AiTM Phishing Kits Steal Console Credentials and MFA Codes from AWS Environments
Cyber Security News
By Tushar Subhra Dutta
June 25, 2026
A newly discovered phishing kit is targeting Amazon Web Services users by silently stealing login credentials and multi-factor authentication codes the moment a victim types them in.
Unlike older tools that captured passwords for later use, this kit works in real time, meaning attackers can access a victim’s AWS console before the victim realizes something is wrong.
The campaign ran between June 19 and 23, 2026, and marks a serious shift in how cloud accounts are attacked.
The kit relies on a technique called adversary-in-the-middle, or AiTM, which places a hidden relay between the victim and the real AWS login page.
When a victim enters credentials and an MFA code, everything is quietly forwarded to the attacker’s server, which passes it to the actual AWS site.
This live relay gives attackers a brief window to log in using the stolen session before it expires, making MFA protections effectively useless.
Analysts from Datadog Security Labs identified the campaign and documented how it operated, publishing a report shared with Cyber Security News (CSN).
Cloned AWS Console (Source – DATADOG)
The researchers found three phishing domains, all registered within the same 24-hour window through a registrar named NICENIC INTERNATIONAL GROUP CO., LIMITED, and hosted on Cloudflare.
Each domain served a near-perfect copy of the AWS console sign-in page, making it nearly impossible for most users to notice anything off.
The attack emails were sent through trusted platforms like SendGrid and Nimbu, which helped them pass email authentication filters and reach inboxes directly.
The phishing email impersonated AWS Support and cited a fabricated issue about bandwidth throttling to create urgency. This social engineering pushed recipients into clicking quickly, without pausing to check whether the request was real.
What makes this campaign stand out is that it did not cast a wide net. The kit only displayed the fake login page when a valid, pre-verified email appeared in the link, and researchers recovered fewer than 50 target addresses.
Most belonged to software engineers and engineering leaders in the United States, pointing to a targeted operation rather than mass phishing.
AWS AiTM Phishing Kit Steals Console Credentials
The core of this kit lived inside a single JavaScript file embedded in the fake AWS login page.
When a victim visited the site, the page read an encrypted value from the URL, verified it against the attacker’s server, and only showed the login form if the visitor matched a known target.
The phishing kit’s server-driven MFA flow (Source – DATADOG)
This trick prevented security sandboxes and researchers from examining the page’s behavior.
Once credentials were submitted, the kit forwarded them to the phishing server, which interacted with the real AWS sign-in system in the background.
The server could only determine which MFA challenge to show next, whether email, SMS, or a time-based one-time password, by actively relaying data to the legitimate AWS site.
That live exchange is what sets AiTM kits apart from standard phishing pages and makes them far more dangerous.
Ties to a Broader Phishing Operation
Alongside the three AWS domains, researchers found three more domains impersonating SendGrid, all registered during the same window through the same registrar.
The similarities were clear, including a matching React-based app structure, the same encrypted email gating method, and identical MFA support across all major second-factor types.
Researchers also traced the input_24 URL parameter, a fingerprint of this kit, to campaigns dating back to July 2023, including attacks on cryptocurrency wallet users and a Salesforce login page impersonation.
This points to a threat actor who has refined and reused the same toolkit across multiple industries over several years.
To defend against this threat, security teams should look for DNS queries pointing to the known phishing domains and check AWS CloudTrail logs for ConsoleLogin events following contact with those domains.
A successful login appearing right after traffic to a phishing domain strongly suggests an attacker captured and replayed a victim’s session. Treating AWS console phishing as a high-priority threat is the clearest lesson from this campaign.
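The DNS-to-CloudTrail correlation described above, as an added example that is not from the Datadog report or from CSN: it refangs the IoC domains listed in the table below, matches resolver log lines against them, and flags successful ConsoleLogin events that arrive within an hour of a hit, noting when the login comes from an IP other than the victim's. The resolver log format and all sample records are constructed; the CloudTrail field names (eventName, eventTime, sourceIPAddress, userIdentity, responseElements.ConsoleLogin) are the real ones.

```python
from datetime import datetime, timedelta

# Defanged domains from the report's IoC table; refanged only here, inside the matching code.
PHISHING_DOMAINS = [d.replace("[.]", ".") for d in ("us-west-login[.]com", "us-east-prod[.]com",
    "loginportal-aws[.]com", "switch-sglogin[.]com", "uslogin-prodsg[.]com", "us-west-prod[.]com")]

def is_phishing_fqdn(fqdn):
    """True for an IoC domain or any subdomain of one (e.g. aws.us-west-login.com)."""
    fqdn = fqdn.rstrip(".").lower()
    return any(fqdn == d or fqdn.endswith("." + d) for d in PHISHING_DOMAINS)

def phishing_dns_hits(dns_lines):
    """Parse constructed resolver lines '<ISO-8601 UTC time> <client ip> <qname>'; keep IoC queries."""
    hits = []
    for line in dns_lines:
        ts, client_ip, qname = line.split()
        if is_phishing_fqdn(qname):
            hits.append((datetime.fromisoformat(ts.rstrip("Z")), client_ip, qname.rstrip(".")))
    return hits

def suspicious_console_logins(dns_lines, cloudtrail_records, window=timedelta(minutes=60)):
    """Successful ConsoleLogin events within `window` after a phishing-domain DNS query."""
    hits = phishing_dns_hits(dns_lines)
    alerts = []
    for rec in cloudtrail_records:
        if rec.get("eventName") != "ConsoleLogin" or \
                rec.get("responseElements", {}).get("ConsoleLogin") != "Success":
            continue
        login_ts = datetime.fromisoformat(rec["eventTime"].rstrip("Z"))
        for dns_ts, client_ip, qname in hits:
            if dns_ts <= login_ts <= dns_ts + window:
                # A login from an IP other than the querying client is the replayed-session pattern.
                alerts.append({"user": rec["userIdentity"].get("userName"),
                               "login_ip": rec["sourceIPAddress"], "phishing_domain": qname,
                               "ip_differs_from_victim": rec["sourceIPAddress"] != client_ip})
                break
    return alerts

# Constructed sample data (not from the report): a victim resolves the kit's domain, then a
# console login arrives from an unrelated IP 12 minutes later; an earlier login is unrelated.
SAMPLE_DNS = ["2026-06-20T14:03:11Z 10.1.4.22 aws.us-west-login.com.",
              "2026-06-20T14:03:12Z 10.1.4.22 signin.aws.amazon.com."]
SAMPLE_CLOUDTRAIL = [
    {"eventName": "ConsoleLogin", "eventTime": "2026-06-20T14:15:40Z", "sourceIPAddress": "203.0.113.77",
     "userIdentity": {"type": "IAMUser", "userName": "eng-lead"}, "responseElements": {"ConsoleLogin": "Success"}},
    {"eventName": "ConsoleLogin", "eventTime": "2026-06-20T09:00:00Z", "sourceIPAddress": "10.1.4.50",
     "userIdentity": {"type": "IAMUser", "userName": "ops"}, "responseElements": {"ConsoleLogin": "Success"}}]

ALERTS = suspicious_console_logins(SAMPLE_DNS, SAMPLE_CLOUDTRAIL)
```

Against the sample data ALERTS holds one entry for eng-lead with ip_differs_from_victim set, which is the signal the report says should be treated as a likely session replay.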
Indicators of Compromise (IoCs):
Type | Indicator | Description
Domain | us-west-login[.]com | AWS phishing domain registered via NICENIC
Domain | aws.us-west-login[.]com | AWS phishing subdomain
Domain | aws-central.us-west-login[.]com | AWS phishing subdomain
Domain | us-east-prod[.]com | AWS phishing domain registered via NICENIC
Domain | aws.us-east-prod[.]com | AWS phishing subdomain
Domain | loginportal-aws[.]com | AWS phishing domain; not observed with input_24 parameter
Domain | switch-sglogin[.]com | SendGrid phishing domain registered via NICENIC
Domain | uslogin-prodsg[.]com | SendGrid phishing domain registered via NICENIC
Domain | sendgrid.uslogin-prodsg[.]com | SendGrid phishing subdomain
Domain | us-west-prod[.]com | SendGrid phishing domain registered via NICENIC
Domain | sendgrid.us-west-prod[.]com | SendGrid phishing subdomain
Domain | 15hourolddomain-bypass-ed-google-workspace-protection-fuckgoogle[.]com | Non-existent domain pinged by attacker validation script found on VirusTotal
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Tushar Subhra Dutta
Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics.