Find notable cyber news and cases, enriched with sources, timelines, and signals.

TruffleNet AWS SES credential-abuse campaign

Campaign
First reported
Last updated
Happening score
H score 36
1 unique sources, 1 articles

Summary

Hide ▲

The TruffleNet campaign is abusing stolen AWS credentials and AWS SES to validate access, recon cloud environments, and fuel downstream BEC fraud. The operation spans more than 800 unique hosts across 57 Class C networks, showing infrastructure built for scale rather than a one-off intrusion. Attackers use TruffleHog, GetCallerIdentity, and GetSendQuota to test credentials and probe email-sending quotas. Related activity also leveraged Portainer and a BEC vendor onboarding W-9 scam tied to cfp-impactaction.com and zoominfopay[.]com.

Related Happenings

Amadey and StealC MaaS ecosystem and affiliate model

Threat Actor Meta
H score73 First: 24.06.2026 18:59 Last: 24.06.2026 18:59 Sources 1

About this happening: The **Amadey** and **StealC** ecosystems now operate as **malware-as-a-service (MaaS)** offerings, widening access to loader and stealer capabilities for paying customers and affi...

PCPJack covert SMTP relay campaign

Campaign
H score37 First: 05.06.2026 08:34 Last: 05.06.2026 08:34 Sources 1

About this happening: The **PCPJack** campaign converted hijacked **AWS, Google Cloud, and Microsoft Azure** servers into a covert **SMTP relay network**, enabling large-scale email delivery through ve...

PCPJack worm-like credential theft framework

Malware Activity
H score27 First: 07.05.2026 20:45 Last: 07.05.2026 20:45 Sources 1

About this happening: The **PCPJack** malware framework now conducts **credential theft** across exposed cloud infrastructure, raising the risk of account takeover and follow-on intrusion. It matters b...

FortiGate NGFW abuse campaign targeting healthcare, government, and managed service providers

Campaign
H score44 First: 10.03.2026 18:21 Last: 10.03.2026 18:21 Sources 1

About this happening: A **new FortiGate abuse campaign** is using **FortiGate NGFW appliances** as entry points to breach victim networks, creating immediate risk for **healthcare**, **government**, an...

Operation PCPcat credential-exfiltration campaign

Campaign
H score89 First: 16.12.2025 10:21 Last: 16.12.2025 10:21 Sources 1

About this happening: The **Operation PCPcat** campaign is now linked to **industrial-scale data exfiltration**, with defenders estimating **59,128 servers** already breached. The operation leverages *...

Timeline

  1. 03.11.2025 12:59 2 articles · 8mo ago

    TruffleNet abuses stolen AWS credentials to probe SES and fuel BEC

    Initial Disclosure

    Fortinet AI identified TruffleNet, an attack infrastructure built around TruffleHog, that abuses Amazon Web Services' (AWS) Simple Email Service (SES) by using stolen credentials, GetCallerIdentity, and GetSendQuota to test access and perform reconnaissance across AWS environments; one incident involved more than 800 unique hosts across 57 distinct Class C networks, and downstream BEC activity used cfp-impactaction.com and zoominfopay[.]com to target the oil and gas sector with a $50,000 ACH payment request.

    Show sources