traffic that integrates naturally with standard network logs.\u00a0<\/p>\n

The malicious communication employs randomized beacon intervals between 30 and 60 seconds and utilizes HMAC-SHA256 signing with access keys, following Amazon\u2019s canonical request format.<\/p>\n

\n
\"Result
Result Exfiltration (Implant \u2192 Controller)<\/figcaption><\/figure>\n<\/div>\n

The XRayC2 toolkit requires minimal AWS permissions, utilizing the AWSXRayDaemonWriteAccess policy alongside custom permissions for trace manipulation.\u00a0<\/p>\n

This approach significantly reduces the attack surface compared to traditional C2 infrastructure<\/a> while maintaining persistent access through cloud-native services.<\/p>\n

Detection of this technique presents challenges for security teams, as the malicious traffic appears as standard application performance monitoring activities.\u00a0<\/p>\n

Organizations should implement enhanced monitoring of X-Ray API usage patterns, establish baseline metrics for trace annotation data volumes, and scrutinize unusual service interactions within their AWS environments to identify potential abuse of legitimate cloud services<\/a> for covert communications.<\/p>\n

Follow us on Google News<\/a>, LinkedIn<\/a>, and X<\/a> for daily cybersecurity updates. Contact us<\/a> to feature your stories.<\/strong><\/p>\n

The post Hackers Weaponize AWS X-Ray Service to Work as Covert Command & Control Server<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n

\t

\n
<\/BR>
\n Florence Nightingale
\n \t

\n
<\/BR>
\nGo to cyber-security-news<\/a>
\n \t

\n
<\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"

Hackers Weaponize AWS X-Ray Service to Work as Covert Command & Control Server A sophisticated technique uncovered where threat actors abuse Amazon Web Services\u2018 X-Ray distributed tracing service to establish covert command and control (C2) communications, demonstrating how legitimate cloud infrastructure can be weaponized for malicious purposes. AWS X-Ray, designed to help developers analyze application […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63],"tags":[130],"class_list":["post-7448","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/7448"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=7448"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/7448\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=7448"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=7448"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=7448"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}