Datadog Security Labs reported an active adversary-in-the-middle (AiTM) phishing campaign targeting AWS Management Console users with high-fidelity cloned login pages hosted on typosquatted domains. The kit acts as a live proxy to the legitimate AWS sign-in flow, relaying authentication in real time to validate credentials and capture session material (and likely MFA/OTP codes) before redirecting victims, enabling rapid post-compromise access to cloud environments.
In an observed case, the threat actor accessed a compromised AWS account within ~20 minutes of credential submission, with console access originating from 185.209.196.132 (identified as a Mullvad VPN egress). Datadog identified two active infrastructure clusters and a third related domain, including cloud-recovery[.]net (IP 178.16.54[.]142), cloud-policy[.]com (IP 69.67.172[.]30), and cloud-recovery[.]us, with shared registrar metadata (Registrar ID 3254, CNOBIN INFORMATION TECHNOLOGY LIMITED) and signs of rapid infrastructure rotation. Reporting emphasized the activity is credential theft rather than exploitation of an AWS vulnerability or abuse of AWS infrastructure, and that the lure impersonates an “AWS Organization Security” alert with a likely spoofed sender noreply@security[.]aws.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
5 events from the most recent confirmed update back to the earliest known activity.
Datadog said AWS Security was coordinating disruption and takedown actions against the phishing infrastructure. At the time of reporting, the campaign was still active.
Datadog Security Labs publicly detailed the campaign, identifying active infrastructure clusters on cloud-recovery[.]net and cloud-policy[.]com and a related inactive domain, cloud-recovery[.]us. The report also noted related phishing-kit servers tied to Microsoft 365 and Apple iCloud lures, suggesting broader reuse of the same kit.
In one observed case, attackers logged into a victim's AWS account within 20 minutes of credential submission, using a Mullvad VPN egress IP. The phishing kit acted as a real-time reverse proxy to capture credentials, likely MFA codes, and session material before redirecting the victim.
Datadog observed infrastructure changes on February 26, 2026, indicating ongoing maintenance and rotation of the phishing operation's domains and backend systems. The campaign used rapidly registered and rotated typosquatted domains to evade detection and takedown.
Datadog reported that an adversary-in-the-middle phishing campaign targeting AWS Management Console credentials had been running since late February 2026, and possibly earlier. The operation used fake security alert emails and typosquatted domains to lure victims to high-fidelity AWS login clones.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
2 references tracked. Mallory keeps watching after this page renders.
helpnetsecurity.com
Open sourcesecuritylabs.datadoghq.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.