APT29 opportunistic watering-hole device-code phishing campaign
Campaign
Summary
APT29 is running an opportunistic watering-hole campaign that redirects visitors from compromised websites to attacker infrastructure and lures them into authorizing Microsoft device codes, increasing the risk of account takeover and intelligence collection. The operation broadened its reach by cycling infrastructure such as findcloudflare[.]com and cloudflare.redirectpartners[.]com, and it targeted visitors rather than a single named victim.
Related Happenings
GitHub fake VS Code alert spam campaign
Campaign
First: 27.03.2026 18:51
Last: 27.03.2026 18:51
Sources 1
About this happening:
A coordinated **GitHub Discussions** spam campaign is posting fake **Visual Studio Code** security alerts to lure developers into **malware downloads**, reaching **thousands of re...
Ip6.arpa reverse-DNS phishing campaign using IPv6 tunneling
Campaign
First: 08.03.2026 16:12
Last: 08.03.2026 16:12
Sources 1
About this happening:
A **phishing campaign** is abusing **ip6.arpa reverse DNS** and **IPv6 tunneling** to slip past domain reputation checks and **email security gateways**, making malicious links ha...
Tycoon 2FA-Storm-1747 ecosystem shift changes threat-actor operations
Threat Actor Meta
First: 05.03.2026 08:51
Last: 05.03.2026 08:51
Sources 1
About this happening:
**Tycoon2FA** has evolved from a **subscription-based PhaaS** into a more resilient phishing service that now supports **device-code phishing** against **Microsoft 365** accounts....
Latest development: 17.05.2026 17:43
eSentire says Tycoon2FA now uses device-code phishing to target Microsoft 365 accounts, with invoice-themed lure emails carrying Trustifi click-tracking URLs that redirect through Trustifi, Cloudflare Workers, obfuscated JavaScript layers, and a fake Microsoft CAPTCHA page before sending victims to microsoft.com/devicelogin. The kit also adds anti-analysis defenses, including detection of Selenium, Puppeteer, Playwright, and Burp Suite, plus blocks for security vendors, VPNs, sandboxes, AI crawlers, and cloud providers.
TamperedChef malvertising campaign distributing backdoor malware through trojanized PDFs
Campaign
First: 16.01.2026 14:05
Last: 16.01.2026 14:05
Sources 1
About this happening:
The **TamperedChef** campaign is a **malvertising** operation that used **Google ads** and **more than 50 domains** to push a fake **AppSuite PDF Editor** and deliver the **Tamper...
Npm registry spear-phishing campaign targeting sales personnel
Campaign
First: 29.12.2025 11:44
Last: 29.12.2025 11:44
Sources 1
About this happening:
**Unknown threat actors** ran a **five-month** spear-phishing campaign that abused **27 npm packages** as browser-hosting infrastructure, turning a software registry into a resili...
Timeline
- 29.08.2025 16:22 · 2 articles
Amazon disrupts APT29 watering-hole campaign abusing Microsoft device code authentication
Initial Disclosure: Amazon flagged and disrupted an opportunistic watering-hole campaign attributed to APT29 that used compromised websites and injected JavaScript to redirect visitors to actor-controlled domains such as findcloudflare[.]com and cloudflare.redirectpartners[.]com. The redirects mimicked Cloudflare verification pages and steered users into Microsoft device code authentication workflows designed to grant attacker-controlled access to Microsoft accounts and data.
Sources
- Amazon Disrupts APT29 Watering Hole Campaign Abusing Microsoft Device Code Authentication — thehackernews.com — 29.08.2025 16:22