
TruffleNet AWS SES credential-abuse campaign

Campaign · Happening score 45 · 1 unique source, 1 article

Summary


The TruffleNet campaign abuses stolen AWS credentials and AWS Simple Email Service (SES) to validate access, perform reconnaissance of cloud environments, and fuel downstream business email compromise (BEC) fraud. The operation spans more than 800 unique hosts across 57 Class C networks, which points to infrastructure built for scale rather than a one-off intrusion. Attackers use TruffleHog together with the GetCallerIdentity and GetSendQuota API calls to test whether stolen credentials work and to probe email-sending quotas. Related activity also leveraged Portainer and a BEC vendor-onboarding W-9 scam tied to cfp-impactaction.com and zoominfopay[.]com.

Related Happenings

PCPJack worm-like credential theft framework

Malware Activity
First: 07.05.2026 20:45 Last: 07.05.2026 20:45 Sources 1

About this happening: The **PCPJack** malware framework now conducts **credential theft** across exposed cloud infrastructure, raising the risk of account takeover and follow-on intrusion. It matters b...

FortiGate NGFW abuse campaign targeting healthcare, government, and managed service providers

Campaign
First: 10.03.2026 18:21 Last: 10.03.2026 18:21 Sources 1

About this happening: A **new FortiGate abuse campaign** is using **FortiGate NGFW appliances** as entry points to breach victim networks, creating immediate risk for **healthcare**, **government**, an...

Operation PCPcat credential-exfiltration campaign

Campaign
First: 16.12.2025 10:21 Last: 16.12.2025 10:21 Sources 1

About this happening: The **Operation PCPcat** campaign is now linked to **industrial-scale data exfiltration**, with defenders estimating **59,128 servers** already breached. The operation leverages *...

PHP servers, IoT devices and cloud gateways active exploitation surge

Exploitation Wave
First: 29.10.2025 15:00 Last: 29.10.2025 15:00 Sources 1

About this happening: An active exploitation wave is driving a sharp increase in attacks against PHP servers, IoT devices, and cloud gateways. The activity uses known CVEs and cloud misconfigurations t...

Latest development: 29.10.2025 17:38

Automated campaigns target exposed PHP servers, IoT devices, and cloud gateways with botnets such as Mirai, Gafgyt, and Mozi, exploiting known CVEs and cloud misconfigurations to gain control and expand botnet networks. The activity includes `/?XDEBUG_SESSION_START=phpstorm` abuse against Xdebug sessions, attempts to harvest credentials, API keys, and access tokens, and scanning that often originates from AWS, Google Cloud, Microsoft Azure, Digital Ocean, and Akamai Cloud.

Crimson Collective campaign expands across multiple victims

Campaign
First: 08.10.2025 20:33 Last: 08.10.2025 20:33 Sources 1

About this happening: **Crimson Collective** is running an active **AWS cloud extortion campaign** that targets cloud environments to steal data and pressure companies for payment. The operation has be...

Timeline

  1. 03.11.2025 12:59 2 articles · 6mo ago

    TruffleNet abuses stolen AWS credentials to probe SES and fuel BEC

    Initial Disclosure

    Fortinet AI identified TruffleNet, an attack infrastructure built around TruffleHog that abuses Amazon Web Services' (AWS) Simple Email Service (SES). It uses stolen credentials together with the GetCallerIdentity and GetSendQuota API calls to test access and perform reconnaissance across AWS environments; one incident involved more than 800 unique hosts across 57 distinct Class C networks. Downstream BEC activity used cfp-impactaction.com and zoominfopay[.]com to target the oil and gas sector with a $50,000 ACH payment request.
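    The credential-validation pattern described in the summary and in this timeline entry (GetCallerIdentity to confirm a key works, then GetSendQuota to check SES sending capacity) is visible in CloudTrail. The following detection is an added example written for this page; it is not code from Fortinet or from the report. The log records are constructed and the placeholder access key ids and IP addresses are invented; the ten-minute pairing window is an assumed threshold, not a value from the report.

```python
"""Flag access keys whose activity matches TruffleNet-style credential probing:
sts:GetCallerIdentity followed within a short window by ses:GetSendQuota.
Added example for this page; input below is constructed, not real telemetry."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed CloudTrail-style records, one JSON object per line. Field names
# follow the CloudTrail schema; key ids and IPs are placeholders (assumed values).
SAMPLE_LOG = """
{"eventTime":"2025-11-03T12:00:00Z","eventSource":"sts.amazonaws.com","eventName":"GetCallerIdentity","sourceIPAddress":"203.0.113.10","userIdentity":{"accessKeyId":"AKIAEXAMPLEPROBE01"}}
{"eventTime":"2025-11-03T12:00:04Z","eventSource":"ses.amazonaws.com","eventName":"GetSendQuota","sourceIPAddress":"203.0.113.10","userIdentity":{"accessKeyId":"AKIAEXAMPLEPROBE01"}}
{"eventTime":"2025-11-03T12:00:31Z","eventSource":"ses.amazonaws.com","eventName":"GetSendQuota","sourceIPAddress":"198.51.100.7","userIdentity":{"accessKeyId":"AKIAEXAMPLEPROBE01"},"errorCode":"AccessDenied"}
{"eventTime":"2025-11-03T12:01:10Z","eventSource":"ses.amazonaws.com","eventName":"SendEmail","sourceIPAddress":"192.0.2.25","userIdentity":{"accessKeyId":"AKIAEXAMPLEMAILER1"}}
{"eventTime":"2025-11-03T12:02:00Z","eventSource":"sts.amazonaws.com","eventName":"GetCallerIdentity","sourceIPAddress":"192.0.2.40","userIdentity":{"accessKeyId":"AKIAEXAMPLEADMIN01"}}
{"eventTime":"2025-11-03T14:30:00Z","eventSource":"ses.amazonaws.com","eventName":"GetSendQuota","sourceIPAddress":"192.0.2.40","userIdentity":{"accessKeyId":"AKIAEXAMPLEADMIN01"}}
"""


def parse_events(log_text):
    """Parse newline-delimited CloudTrail JSON into flat dicts we can sort and group."""
    events = []
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        events.append({
            "time": datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ"),
            "name": rec["eventName"],
            "ip": rec["sourceIPAddress"],
            "key": rec["userIdentity"].get("accessKeyId", "unknown"),
            "error": rec.get("errorCode"),  # AccessDenied still counts as a probe
        })
    return events


def find_probing(events, window=timedelta(minutes=10)):
    """Return one finding per access key that issued GetCallerIdentity and then
    GetSendQuota within `window`. Denied quota checks are counted, not ignored,
    because a failed probe is still evidence the key is being tested."""
    by_key = defaultdict(list)
    for ev in events:
        by_key[ev["key"]].append(ev)

    findings = []
    for key, evs in by_key.items():
        evs.sort(key=lambda e: e["time"])
        for i, ev in enumerate(evs):
            if ev["name"] != "GetCallerIdentity":
                continue
            deadline = ev["time"] + window
            quota_calls = [e for e in evs[i + 1:]
                           if e["name"] == "GetSendQuota" and e["time"] <= deadline]
            if not quota_calls:
                continue  # identity check without a quota probe: not this pattern
            findings.append({
                "accessKeyId": key,
                "probe_start": ev["time"].isoformat(),
                "seconds_to_quota_check": int(
                    (quota_calls[0]["time"] - ev["time"]).total_seconds()),
                # Multiple source IPs on one key hint at distributed infrastructure.
                "source_ips": sorted({ev["ip"]} | {e["ip"] for e in quota_calls}),
                "denied_quota_checks": sum(1 for e in quota_calls if e["error"]),
            })
            break  # one finding per key is enough for triage
    return findings


if __name__ == "__main__":
    for finding in find_probing(parse_events(SAMPLE_LOG)):
        print(json.dumps(finding, indent=2))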
