Fortinet’s FortiGuard Labs has identified a widespread cloud abuse campaign, dubbed “TruffleNet,” that leverages stolen AWS credentials to exploit Amazon Simple Email Service (SES) for large-scale Business Email Compromise (BEC) and email fraud operations. The infrastructure, consisting of over 800 unique hosts across 57 distinct networks, demonstrates a new level of scale, automation, and operational discipline in cloud credential abuse.
“Identity compromise remains one of the most pressing threats to cloud infrastructure today,” the Fortinet researchers wrote. “When attackers gain access to valid credentials, they can often bypass the traditional security controls designed to protect those environments.”
The TruffleNet infrastructure was first observed conducting reconnaissance activity using TruffleHog, a legitimate open-source tool for secret scanning, which attackers repurposed to test and validate compromised AWS keys.
According to Fortinet, “In one incident involving multiple compromised credentials, we recorded activity from more than 800 unique hosts across 57 distinct Class C networks.” These hosts shared common configurations — open ports, Docker management tools, and identical behavioral patterns — indicating a centrally managed, purpose-built system.
The initial contact sequence from these hosts involved a GetCallerIdentity API call, verifying credential validity, followed by GetSendQuota, an API used to query Amazon SES sending limits — a precursor to spam or phishing abuse.
“The vast majority of TruffleNet IPs showed no bad reputation or antivirus detections,” Fortinet noted. “The absence of such associations suggests a dedicated infrastructure built for a specific purpose.”
One of TruffleNet’s most distinctive features is its use of Portainer, a legitimate Docker and Kubernetes management UI, as a lightweight control panel to orchestrate the entire operation.
Fortinet explained that, “By providing a centralized dashboard and API, Portainer effectively serves as an ‘infrastructure-as-a-service’ layer, enabling adversaries to coordinate large numbers of nodes with minimal effort.”
While Portainer is commonly used in DevOps workflows, the attackers repurposed it to deploy, monitor, and update hundreds of compromised nodes simultaneously, effectively transforming what should be a cloud management tool into a criminal command infrastructure.
Beyond reconnaissance, Fortinet observed TruffleNet operators conducting fraudulent BEC operations using compromised AWS accounts to send spoofed corporate emails via Amazon SES.
In one notable case, attackers exploited SES to create verified email identities using stolen DomainKeys Identified Mail (DKIM) keys from hacked WordPress sites, allowing them to send convincing messages that bypassed standard anti-spam filters.
“Amazon SES was exploited within the compromised environment to establish sending identities using DomainKeys Identified Mail (DKIM) from previously compromised WordPress sites,” the report stated.
Fortinet detailed that before launching their BEC campaigns, the attackers executed aggressive cloud reconnaissance using various AWS APIs, including:
- ListIdentities (SES) – To enumerate verified sending domains.
- ListServiceQuotas (Service Quotas) – To assess service limits and plan large-scale abuse.
- UpdateLoginProfile (IAM) – To change console passwords or lock out legitimate owners.
- CreateUser (IAM) – To establish persistent access with new IAM identities.
- PutAccountVdmAttributes (SESv2) – To modify email delivery settings and evade detection.
These actions mapped to multiple MITRE ATT&CK techniques such as T1087.003 (Account Discovery), T1526 (Cloud Service Discovery), and T1136.003 (Create Cloud Account).
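The validation sequence described above (GetCallerIdentity followed by GetSendQuota from the same host) and the follow-on SES/IAM calls listed here can be hunted for in CloudTrail. The following is an added detection example, not code from the Fortinet report; it assumes standard CloudTrail record fields (eventName, eventSource, eventTime, sourceIPAddress, userIdentity.accessKeyId), and the sample events, key IDs and IP addresses are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Calls the report lists as reconnaissance/persistence after key validation.
HIGH_RISK = {"ListIdentities", "ListServiceQuotas", "UpdateLoginProfile",
             "CreateUser", "PutAccountVdmAttributes"}
WINDOW = timedelta(minutes=10)  # assumed window between validation and SES probe


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect(events):
    """Return (accessKeyId, sourceIP, reason) findings for TruffleNet-like activity."""
    findings, by_key = [], defaultdict(list)
    for e in events:
        by_key[e["userIdentity"].get("accessKeyId", "?")].append(e)
    for key, evs in by_key.items():
        evs.sort(key=lambda e: _ts(e["eventTime"]))
        for i, e in enumerate(evs):
            if e["eventName"] == "GetCallerIdentity":
                # A credential check followed within WINDOW by an SES quota probe
                # from the same source host is the contact sequence Fortinet describes.
                for f in evs[i + 1:]:
                    if _ts(f["eventTime"]) - _ts(e["eventTime"]) > WINDOW:
                        break
                    if (f["eventName"], f["sourceIPAddress"]) == ("GetSendQuota", e["sourceIPAddress"]):
                        findings.append((key, e["sourceIPAddress"], "GetCallerIdentity->GetSendQuota"))
                        break
            elif e["eventName"] in HIGH_RISK:
                findings.append((key, e["sourceIPAddress"], e["eventName"]))
    return findings


def _ev(name, src, t, ip, key="AKIAEXAMPLEKEY000001"):
    # Minimal constructed CloudTrail-shaped record (sample data, not from the report).
    return {"eventName": name, "eventSource": src, "eventTime": t,
            "sourceIPAddress": ip, "userIdentity": {"accessKeyId": key}}


SAMPLE_EVENTS = [  # constructed sample, not observed data
    _ev("GetCallerIdentity", "sts.amazonaws.com", "2025-01-01T10:00:00Z", "203.0.113.10"),
    _ev("GetSendQuota", "ses.amazonaws.com", "2025-01-01T10:00:04Z", "203.0.113.10"),
    _ev("ListIdentities", "ses.amazonaws.com", "2025-01-01T10:00:09Z", "203.0.113.10"),
    _ev("CreateUser", "iam.amazonaws.com", "2025-01-01T10:02:00Z", "203.0.113.10"),
    # Benign: a key validated by a developer with no SES follow-up.
    _ev("GetCallerIdentity", "sts.amazonaws.com", "2025-01-01T11:00:00Z", "198.51.100.7", "AKIAEXAMPLEKEY000002"),
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

On the sample, the first key yields the validation-to-quota sequence plus two high-risk calls, while the lone benign GetCallerIdentity produces no finding.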
Immediately following these compromises, Fortinet observed one of the email identities — cfp-impactaction[.]com — being weaponized in a BEC vendor onboarding scam targeting the oil and gas industry.
Attackers impersonated ZoomInfo, sending fraudulent invoices requesting a $50,000 ACH payment. The attached W-9 form included a legitimate Employer Identification Number (EIN) from the real company to enhance authenticity.
Victims were directed to respond to a typosquatted domain, zoominfopay[.]com, operated by the attackers.
Fortinet’s analysis of TruffleNet revealed:
- 800+ active hosts from 10 unique ASNs, predominantly U.S.-based WS Telecom Inc. and Hivelocity LLC.
- Consistent open ports (5432, 3389) misused for communication and command purposes.
- Dedicated, non-blacklisted IPs, suggesting an exclusive infrastructure separate from traditional VPNs or botnets.
The report also connected several email domains used in the attacks — such as cndbenin[.]com, novainways[.]com, and restaurantalhes[.]com — to servers in France, many previously associated with XMRig cryptomining and SystemBC (Coroxy) trojans, indicating cross-campaign overlap among financially motivated actors.