Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to malware
Malware

TruffleNet

TruffleNet is the name Fortinet/FortiGuard gave to a large-scale cloud-focused attack infrastructure and business email compromise (BEC) scam built around the open-source TruffleHog toolkit. Reported activity targets Amazon Web Services (AWS) environments and uses compromised credentials to systematically test access and conduct reconnaissance. The operation abuses AWS services, particularly Simple Email Service (SES), to create new email identities and send spoofed messages that appear authentic. Supporting reporting also states the infrastructure abused Portainer and that attackers stole DKIM keys from WordPress sites to enable email sending through AWS SES. Based on the provided content, TruffleNet is associated with phishing and fraud/BEC activity in cloud environments rather than a traditional standalone malware family. High-confidence behaviors include use of stolen credentials, AWS reconnaissance, SES identity creation, spoofed email delivery, and DKIM key theft from WordPress sites.

Share:
For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial
ACTIVITY FEED

Recent activity

4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

4 SOURCESView more in app
risky biz rssNews
Nov 19, 2025
Risky Bulletin: Microsoft will integrate Sysmon into Windows

TruffleNet is a campaign leveraging the TruffleHog toolkit to target cloud environments, likely for credential harvesting and lateral movement.

Read more
bank info securityNews
Nov 6, 2025
Breach Roundup: UPenn Hit by Email Breach

A large-scale phishing and BEC campaign that abuses AWS infrastructure and stolen credentials to send spoofed emails and fraudulent invoices, evading detection by using legitimate cloud services.

Read more
govinfosecurityNews
Nov 6, 2025
Breach Roundup: UPenn Hit by Email Breach

A large-scale phishing and BEC campaign that abuses AWS infrastructure and stolen credentials to send spoofed emails and fraudulent invoices, evading detection by using legitimate cloud services.

Read more
the hacker newsNews
Nov 6, 2025
ThreatsDay Bulletin: AI Tools in Malware, Botnets, GDI Flaws, Election Attacks & More

TruffleNet is a large-scale attack infrastructure leveraging TruffleHog for credential testing and reconnaissance in AWS environments. It is used for automated credential abuse, reconnaissance, and potentially BEC attacks.

Read more
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
Start free trial
IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.