They're scanning for credentials. If they can get things like AWS credentials, I would expect to see cloud crypto mining as their next move. So it would be a good idea to keep an eye on your infra if you are affected.

Anyone that has production AWS creds in the same operating system they randomly execute unreviewed code on the internet on should have their access revoked.