TruffleNet Attack Campaign Targeting AWS Environments
Summary
The TruffleNet attack campaign leverages stolen credentials to target AWS environments, particularly Amazon's Simple Email Service (SES). The campaign uses the open-source scanning tool TruffleHog and exploits legitimate tools like Portainer to perform reconnaissance and execute downstream business email compromise (BEC) attacks. The campaign involved over 800 unique hosts across 57 distinct Class C networks. Attackers use legitimate AWS APIs to test stolen credentials and perform reconnaissance. The campaign also includes BEC attacks targeting the oil and gas sector, using compromised WordPress sites to establish sending identities.
Timeline
- 03.11.2025 12:59: TruffleNet Attack Campaign Targets AWS Environments (1 article)
- ‘TruffleNet’ Attack Wields Stolen Credentials Against AWS — www.darkreading.com — 03.11.2025 12:59
Information Snippets
- TruffleNet uses stolen credentials to target AWS SES via the open-source scanning tool TruffleHog.
  First reported: 03.11.2025 12:59 (1 source, 1 article)
- The campaign involved over 800 unique hosts across 57 distinct Class C networks.
  First reported: 03.11.2025 12:59 (1 source, 1 article)
- Attackers use legitimate AWS APIs, such as GetCallerIdentity and GetSendQuota, to test stolen credentials and perform reconnaissance.
  First reported: 03.11.2025 12:59 (1 source, 1 article)
- The campaign includes BEC attacks targeting the oil and gas sector, using compromised WordPress sites to establish sending identities.
  First reported: 03.11.2025 12:59 (1 source, 1 article)
- Attackers exploit Portainer, an open-source management UI for Docker and Kubernetes, to coordinate large numbers of nodes.
  First reported: 03.11.2025 12:59 (1 source, 1 article)
- The campaign demonstrates that identity compromise is a pressing threat to cloud infrastructure.
  First reported: 03.11.2025 12:59 (1 source, 1 article)
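Detection logic for the credential-testing pattern in the snippets above, added here as an example and not taken from the cited article: it flags access keys that call both GetCallerIdentity and GetSendQuota within a short window and counts the distinct /24 networks the calls came from. The CloudTrail-style records, key IDs, 5-minute window and function names are constructed assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# The two API calls the summary names as the credential test.
PROBE_CALLS = {("sts.amazonaws.com", "GetCallerIdentity"), ("ses.amazonaws.com", "GetSendQuota")}

def ev(t, service, name, ip, key):
    """Build one constructed CloudTrail-style record (placeholder key IDs, documentation IPs)."""
    return {"eventTime": f"2025-11-03T{t}Z", "eventSource": f"{service}.amazonaws.com",
            "eventName": name, "sourceIPAddress": ip,
            "userIdentity": {"accessKeyId": key}}

SAMPLE_EVENTS = [  # constructed sample input, not real telemetry
    ev("10:00:01", "sts", "GetCallerIdentity", "198.51.100.10", "AKIAEXAMPLE0000000001"),
    ev("10:00:09", "ses", "GetSendQuota", "203.0.113.77", "AKIAEXAMPLE0000000001"),
    ev("09:00:00", "sts", "GetCallerIdentity", "192.0.2.5", "AKIAEXAMPLE0000000002"),
    ev("11:30:00", "ses", "GetSendQuota", "192.0.2.5", "AKIAEXAMPLE0000000002"),
    ev("10:05:00", "sts", "GetCallerIdentity", "192.0.2.9", "AKIAEXAMPLE0000000003"),
    ev("10:05:30", "ses", "ListIdentities", "192.0.2.9", "AKIAEXAMPLE0000000003"),
]

def slash24(ip):
    """Return the /24 containing ip, or None when the field is not an IP address."""
    try:
        return str(ipaddress.ip_network(f"{ip}/24", strict=False))
    except ValueError:
        return None  # CloudTrail can record an AWS service name in sourceIPAddress

def find_credential_probes(events, window=timedelta(minutes=5)):
    """Map access key -> source IPs and /24 count when both probe calls occur within window."""
    by_key = defaultdict(list)
    for e in events:
        key = e.get("userIdentity", {}).get("accessKeyId")
        if key and (e["eventSource"], e["eventName"]) in PROBE_CALLS:
            ts = datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
            by_key[key].append((ts, e["eventName"], e["sourceIPAddress"]))
    findings = {}
    for key, calls in by_key.items():
        ids = [c for c in calls if c[1] == "GetCallerIdentity"]
        quotas = [c for c in calls if c[1] == "GetSendQuota"]
        pairs = [(i, q) for i in ids for q in quotas if abs(q[0] - i[0]) <= window]
        if pairs:
            ips = sorted({c[2] for pair in pairs for c in pair})
            nets = {slash24(ip) for ip in ips} - {None}
            findings[key] = {"source_ips": ips, "distinct_slash24": len(nets)}
    return findings

if __name__ == "__main__":
    print(find_credential_probes(SAMPLE_EVENTS))
```

A key that validates itself and checks the SES quota seconds apart from unrelated networks is a stronger signal than either call alone, since both calls also occur in routine use.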