A complex phishing attack targets AWS console users by misusing Cloudflare-hosted websites to steal login details. Each domain served a nearly identical copy of the AWS login page. The kit used a server-driven flow that switched between email, SMS, and authenticator-app MFA challenges, allowing real-time collection of second factors.
The phishing kit used a gating mechanism that validates the visitor before rendering the page. A URL parameter named input_24 carried an encrypted base64 blob that the kit POSTed to /api/check; the server decrypted it to identify the target email and set a cookie (observed as validEmail).
Subsequent /api/me calls returned a JSON object with the victim's address and decided whether to show the clone or a blank page. This gate stops sandboxes and many researchers from easily inspecting the site, indicating targeted delivery rather than indiscriminate mass phishing.

Credential stealing was centralized with one JavaScript file. After victims entered their details at /api/login, the kit read the server’s JSON reply and took the victim to /email, /sms, or /gauth based on the MFA type given. Each route showed a convincing challenge screen that matched AWS’s text and labels.
The kit then forwarded collected credentials and MFA codes to /api/auth; the server again selected the next route.
The code structure suggests the kit can relay authentication attempts to the legitimate AWS login in real time and return the resulting responses to the victim, classic AiTM behavior that permits capture and immediate reuse of MFA codes.
Between June 16 and 19, 2026, Datadog Security Research observed a wave of AWS console phishing sites attempting to harvest victim credentials.
The following three domains were registered between June 16 and 18, 2026, all through the registrar NICENIC INTERNATIONAL GROUP CO., LIMITED.
| Domains | Subdomains | Registration date | Registrar |
|---|---|---|---|
| us-west-login[.]com | aws.us-west-login[.]com, aws-central.us-west-login[.]com | June 18, 2026 | NICENIC INTERNATIONAL GROUP CO., LIMITED |
| us-east-prod[.]com | aws.us-east-prod[.]com | June 17, 2026 | NICENIC INTERNATIONAL GROUP CO., LIMITED |
| loginportal-aws[.]com | | June 16, 2026 | NICENIC INTERNATIONAL GROUP CO., LIMITED |
Cloudflare-Hosted AWS Phishing
Datadog researchers also found likely delivery artifacts on VirusTotal: a June 19 batch file referencing aws.us-west-login[.]com that executed curl commands against the phishing domain and a SendGrid URL, queried WHOIS metadata, and included the structure of a forged AWS Support email referencing a fabricated support ticket.
The operators used legitimate email delivery platforms such as SendGrid and Nimbu to pass SPF/DKIM/DMARC checks and improve deliverability, an increasingly common tactic among prolific phishing kits.

Possible rendering of the alleged phishing email on VirusTotal (Source: Datadog).
The investigation found three domains pretending to be SendGrid. These were registered around the same time and were hosted on Cloudflare. They used the same React SPA design, encrypted email checks, and strong MFA management. This connects the campaign to a phishing kit based on input_24 that has been active since at least July 2025.
Prior research (NVISO Labs, August 2025) observed the same behaviour against CRM and cryptocurrency login pages, suggesting that the same infrastructure is now being pointed at high-value AWS targets.
Defenders should hunt for DNS and network indicators tied to the identified domains, and treat any CloudTrail ConsoleLogin events that follow such activity as high priority.
Datadog suggests running queries for DNS activity and CloudTrail ConsoleLogin events. A ConsoleLogin event that follows DNS or HTTP access to these phishing domains likely means credentials were stolen and may be reused.
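The correlation described above, written out as an added example (it is not Datadog's query or code): resolver log lines are scanned for lookups of the three listed domains or any of their subdomains, and every CloudTrail ConsoleLogin event that occurs within a time window after such a lookup is flagged. The DNS line format, the sample log lines and the sample CloudTrail records are all constructed here; the CloudTrail field names (eventName, eventTime, sourceIPAddress, additionalEventData.MFAUsed, responseElements.ConsoleLogin) are the real ones. Because an AiTM kit relays the MFA code, a login with MFAUsed set to "Yes" is still reported rather than being treated as clean.

```python
import json
from datetime import datetime, timedelta, timezone

# Domains from the report, with the defanging brackets removed for matching.
PHISHING_DOMAINS = {"us-west-login.com", "us-east-prod.com", "loginportal-aws.com"}


def matches_phishing_domain(qname: str) -> bool:
    """True if qname is one of the listed domains or any subdomain of one."""
    name = qname.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in PHISHING_DOMAINS)


def parse_ts(value: str) -> datetime:
    """Parse the ISO-8601 'Z' timestamps CloudTrail uses (the DNS sample uses the same form)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def phishing_lookups(dns_lines):
    """Extract lookups of phishing domains from resolver log lines.
    Assumed line format (not from the report): '<timestamp> <client-ip> <qname> <qtype>'."""
    hits = []
    for line in dns_lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed lines instead of failing the whole run
        ts, client, qname, _qtype = parts[:4]
        if matches_phishing_domain(qname):
            hits.append({"time": parse_ts(ts), "client": client, "qname": qname})
    return hits


def correlate(dns_lines, cloudtrail_records, window_hours: float = 24.0):
    """Flag every ConsoleLogin that occurs within window_hours after a phishing-domain lookup."""
    window = timedelta(hours=window_hours)
    lookups = phishing_lookups(dns_lines)
    findings = []
    for ev in cloudtrail_records:
        if ev.get("eventName") != "ConsoleLogin":
            continue
        login_time = parse_ts(ev["eventTime"])
        prior = [h for h in lookups if timedelta(0) <= login_time - h["time"] <= window]
        if not prior:
            continue
        identity = ev.get("userIdentity", {})
        findings.append({
            "user": identity.get("userName") or identity.get("type"),
            "time": ev["eventTime"],
            "source_ip": ev.get("sourceIPAddress"),
            "outcome": ev.get("responseElements", {}).get("ConsoleLogin"),
            # The kit relays the second factor, so MFAUsed == "Yes" does not clear the login.
            "mfa_used": ev.get("additionalEventData", {}).get("MFAUsed"),
            "prior_lookups": prior,
        })
    return findings


# Constructed resolver log lines (not from the report).
SAMPLE_DNS_LINES = [
    "2026-06-17T14:02:10Z 10.0.7.8 aws.us-east-prod.com A",
    "2026-06-18T09:58:40Z 10.0.5.23 aws.us-west-login.com A",
    "2026-06-18T09:58:41Z 10.0.5.23 cdn.example.net A",
]

# Constructed CloudTrail records; the field names follow the real ConsoleLogin event shape.
SAMPLE_CLOUDTRAIL = json.loads("""{"Records": [
  {"eventName": "ConsoleLogin", "eventTime": "2026-06-16T08:00:00Z",
   "userIdentity": {"type": "IAMUser", "userName": "bob"}, "sourceIPAddress": "198.51.100.7",
   "additionalEventData": {"MFAUsed": "Yes"}, "responseElements": {"ConsoleLogin": "Success"}},
  {"eventName": "ConsoleLogin", "eventTime": "2026-06-18T10:05:12Z",
   "userIdentity": {"type": "IAMUser", "userName": "alice"}, "sourceIPAddress": "203.0.113.45",
   "additionalEventData": {"MFAUsed": "Yes"}, "responseElements": {"ConsoleLogin": "Success"}},
  {"eventName": "DescribeInstances", "eventTime": "2026-06-18T10:06:00Z",
   "userIdentity": {"type": "IAMUser", "userName": "alice"}, "sourceIPAddress": "203.0.113.45"},
  {"eventName": "ConsoleLogin", "eventTime": "2026-06-19T20:00:00Z",
   "userIdentity": {"type": "IAMUser", "userName": "carol"}, "sourceIPAddress": "192.0.2.10",
   "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Failure"}}
]}""")["Records"]


def run_sample():
    """Run the correlation over the constructed sample data."""
    return correlate(SAMPLE_DNS_LINES, SAMPLE_CLOUDTRAIL)


if __name__ == "__main__":
    for f in run_sample():
        summary = {k: v for k, v in f.items() if k != "prior_lookups"}
        print(json.dumps(summary), "after lookups of", [h["qname"] for h in f["prior_lookups"]])
```

Only the login by "alice" is reported: "bob" logged in before any lookup and "carol" logged in more than 24 hours after the last one. Narrowing the window (for example to one hour) keeps the finding but drops the older us-east-prod lookup from its evidence list, which is the knob to tune against the volume of your own ConsoleLogin traffic.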
Datadog Cloud SIEM ships detection rules that flag ConsoleLogin anomalies such as Impossible Travel with or without MFA; pairing network telemetry with CloudTrail makes these detections actionable.
Block and monitor the listed domains, review CloudTrail ConsoleLogin events, and require privileged AWS users to use phishing-resistant FIDO2 keys together with access policies that reduce the risk of credential replay.