'TruffleNet' Attack Wields Stolen Credentials Against AWS


Dark Reading

Reconnaissance and BEC are among the malicious activities attackers commit after compromising cloud accounts, using a framework based on the TruffleHog tool.

November 3, 2025

Attackers are abusing Amazon Web Services' (AWS) Simple Email Service (SES) via legitimate open source tools to steal credentials and infiltrate organizations to execute network reconnaissance. In some cases, threat actors even use compromised environments to perform downstream business email compromise (BEC) attacks.

An emerging threat campaign is using stolen credentials to target SES, Amazon's email automation service, via a large-scale attack infrastructure dubbed TruffleNet, built around the open source secret-scanning tool TruffleHog, according to research from Fortinet AI. Attackers designed TruffleNet to "systematically test compromised credentials and perform reconnaissance across AWS environments," Fortinet AI's Scott Hall wrote in the post.

"In one incident involving multiple compromised credentials, we recorded activity from more than 800 unique hosts across 57 distinct Class C networks," he wrote. Attackers achieved this scale not only with TruffleHog but also, in Hall's words, "by consistent configurations, including open ports and the presence of Portainer," an open source management UI for Docker and Kubernetes that simplifies container deployment and orchestration. Though Portainer is a legitimate tool — in this case, widely used by administrators for DevOps workflows — attackers can also exploit it as a lightweight control panel that provides a centralized dashboard and API for managing malicious infrastructure. This enables adversaries to coordinate large numbers of nodes with minimal effort, Hall noted.

TruffleNet's first contact with an AWS environment is a simple call to GetCallerIdentity, used to test whether stolen credentials are valid. The malicious infrastructure also had a component that leverages the AWS command line interface (CLI) to query the "GetSendQuota" API for SES, which is "a call frequently seen at the outset of SES abuse," Hall noted.

Most of the IPs used by TruffleNet had no antivirus or bad-reputation detections, suggesting that the infrastructure was built by attackers specifically for this purpose. "In most cloud-based attacks, source IP addresses are often linked to VPNs, Tor nodes, or other illicit activity," Hall noted. Similarly, no follow-on actions or privilege escalations were attempted from these source hosts — only GetSendQuota and GetCallerIdentity calls were observed. "This pattern implies a possible tiered infrastructure, with some nodes dedicated to reconnaissance, and others reserved for later stages of the attack," he wrote.

The BEC attacks observed by the researchers are likely related to TruffleNet, as they were observed alongside reconnaissance activity linked to the malicious infrastructure, Hall said. Attackers exploited Amazon SES within the compromised environment to establish sending identities using DomainKeys Identified Mail (DKIM) from previously compromised WordPress sites.

One of the malicious domains, cfp-impactaction.com, was then used in a "BEC vendor onboarding W-9 scam" targeting the oil and gas sector, Hall wrote. "Attackers sent an invoice purporting to be from ZoomInfo, requesting a $50,000 ACH payment," he explained. The W-9 attached to the BEC messages contained a publicly available Employer ID number of the impersonated company to lend credibility to the email, which directed recipients to send payment inquiries to a typosquatted address, zoominfopay[.]com, Hall added.

TruffleNet demonstrates that identity compromise remains one of the most pressing threats to cloud infrastructure, particularly on AWS. Attackers frequently abuse SES to scale illicit email operations once they have obtained valid AWS keys, Hall observed.

The discovery of the malicious infrastructure also shows "how quickly threat actors are evolving their tactics to exploit cloud infrastructure at scale" to bypass traditional security controls, he said. "By combining credential theft, reconnaissance automation, and SES abuse, adversaries can weaponize legitimate services to conduct high-volume fraud and Business Email Compromise with minimal detection," Hall wrote.

To mitigate the risks from these evolving threats to the cloud, defenders should implement continuous monitoring, least-privilege access, and behavioral analytics, according to Fortinet AI. Identity-driven cloud threats require specific types of visibility and protection so organizations can detect abnormal activity and ensure that credentials to their environments are not stolen and used against them for further malicious activity.

Composite alerting technology in particular can help organizations evaluate multiple aspects of cloud-based attacks, including anomalous cloud connections and suspicious automation activity; unusual user behavior and deviations from expected patterns; offensive tool usage, including TruffleHog and similar utilities; and common SES abuse indicators, Hall said. "Composite alerting is highly effective at detecting identity compromise, which often evades traditional point-based detection," he wrote. "Because valid credentials appear legitimate, they can bypass standard monitoring when no clear indicators of compromise are present." Composite alerts, then, can analyze both network and behavioral anomalies, he explained, "generating high-confidence alerts for cloud attacks and identity misuse."

Elizabeth Montalbano, Contributing Writer
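The article describes a detection signal that only becomes convincing when several weak observations are combined: a GetCallerIdentity call followed by an SES GetSendQuota call from the same host, no other activity from that host, and the same access key exercised from many hosts across distinct /24 networks. The following is an added example, not code from the article or from Fortinet AI, showing how a defender could express that composite logic over CloudTrail-style events. The event records are constructed and use a simplified flat shape (in real CloudTrail the key ID sits under userIdentity.accessKeyId); the thresholds are assumptions to be tuned per environment.

```python
"""
Composite alert for the credential-probing pattern described in the article:
GetCallerIdentity followed by ses:GetSendQuota from one host, nothing else
from that host, and the same access key probed from many hosts and networks.
All events below are constructed samples in a simplified CloudTrail shape.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_network


def _ev(t, source, name, ip, key):
    """Build one constructed event record (simplified CloudTrail fields)."""
    return {"eventTime": t, "eventSource": source, "eventName": name,
            "sourceIPAddress": ip, "accessKeyId": key}


# Constructed sample: one key probed from four hosts in two /24s (the
# TruffleNet-style pattern), one host that only validated the key, and an
# administrator key that went on to send mail (legitimate SES use).
PROBED_KEY = "AKIAEXAMPLEKEY000001"   # placeholder, not a real key ID
ADMIN_KEY = "AKIAEXAMPLEKEY000002"    # placeholder, not a real key ID
SAMPLE_EVENTS = [
    _ev("2025-11-03T10:00:01Z", "sts.amazonaws.com", "GetCallerIdentity", "198.51.100.10", PROBED_KEY),
    _ev("2025-11-03T10:00:03Z", "ses.amazonaws.com", "GetSendQuota", "198.51.100.10", PROBED_KEY),
    _ev("2025-11-03T10:00:07Z", "sts.amazonaws.com", "GetCallerIdentity", "198.51.100.11", PROBED_KEY),
    _ev("2025-11-03T10:00:09Z", "ses.amazonaws.com", "GetSendQuota", "198.51.100.11", PROBED_KEY),
    _ev("2025-11-03T10:01:15Z", "sts.amazonaws.com", "GetCallerIdentity", "203.0.113.5", PROBED_KEY),
    _ev("2025-11-03T10:01:16Z", "ses.amazonaws.com", "GetSendQuota", "203.0.113.5", PROBED_KEY),
    _ev("2025-11-03T10:02:40Z", "sts.amazonaws.com", "GetCallerIdentity", "203.0.113.6", PROBED_KEY),
    _ev("2025-11-03T10:02:42Z", "ses.amazonaws.com", "GetSendQuota", "203.0.113.6", PROBED_KEY),
    # Validation only, no SES quota check: not counted as a probe session.
    _ev("2025-11-03T10:03:00Z", "sts.amazonaws.com", "GetCallerIdentity", "198.51.100.12", PROBED_KEY),
    # Administrator: same two calls, but followed by real work (SendEmail).
    _ev("2025-11-03T11:00:00Z", "sts.amazonaws.com", "GetCallerIdentity", "192.0.2.20", ADMIN_KEY),
    _ev("2025-11-03T11:00:02Z", "ses.amazonaws.com", "GetSendQuota", "192.0.2.20", ADMIN_KEY),
    _ev("2025-11-03T11:00:30Z", "ses.amazonaws.com", "SendEmail", "192.0.2.20", ADMIN_KEY),
]

PROBE_CALLS = {"GetCallerIdentity", "GetSendQuota"}


def _parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def find_probe_sessions(events, window=timedelta(minutes=10)):
    """Return (accessKeyId, sourceIPAddress) pairs whose entire activity is a
    GetCallerIdentity followed within `window` by GetSendQuota and nothing else."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[(ev["accessKeyId"], ev["sourceIPAddress"])].append(ev)

    probes = []
    for (key, ip), evs in by_host.items():
        names = {e["eventName"] for e in evs}
        if names != PROBE_CALLS:          # must be exactly these two calls
            continue
        first_identity = min(_parse_time(e["eventTime"]) for e in evs
                             if e["eventName"] == "GetCallerIdentity")
        first_quota = min(_parse_time(e["eventTime"]) for e in evs
                          if e["eventName"] == "GetSendQuota")
        if first_identity <= first_quota <= first_identity + window:
            probes.append((key, ip))
    return probes


def composite_alert(events, min_hosts=3, min_networks=2):
    """Raise one alert per access key that was probed from at least
    `min_hosts` distinct hosts spanning at least `min_networks` /24 networks.
    Thresholds are assumptions; tune them to the environment."""
    hosts_by_key = defaultdict(set)
    for key, ip in find_probe_sessions(events):
        hosts_by_key[key].add(ip)

    alerts = []
    for key, ips in sorted(hosts_by_key.items()):
        networks = {ip_network(f"{ip}/24", strict=False) for ip in ips}
        if len(ips) >= min_hosts and len(networks) >= min_networks:
            alerts.append({"accessKeyId": key, "hosts": len(ips),
                           "networks": len(networks)})
    return alerts


if __name__ == "__main__":
    for alert in composite_alert(SAMPLE_EVENTS):
        print(f"ALERT: key {alert['accessKeyId']} probed from "
              f"{alert['hosts']} hosts in {alert['networks']} /24 networks")
```

The administrator's session is not flagged because a later SendEmail means the host did more than validate the key, and the lone GetCallerIdentity host is ignored because it never reached the SES quota check; only the key exercised from several hosts in several networks produces an alert, which is the distributed, reconnaissance-only behaviour the article attributes to TruffleNet.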

Source: This article was originally published on Dark Reading

