TruffleNet Infrastructure Abuses AWS for Large-Scale Financial Fraud

An attacker infrastructure dubbed TruffleNet is leveraging stolen credentials and open-source tools to systematically compromise Amazon Web Services (AWS) environments for reconnaissance and subsequent financial fraud. The campaign uses a network of over 800 unique hosts and abuses the AWS Simple Email Service (SES) to facilitate Business Email Compromise (BEC) attacks.

The new threat campaign was identified in research from Fortinet, which details how the infrastructure automates the testing of compromised credentials at significant scale. TruffleNet is characterized by its use of TruffleHog, a legitimate open-source tool for scanning for leaked secrets, to validate stolen AWS credentials. This activity represents a sophisticated approach to weaponizing legitimate cloud services for malicious purposes, similar to how other threat actors have repurposed legitimate services for their own ends, such as the Aisuru botnet, which leverages residential proxies.

Attack Methodology and Reconnaissance

The attack begins with a simple API call to GetCallerIdentity to confirm whether a set of stolen credentials is valid. According to researchers, this is followed by a query to the GetSendQuota API, which is described as “a call frequently seen at the outset of SES abuse.” This reconnaissance phase allows attackers to assess the email-sending capacity of a compromised account before using it for fraudulent activity. The infrastructure’s IP addresses largely showed no prior malicious reputation, suggesting a purpose-built network designed to evade reputation-based detection.
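As an added defensive example, not code from the Fortinet research or this article: a small Python check over constructed CloudTrail-style records that flags the validate-then-probe sequence described above (sts:GetCallerIdentity followed shortly by ses:GetSendQuota from the same access key and source address). The sample records, key IDs, IP addresses and the five-minute window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample CloudTrail records (not from the report); fields trimmed
# to the ones the detection uses. Key 1 shows the probe pattern, key 2 does not.
SAMPLE_EVENTS = [
    {"eventTime": "2025-10-01T10:00:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE00000001"}},
    {"eventTime": "2025-10-01T10:00:04Z", "eventSource": "ses.amazonaws.com",
     "eventName": "GetSendQuota", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE00000001"}},
    {"eventTime": "2025-10-01T11:00:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE00000002"}},
    {"eventTime": "2025-10-01T11:30:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE00000002"}},
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def find_ses_probe_sequences(events, window=timedelta(minutes=5)):
    """Return (accessKeyId, sourceIP, seconds) for each access key where an
    sts:GetCallerIdentity is followed within `window` by ses:GetSendQuota from
    the same source IP: the credential-validation-then-SES-probe pattern the
    report places at the outset of SES abuse."""
    by_key = {}
    for e in sorted(events, key=lambda e: e["eventTime"]):  # ISO times sort lexically
        key = e.get("userIdentity", {}).get("accessKeyId")
        if key:
            by_key.setdefault(key, []).append(e)
    hits = []
    for key, evs in by_key.items():
        for i, a in enumerate(evs):
            if a["eventName"] != "GetCallerIdentity" or a["eventSource"] != "sts.amazonaws.com":
                continue
            for b in evs[i + 1:]:
                delta = _ts(b["eventTime"]) - _ts(a["eventTime"])
                if delta > window:
                    break  # later events are outside the window; stop scanning
                if (b["eventName"] == "GetSendQuota"
                        and b["eventSource"] == "ses.amazonaws.com"
                        and b["sourceIPAddress"] == a["sourceIPAddress"]):
                    hits.append((key, a["sourceIPAddress"], int(delta.total_seconds())))
                    break
    return hits

if __name__ == "__main__":
    for key, ip, secs in find_ses_probe_sequences(SAMPLE_EVENTS):
        print(f"ALERT: {key} from {ip}: GetCallerIdentity -> GetSendQuota in {secs}s")
```

In practice the hit list would be joined against the key's history so that a first-seen source IP, as the report's clean-reputation hosts would be, raises the severity.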

Attackers also use Portainer, an open-source container management tool, as a lightweight control panel. This enables the coordinated management of a large number of nodes with minimal effort, streamlining the operation of the distributed attack infrastructure. Fortinet noted that in one incident, activity was recorded from “more than 800 unique hosts across 57 distinct Class C networks.” The pattern of activity, limited to initial reconnaissance calls, suggests a tiered infrastructure in which some nodes are used for credential testing and others are reserved for later attack stages.

From Reconnaissance to BEC Attacks

Following the reconnaissance phase, the attackers leverage compromised AWS accounts for BEC campaigns. In one documented instance, the threat actors exploited SES to send fraudulent invoices targeting the oil and gas sector. The email, which impersonated the company ZoomInfo, requested a “$50,000 ACH payment.” To add legitimacy, the attached W-9 form included the impersonated company’s publicly available Employer ID number and directed payment inquiries to a typosquatted domain.

The TruffleNet campaign demonstrates the increasing use of automation and legitimate tooling by threat actors to exploit cloud infrastructure. By combining credential theft with automated reconnaissance and the abuse of trusted services, attackers can conduct high-volume fraud while minimizing their chances of detection. This tactic of using legitimate APIs for malicious purposes has been seen in other campaigns, such as the SesameOp backdoor, which used OpenAI’s API for command and control.

Fortinet advises that mitigating these identity-driven threats requires continuous monitoring, least-privilege access controls, and behavioral analytics to detect anomalous activity that may indicate a compromise. This campaign highlights the evolving tactics of threat actors who are weaponizing legitimate cloud services and open-source tools to execute attacks at scale.