Daily Briefing for 09.02.25

At a glance.

• Amazon shuts down APT29 watering-hole campaign.
• Salesloft Drift breach affects security firms.
• TamperedChef spreads via malicious PDF editor tools.

Amazon shuts down APT29 watering-hole campaign.

Amazon’s threat intelligence team describes a watering-hole campaign run by APT29, a threat actor tied to Russia's Foreign Intelligence Service (SVR). The threat actor used "compromised websites to redirect visitors to malicious infrastructure designed to trick users into authorizing attacker-controlled devices through Microsoft’s device code authentication flow." Amazon shut down the campaign on AWS infrastructure, then tracked the activity and disrupted it again when the threat actor moved to another cloud provider.

The researchers urge users to follow security best practices and to "[f]ollow Microsoft’s security guidance on device authentication flows and consider disabling this feature if not required."

Salesloft Drift breach affects security firms.

KrebsOnSecurity is tracking the ongoing impact of breaches stemming from the theft of authentication tokens from AI chatbot provider Salesloft. Google's Threat Intelligence Group (GTIG) warned last week that a threat actor had compromised numerous Salesforce instances using the stolen tokens. The researchers then discovered that the hackers had stolen authentication tokens for hundreds of additional services that integrate with Salesloft, including Google Workspace, Slack, Microsoft Azure, Amazon S3, and OpenAI.

Zscaler and Palo Alto Networks have both confirmed that their Salesforce instances were breached. Zscaler says the threat actor may have accessed customers' business contact information and "[p]lain text content from certain support cases." Palo Alto Networks told BleepingComputer, "The attacker extracted primarily business contact and related account information, along with internal sales account records and basic case data. We are in the process of directly notifying any impacted customers." The company stressed that the incident was confined to its Salesforce environment, and "did not affect any Palo Alto Networks products, systems, or services."

TamperedChef spreads via malicious PDF editor tools.

Heimdal Security has published a report on a malware campaign targeting European organizations via fake PDF editing tools. The attackers promoted the malicious editing tools with Google Ads and compromised websites, targeting users searching for free alternatives to Adobe tools. Once installed, the fake editors functioned normally for nearly two months before downloading an infostealer dubbed "TamperedChef."

Truesec is also tracking the campaign, noting that the TamperedChef's dormancy period was likely designed to maximize infections before security tools began flagging the malware. The researchers add, "Truesec has observed at least 5 different Google campaign IDs which suggests a widespread campaign. The length from the start of the campaign until the malicious update was also 56 days, which is close to the 60 days length of a typical Google advertising campaign."