{ "type": "Domain", "indicator": "cfp-impactaction.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/cfp-impactaction.com", "alexa": "http://www.alexa.com/siteinfo/cfp-impactaction.com", "indicator": "cfp-impactaction.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4144876094, "indicator": "cfp-impactaction.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 6, "pulses": [ { "id": "6905dfdab3ef8f05a7bdb858", "name": "Cloud Abuse at Scale", "description": "A large-scale attack infrastructure dubbed TruffleNet has been identified, built around the open-source tool TruffleHog. This infrastructure is used to systematically test compromised credentials and perform reconnaissance across AWS environments. The campaign involves over 800 unique hosts across 57 distinct Class C networks, characterized by consistent configurations and the use of Portainer. Alongside TruffleNet, adversaries are exploiting Amazon Simple Email Service (SES) to facilitate Business Email Compromise (BEC) campaigns. The attackers create email identities using compromised WordPress sites and conduct aggressive cloud reconnaissance. This activity highlights the evolving tactics of threat actors in exploiting cloud infrastructure at scale, combining credential theft, reconnaissance automation, and SES abuse to conduct high-volume fraud with minimal detection.", "modified": "2025-12-01T10:03:42.437000", "created": "2025-11-01T10:24:25.998000", "tags": [ "identity compromise", "trufflehog", "credential abuse", "cloud infrastructure", "coroxy", "systembc", "aws", "bec", "portainer", "trufflenet", "xmrig", "ses" ], "references": [ "https://www.fortinet.com/blog/threat-research/cloud-abuse-at-scale" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "XMrig", "display_name": "XMrig", "target": null }, { "id": "Coroxy", "display_name": "Coroxy", "target": null }, { "id": "SystemBC", "display_name": "SystemBC", "target": null } ], "attack_ids": [ { "id": "T1087.003", "name": "Email Account", "display_name": "T1087.003 - Email Account" }, { "id": "T1525", "name": "Implant Internal Image", "display_name": "T1525 - Implant Internal Image" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1136.003", "name": "Cloud Account", "display_name": "T1136.003 - Cloud Account" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1526", "name": "Cloud Service Discovery", "display_name": "T1526 - Cloud Service Discovery" } ], "industries": [ "Energy" ], "TLP": "white", "cloned_from": null, "export_count": 35, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 7 }, "indicator_count": 7, "is_author": false, "is_subscribing": null, "subscriber_count": 387134, "modified_text": "184 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "690b3e15fa1f58b81bdfb81d", "name": "EbeeNov2025 Pt1", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2025-12-05T12:04:04.227000", "created": "2025-11-05T12:07:49.857000", "tags": [], "references": [ "Nov.Week1.pdf" ], "public": 1, "adversary": "Cl0p ransomware, \u2022 Silent Lynx, \u2022Tor-Backed \u2022PDFClick \u2022DesertDexter", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 49, "FileHash-MD5": 152, "FileHash-SHA1": 99, "FileHash-SHA256": 186, "domain": 28, "email": 9, "hostname": 21 }, "indicator_count": 544, "is_author": false, "is_subscribing": null, "subscriber_count": 42, "modified_text": "180 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "690971aab884aeaa7bb8e818", "name": "IOC - Cloud Abuse at Scale TruffleNet, AWS SES, and Business Email Compromise", "description": "Identity compromise remains one of the most pressing threats to cloud infrastructure today. When attackers gain access to valid credentials, they can often bypass the traditional security controls designed to protect those environments. In AWS, this type of compromise frequently manifests through abuse of the Simple Email Service (SES), one of the most common tactics observed in real-world intrusions. SES offers adversaries a convenient and scalable way to conduct illicit email operations once they\u2019ve obtained valid AWS access keys.", "modified": "2025-12-04T03:02:23.905000", "created": "2025-11-04T03:23:22.112000", "tags": [ "x8664", "cpython", "cpython mz", "cpython me", "z cfgretrymode" ], "references": [ "https://www.fortinet.com/blog/threat-research/cloud-abuse-at-scale" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 5 }, "indicator_count": 5, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "181 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6907af1fc40c87d4f976b559", "name": "Cloud Abuse at Scale", "description": "The recent campaign identified involves the use of stolen credentials targeting Amazon Simple Email Service (SES) through a sophisticated infrastructure known as TruffleNet. This infrastructure takes advantage of TruffleHog, an open-source tool designed for secret scanning, to systematically test compromised credentials across various AWS environments. Notably, the campaign connects credential testing with tactics for downstream Business Email Compromise (BEC), which manifests as attackers impersonating trusted entities to facilitate financial fraud.", "modified": "2025-12-02T19:05:55.070000", "created": "2025-11-02T19:21:03.699000", "tags": [ "threat research", "fortiguard labs threat research", "x8664", "fortimail", "fortinet", "z cfgretrymode", "cpython mz", "fortigate", "cpython mb", "cpython md", "d cfgretrymode", "cpython", "service", "adjusts", "coroxy", "user agents", "observed", "bec compromise", "cpython me" ], "references": [ "https://www.fortinet.com/blog/threat-research/cloud-abuse-at-scale" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1136", "name": "Create Account", "display_name": "T1136 - Create Account" }, { "id": "T1525", "name": "Implant Internal Image", "display_name": "T1525 - Implant Internal Image" }, { "id": "T1526", "name": "Cloud Service Discovery", "display_name": "T1526 - Cloud Service Discovery" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1530", "name": "Data from Cloud Storage Object", "display_name": "T1530 - Data from Cloud Storage Object" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Financial", "Oil And Gas" ], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 7 }, "indicator_count": 7, "is_author": false, "is_subscribing": null, "subscriber_count": 545, "modified_text": "182 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "690ad770c5fcdae15f76ed1f", "name": "Cloud Abuse at Scale", "description": "", "modified": "2025-12-01T10:03:42.437000", "created": "2025-11-05T04:49:52.769000", "tags": [ "identity compromise", "trufflehog", "credential abuse", "cloud infrastructure", "coroxy", "systembc", "aws", "bec", "portainer", "trufflenet", "xmrig", "ses" ], "references": [ "https://www.fortinet.com/blog/threat-research/cloud-abuse-at-scale" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "XMrig", "display_name": "XMrig", "target": null }, { "id": "Coroxy", "display_name": "Coroxy", "target": null }, { "id": "SystemBC", "display_name": "SystemBC", "target": null } ], "attack_ids": [ { "id": "T1087.003", "name": "Email Account", "display_name": "T1087.003 - Email Account" }, { "id": "T1525", "name": "Implant Internal Image", "display_name": "T1525 - Implant Internal Image" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1136.003", "name": "Cloud Account", "display_name": "T1136.003 - Cloud Account" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1526", "name": "Cloud Service Discovery", "display_name": "T1526 - Cloud Service Discovery" } ], "industries": [ "Energy" ], "TLP": "white", "cloned_from": "6905dfdab3ef8f05a7bdb858", "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 7 }, "indicator_count": 7, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "184 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "690959971f6d4b338591ed5b", "name": "TruffleNet BEC Campaign Exploits AWS SES with Stolen Credentials", "description": "Attackers are abusing Amazon Web Services' (AWS) Simple Email Service (SES) via legitimate open source tools to steal credentials and infiltrate organizations to execute network reconnaissance.", "modified": "2025-11-04T01:40:39.541000", "created": "2025-11-04T01:40:39.541000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 3 }, "indicator_count": 3, "is_author": false, "is_subscribing": null, "subscriber_count": 500, "modified_text": "211 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "Nov.Week1.pdf", "https://www.fortinet.com/blog/threat-research/cloud-abuse-at-scale" ], "related": { "alienvault": { "adversary": [], "malware_families": [ "Systembc", "Xmrig", "Coroxy" ], "industries": [ "Energy" ] }, "other": { "adversary": [ "Cl0p ransomware, \u2022 Silent Lynx, \u2022Tor-Backed \u2022PDFClick \u2022DesertDexter" ], "malware_families": [ "Systembc", "Xmrig", "Coroxy" ], "industries": [ "Oil and gas", "Energy", "Financial" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 6, "pulses": [ { "id": "6905dfdab3ef8f05a7bdb858", "name": "Cloud Abuse at Scale", "description": "A large-scale attack infrastructure dubbed TruffleNet has been identified, built around the open-source tool TruffleHog. This infrastructure is used to systematically test compromised credentials and perform reconnaissance across AWS environments. The campaign involves over 800 unique hosts across 57 distinct Class C networks, characterized by consistent configurations and the use of Portainer. Alongside TruffleNet, adversaries are exploiting Amazon Simple Email Service (SES) to facilitate Business Email Compromise (BEC) campaigns. The attackers create email identities using compromised WordPress sites and conduct aggressive cloud reconnaissance. This activity highlights the evolving tactics of threat actors in exploiting cloud infrastructure at scale, combining credential theft, reconnaissance automation, and SES abuse to conduct high-volume fraud with minimal detection.", "modified": "2025-12-01T10:03:42.437000", "created": "2025-11-01T10:24:25.998000", "tags": [ "identity compromise", "trufflehog", "credential abuse", "cloud infrastructure", "coroxy", "systembc", "aws", "bec", "portainer", "trufflenet", "xmrig", "ses" ], "references": [ "https://www.fortinet.com/blog/threat-research/cloud-abuse-at-scale" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "XMrig", "display_name": "XMrig", "target": null }, { "id": "Coroxy", "display_name": "Coroxy", "target": null }, { "id": "SystemBC", "display_name": "SystemBC", "target": null } ], "attack_ids": [ { "id": "T1087.003", "name": "Email Account", "display_name": "T1087.003 - Email Account" }, { "id": "T1525", "name": "Implant Internal Image", "display_name": "T1525 - Implant Internal Image" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1136.003", "name": "Cloud Account", "display_name": "T1136.003 - Cloud Account" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1526", "name": "Cloud Service Discovery", "display_name": "T1526 - Cloud Service Discovery" } ], "industries": [ "Energy" ], "TLP": "white", "cloned_from": null, "export_count": 35, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 7 }, "indicator_count": 7, "is_author": false, "is_subscribing": null, "subscriber_count": 387134, "modified_text": "184 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "690b3e15fa1f58b81bdfb81d", "name": "EbeeNov2025 Pt1", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2025-12-05T12:04:04.227000", "created": "2025-11-05T12:07:49.857000", "tags": [], "references": [ "Nov.Week1.pdf" ], "public": 1, "adversary": "Cl0p ransomware, \u2022 Silent Lynx, \u2022Tor-Backed \u2022PDFClick \u2022DesertDexter", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 49, "FileHash-MD5": 152, "FileHash-SHA1": 99, "FileHash-SHA256": 186, "domain": 28, "email": 9, "hostname": 21 }, "indicator_count": 544, "is_author": false, "is_subscribing": null, "subscriber_count": 42, "modified_text": "180 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "690971aab884aeaa7bb8e818", "name": "IOC - Cloud Abuse at Scale TruffleNet, AWS SES, and Business Email Compromise", "description": "Identity compromise remains one of the most pressing threats to cloud infrastructure today. When attackers gain access to valid credentials, they can often bypass the traditional security controls designed to protect those environments. In AWS, this type of compromise frequently manifests through abuse of the Simple Email Service (SES), one of the most common tactics observed in real-world intrusions. SES offers adversaries a convenient and scalable way to conduct illicit email operations once they\u2019ve obtained valid AWS access keys.", "modified": "2025-12-04T03:02:23.905000", "created": "2025-11-04T03:23:22.112000", "tags": [ "x8664", "cpython", "cpython mz", "cpython me", "z cfgretrymode" ], "references": [ "https://www.fortinet.com/blog/threat-research/cloud-abuse-at-scale" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 5 }, "indicator_count": 5, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "181 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6907af1fc40c87d4f976b559", "name": "Cloud Abuse at Scale", "description": "The recent campaign identified involves the use of stolen credentials targeting Amazon Simple Email Service (SES) through a sophisticated infrastructure known as TruffleNet. This infrastructure takes advantage of TruffleHog, an open-source tool designed for secret scanning, to systematically test compromised credentials across various AWS environments. Notably, the campaign connects credential testing with tactics for downstream Business Email Compromise (BEC), which manifests as attackers impersonating trusted entities to facilitate financial fraud.", "modified": "2025-12-02T19:05:55.070000", "created": "2025-11-02T19:21:03.699000", "tags": [ "threat research", "fortiguard labs threat research", "x8664", "fortimail", "fortinet", "z cfgretrymode", "cpython mz", "fortigate", "cpython mb", "cpython md", "d cfgretrymode", "cpython", "service", "adjusts", "coroxy", "user agents", "observed", "bec compromise", "cpython me" ], "references": [ "https://www.fortinet.com/blog/threat-research/cloud-abuse-at-scale" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1136", "name": "Create Account", "display_name": "T1136 - Create Account" }, { "id": "T1525", "name": "Implant Internal Image", "display_name": "T1525 - Implant Internal Image" }, { "id": "T1526", "name": "Cloud Service Discovery", "display_name": "T1526 - Cloud Service Discovery" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1530", "name": "Data from Cloud Storage Object", "display_name": "T1530 - Data from Cloud Storage Object" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Financial", "Oil And Gas" ], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 7 }, "indicator_count": 7, "is_author": false, "is_subscribing": null, "subscriber_count": 545, "modified_text": "182 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "690ad770c5fcdae15f76ed1f", "name": "Cloud Abuse at Scale", "description": "", "modified": "2025-12-01T10:03:42.437000", "created": "2025-11-05T04:49:52.769000", "tags": [ "identity compromise", "trufflehog", "credential abuse", "cloud infrastructure", "coroxy", "systembc", "aws", "bec", "portainer", "trufflenet", "xmrig", "ses" ], "references": [ "https://www.fortinet.com/blog/threat-research/cloud-abuse-at-scale" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "XMrig", "display_name": "XMrig", "target": null }, { "id": "Coroxy", "display_name": "Coroxy", "target": null }, { "id": "SystemBC", "display_name": "SystemBC", "target": null } ], "attack_ids": [ { "id": "T1087.003", "name": "Email Account", "display_name": "T1087.003 - Email Account" }, { "id": "T1525", "name": "Implant Internal Image", "display_name": "T1525 - Implant Internal Image" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1136.003", "name": "Cloud Account", "display_name": "T1136.003 - Cloud Account" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1526", "name": "Cloud Service Discovery", "display_name": "T1526 - Cloud Service Discovery" } ], "industries": [ "Energy" ], "TLP": "white", "cloned_from": "6905dfdab3ef8f05a7bdb858", "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 7 }, "indicator_count": 7, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "184 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "690959971f6d4b338591ed5b", "name": "TruffleNet BEC Campaign Exploits AWS SES with Stolen Credentials", "description": "Attackers are abusing Amazon Web Services' (AWS) Simple Email Service (SES) via legitimate open source tools to steal credentials and infiltrate organizations to execute network reconnaissance.", "modified": "2025-11-04T01:40:39.541000", "created": "2025-11-04T01:40:39.541000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 3 }, "indicator_count": 3, "is_author": false, "is_subscribing": null, "subscriber_count": 500, "modified_text": "211 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "cfp-impactaction.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "cfp-impactaction.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780501868.6636882 }