APT29 Watering Hole Campaign Exploiting Microsoft Device Code Authentication
Summary
Hide β²
Show βΌ
Amazon has disrupted a watering hole campaign orchestrated by APT29, a Russia-linked threat actor also known as Midnight Blizzard. The campaign used compromised websites to redirect visitors to malicious infrastructure designed to trick users into authorizing attacker-controlled devices through Microsoft's device code authentication flow. The campaign targeted Microsoft 365 accounts and aimed to harvest credentials and gather intelligence. The campaign involved injecting JavaScript into legitimate websites to redirect visitors to actor-controlled domains mimicking Cloudflare verification pages. The ultimate goal was to trick victims into entering a legitimate device code generated by the threat actor, granting access to their Microsoft accounts and data. The campaign utilized various evasion techniques, including Base64 encoding and setting cookies to prevent repeated redirects. Amazon's intervention led to the actor migrating to new infrastructure, including a move off AWS to another cloud provider. The campaign reflects an evolution in APT29's tactics, no longer relying on domains impersonating AWS or social engineering to bypass multi-factor authentication (MFA).
Timeline
-
01.09.2025 18:35 π° 1 articles Β· β± 15d ago
APT29 attempts infrastructure migration and registers new domains
Following Amazon's disruption, APT29 attempted to move its infrastructure to another cloud provider and registered new domain names, such as cloudflare.redirectpartners.com. Amazon continued to track and disrupt the threat actor's efforts, emphasizing the ongoing evolution of APT29's tactics.
Show sources
- Amazon disrupts Russian APT29 hackers targeting Microsoft 365 β www.bleepingcomputer.com β 01.09.2025 18:35
-
29.08.2025 16:22 π° 2 articles Β· β± 18d ago
APT29 Watering Hole Campaign Exploiting Microsoft Device Code Authentication Disrupted
Amazon's threat intelligence team discovered the domain names used in the watering hole campaign by creating an analytic for APT29's infrastructure. The campaign involved injecting JavaScript into legitimate websites to redirect visitors to actor-controlled domains mimicking Cloudflare verification pages. The ultimate goal was to trick victims into entering a legitimate device code generated by the threat actor, granting access to their Microsoft accounts and data. The campaign utilized various evasion techniques, including Base64 encoding and setting cookies to prevent repeated redirects. Amazon isolated the EC2 instances used by the threat actor and partnered with Cloudflare and Microsoft to disrupt the identified domains. The campaign reflects an evolution in APT29's tactics, no longer relying on domains impersonating AWS or social engineering to bypass multi-factor authentication (MFA).
Show sources
- Amazon Disrupts APT29 Watering Hole Campaign Abusing Microsoft Device Code Authentication β thehackernews.com β 29.08.2025 16:22
- Amazon disrupts Russian APT29 hackers targeting Microsoft 365 β www.bleepingcomputer.com β 01.09.2025 18:35
Information Snippets
-
APT29, also known as BlueBravo, Cloaked Ursa, CozyLarch, Cozy Bear, Earth Koshchei, ICECAP, Midnight Blizzard, and The Dukes, is linked to Russia's Foreign Intelligence Service (SVR).
First reported: 29.08.2025 16:22π° 2 sources, 2 articlesShow sources
- Amazon Disrupts APT29 Watering Hole Campaign Abusing Microsoft Device Code Authentication β thehackernews.com β 29.08.2025 16:22
- Amazon disrupts Russian APT29 hackers targeting Microsoft 365 β www.bleepingcomputer.com β 01.09.2025 18:35
-
APT29 has been linked to attacks leveraging malicious Remote Desktop Protocol (RDP) configuration files to target Ukrainian entities and exfiltrate sensitive data.
First reported: 29.08.2025 16:22π° 1 source, 1 articleShow sources
- Amazon Disrupts APT29 Watering Hole Campaign Abusing Microsoft Device Code Authentication β thehackernews.com β 29.08.2025 16:22
-
The campaign used compromised websites to redirect visitors to malicious infrastructure designed to trick users into authorizing attacker-controlled devices through Microsoft's device code authentication flow.
First reported: 29.08.2025 16:22π° 2 sources, 2 articlesShow sources
- Amazon Disrupts APT29 Watering Hole Campaign Abusing Microsoft Device Code Authentication β thehackernews.com β 29.08.2025 16:22
- Amazon disrupts Russian APT29 hackers targeting Microsoft 365 β www.bleepingcomputer.com β 01.09.2025 18:35
-
The campaign involved injecting JavaScript into legitimate websites to redirect visitors to actor-controlled domains mimicking Cloudflare verification pages.
First reported: 29.08.2025 16:22π° 2 sources, 2 articlesShow sources
- Amazon Disrupts APT29 Watering Hole Campaign Abusing Microsoft Device Code Authentication β thehackernews.com β 29.08.2025 16:22
- Amazon disrupts Russian APT29 hackers targeting Microsoft 365 β www.bleepingcomputer.com β 01.09.2025 18:35
-
The ultimate goal was to trick victims into entering a legitimate device code generated by the threat actor, granting access to their Microsoft accounts and data.
First reported: 29.08.2025 16:22π° 2 sources, 2 articlesShow sources
- Amazon Disrupts APT29 Watering Hole Campaign Abusing Microsoft Device Code Authentication β thehackernews.com β 29.08.2025 16:22
- Amazon disrupts Russian APT29 hackers targeting Microsoft 365 β www.bleepingcomputer.com β 01.09.2025 18:35
-
The campaign utilized various evasion techniques, including Base64 encoding and setting cookies to prevent repeated redirects.
First reported: 29.08.2025 16:22π° 2 sources, 2 articlesShow sources
- Amazon Disrupts APT29 Watering Hole Campaign Abusing Microsoft Device Code Authentication β thehackernews.com β 29.08.2025 16:22
- Amazon disrupts Russian APT29 hackers targeting Microsoft 365 β www.bleepingcomputer.com β 01.09.2025 18:35
-
Amazon's intervention led to the actor migrating to new infrastructure, including a move off AWS to another cloud provider.
First reported: 29.08.2025 16:22π° 2 sources, 2 articlesShow sources
- Amazon Disrupts APT29 Watering Hole Campaign Abusing Microsoft Device Code Authentication β thehackernews.com β 29.08.2025 16:22
- Amazon disrupts Russian APT29 hackers targeting Microsoft 365 β www.bleepingcomputer.com β 01.09.2025 18:35
-
APT29, also known as Midnight Blizzard, has been linked to recent phishing attacks impacting European embassies, Hewlett Packard Enterprise, and TeamViewer.
First reported: 01.09.2025 18:35π° 1 source, 1 articleShow sources
- Amazon disrupts Russian APT29 hackers targeting Microsoft 365 β www.bleepingcomputer.com β 01.09.2025 18:35
-
APT29 used randomization to redirect roughly 10% of compromised website visitors to actor-controlled domains.
First reported: 01.09.2025 18:35π° 1 source, 1 articleShow sources
- Amazon disrupts Russian APT29 hackers targeting Microsoft 365 β www.bleepingcomputer.com β 01.09.2025 18:35
-
Amazon's threat intelligence team discovered the domain names used in the watering hole campaign by creating an analytic for APT29's infrastructure.
First reported: 01.09.2025 18:35π° 1 source, 1 articleShow sources
- Amazon disrupts Russian APT29 hackers targeting Microsoft 365 β www.bleepingcomputer.com β 01.09.2025 18:35
-
Amazon isolated the EC2 instances used by the threat actor and partnered with Cloudflare and Microsoft to disrupt the identified domains.
First reported: 01.09.2025 18:35π° 1 source, 1 articleShow sources
- Amazon disrupts Russian APT29 hackers targeting Microsoft 365 β www.bleepingcomputer.com β 01.09.2025 18:35
-
APT29 attempted to move its infrastructure to another cloud provider and registered new domain names.
First reported: 01.09.2025 18:35π° 1 source, 1 articleShow sources
- Amazon disrupts Russian APT29 hackers targeting Microsoft 365 β www.bleepingcomputer.com β 01.09.2025 18:35
-
The campaign reflects an evolution in APT29's tactics, no longer relying on domains impersonating AWS or social engineering to bypass multi-factor authentication (MFA).
First reported: 01.09.2025 18:35π° 1 source, 1 articleShow sources
- Amazon disrupts Russian APT29 hackers targeting Microsoft 365 β www.bleepingcomputer.com β 01.09.2025 18:35
Similar Happenings
SlopAds Fraud Ring Exploits 224 Android Apps to Drive 2.3 Billion Daily Ad Bids
A fraudulent ad operation, SlopAds, has been identified, exploiting 224 Android apps to generate 2.3 billion ad bids daily. The apps, collectively downloaded 38 million times across 228 countries, use steganography and hidden WebViews to create fraudulent ad impressions and clicks. The operation was disrupted after Google removed the offending apps from the Play Store. The SlopAds campaign is notable for its sophisticated tactics, including conditional fraud execution and the use of AI-themed services for command and control. The fraudulent behavior is triggered only when apps are downloaded via ad clicks, making detection more challenging. The campaign's infrastructure includes multiple domains and a complex feedback loop designed to evade security researchers. The campaign's highest concentration of ad impressions originated from the United States (30%), followed by India (10%) and Brazil (7%).
FileFix Attack Using Steganography to Deploy StealC Infostealer
A new FileFix social engineering campaign impersonates Meta account suspension warnings to trick users into installing the StealC infostealer malware. The attack uses steganography to hide malicious scripts and executables within a JPG image. The campaign targets various credentials, cryptocurrency wallets, and cloud services. The FileFix technique abuses the File Explorer address bar to execute PowerShell commands, bypassing traditional detection methods. The attack was discovered by Acronis and observed over a two-week period, with multiple variants using different payloads and domains. The StealC malware aims to steal sensitive information from infected devices, including browser credentials, messaging app data, and cryptocurrency wallets. The FileFix technique was created by red team researcher mr.d0x and has been previously used by the Interlock ransomware gang. The attack uses a multilingual phishing site to trick users into copying and pasting a malicious command into the File Explorer address bar. The campaign abuses Bitbucket repositories to host malicious components, leveraging trust in the platform to bypass detection. The FileFix campaign is the most widespread, customized, and sophisticated to date, targeting users in over 16 countries. The phishing site has been translated into at least 16 different languages. The attack chain involves a phishing email impersonating Facebook security, warning users of account suspension. The attack uses AI-generated images in the steganography process. The FileFix technique is more elegant and less suspicious than ClickFix, using File Explorer instead of the Run dialog. The FileFix attack offers a broader range of high-value targets due to its use of File Explorer. Security researcher Eliad Kimhy predicts an increase in FileFix attacks in the near future.
UNC6040 and UNC6395 Target Salesforce Platforms in Data Theft Campaigns
The FBI has issued an alert about two cybercriminal groups, UNC6040 and UNC6395, targeting Salesforce platforms for data theft and extortion. UNC6395 exploited compromised OAuth tokens for the Salesloft Drift application, while UNC6040 used vishing campaigns and modified Salesforce tools to breach Salesforce instances. Both groups have been active since at least October 2024, impacting multiple organizations. UNC6040 has been linked to extortion activities, with Google attributing these to a separate cluster, UNC6240, which has claimed to be the ShinyHunters group. The ShinyHunters group, along with Scattered Spider and LAPSUS$, recently announced they are going dark, but experts warn that the threat persists. UNC6040 impersonated corporate IT support personnel to gain access to Salesforce environments and used modified versions of Salesforce's Data Loader to exfiltrate data. Salesforce re-enabled integrations with Salesloft technologies, except for the Drift app, which remains disabled.
Salty2FA Phishing Kit Demonstrates Enterprise-Level Sophistication
The Salty2FA phishing kit has evolved to incorporate enterprise-grade features, making it difficult to distinguish from legitimate software. The kit's advanced capabilities include subdomain rotation, abuse of legitimate platforms, dynamic corporate branding, MFA mimicry, and sophisticated defense evasion tactics. Ontinue researchers tracked a campaign using Salty2FA, observing its technical innovations and how it mimics legitimate enterprise systems. The campaign impersonated a known business using a trial account on Aha.io and deployed a OneDrive sharing page as the initial attack vector. The kit's infrastructure supports dynamic branding and advanced evasion techniques, making it challenging for security teams to detect and mitigate. The kit's advanced features include geo-blocking, ASN/IP filtering, and JavaScript-based anti-debugging, which hinder the efforts of security researchers and SOC teams. The Salty2FA phishing kit targets industries including finance, energy, healthcare, government, logistics, IT consulting, education, construction, telecom, chemicals, industrial manufacturing, real estate, and consulting. Salty2FA activity began gaining momentum in June 2025, with early traces possibly dating back to MarchβApril 2025. Salty2FA campaigns have been active since late July 2025, generating dozens of fresh analysis sessions daily. The kit uses a multi-stage execution chain, including email lures, redirects to fake login pages, credential theft, and 2FA bypass techniques. Salty2FA employs Cloudflare checks to bypass automated filters and uses fake Microsoft-branded login pages to steal credentials. The kit intercepts push, SMS, and voice-based 2FA codes, leading to account takeovers. ANY.RUN sandbox analysis provides full-chain visibility of Salty2FA attacks, revealing behavioral patterns and reducing analyst workload. Defenders are advised to adopt advanced, layered protection and a behavioral-oriented approach to counter these evolving threats.
MostereRAT Malware Campaign Targets Japanese Windows Users
A new malware campaign involving MostereRAT, a banking malware-turned-remote access Trojan (RAT), has been identified. This campaign uses sophisticated evasion techniques, including the use of an obscure programming language, disabling of security tools, and mutual TLS (mTLS) for command-and-control communications to maintain long-term access to compromised systems. The malware targets Microsoft Windows users in Japan, deploying through phishing emails and weaponized Word documents. MostereRAT's capabilities include persistence, privilege escalation, AV evasion, and remote access tool deployment. The campaign highlights the importance of removing local administrator privileges and blocking unapproved remote access tools. The malware's design reflects long-term, strategic, and flexible objectives, with capabilities to extend functionality, deploy additional payloads, and apply evasion techniques. These features point to an intent to maintain persistent control over compromised systems, maximize the utility of victim resources, and retain ongoing access to valuable data.