Quasa
Use QUASA App
Join the pioneer of Web3 crypto freelancing today!
Open
Security and protection

Denonia: A First Crypto-Mining Malware Targeting AWS Lambda

|Author: Viacheslav Vasipenok|4 min read| 1882
Denonia: A First Crypto-Mining Malware Targeting AWS Lambda

Hello!

Discovery of Denonia: First Crypto-Mining Malware Targeting AWS Lambda

Cado Security researchers have discovered a new type of malware designed for AWS Lambda environments. Named Denonia, it represents the first known malware specifically created to deploy cryptocurrency-mining software on AWS Lambda.

Denonia: A First Crypto-Mining Malware Targeting AWS LambdaCado Security researchers identified the Denonia malware during routine analysis of cloud environments. Although it has not yet spread widely, its existence demonstrates growing interest among threat actors in cryptocurrency mining.

Background: Cryptojacking in Cloud Environments

TeamTNT began targeting Kubernetes clusters in February 2026 by exploiting misconfigured Kubelets for cryptojacking—illegally using victims’ computing resources to mine cryptocurrencies such as Bitcoin, Ethereum, Monero and others.

Cybersecurity researcher Tom Olzak notes that threat actors engaged in cryptojacking now target not only laptops, desktops and servers but also gaming consoles, IoT devices, Android and iOS smartphones, and environmental monitoring systems inside data centers.

This is not the first time cryptocurrency-mining malware has been found targeting AWS Lambda. TeamTNT previously released Hildegard, a crypto-malware specifically built for Kubernetes clusters. Trend Micro has observed that cryptocurrency miners remain the most common type of threat on Linux systems.

Denonia: A First Crypto-Mining Malware Targeting AWS LambdaTrend Micro’s Linux Threat Report H1 2026 highlights that coinmining on Linux continues to attract cybercriminals because Linux powers a substantial share of cloud environments.

Why Linux and the Cloud Are Attractive Targets

Linux runs on 100 % of supercomputers, powers 50 % of websites worldwide, supports 96.3 % of the top one million web servers and handles 90 % of cloud workloads. AWS Linux remains the most popular distribution, used in 17.58 % of environments compared with Ubuntu’s 15.77 %.

The cloud theoretically offers virtually unlimited computing power, making it an appealing target for threat actors seeking to mine cryptocurrency. Attackers are now extending these efforts to AWS Lambda.

AWS Lambda: A High-Value, Serverless Platform

AWS Lambda supports a wide range of computing tasks, including code execution, web-page processing and API handling. Because the service is fully managed and automatically scalable, customers do not need to manage servers, operating systems, network layers or other infrastructure components.

Matt Muir, a security researcher at Cado Security, stated that the emergence of Denonia shows how attackers are applying advanced, cloud-specific knowledge to exploit complex cloud infrastructure, hinting at potentially more sophisticated attacks in the future.

Technical Details of the Denonia Malware

Denonia: A First Crypto-Mining Malware Targeting AWS LambdaDenonia is written in Go and includes a customized version of XMRig, one of the most widely used cryptocurrency miners. Muir highlighted the increasing popularity of Go among malware authors.

He explained that Go appeals to malware developers because it produces cross-platform executables and allows efficient deployment through statically linked binaries.

Olzak observes that static analysis, while fast, is often limited by reliance on known malware signatures. Muir added: “Statically linked binaries are often larger than dynamically linked equivalents, which makes static analysis slightly more laborious.”

“Go also handles strings differently from C-like languages. Strings are not null-terminated; instead they are stored in large blobs accompanied by a structure containing both a pointer and an integer that defines length. This can confuse static-analysis tools,” Muir noted.

TeamTNT employed a similar technique in Hildegard, encoding the malicious payload inside the binary to evade automated static analysis and increase stealth.

Denonia: A First Crypto-Mining Malware Targeting AWS LambdaDynamic analysis showed that Denonia continues to operate outside AWS Lambda, including on standard Linux systems—an expected behavior given that AWS Lambda’s underlying runtime is Linux-based.

Denonia was also engineered to use DNS over HTTPS (DoH) instead of standard DNS. This reduces the likelihood of detection because AWS cannot inspect the encrypted DNS lookups for malicious domains.

Cado Security obtained a 64-bit ELF executable targeting the x86-64 architecture. Its SHA-256 hash is a31ae5b7968056d8d99b1b720a66a9a1aeee3637b97050d95d96ef3a265cbbca.

The method of initial compromise remains unclear. The relatively small file size (17.5 MB) suggests possible vectors such as remote-desktop-protocol exploits, phishing or social-engineering campaigns on social media.

Most phishing attacks against cryptocurrency target assets directly rather than mining operations; 50 % of such attacks are launched via social media.

Thank you!
Subscribe to our newsletter! Join us on social networks!
See you!

Share:

Subscribe to our newsletter

Get the latest Web3, AI, and crypto news delivered straight to your inbox.

0