TruffleNet Attack Campaign Targeting AWS Environments
Summary
The TruffleNet attack campaign, first documented in late 2025, continues to evolve: the phishing waves now observed are sent through Amazon SES, so the messages arrive from trusted infrastructure, pass authentication and reputation checks, and feed into business email compromise (BEC). Researchers report a surge in SES abuse tied to AWS access keys exposed in public repositories, which attackers discover and validate at scale with the open-source secret scanner TruffleHog before using them for large-scale phishing. The lures are convincing phishing emails built from custom HTML templates and fabricated email threads, including fake DocuSign notifications and invoice scams aimed at finance departments.
Timeline
- 03.11.2025 12:59 · 2 articles
TruffleNet Attack Campaign Targets AWS Environments
The TruffleNet attack campaign leverages stolen credentials to target AWS environments, particularly Amazon's Simple Email Service (SES). The operators use the open-source secret scanner TruffleHog to find and validate leaked credentials, and the legitimate container-management tool Portainer to coordinate their own infrastructure, before performing reconnaissance and executing downstream business email compromise (BEC) attacks. The campaign involved over 800 unique hosts across 57 distinct /24 (Class C) networks. Attackers call legitimate AWS APIs to test stolen credentials and perform reconnaissance: sts:GetCallerIdentity confirms that a key is live and reveals the account and principal it belongs to, and SES calls such as GetSendQuota return the account's daily sending limit and recent volume (a 200-message daily quota indicates the account is still in the SES sandbox). The campaign also includes BEC attacks targeting the oil and gas sector, using compromised WordPress sites to establish sending identities. Recent developments show TruffleNet operators increasingly abusing Amazon SES to send high-quality phishing emails that pass SPF, DKIM and DMARC checks, since the mail is relayed through Amazon's infrastructure from sending identities set up in the compromised account rather than spoofed. The abuse is driven by automated discovery of exposed AWS IAM access keys in public assets (GitHub repositories, committed .env files, Docker images, S3 buckets), with attackers using TruffleHog to streamline credential validation and email distribution. Phishing campaigns now feature custom HTML templates mimicking real services, fabricated email threads, and BEC lures with fake document-signing notifications (e.g., DocuSign) and invoice scams targeting finance departments.
- ‘TruffleNet’ Attack Wields Stolen Credentials Against AWS — www.darkreading.com — 03.11.2025 12:59
- Amazon SES increasingly abused in phishing to evade detection — www.bleepingcomputer.com — 04.05.2026 23:03
Information Snippets
- TruffleNet operators use stolen AWS credentials, discovered and validated with the open-source secret scanner TruffleHog, to target Amazon SES.
  First reported: 03.11.2025 12:59 (2 sources, 2 articles)
  - ‘TruffleNet’ Attack Wields Stolen Credentials Against AWS — www.darkreading.com — 03.11.2025 12:59
  - Amazon SES increasingly abused in phishing to evade detection — www.bleepingcomputer.com — 04.05.2026 23:03
- The campaign involved over 800 unique hosts across 57 distinct /24 (Class C) networks.
  First reported: 03.11.2025 12:59 (2 sources, 2 articles)
  - ‘TruffleNet’ Attack Wields Stolen Credentials Against AWS — www.darkreading.com — 03.11.2025 12:59
  - Amazon SES increasingly abused in phishing to evade detection — www.bleepingcomputer.com — 04.05.2026 23:03
- Attackers use legitimate AWS APIs to test stolen credentials and perform reconnaissance: sts:GetCallerIdentity confirms the key is valid and reveals the account and principal, and ses:GetSendQuota returns the account's sending limits and recent volume.
  First reported: 03.11.2025 12:59 (2 sources, 2 articles)
  - ‘TruffleNet’ Attack Wields Stolen Credentials Against AWS — www.darkreading.com — 03.11.2025 12:59
  - Amazon SES increasingly abused in phishing to evade detection — www.bleepingcomputer.com — 04.05.2026 23:03
- The campaign includes BEC attacks targeting the oil and gas sector, using compromised WordPress sites to establish sending identities.
  First reported: 03.11.2025 12:59 (1 source, 1 article)
  - ‘TruffleNet’ Attack Wields Stolen Credentials Against AWS — www.darkreading.com — 03.11.2025 12:59
- Attackers run Portainer, an open-source management UI for Docker and Kubernetes, to coordinate the large number of nodes in the campaign's infrastructure; the tool is used as designed, on attacker-controlled hosts, rather than exploited.
  First reported: 03.11.2025 12:59 (2 sources, 2 articles)
  - ‘TruffleNet’ Attack Wields Stolen Credentials Against AWS — www.darkreading.com — 03.11.2025 12:59
  - Amazon SES increasingly abused in phishing to evade detection — www.bleepingcomputer.com — 04.05.2026 23:03
- The campaign shows that identity compromise, here through leaked long-term IAM access keys, is a pressing threat to cloud infrastructure.
  First reported: 03.11.2025 12:59 (1 source, 1 article)
  - ‘TruffleNet’ Attack Wields Stolen Credentials Against AWS — www.darkreading.com — 03.11.2025 12:59
- Phishing messages sent through Amazon SES pass standard email authentication and reputation checks because they originate from Amazon's legitimate, well-reputed sending infrastructure, so receiving filters have little reason to block them.
  First reported: 04.05.2026 23:03 (1 source, 1 article)
  - Amazon SES increasingly abused in phishing to evade detection — www.bleepingcomputer.com — 04.05.2026 23:03
- Kaspersky researchers observed an increase in phishing attacks using Amazon SES to deliver malicious links.
  First reported: 04.05.2026 23:03 (1 source, 1 article)
  - Amazon SES increasingly abused in phishing to evade detection — www.bleepingcomputer.com — 04.05.2026 23:03
- Exposure of AWS IAM access keys in public assets (e.g., GitHub repositories, committed .env files, Docker images, S3 buckets) is a primary driver of SES abuse.
  First reported: 04.05.2026 23:03 (1 source, 1 article)
  - Amazon SES increasingly abused in phishing to evade detection — www.bleepingcomputer.com — 04.05.2026 23:03
- Attackers automate detection of leaked secrets using TruffleHog to streamline credential validation and email distribution.
  First reported: 04.05.2026 23:03 (1 source, 1 article)
  - Amazon SES increasingly abused in phishing to evade detection — www.bleepingcomputer.com — 04.05.2026 23:03
- Phishing messages include high-quality custom HTML templates mimicking real services and fabricated email threads for authenticity.
  First reported: 04.05.2026 23:03 (1 source, 1 article)
  - Amazon SES increasingly abused in phishing to evade detection — www.bleepingcomputer.com — 04.05.2026 23:03
- SES abuse enables BEC attacks with fake document-signing notifications (e.g., DocuSign), invoices, and realistic login flows.
  First reported: 04.05.2026 23:03 (1 source, 1 article)
  - Amazon SES increasingly abused in phishing to evade detection — www.bleepingcomputer.com — 04.05.2026 23:03
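The two snippets above on exposed access keys and automated secret detection describe the discovery side of the campaign. The scanner below is an added example, not TruffleHog's code or anything from the articles: it shows what a TruffleHog-style detector actually looks for in committed files (an AKIA/ASIA key ID next to a 40-character secret) and why a bare length match is not enough. The .env, docker-compose and README contents are constructed; the key ID is a placeholder and the secret is the example value from AWS documentation. Validation against AWS (the GetCallerIdentity call) is deliberately left out so the example runs offline.

```python
"""Find AWS access key pairs leaked in committed files, the way a
TruffleHog-style scanner does before it validates them.

Added example, not code from TruffleHog or from the page's sources. The file
contents are constructed; the key ID is a placeholder and the secret is the
example value used in AWS documentation.
"""
import math
import re

# Long-term (AKIA) and temporary (ASIA) access key IDs: 4-char prefix + 16 chars.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[A-Z0-9]{16})\b")
# Secret access keys are 40 chars of a base64-like alphabet. Anchoring on the
# variable name avoids flagging every 40-char token (git SHA-1s, for instance).
SECRET_KEY_RE = re.compile(
    r"(?i)(?:aws)?_?secret(?:_access)?_key\W{0,5}([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])")

# Constructed sample repository contents.
SAMPLE_FILES = {
    ".env": (
        "DB_PASSWORD=hunter2\n"
        "AWS_ACCESS_KEY_ID=AKIAEXAMPLELEAKED001\n"
        "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"),
    "docker-compose.yml": (
        "services:\n"
        "  mailer:\n"
        "    environment:\n"
        "      - AWS_ACCESS_KEY_ID=AKIAEXAMPLELEAKED001\n"
        "      - AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"),
    "README.md": (
        "Set aws_secret_key = AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA to your own value.\n"
        "Commit abc123def4567890abcdef1234567890abcdef12 fixed the build.\n"),
}


def shannon_entropy(s):
    """Bits per character; real secrets sit well above repeated placeholders."""
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s))


def redact(secret):
    """Keep enough of a secret to correlate findings without reprinting it."""
    return secret[:4] + "*" * (len(secret) - 8) + secret[-4:]


def scan_text(path, text, min_entropy=3.0):
    """Return findings for one file: access key IDs verbatim (they are not
    secret on their own) and secrets redacted, skipping low-entropy values."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append({"path": path, "line": lineno,
                             "kind": "access_key_id", "value": m.group(1)})
        for m in SECRET_KEY_RE.finditer(line):
            secret = m.group(1)
            if shannon_entropy(secret) < min_entropy:
                continue  # documentation placeholder, not a usable secret
            findings.append({"path": path, "line": lineno,
                             "kind": "secret_access_key", "value": redact(secret)})
    return findings


def scan_files(files, min_entropy=3.0):
    """Report each distinct access key ID, the files it appears in, and whether
    a secret sat beside it; a key ID with its secret is what an attacker can
    hand straight to GetCallerIdentity and then to SES."""
    report = {}
    for path, text in files.items():
        found = scan_text(path, text, min_entropy)
        has_secret = any(f["kind"] == "secret_access_key" for f in found)
        for key_id in {f["value"] for f in found if f["kind"] == "access_key_id"}:
            entry = report.setdefault(key_id, {"files": [], "usable": False})
            entry["files"].append(path)
            entry["usable"] = entry["usable"] or has_secret
    return report


if __name__ == "__main__":
    for key_id, info in scan_files(SAMPLE_FILES).items():
        print(key_id, info)
```

The same key pair turning up in two files is typical of the leaks the articles describe: a .env committed by mistake and a compose file that copies it. Running a scanner like this in pre-commit and CI catches the key before it reaches a public repository; once it has been pushed, the only safe response is to deactivate and rotate it, since attackers validate new leaks within minutes.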
Similar Happenings
Vishing Attacks Target Okta SSO Accounts for Data Theft
Threat actors are using vishing attacks to steal Okta SSO credentials, bypassing MFA and gaining access to enterprise cloud services. The attacks involve real-time manipulation of phishing pages and social engineering to trick employees into revealing their credentials and MFA codes. Once access is gained, attackers exfiltrate data from integrated platforms like Salesforce and demand extortion payments. The phishing kits used in these attacks are sold as a service and are actively employed by multiple hacking groups targeting identity providers and cryptocurrency platforms. Okta recommends using phishing-resistant MFA methods to mitigate these threats. Attackers use Telegram channels to receive stolen credentials and adapt their campaign based on the MFA or authentication solution the target is using. Phishing kits allow attackers to generate fake MFA notifications to bypass MFA protections.
OAuth Device Code Phishing Campaigns Target Microsoft 365 Accounts
A surge in phishing campaigns exploiting Microsoft’s OAuth device code authorization flow has been observed, targeting Microsoft 365 accounts. Both state-aligned and financially motivated actors are using social engineering to trick users into approving malicious applications, leading to account takeover and data theft. The attacks leverage the OAuth 2.0 device authorization grant, a legitimate process designed for devices with limited input capabilities. Once victims enter a device code generated by an attacker-controlled application, the threat actor receives a valid access token, granting control over the compromised account. The campaigns use QR codes, embedded buttons, and hyperlinked text to initiate the attack chain, often claiming to involve document sharing, token reauthorization, or security verification. The growth of these campaigns is linked to readily available phishing tools like SquarePhish2 and Graphish, which simplify device code abuse and require limited technical skill. Proofpoint observed financially motivated actor TA2723 and Russia-linked group UNK_AcademicFlare adopting this technique, targeting various sectors in the US and Europe.
The activity, ongoing since September 2025, is being tracked by Proofpoint under the moniker UNK_AcademicFlare. The attacks involve using compromised email addresses belonging to government and military organizations to strike entities within government, think tanks, higher education, and transportation sectors in the U.S. and Europe. The adversary claims to share a link to a document that includes questions or topics for the email recipient to review before the meeting. The URL points to a Cloudflare Worker URL that mimics the compromised sender's Microsoft OneDrive account and instructs the victim to copy the provided code and click 'Next' to access the supposed document. Device code phishing was documented in detail by both Microsoft and Volexity in February 2025, attributing the use of the attack method to Russia-aligned clusters such as Storm-2372, APT29, UTA0304, and UTA0307. The October 2025 campaign is assessed to have been fueled by the ready availability of crimeware offerings like the Graphish phishing kit and red-team tools such as SquarePhish.
To counter the risk posed by device code phishing, the best option is to create a Conditional Access policy using the Authentication Flows condition to block device code flow for all users. If that's not feasible, it's advised to use a policy that uses an allow-list approach to allow device code authentication for approved users, operating systems, or IP ranges.
Threat actors are now targeting technology, manufacturing, and financial organizations in campaigns that combine device code phishing and voice phishing (vishing) to abuse the OAuth 2.0 Device Authorization flow and compromise Microsoft Entra accounts. Unlike previous attacks that utilized malicious OAuth applications to compromise accounts, these campaigns instead leverage legitimate Microsoft OAuth client IDs and the device authorization flow to trick victims into authenticating. This provides attackers with valid authentication tokens that can be used to access the victim's account without relying on regular phishing sites that steal passwords or intercept multi-factor authentication codes.
Separately, Microsoft recently warned of phishing campaigns using OAuth URL redirection mechanisms to bypass conventional phishing defenses. These campaigns target government and public-sector organizations, redirecting victims to attacker-controlled infrastructure without stealing their tokens. Attackers abuse OAuth's standard behavior by crafting URLs with manipulated parameters or associated malicious applications to redirect users to malicious destinations. The attack starts with a malicious application created by the threat actor, configured with a redirect URL pointing to a rogue domain hosting malware. The malicious OAuth applications are registered with an identity provider, such as Microsoft Entra ID, and leverage the OAuth 2.0 protocol to obtain delegated or application-level access to user data and resources. The attackers create malicious OAuth applications in a tenant they control and configure them with a redirect URI pointing to their infrastructure. The researchers say that even if the URLs for Entra ID look like legitimate authorization requests, the endpoint is invoked with parameters for silent authentication without an interactive login and an invalid scope that triggers authentication errors. This forces the identity provider to redirect users to the redirect URI configured by the attacker. In some cases, the victims are redirected to phishing pages powered by attacker-in-the-middle frameworks such as EvilProxy, which can intercept valid session cookies to bypass multi-factor authentication (MFA) protections. Microsoft found that the 'state' parameter was misused to auto-fill the victim’s email address in the credentials box on the phishing page, increasing the perceived sense of legitimacy.
In other instances, the victims are redirected to a 'download' path that automatically delivers a ZIP file with malicious shortcut (.LNK) files and HTML smuggling tools, leading to PowerShell execution, DLL side-loading, and pre-ransom or hands-on-keyboard activity. Opening the .LNK launches PowerShell, which performs reconnaissance on the compromised host and extracts the components required for the next step, DLL side-loading. A malicious DLL (crashhandler.dll) decrypts and loads the final payload (crashlog.dat) into memory, while a legitimate executable (stream_monitor.exe) loads a decoy to distract the victim. Microsoft suggests that organizations should tighten permissions for OAuth applications, enforce strong identity protections and Conditional Access policies, and use cross-domain detection across email, identity, and endpoints.
AWS Crypto Mining Campaign Exploits Compromised IAM Credentials
A campaign targeting AWS customers uses compromised IAM credentials to deploy cryptocurrency mining operations. The attackers employ sophisticated persistence techniques, including disabling instance termination, to evade detection and maximize resource consumption. The activity was first detected on November 2, 2025, and involves the creation of multiple ECS clusters and Lambda functions to facilitate mining operations. The attackers leverage the 'DryRun' flag to validate permissions without incurring costs, and use the 'ModifyInstanceAttribute' action to prevent instance termination. The campaign also involves the creation of autoscaling groups to exploit EC2 service quotas and maximize resource consumption. The campaign started cryptomining within 10 minutes of initial access, using a Docker Hub image that had over 100,000 pulls. Each task was configured with 16,384 CPU units and 32GB of memory, with a desired count of 10 for ECS Fargate tasks. The attacker created two launch templates with startup scripts that automatically initiated cryptomining, and configured 14 auto-scaling groups to deploy at least 20 instances each, with a maximum capacity of up to 999 machines.
Crimson Collective Targets AWS Environments
The emerging threat group Crimson Collective, linked to the Red Hat breach, targets AWS environments to steal data and extort organizations. The group uses open-source tools to find leaked AWS credentials and escalate privileges. They have ties to Scattered Spider and LAPSUS$ collectives and operate as an extortion-as-a-service (EaaS) group. Crimson Collective has been observed compromising long-term access keys and leveraging privileges attached to compromised IAM accounts. They create new users, escalate privileges, and exfiltrate valuable data via AWS services. Successful data exfiltration often results in extortion demands.
AI-Driven Phishing Campaign Targeting U.S. Organizations
A sophisticated phishing campaign targeting U.S. organizations uses AI-generated SVG files to evade security defenses. The attack leverages compromised business email accounts to send phishing messages, redirecting users to fake login pages to harvest credentials. The campaign employs advanced obfuscation techniques, including business-related language and complex code structures, to disguise malicious intent. The phishing messages use a self-addressed email tactic to bypass basic detection heuristics. The SVG files, which are text-based and scriptable, embed JavaScript and other dynamic content to deliver interactive phishing payloads. The campaign was detected on August 28, 2025, and effectively blocked by Microsoft's security systems. The use of AI in this campaign highlights the evolving tactics of threat actors, who are increasingly adopting AI tools to craft more convincing phishing lures and automate malware obfuscation.