Researchers uncovered a coordinated campaign leveraging stolen AWS credentials to automate reconnaissance and abuse Amazon Simple Email Service (SES) for Business Email Compromise (BEC) operations. The attackers used a custom infrastructure dubbed TruffleNet, built around the open-source tool TruffleHog, to validate and test compromised credentials across hundreds of AWS environments. Once valid credentials were confirmed, the adversaries abused SES (legitimate functionality, not a software vulnerability) to create verified email identities, enabling large-scale phishing and financial fraud campaigns that mimicked legitimate business correspondence.
The campaign relied on extensive automation and modular infrastructure, with over 800 hosts across multiple networks using AWS CLI and Boto3 to perform API calls such as GetCallerIdentity and GetSendQuota for reconnaissance. Attackers also used Portainer, an open-source Docker and Kubernetes management interface, to coordinate infrastructure operations. Follow-on activity included privilege escalation attempts and BEC campaigns that impersonated vendors, using compromised DKIM keys from hijacked WordPress sites to authenticate malicious emails. The campaign highlights how credential theft and SES abuse enable scalable fraud through legitimate cloud services with minimal detection.
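The recon-then-setup sequence described above (GetCallerIdentity and GetSendQuota followed by SES identity verification from the same access key) is detectable in CloudTrail. The following is an added defender-side example, not code from the researchers or the campaign; it assumes standard CloudTrail record fields and uses constructed sample events, with the 30-minute window as an illustrative tuning choice.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample CloudTrail records (not real logs): one key runs the
# recon chain within minutes; a second key only sends mail as usual.
SAMPLE_EVENTS = [
    {"eventTime": "2025-10-01T12:00:05Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE0000001"}},
    {"eventTime": "2025-10-01T12:00:09Z", "eventSource": "ses.amazonaws.com",
     "eventName": "GetSendQuota", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE0000001"}},
    {"eventTime": "2025-10-01T12:14:40Z", "eventSource": "ses.amazonaws.com",
     "eventName": "VerifyEmailIdentity", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE0000001"}},
    {"eventTime": "2025-10-01T12:30:00Z", "eventSource": "ses.amazonaws.com",
     "eventName": "SendEmail", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE0000002"}},
]

RECON_CALLS = {"GetCallerIdentity", "GetSendQuota"}
IDENTITY_SETUP_CALLS = {"VerifyEmailIdentity", "VerifyDomainIdentity",
                        "CreateEmailIdentity"}

def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def find_ses_recon_chains(events, window_minutes=30):
    """Return {accessKeyId: [eventName, ...]} for keys that made a recon call
    and then an SES identity-setup call within `window_minutes`.
    Plain SendEmail activity on its own is never flagged."""
    by_key = defaultdict(list)
    for ev in events:
        by_key[ev["userIdentity"]["accessKeyId"]].append(ev)
    window = timedelta(minutes=window_minutes)
    hits = {}
    for key, evs in by_key.items():
        evs.sort(key=_ts)
        for i, ev in enumerate(evs):
            if ev["eventName"] not in RECON_CALLS or key in hits:
                continue
            chain = [ev["eventName"]]
            for later in evs[i + 1:]:
                if _ts(later) - _ts(ev) > window:
                    break  # outside the window: stop following this start
                chain.append(later["eventName"])
                if later["eventName"] in IDENTITY_SETUP_CALLS:
                    hits[key] = chain  # recon -> identity setup observed
                    break
    return hits

if __name__ == "__main__":
    for key, chain in find_ses_recon_chains(SAMPLE_EVENTS).items():
        print(f"{key}: {' -> '.join(chain)}")
```

In production, feed this the decoded `Records` array from CloudTrail log files and pair a hit with a source-IP or geolocation check on the flagged key.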