Thursday , July 16 2026
Cloudflare

Hackers Target Cloudflare-Hosted AWS Domains to Steal Console Logins

A complex phishing attack targets AWS console users by misusing Cloudflare-hosted websites to steal login details. Each domain had a nearly identical copy of the AWS login page. It used a server-driven process that switched to email, SMS, or authenticator-app MFA challenges, allowing for real-time collection of second factors.

The phishing kit used a gating mechanism that validates the visitor before rendering the page. A URL parameter named input_24 carried an encrypted base64 blob that the kit POSTed to /api/check; the server decrypted it to identify the target email and set a cookie (observed as validEmail).

India to built Mythos-like AI model “Sarvam AI” and “BharatGen” assigned

India is speeding up its work to make homegrown AI models for cybersecurity. These models will help protect important digital...
Read More
India to built Mythos-like AI model “Sarvam AI” and “BharatGen” assigned

Cursor, SonicWall, SharePoint 0-day exploited to the wild

A serious security flaw in Cursor, a popular AI code editor used by more than 7 million developers, lets attackers...
Read More
Cursor, SonicWall, SharePoint 0-day exploited to the wild

Microsoft Patch Tuesday July-2026 fixes 570 flaws, 3 zero-days

Microsoft's Patch Tuesday in July 2026 fixes around 570 security flaws in its products. This comes after June's big update,...
Read More
Microsoft Patch Tuesday July-2026 fixes 570 flaws, 3 zero-days

Fortinet Patches 7 Flaws In FortiOS, FortiProxy, FortiPAM, and FortiSandbox

Fortinet fixes seven new security warnings on July 14, 2026. These affect FortiOS, FortiProxy, FortiPAM, and FortiSandbox. The issues vary...
Read More
Fortinet Patches 7 Flaws In FortiOS, FortiProxy, FortiPAM, and FortiSandbox

CISA warns Cisco IOS flaw, while VMware flaw allows bypassing authentication

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has warned that hackers are using CVE-2008-4128, a CSRF flaw in Cisco...
Read More
CISA warns Cisco IOS flaw, while VMware flaw allows bypassing authentication

Meta’s louisiana data center to exceed 250 billion price tag

Meta announced on Monday that its data center in Richland Parish, Louisiana, will grow to 5 gigawatts of computing power....
Read More
Meta’s louisiana data center to exceed 250 billion price tag

Ransomware Crisis in 2026: 5,064 Organizations Affected in 135 Countries

Global ransomware attacks stayed very high in the first seven months of 2026. There were 5,064 confirmed victims in 135...
Read More
Ransomware Crisis in 2026: 5,064 Organizations Affected in 135 Countries

Palo Alto Networks Addresses 13 Vulnerabilities

Palo Alto Networks shared warnings on Wednesday about over twelve security issues in its products. The new warnings include 13 security...
Read More
Palo Alto Networks Addresses 13 Vulnerabilities

Critical Dell BIOS & Zimbra Flaws Expose Enterprise Systems

A critical flaw with how Dell saves BIOS passwords lets anyone quickly recover these passwords from a flash dump without...
Read More
Critical Dell BIOS & Zimbra Flaws Expose Enterprise Systems

CoLoCity Launches New 1.0 MW Data Center Facility at Gulshan

CoLoCity is proud to launch a new Data Center in Gulshan-2. It is designed to meet the growing demand for...
Read More
CoLoCity Launches New 1.0 MW Data Center Facility at Gulshan

Subsequent /api/me calls got a JSON object with the victim’s address and decided if to show the clone or a blank page. This block stops sandboxes and many researchers from easily checking the site, showing it is a targeted delivery and not random mass phishing.

The cloned AWS console sign in page served by the phishing domains (Source : Datadog).

Credential stealing was centralized with one JavaScript file. After victims entered their details at /api/login, the kit read the server’s JSON reply and took the victim to /email, /sms, or /gauth based on the MFA type given. Each route showed a convincing challenge screen that matched AWS’s text and labels.

The kit then forwarded collected credentials and MFA codes to /api/auth; the server again selected the next route.

The code structure suggests the kit can relay authentication attempts to the legitimate AWS login in real time and return the resulting responses to the victim, classic AiTM behavior that permits capture and immediate reuse of MFA codes.

Between June 16 and 19, 2026, Datadog Security Research observed a wave of AWS console phishing sites attempting to harvest victim credentials.

The following three domains were registered between June 16 and 18, 2026, all through the registrar NICENIC INTERNATIONAL GROUP CO., LIMITED.

Domains Subdomains Registration date Registrar
us-west-login[.]com aws.us-west-login[.]com, aws-central.us-west-login[.]com June 18, 2026 NICENIC INTERNATIONAL GROUP CO., LIMITED
us-east-prod[.]com aws.us-east-prod[.]com June 17, 2026 NICENIC INTERNATIONAL GROUP CO., LIMITED
loginportal-aws[.]com June 16, 2026 NICENIC INTERNATIONAL GROUP CO., LIMITED

Cloudflare-Hosted AWS Phishing

Datadog researchers also found likely delivery artifacts on VirusTotal: a June 19 batch file referencing aws.us-west-login[.]com that executed curl commands against the phishing domain and a SendGrid URL, queried WHOIS metadata, and included the structure of a forged AWS Support email referencing a fabricated support ticket.

The operators used legitimate email delivery platforms such as SendGrid and Nimbu to bypass SPF/DKIM/DMARC checks and improve deliverability an increasingly common tactic among prolific phishing kits.


Possible rendering of the alleged phishing email on Virustotal (Source : Datadog).

The investigation found three domains pretending to be SendGrid. These were registered around the same time and were hosted on Cloudflare. They used the same React SPA design, encrypted email checks, and strong MFA management. This connects the campaign to a phishing kit based on input_24 that has been active since at least July 2025.

Prior studies (NVISO Labs, August 2025) saw the same actions on CRM and crypto-logins, showing that the same setup is likely being used for important AWS targets.

Defenders should look for DNS and network signs linked to the identified domains. They should also treat any ConsoleLogin CloudTrail events that come after as very important.

Datadog suggests checking queries for DNS activity and CloudTrail ConsoleLogin events. If there is a ConsoleLogin event after DNS or HTTP access to these phishing domains, it likely means credentials were stolen and might be reused.

Datadog Cloud SIEM ships detection rules that flag ConsoleLogin anomalies such as Impossible Travel with or without MFA; pairing network telemetry with CloudTrail makes these detections actionable.

Block and watch the listed domains, check CloudTrail ConsoleLogin events, and tell privileged AWS users to use phishing-resistant FIDO2 keys and access rules that reduce risks of credential replay.

Check Also

Nepal Unveils First “Hall of Fame” for Ethical Hackers

Nepal has started a ‘Hall of Fame’ program to honor cybersecurity researchers who safely report …