‘TruffleNet’ attack wields stolen credentials against AWS
Attackers are abusing Amazon Web Services’ (AWS) Simple Email Service (SES) via legitimate open source tools to steal credentials and infiltrate organizations to execute network reconnaissance. In some cases, threat actors even use compromised environments to perform downstream business email compromise (BEC) attacks.
An emerging threat campaign is using stolen credentials to target SES, Amazon’s email automation service, via a large-scale attack infrastructure dubbed TruffleNet, built around the open source scanning tool TruffleHog, according to research from Fortinet AI. Attackers designed TruffleNet to “systematically test compromised credentials and perform reconnaissance across AWS environments,” Fortinet AI’s Scott Hall wrote in the post.
“In one incident involving multiple compromised credentials, we recorded activity from more than 800 unique hosts across 57 distinct Class C networks,” he wrote. Attackers achieved this not only by using TruffleHog but also “by consistent configurations, including open ports and the presence of Portainer,” an open source management UI for Docker and Kubernetes that simplifies container deployment and orchestration.
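An added detection example, not taken from the article or from Fortinet's research: a Python check over CloudTrail records that counts, per access key, how many distinct source hosts and /24 networks issued identity or SES quota lookups, the kind of fan-out quoted above. The watched API calls, the thresholds and the sample records are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumption: these read-only calls are treated as credential-test / recon signals.
WATCHED = {("sts.amazonaws.com", "GetCallerIdentity"),
           ("ses.amazonaws.com", "GetSendQuota")}

def _ev(source, name, ip, key):
    """Build a minimal record using CloudTrail's field names."""
    return {"eventSource": source, "eventName": name, "sourceIPAddress": ip,
            "userIdentity": {"accessKeyId": key}}

# Constructed sample data (documentation IP ranges, placeholder key ids).
KEY_A, KEY_B = "AKIAEXAMPLEKEY000001", "AKIAEXAMPLEKEY000002"
SAMPLE_EVENTS = [
    _ev("sts.amazonaws.com", "GetCallerIdentity", "198.51.100.10", KEY_A),
    _ev("ses.amazonaws.com", "GetSendQuota", "198.51.100.11", KEY_A),
    _ev("sts.amazonaws.com", "GetCallerIdentity", "203.0.113.5", KEY_A),
    _ev("ses.amazonaws.com", "GetSendQuota", "192.0.2.77", KEY_A),
    _ev("sts.amazonaws.com", "GetCallerIdentity", "192.0.2.10", KEY_B),
    _ev("sts.amazonaws.com", "GetCallerIdentity", "192.0.2.10", KEY_B),
    _ev("sts.amazonaws.com", "GetCallerIdentity", "cloudformation.amazonaws.com", KEY_B),
    _ev("s3.amazonaws.com", "ListBuckets", "203.0.113.9", KEY_B),
]

def slash24(ip):
    """Return the /24 ("Class C"-sized) network of an IPv4 address, else None."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None  # sourceIPAddress can hold an AWS service name, not an IP
    if addr.version != 4:
        return None
    return ipaddress.ip_network(f"{addr}/24", strict=False)

def fanout_by_key(events, watched=WATCHED):
    """Map access key id -> (distinct source hosts, distinct /24 networks)."""
    hosts, nets = defaultdict(set), defaultdict(set)
    for ev in events:
        if (ev.get("eventSource"), ev.get("eventName")) not in watched:
            continue
        key = (ev.get("userIdentity") or {}).get("accessKeyId")
        net = slash24(ev.get("sourceIPAddress", ""))
        if key and net is not None:
            hosts[key].add(ev["sourceIPAddress"])
            nets[key].add(net)
    return {k: (len(hosts[k]), len(nets[k])) for k in hosts}

def flag_keys(events, min_hosts=3, min_nets=2):
    """Keys whose watched calls came from many hosts spread over several /24s."""
    return sorted(k for k, (h, n) in fanout_by_key(events).items()
                  if h >= min_hosts and n >= min_nets)
```

A key flagged by `flag_keys` is a candidate for rotation and a review of what else it was used for; the thresholds need tuning against the normal number of egress addresses for each workload.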
Read more at Dark Reading