
APT29 Watering Hole Campaign Targeting Microsoft Device Code Authentication

📰 2 unique sources, 2 articles

Summary


Amazon disrupted an APT29 watering hole campaign targeting Microsoft device code authentication. The campaign compromised websites to redirect visitors to malicious infrastructure, aiming to trick users into authorizing attacker-controlled devices. The operation leveraged various phishing methods and evasion techniques to harvest credentials and gather intelligence. APT29, a Russia-linked state-sponsored hacking group, used compromised websites to inject JavaScript that redirected visitors to actor-controlled domains mimicking Cloudflare verification pages. The campaign aimed to entice victims into entering a legitimate device code into a sign-in page, granting attackers access to Microsoft accounts and data. The injected code was concealed with Base64 encoding, set cookies to prevent repeated redirects, and shifted to new infrastructure when blocked. After Amazon's intervention, the actor registered additional domains and continued pursuing the campaign's objectives. The campaign reflects an evolution in APT29's technical approach, no longer relying on domains that impersonate AWS or on social engineering attempts to bypass multi-factor authentication (MFA).
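The summary describes the on-site half of the technique: an inline script injected into a compromised page, hidden behind Base64, that sets a cookie so a visitor is redirected only once and sends a fraction of visitors off-site. The scanner below is an added example written for this page (it is not Amazon's analytic and not code recovered from the campaign): it pulls inline `<script>` bodies out of a page, decodes any Base64 literal they carry, and flags a script only when the decoded logic both redirects and is gated by a cookie or points at a host other than the site's own. The HTML samples, the indicator regexes and the `example.invalid` host are all constructed for the example.

```python
import base64
import re
from urllib.parse import urlparse

# Constructed sample: a page carrying an injected, Base64-obfuscated inline script of
# the shape the write-up describes (cookie gate, sampled off-site redirect). This is
# illustrative code written for the example, not code recovered from the campaign.
_INJECTED_JS = (
    "if(!document.cookie.includes('seen=1')){"
    "document.cookie='seen=1; max-age=86400';"
    "if(Math.random()<0.1){window.location='https://example.invalid/verify';}}"
)
SAMPLE_HTML = (
    '<html><head><title>Example</title>\n'
    '<script src="/static/app.js"></script>\n'
    '<script>eval(atob("' + base64.b64encode(_INJECTED_JS.encode()).decode() + '"));</script>\n'
    '</head><body>Hello</body></html>'
)
# A benign page that also touches document.cookie, to show the rule needs more than that.
CLEAN_HTML = "<html><head><script>document.cookie='theme=dark';console.log('ok');</script></head></html>"

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")          # long Base64-looking runs
URL_RE = re.compile(r"https?://[^\s'\"<>)]+")

# Heuristic indicators (constructed for this example, not a published signature set).
INDICATORS = {
    "redirect": re.compile(r"(?:window\.|document\.|top\.)?location(?:\.href|\.replace|\.assign)?\s*(?:=(?!=)|\()"),
    "cookie_gate": re.compile(r"document\.cookie"),
    "sampling": re.compile(r"Math\.random\s*\("),
    "eval": re.compile(r"\beval\s*\(|new\s+Function\s*\("),
}


def decode_b64_blobs(script_body: str) -> list[str]:
    """Return every Base64 literal in the script that decodes to readable text."""
    decoded = []
    for m in B64_RE.finditer(script_body):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
            text = raw.decode("utf-8")
        except (ValueError, UnicodeDecodeError):   # not Base64, or binary payload
            continue
        if all(ch.isprintable() or ch in "\r\n\t" for ch in text):
            decoded.append(text)
    return decoded


def scan_html(page: str, site_host: str) -> list[dict]:
    """Flag inline scripts whose visible or Base64-hidden logic redirects visitors
    off-site behind a cookie gate. site_host is the host the page legitimately serves."""
    findings = []
    for idx, m in enumerate(SCRIPT_RE.finditer(page)):
        body = m.group(1)
        # Inspect the script as written and each layer it carries Base64-encoded.
        layers = [("inline", body)] + [("base64", t) for t in decode_b64_blobs(body)]
        for layer, text in layers:
            hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
            hosts = sorted({h for h in (urlparse(u).hostname for u in URL_RE.findall(text))
                            if h and h != site_host})
            if hosts:
                hits.append("external_host")
            # A redirect alone is common; a redirect that is cookie-gated or off-site is the pattern.
            if "redirect" in hits and ("cookie_gate" in hits or hosts):
                findings.append({"script_index": idx, "layer": layer, "indicators": hits,
                                 "external_hosts": hosts, "snippet": text[:120]})
    return findings


if __name__ == "__main__":
    for f in scan_html(SAMPLE_HTML, "example.org"):
        print(f"script #{f['script_index']} ({f['layer']}): {f['indicators']} -> {f['external_hosts']}")
    print("clean page findings:", scan_html(CLEAN_HTML, "example.org"))
```

Run it against the HTML your own web servers actually return (fetch it the way a browser would, since injections can be served conditionally) and treat any `base64`-layer hit as something to diff against the deployed source. The rule deliberately ignores a script that only sets a cookie or only calls `location`, which is why `CLEAN_HTML` produces no finding.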

Timeline

  1. 29.08.2025 16:22 📰 2 articles

    APT29 Watering Hole Campaign Disrupted by Amazon

    Amazon identified and disrupted an APT29 watering hole campaign targeting Microsoft device code authentication. Amazon's threat intelligence team discovered the campaign by creating an analytic for APT29's infrastructure. The compromised websites redirected visitors to malicious infrastructure in order to trick them into authorizing attacker-controlled devices; the injected code was concealed with Base64 encoding and used a cookie-based system to prevent repeated redirects. Amazon isolated the EC2 instances used by the threat actor and partnered with Cloudflare and Microsoft to disrupt the identified domains, after which the actor registered additional domains and shifted to new infrastructure to continue the campaign. The campaign reflects an evolution in APT29's technical approach, no longer relying on domains that impersonate AWS or on social engineering attempts to bypass multi-factor authentication (MFA).

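The identity side of the campaign is a device code sign-in that the victim completes for the attacker, so the tenant's own sign-in logs are where it becomes visible. The snippet below is an added example (not Amazon's, Microsoft's or the campaign's code) that walks newline-delimited sign-in records shaped like Microsoft Graph `signIn` objects, flags every `authenticationProtocol == "deviceCode"` sign-in, and raises severity when the sign-in comes from a country the organisation does not expect or from an IP that differs from the user's own interactive sign-ins. The field names follow the Graph schema; the records, users, IPs and the expected-country set are constructed for the example.

```python
import json
from collections import defaultdict

# Constructed sign-in records (field names from the Microsoft Graph signIn schema,
# values invented for this example).
SAMPLE_LOG = """
{"createdDateTime":"2025-08-29T09:10:00Z","userPrincipalName":"alice@example.org","authenticationProtocol":"oAuth2","ipAddress":"203.0.113.10","location":{"countryOrRegion":"US"},"appDisplayName":"Microsoft Teams"}
{"createdDateTime":"2025-08-29T09:12:00Z","userPrincipalName":"alice@example.org","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.7","location":{"countryOrRegion":"NL"},"appDisplayName":"Microsoft Office"}
{"createdDateTime":"2025-08-29T10:00:00Z","userPrincipalName":"bob@example.org","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.22","location":{"countryOrRegion":"US"},"appDisplayName":"Microsoft Azure CLI"}
{"createdDateTime":"2025-08-29T10:05:00Z","userPrincipalName":"bob@example.org","authenticationProtocol":"oAuth2","ipAddress":"203.0.113.22","location":{"countryOrRegion":"US"},"appDisplayName":"Outlook"}
"""


def parse_signins(text: str) -> list[dict]:
    """One JSON object per line, blank lines ignored."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def device_code_alerts(records: list[dict], expected_countries: set[str]) -> list[dict]:
    """Alert on every device-code sign-in. Severity is 'high' when the sign-in comes
    from an unexpected country or from an IP the user's non-device-code sign-ins never
    used (the attacker's device completing a code the user typed elsewhere)."""
    by_user = defaultdict(list)
    for r in records:
        by_user[r["userPrincipalName"]].append(r)

    alerts = []
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            continue
        reasons = ["device_code_flow"]
        country = r.get("location", {}).get("countryOrRegion")
        if country not in expected_countries:
            reasons.append("unexpected_country")
        # IPs seen on the same user's ordinary (non-device-code) sign-ins.
        interactive_ips = {o["ipAddress"] for o in by_user[r["userPrincipalName"]]
                           if o is not r and o.get("authenticationProtocol") != "deviceCode"}
        if interactive_ips and r["ipAddress"] not in interactive_ips:
            reasons.append("ip_differs_from_user_interactive_signins")
        alerts.append({
            "time": r.get("createdDateTime"),
            "user": r["userPrincipalName"],
            "ip": r["ipAddress"],
            "app": r.get("appDisplayName"),
            "severity": "high" if len(reasons) > 1 else "medium",
            "reasons": reasons,
        })
    return alerts


if __name__ == "__main__":
    for a in device_code_alerts(parse_signins(SAMPLE_LOG), {"US"}):
        print(f"{a['severity']:6} {a['time']} {a['user']} from {a['ip']} ({a['app']}): {', '.join(a['reasons'])}")
```

Even the medium-severity hits are worth reviewing: most users never legitimately use the device code flow, so a tenant-wide baseline of who does is small. Where the flow is not needed, blocking it with a Conditional Access policy on the authentication-flows condition removes the sign-in path this campaign depends on, and the remaining device-code sign-ins become a short list to monitor.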


Similar Happenings

APT41 Targets U.S. Trade Officials in Cyber Espionage Campaign

The House Select Committee on China has issued a warning about ongoing cyber espionage campaigns by China-linked APT41 targeting U.S. trade officials and related organizations. The attacks involve phishing emails impersonating U.S. officials to steal sensitive information. The campaign coincides with contentious U.S.-China trade negotiations. The threat actors exploit software and cloud services to cover their tracks. The attacks aim to steal valuable data and gain unauthorized access to systems. The committee has noted similar tactics used in previous campaigns, including a January 2025 spear-phishing attempt targeting committee staffers. The FBI is investigating the ongoing cyber espionage campaign. APT41 has been known to conduct financially motivated activities in addition to state-sponsored espionage. The group has targeted various sectors, including logistics, utilities, healthcare, high-tech, and telecommunications. The committee recommends user awareness phishing training, mandatory multifactor authentication, FIDO keys, and appropriate email gateway and endpoint security tools to mitigate such attacks.

Axios Abuse and Salty 2FA Kits in Microsoft 365 Phishing Campaigns

Threat actors are leveraging HTTP client tools like Axios and Microsoft's Direct Send feature to execute advanced phishing campaigns targeting Microsoft 365 environments. These campaigns have demonstrated a 70% success rate, bypassing traditional security defenses and exploiting authentication workflows. The attacks began in July 2025 and have targeted executives and managers in various sectors, including finance, healthcare, and manufacturing. The phishing campaigns use compensation-themed lures to trick recipients into opening malicious PDFs containing QR codes that direct users to fake login pages. Additionally, a phishing-as-a-service (PhaaS) offering called Salty 2FA is being used to steal Microsoft login credentials and bypass multi-factor authentication (MFA). The Salty2FA kit includes advanced features such as subdomain rotation, dynamic corporate branding, and sophisticated evasion tactics to enhance its effectiveness and evade detection. Salty2FA activity began gaining momentum in June 2025, with early traces possibly dating back to March–April 2025. The campaigns have been active since late July 2025 and continue to this day, generating dozens of fresh analysis sessions daily. Salty2FA targets industries including finance, energy, telecom, healthcare, government, logistics, IT consulting, education, construction, chemicals, industrial manufacturing, real estate, consulting, metallurgy, and more.

MostereRAT Malware Disables Security Tools, Targets Japanese Windows Users

A new malware campaign, tracked as MostereRAT, targets Japanese Windows users with sophisticated evasion techniques. MostereRAT disables antivirus and endpoint defenses, uses an obscure programming language, and abuses legitimate remote access tools to maintain persistent control over compromised systems. The malware's capabilities include privilege escalation, keylogging, data exfiltration, and the creation of hidden administrator accounts. The campaign's long-term objectives and the full extent of its impact remain unclear. MostereRAT employs Easy Programming Language (EPL) to evade detection and uses Windows Filtering Platform (WFP) filters to block security telemetry. The malware deploys legitimate remote access tools like AnyDesk, TigerVNC, and TightVNC, making it difficult to detect. The campaign highlights the importance of removing local administrator privileges and blocking unapproved remote access tools to reduce the attack surface. The malware uses mutual TLS (mTLS) to secure command-and-control (C2) communications and can run as TrustedInstaller, a built-in Windows system account with elevated permissions. MostereRAT can monitor foreground window activity associated with Qianniu - Alibaba's Seller Tool, facilitate RDP logins, and create hidden administrator accounts.

SVG Files Used to Deploy Phishing Pages in Colombian Judicial System Impersonation Campaign

A malware campaign leveraging SVG files to deploy Base64-encoded phishing pages impersonating the Colombian judicial system has been identified. The SVG files, distributed via email, execute JavaScript payloads to inject phishing pages and download ZIP archives. The campaign involves 523 unique SVG files that have evaded detection by antivirus engines. The earliest sample dates back to August 14, 2025. The campaign highlights the evolving tactics used by threat actors to bypass security measures and target macOS systems with information stealers like Atomic macOS Stealer (AMOS). This campaign also coincides with broader trends in cyber threats targeting macOS and gamers.

GhostRedirector Compromises 65 Windows Servers Using Rungan Backdoor and Gamshen IIS Module

GhostRedirector, a previously undocumented threat cluster, has compromised at least 65 Windows servers primarily in Brazil, Thailand, and Vietnam. The attacks, active since at least August 2024, deployed the Rungan backdoor and Gamshen IIS module. Rungan executes commands on compromised servers, while Gamshen manipulates search engine results for SEO fraud. The threat actor targets various sectors, including education, healthcare, technology, transportation, insurance, and retail, using SQL injection vulnerabilities for initial access. The group is assessed with medium confidence to be China-aligned. The operation involves using PowerShell to download malware tools and exploits like EfsPotato and BadPotato for privilege escalation.