Denonia cryptominer malware targets the AWS Lambda landscape

Denonia Cryptominer Malware AWS Lambda Landscape Cryptocurrency

A newly discovered Denonia malware targets the AWS Lambda environment with crypto stealer campaigns. Researchers stated that this new malware threat exploits several servers to execute cryptocurrency miners.

Last week, security researchers published their findings on the Denonia malware, revealing that it is being utilised by its developers to operate targeted attacks against Lambda.

Lambda is an Amazon Web Services (AWS) that offers a scalable compute service for operating codes, Operating System maintenance, logging, running multiple backend services, and capacity provisioning. Moreover, this cloud service used by SMBs and enterprise entities worldwide are now prone to infection by the new Denonia malware strain.

The security researchers also assumed that this is the first known public sample of Denonia despite the Lambda ransomware. The malware is written in Golang despite having a file name python.

A sample then caught the researcher’s attention after the analysis of Denonia logged as an error that says, “[_LAMBDA_SERVER_PORT AWS _LAMBDA_RUNTIME_API] is not defined.” It has provided an idea for the researchers on which environment it targets since its variables are exclusive to Lambda.


The Denonia malware is dependent on GitHub libraries to initiate its attacks.


The malware samples were a 64-bit ELF executable based on the analysis conducted by researchers. It heavily depends on third-party GitHub libraries, including those for coding Lambda features and recovery data from Lambda invoke requests.

Another interesting finding for the malware is the usage of DNS instead of HTTPS through the doh-go library. The research team assumes that the hackers could have employed it to obstruct AWS from detecting lookups for compromised domains.

There is still confusion among the researchers about which Denonia used the attack vector. However, they think that the usage of scripts is the main reason for grabbing access credentials against the target or secret keys from poorly-coded setups.

The malware operates a modified variant of XMRig in memory, a miner utilised by threat actors to mine the Monero cryptocurrency. This finding implies that the malware developer’s main objective is to gain financial profit.

About the author

Leave a Reply