A concise but sophisticated phishing campaign that targeted AWS console users by abusing Cloudflare-hosted domains to deliver adversary-in-the-middle (AiTM) credential theft.
Each domain served an almost identical clone of the AWS console sign-in page and implemented a server-driven flow that dynamically branched into email, SMS, or authenticator-app MFA challenges, enabling real-time capture of second factors.
The phishing kit used a gating mechanism that validates the visitor before rendering the page. A URL parameter named input_24 carried an encrypted base64 blob that the kit POSTed to /api/check; the server decrypted it to identify the target email and set a cookie (observed as validEmail).
Subsequent /api/me calls returned a JSON object with the victim’s address and determined whether to render the clone or a blank page. This gating prevents sandboxes and many researchers from easily analyzing the site, and also indicates targeted delivery rather than opportunistic mass phishing.
Credential harvesting was centralized in a single JavaScript file. After victims submitted credentials to /api/login, the kit parsed the server’s JSON response and navigated the victim to /email, /sms, or /gauth depending on the MFA type returned. Each path presented a convincing challenge UI matching AWS’s text and labels.
The kit then forwarded collected credentials and MFA codes to /api/auth; the server again selected the next route.
The code structure suggests the kit can relay authentication attempts to the legitimate AWS login in real time and return the resulting responses to the victim, classic AiTM behavior that permits capture and immediate reuse of MFA codes.
Between June 16 and 19, 2026, Datadog Security Research observed a wave of AWS console phishing sites attempting to harvest victim credentials.
The following three domains were registered between June 16 and 18, 2026, all through the registrar NICENIC INTERNATIONAL GROUP CO., LIMITED.
| Domains | Subdomains | Registration date | Registrar |
|---|---|---|---|
| us-west-login[.]com | aws.us-west-login[.]com, aws-central.us-west-login[.]com | June 18, 2026 | NICENIC INTERNATIONAL GROUP CO., LIMITED |
| us-east-prod[.]com | aws.us-east-prod[.]com | June 17, 2026 | NICENIC INTERNATIONAL GROUP CO., LIMITED |
| loginportal-aws[.]com | | June 16, 2026 | NICENIC INTERNATIONAL GROUP CO., LIMITED |
Cloudflare-Hosted AWS Phishing
Datadog researchers also found likely delivery artifacts on VirusTotal: a June 19 batch file referencing aws.us-west-login[.]com that executed curl commands against the phishing domain and a SendGrid URL, queried WHOIS metadata, and included the structure of a forged AWS Support email referencing a fabricated support ticket.
The operators used legitimate email delivery platforms such as SendGrid and Nimbu to pass SPF/DKIM/DMARC checks and improve deliverability, an increasingly common tactic among prolific phishing kits.

Concurrently, the investigation revealed three SendGrid-impersonating domains registered in the same timeframe and hosted on Cloudflare. Those sites employed the same React SPA architecture, encrypted email gating, and comprehensive MFA handling, linking this campaign to an input_24-based phishing kit active since at least July 2025.
Prior analyses (NVISO Labs, August 2025) observed similar behavior against CRM and crypto-target logins, reinforcing the likelihood that the same operator infrastructure is being repurposed for high-value AWS targets.
Operationally, defenders should hunt for DNS and network indicators resolving to the identified domains and treat any downstream ConsoleLogin CloudTrail events as high priority.
Datadog recommends queries for DNS activity to the domains and CloudTrail ConsoleLogin events: a ConsoleLogin event following DNS or HTTP access to these phishing domains strongly indicates credential capture and possible replay.
Datadog Cloud SIEM ships detection rules that flag ConsoleLogin anomalies such as Impossible Travel with or without MFA; pairing network telemetry with CloudTrail makes these detections actionable.
Block and monitor the listed domains, validate CloudTrail ConsoleLogin events, and advise privileged AWS users to adopt phishing-resistant FIDO2 keys and conditional access that limits credential replay risks.
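As an added example (not Datadog's detection rule or any Cloud SIEM content), the following Python correlates web-proxy records with CloudTrail ConsoleLogin events along the lines recommended above: it matches hostnames against the four defanged indicators from this report, records whether the kit's input_24 gating parameter was present in the URL, and flags any ConsoleLogin by the same user within two hours of the contact. The proxy log layout (timestamp, user, source IP, URL), the two-hour window, the user names, IPs and every record below are constructed for the demonstration and are not real telemetry.

```python
import json
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlparse

# Defanged indicators as listed in the report; re-fanged in memory only so
# that hostnames seen in telemetry can be compared against them.
PHISHING_DOMAINS = {
    d.replace("[.]", ".")
    for d in (
        "aws.us-west-login[.]com",
        "aws-central.us-west-login[.]com",
        "aws.us-east-prod[.]com",
        "loginportal-aws[.]com",
    )
}

# URL parameter the kit uses to gate rendering of the cloned console page.
GATING_PARAM = "input_24"

# Assumed correlation window: logins this long after a contact are flagged.
WINDOW = timedelta(hours=2)

# Constructed proxy records (not real): "<ts> <user> <src_ip> <url>"
PROXY_LOG = [
    "2026-06-18T09:12:03Z alice 10.0.4.21 https://aws.us-west-login.com/?input_24=QUJDREVGR0hJSg%3D%3D",
    "2026-06-18T09:12:05Z alice 10.0.4.21 https://aws.us-west-login.com/api/check",
    "2026-06-18T09:40:00Z bob 10.0.4.77 https://docs.aws.amazon.com/iam/",
]

# Constructed CloudTrail ConsoleLogin records, trimmed to the relevant fields.
CLOUDTRAIL_EVENTS = [
    {"eventName": "ConsoleLogin", "eventTime": "2026-06-18T09:14:30Z",
     "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventName": "ConsoleLogin", "eventTime": "2026-06-18T11:00:00Z",
     "sourceIPAddress": "10.0.4.77",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventName": "ConsoleLogin", "eventTime": "2026-06-18T15:00:00Z",
     "sourceIPAddress": "10.0.4.21",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
]


def _ts(value: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp with a trailing 'Z'."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_proxy_line(line: str) -> dict:
    """Parse one proxy record and annotate it with indicator matches."""
    ts, user, src_ip, url = line.split(maxsplit=3)
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    return {
        "ts": _ts(ts),
        "user": user.lower(),
        "src_ip": src_ip,
        "host": host,
        "is_phishing_host": host in PHISHING_DOMAINS,
        "has_gating_param": GATING_PARAM in parse_qs(parsed.query),
    }


def phishing_contacts(proxy_lines):
    """Return parsed proxy records whose hostname is a known phishing domain."""
    return [r for r in map(parse_proxy_line, proxy_lines) if r["is_phishing_host"]]


def correlate_logins(proxy_lines, cloudtrail_events, window=WINDOW):
    """Flag ConsoleLogin events that follow a phishing-domain contact by the same user.

    One finding is produced per login. The login's sourceIPAddress is compared
    with the proxy source IP: with an AiTM relay the login reaches AWS from the
    relay, not from the victim, so a mismatch strengthens the finding. An
    MFAUsed value of "Yes" does not clear it, since the kit relays the second
    factor in real time.
    """
    contacts = phishing_contacts(proxy_lines)
    findings = []
    for ev in cloudtrail_events:
        if ev.get("eventName") != "ConsoleLogin":
            continue
        user = (ev.get("userIdentity", {}).get("userName") or "").lower()
        login_ts = _ts(ev["eventTime"])
        matches = [c for c in contacts
                   if c["user"] == user and c["ts"] <= login_ts <= c["ts"] + window]
        if not matches:
            continue
        first = min(matches, key=lambda c: c["ts"])
        findings.append({
            "user": user,
            "phishing_host": first["host"],
            "contact_time": first["ts"].isoformat(),
            "login_time": login_ts.isoformat(),
            "login_ip": ev.get("sourceIPAddress"),
            "ip_mismatch": ev.get("sourceIPAddress") != first["src_ip"],
            "login_result": ev.get("responseElements", {}).get("ConsoleLogin"),
            "mfa_used": ev.get("additionalEventData", {}).get("MFAUsed"),
            "gating_param_seen": any(c["has_gating_param"] for c in matches),
        })
    return findings


if __name__ == "__main__":
    print(json.dumps(correlate_logins(PROXY_LOG, CLOUDTRAIL_EVENTS), indent=2))
```

Run as written, the script reports a single finding for alice: a contact with aws.us-west-login.com carrying the input_24 parameter, followed about two minutes later by a successful ConsoleLogin with MFA from an address that differs from her proxy egress. Bob's login has no preceding contact, and alice's afternoon login falls outside the window, so neither is reported. In production the user key would come from whichever identity field your proxy and CloudTrail share (or from a federated principal rather than userName), and the window should be tuned to the organisation's own session patterns.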
| Indicator | Note |
|---|---|
| aws.us-west-login[.]com | |
| aws-central.us-west-login[.]com | |
| aws.us-east-prod[.]com | |
| loginportal-aws[.]com | Not observed with input_24 parameter |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

