TruffleNet AWS SES credential-abuse campaign
Campaign
Summary
Hide ▲
Show ▼
The TruffleNet campaign is abusing stolen AWS credentials and AWS SES to validate access, recon cloud environments, and fuel downstream BEC fraud. The operation spans more than 800 unique hosts across 57 Class C networks, showing infrastructure built for scale rather than a one-off intrusion. Attackers use TruffleHog, GetCallerIdentity, and GetSendQuota to test credentials and probe email-sending quotas. Related activity also leveraged Portainer and a BEC vendor onboarding W-9 scam tied to cfp-impactaction.com and zoominfopay[.]com.
Related Happenings
Amadey and StealC MaaS ecosystem and affiliate model
Threat Actor Meta
H score73
First: 24.06.2026 18:59
Last: 24.06.2026 18:59
Sources 1
About this happening:
The **Amadey** and **StealC** ecosystems now operate as **malware-as-a-service (MaaS)** offerings, widening access to loader and stealer capabilities for paying customers and affi...
Amadey and StealC MaaS ecosystem and affiliate model
Threat Actor MetaAbout this happening: The **Amadey** and **StealC** ecosystems now operate as **malware-as-a-service (MaaS)** offerings, widening access to loader and stealer capabilities for paying customers and affi...
PCPJack covert SMTP relay campaign
Campaign
H score37
First: 05.06.2026 08:34
Last: 05.06.2026 08:34
Sources 1
About this happening:
The **PCPJack** campaign converted hijacked **AWS, Google Cloud, and Microsoft Azure** servers into a covert **SMTP relay network**, enabling large-scale email delivery through ve...
PCPJack covert SMTP relay campaign
CampaignAbout this happening: The **PCPJack** campaign converted hijacked **AWS, Google Cloud, and Microsoft Azure** servers into a covert **SMTP relay network**, enabling large-scale email delivery through ve...
PCPJack worm-like credential theft framework
Malware Activity
H score27
First: 07.05.2026 20:45
Last: 07.05.2026 20:45
Sources 1
About this happening:
The **PCPJack** malware framework now conducts **credential theft** across exposed cloud infrastructure, raising the risk of account takeover and follow-on intrusion. It matters b...
PCPJack worm-like credential theft framework
Malware ActivityAbout this happening: The **PCPJack** malware framework now conducts **credential theft** across exposed cloud infrastructure, raising the risk of account takeover and follow-on intrusion. It matters b...
FortiGate NGFW abuse campaign targeting healthcare, government, and managed service providers
Campaign
H score44
First: 10.03.2026 18:21
Last: 10.03.2026 18:21
Sources 1
About this happening:
A **new FortiGate abuse campaign** is using **FortiGate NGFW appliances** as entry points to breach victim networks, creating immediate risk for **healthcare**, **government**, an...
FortiGate NGFW abuse campaign targeting healthcare, government, and managed service providers
CampaignAbout this happening: A **new FortiGate abuse campaign** is using **FortiGate NGFW appliances** as entry points to breach victim networks, creating immediate risk for **healthcare**, **government**, an...
Operation PCPcat credential-exfiltration campaign
Campaign
H score89
First: 16.12.2025 10:21
Last: 16.12.2025 10:21
Sources 1
About this happening:
The **Operation PCPcat** campaign is now linked to **industrial-scale data exfiltration**, with defenders estimating **59,128 servers** already breached. The operation leverages *...
Operation PCPcat credential-exfiltration campaign
CampaignAbout this happening: The **Operation PCPcat** campaign is now linked to **industrial-scale data exfiltration**, with defenders estimating **59,128 servers** already breached. The operation leverages *...
Timeline
-
03.11.2025 12:59 2 articles · 8mo ago
TruffleNet abuses stolen AWS credentials to probe SES and fuel BEC
Initial DisclosureFortinet AI identified TruffleNet, an attack infrastructure built around TruffleHog, that abuses Amazon Web Services' (AWS) Simple Email Service (SES) by using stolen credentials, GetCallerIdentity, and GetSendQuota to test access and perform reconnaissance across AWS environments; one incident involved more than 800 unique hosts across 57 distinct Class C networks, and downstream BEC activity used cfp-impactaction.com and zoominfopay[.]com to target the oil and gas sector with a $50,000 ACH payment request.
Show sources
- ‘TruffleNet’ Attack Wields Stolen Credentials Against AWS — www.darkreading.com — 03.11.2025 12:59
- ‘TruffleNet’ Attack Wields Stolen Credentials Against AWS — www.darkreading.com — 03.11.2025 12:59