
Amazon Disrupts APT29 Watering Hole Campaign Abusing Microsoft Device Code Authentication

Amazon on Friday said it flagged and disrupted what it described as an opportunistic watering hole campaign orchestrated by the Russia-linked APT29 actors as part of their intelligence gathering efforts.

The campaign used "compromised websites to redirect visitors to malicious infrastructure designed to trick users into authorizing attacker-controlled devices through Microsoft's device code authentication flow," Amazon's Chief Information Security Officer CJ Moses said.

APT29, also tracked as BlueBravo, Cloaked Ursa, CozyLarch, Cozy Bear, Earth Koshchei, ICECAP, Midnight Blizzard, and The Dukes, is the name assigned to a state-sponsored hacking group with ties to Russia's Foreign Intelligence Service (SVR).


In recent months, the prolific threat actor has been linked to attacks leveraging malicious Remote Desktop Protocol (RDP) configuration files to target Ukrainian entities and exfiltrate sensitive data.

Since the start of the year, the adversarial collective has been observed adopting various phishing techniques, including device code phishing and device join phishing, to obtain unauthorized access to Microsoft 365 accounts.


As recently as June 2025, Google said it observed a threat cluster with affiliations to APT29 weaponizing a Google account feature called application-specific passwords to gain access to victims' emails. The highly targeted campaign was attributed to UNC6293.

The latest activity identified by Amazon's threat intelligence team underscores the threat actor's continued efforts to harvest credentials and gather intelligence of interest, while simultaneously sharpening their tradecraft.

"This opportunistic approach illustrates APT29's continued evolution in scaling their operations to cast a wider net in their intelligence collection efforts," Moses said.

The attacks involved APT29 compromising various legitimate websites and injecting JavaScript that redirected roughly 10% of visitors to actor-controlled domains, such as findcloudflare[.]com, that mimicked Cloudflare verification pages to give an illusion of legitimacy.


In reality, the end goal of the campaign was to entice victims into entering a legitimate device code generated by the threat actor into a sign-in page, effectively granting the attackers access to the victims' Microsoft accounts and data. This technique was detailed by both Microsoft and Volexity back in February 2025.


The activity is also noteworthy for incorporating various evasion techniques, such as Base64 encoding to conceal malicious code, setting cookies to prevent repeated redirects of the same visitor, and shifting to new infrastructure when blocked.

"Despite the actor's attempts to migrate to new infrastructure, including a move off AWS to another cloud provider, our team continued monitoring and disrupting their operations," Moses said. "After our intervention, we observed the actor register additional domains such as cloudflare.redirectpartners[.]com, which again attempted to lure victims into Microsoft device code authentication workflows."
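As an added defender-side example (not from the article or from Amazon's report), the following Python script hunts for the kind of device code sign-ins described above in a constructed sample of sign-in records. It flags a user's first successful device-code sign-in and any device-code sign-in to an app outside an assumed allowlist; the record field names, app names and allowlist are simplified assumptions for this example, not the actual Microsoft Entra sign-in log schema.

```python
import json

# Constructed sample of sign-in records as JSON lines. Field names are simplified
# for this example and are NOT the real Microsoft Entra sign-in log schema.
SAMPLE_JSONL = """
{"time": "2025-08-20T08:00:00Z", "user": "alice@example.com", "protocol": "browser", "app": "Outlook", "ok": true}
{"time": "2025-08-21T09:12:00Z", "user": "alice@example.com", "protocol": "deviceCode", "app": "Microsoft Office", "ok": true}
{"time": "2025-08-21T09:15:00Z", "user": "bob@example.com", "protocol": "deviceCode", "app": "Azure CLI", "ok": true}
{"time": "2025-08-22T10:00:00Z", "user": "bob@example.com", "protocol": "deviceCode", "app": "Azure CLI", "ok": true}
{"time": "2025-08-22T11:30:00Z", "user": "carol@example.com", "protocol": "deviceCode", "app": "Microsoft Office", "ok": false}
"""

# Assumed allowlist: apps for which device-code sign-ins are expected in this tenant.
ALLOWED_DEVICE_CODE_APPS = {"Azure CLI"}


def load_jsonl(text):
    """Parse newline-delimited JSON, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def device_code_findings(records, allowed_apps=ALLOWED_DEVICE_CODE_APPS):
    """Return successful device-code sign-ins worth triaging, oldest first.

    Two signals are combined: a user completing the device-code flow for the
    first time (a lured victim typically has no prior history of it), and a
    device-code sign-in to an app that is not on the allowlist. Failed
    sign-ins are ignored because no token was issued for them.
    """
    seen_users = set()
    findings = []
    for r in sorted(records, key=lambda r: r["time"]):
        if not r["ok"] or r["protocol"] != "deviceCode":
            continue
        reasons = []
        if r["user"] not in seen_users:
            reasons.append("first_device_code_use")
            seen_users.add(r["user"])
        if r["app"] not in allowed_apps:
            reasons.append("app_not_allowlisted")
        if reasons:
            findings.append({"time": r["time"], "user": r["user"],
                             "app": r["app"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in device_code_findings(load_jsonl(SAMPLE_JSONL)):
        print(f["time"], f["user"], f["app"], ", ".join(f["reasons"]))
```

On the sample, the script reports alice's first device-code sign-in to a non-allowlisted app and bob's first device-code use, while bob's later Azure CLI sign-in and carol's failed attempt produce no finding.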
