Technical Analysis: Sophisticated AiTM Phishing Campaign Targeting AWS Console Users
A highly coordinated and technically proficient phishing campaign has been identified, specifically targeting AWS console users through an Adversary-in-the-Middle (AiTM) attack vector. By leveraging Cloudflare-hosted domains, the threat actors have deployed a kit capable of bypassing traditional Multi-Factor Authentication (MFA) by intercepting credentials and session tokens in real time.
Each malicious domain serves a pixel-perfect clone of the AWS sign-in interface. Unlike standard phishing sites, this kit utilizes a sophisticated server-driven logic flow. Depending on the user’s specific security configuration, the kit dynamically branches the user journey into customized challenges for email, SMS, or authenticator-app-based MFA, ensuring a seamless and convincing theft of the second factor.
Advanced Gating and Evasion Mechanisms
To evade automated security sandboxes and rapid researcher analysis, the phishing kit employs a strict validation gating mechanism. When a visitor hits the site, the kit looks for a specific URL parameter named input_24. This parameter contains an encrypted Base64 blob which the kit POSTs to a /api/check endpoint. The server decrypts this blob to identify the specific target email address and subsequently sets a validEmail cookie.
Following this, calls to /api/me return a JSON object containing the victim’s metadata, which dictates whether the server renders the cloned login page or a benign blank page. This targeted “pre-flight” check suggests that the campaign is not a broad, opportunistic spray, but rather a highly directed operation against specific high-value identities.

The core of the credential harvesting operation is centralized within a single, modular JavaScript file. Once a victim submits their credentials via /api/login, the kit parses the server’s JSON response and automatically redirects the user to the appropriate MFA path—/email, /sms, or /gauth. By mirroring the exact UI, text, and labels used by AWS, the kit maintains a high level of user deception.
The architectural design indicates classic AiTM behavior: the kit acts as a proxy, relaying authentication attempts to the legitimate AWS infrastructure in real time. This allows the attacker to capture the resulting session tokens and MFA codes instantly for immediate reuse.
Between June 16 and 19, 2026, Datadog Security Research observed this wave of activity. The following domains were registered via NICENIC INTERNATIONAL GROUP CO., LIMITED:
| Domains | Subdomains | Registration Date | Registrar |
|---|---|---|---|
| us-west-login[.]com | aws.us-west-login[.]com, aws-central.us-west-login[.]com | June 18, 2026 | NICENIC INTERNATIONAL GROUP |
| us-east-prod[.]com | aws.us-east-prod[.]com | June 17, 2026 | NICENIC INTERNATIONAL GROUP |
| loginportal-aws[.]com | N/A | June 16, 2026 | NICENIC INTERNATIONAL GROUP |
Delivery Infrastructure and Email Impersonation
Threat intelligence gathered from VirusTotal revealed delivery artifacts, including a June 19 batch file that utilized curl commands to interact with the phishing domains. Furthermore, researchers identified forged AWS Support emails that leveraged SendGrid and Nimbu to bypass SPF, DKIM, and DMARC protections—a hallmark of professional-grade phishing kits designed to maximize deliverability.

Investigation into these SendGrid-impersonating domains revealed they share a React SPA architecture and the same input_24 encryption logic used in previous campaigns. This links the current AWS targeting to infrastructure active since at least July 2025, which has previously been observed targeting CRM and cryptocurrency platforms, as noted in prior NVISO Labs analyses.
Defensive Recommendations and Hunting Strategies
To mitigate the risk of credential replay and unauthorized access, security teams should adopt the following defensive postures:
- DNS & Network Hunting: Monitor for DNS queries or outbound HTTP traffic directed toward the identified malicious domains.
- CloudTrail Correlation: Prioritize ConsoleLogin events in AWS CloudTrail that occur immediately following network telemetry directed at the suspect domains. This temporal correlation is a high-fidelity indicator of a successful AiTM compromise.
- SIEM Integration: Utilize advanced detection rules (such as those in Datadog Cloud SIEM) to flag “Impossible Travel” anomalies and MFA-bypass patterns.
- Phishing-Resistant MFA: The most effective defense against AiTM is the adoption of FIDO2/WebAuthn hardware security keys, which are cryptographically bound to the origin and cannot be intercepted by proxy-based kits.
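The following hunting script is an added example, not part of the original report or any vendor tooling. It covers two points above: it flags web telemetry that touches the listed domains or carries the kit's input_24 gating parameter, and it correlates those hits with successful ConsoleLogin events in CloudTrail for the same user inside a short window. It assumes a constructed proxy-log line format, a 15-minute window, and that the proxy log's user name matches CloudTrail's userIdentity.userName; all log lines and records are constructed samples.

```python
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# IoCs from the report, re-fanged so hostnames compare correctly.
SUSPECT_DOMAINS = {"us-west-login.com", "us-east-prod.com", "loginportal-aws.com"}
WINDOW = timedelta(minutes=15)  # assumed correlation window; tune per environment

def _ts(s):
    # CloudTrail eventTime ends in 'Z'; normalise for datetime.fromisoformat
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def web_hit_is_suspect(url):
    """True if the host is a suspect domain/subdomain or the query carries input_24."""
    p = urlsplit(url)
    host = (p.hostname or "").lower()
    on_ioc = any(host == d or host.endswith("." + d) for d in SUSPECT_DOMAINS)
    return on_ioc or "input_24" in parse_qs(p.query)

def correlate(web_lines, cloudtrail):
    """Pair suspect web hits with successful ConsoleLogin events for the same
    user within WINDOW. Constructed proxy-log format: '<time> <user> <ip> <url>'.
    Returns (user, login_time, url, ip_mismatch)."""
    hits = []
    for line in web_lines:
        ts, user, ip, url = line.split(maxsplit=3)
        if web_hit_is_suspect(url):
            hits.append((_ts(ts), user, ip, url))
    alerts = []
    for rec in cloudtrail:
        if (rec.get("eventName") != "ConsoleLogin"
                or rec.get("responseElements", {}).get("ConsoleLogin") != "Success"):
            continue
        login_at = _ts(rec["eventTime"])
        user = rec.get("userIdentity", {}).get("userName")
        for hit_at, hit_user, egress_ip, url in hits:
            if hit_user == user and timedelta(0) <= login_at - hit_at <= WINDOW:
                # The kit relays the login from its own server, so the CloudTrail
                # sourceIPAddress usually differs from the victim's egress IP.
                alerts.append((user, rec["eventTime"], url,
                               rec.get("sourceIPAddress") != egress_ip))
    return alerts

WEB_LOG = [  # constructed samples
    "2026-06-18T13:58:00+00:00 alice 203.0.113.10 https://aws.us-west-login.com/?input_24=QUJD",
    "2026-06-18T14:01:00+00:00 bob 203.0.113.11 https://signin.aws.amazon.com/console",
]
CLOUDTRAIL = [  # constructed; only the fields the logic reads
    {"eventName": "ConsoleLogin", "eventTime": "2026-06-18T14:05:00Z",
     "userIdentity": {"userName": "alice"}, "sourceIPAddress": "198.51.100.7",
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventName": "ConsoleLogin", "eventTime": "2026-06-18T14:06:00Z",
     "userIdentity": {"userName": "bob"}, "sourceIPAddress": "203.0.113.11",
     "responseElements": {"ConsoleLogin": "Success"}},
]
```

The ip_mismatch flag is recorded rather than required, because a proxy-relayed login is exactly what the AiTM design above predicts; a match on user and timing alone is already worth an alert.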
| Indicator | Technical Note |
|---|---|
| aws.us-west-login[.]com | Primary Phishing Domain |
| aws-central.us-west-login[.]com | Subdomain |
| aws.us-east-prod[.]com | Primary Phishing Domain |
| loginportal-aws[.]com | Not observed utilizing input_24 parameter |
Note: All domains have been intentionally defanged (e.g., [.]) to prevent accidental resolution. Please re-fang these indicators only within a controlled threat intelligence environment.