TruffleNet Campaign Exploits AWS SES for Large-Scale Cloud Abuse and BEC Fraud (Campaign)
ID: 517eb93c-b58d-592f-94af-a6d87bcafdd4
STIX ID: report--517eb93c-b58d-592f-94af-a6d87bcafdd4
Feed Name: Wiz Cloud Threat Landscape
Date Published: 2025-10-31
Date Updated: 2026-05-01
Author: Wiz Threat Research
Researchers uncovered a large-scale criminal campaign that automated the validation of stolen AWS credentials using custom infrastructure named TruffleNet and abused Amazon SES to create verified sender identities for Business Email Compromise (BEC). The adversaries used AWS CLI/Boto3 calls (e.g., GetCallerIdentity, GetSendQuota), Portainer for orchestration, and DKIM keys stolen from compromised WordPress sites to send authenticated phishing and financial-fraud email at scale, with follow-on privilege escalation attempts.
