{
	"id": "8e9ea729-a11e-4c1a-a1e6-cc4f4de66b67",
	"created_at": "2026-04-06T00:10:11.695821Z",
	"updated_at": "2026-04-10T13:11:31.749702Z",
	"deleted_at": null,
	"sha1_hash": "81a82416db4912f7be5607f55492f3f618db1cd3",
	"title": "SNS Sender | Active Campaigns Unleash Messaging Spam Through the Cloud",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 887320,
	"plain_text": "SNS Sender | Active Campaigns Unleash Messaging Spam Through\r\nthe Cloud\r\nBy Alex Delamotte\r\nPublished: 2024-02-15 · Archived: 2026-04-05 13:24:41 UTC\r\nExecutive Summary\r\nSNS Sender is a script that enables bulk SMS spamming using AWS SNS, aka Smishing, a previously\r\nunseen technique in the context of cloud attack tools.\r\nThe script author is currently known by the alias ARDUINO_DAS and is prolific in the phish kit scene.\r\nThe script requires valid AWS SNS credentials compromised from an environment not subject to the SNS\r\nsandbox restrictions.\r\nWe identified links between this actor and numerous phishing kits used to target victims’ personally\r\nidentifiable information (PII) and payment card details.\r\nThe smishing scams often take the guise of a message from the United States Postal Service (USPS)\r\nregarding a missed package delivery.\r\nOverview\r\nA common thread between businesses and threat actors is that both are moving workloads previously handled by\r\ntraditional web servers to the cloud. SentinelLABS has identified one example of this in the form of SNS Sender,\r\na Python script that uses AWS Simple Notification Service (SNS) to send bulk SMS messages for the purpose of\r\nspamming phishing links, aka Smishing.\r\nSNS Sender is the first script we encountered using AWS SNS to send spam texts. The script requires access to an\r\nAWS account in which the service was already provisioned, configured, and enabled. By default, AWS accounts\r\nare subject to restrictions through a feature called the SNS sandbox. These restrictions can be removed if the\r\ncustomer spends $1 and provides a viable use case to AWS support, who manually review such requests. While\r\nother tools like AlienFox have used business to customer (B2C) communications platforms such as Twilio to\r\nconduct SMS spamming attacks, we are unaware of existing research that details tools abusing AWS SNS to\r\nconduct such attacks.\r\nWe identified links between the actor behind this tool and many phishing kits used to target victims’ personally\r\nidentifiable information (PII) and payment card details under the guise of a message from the United States Postal\r\nService (USPS) regarding a missed package delivery. We believe this actor is using cloud services to send bulk\r\nSMS phishing messages, though they may still be testing the tool based on some questionable programming\r\nchoices.\r\nScript Analysis\r\nhttps://www.sentinelone.com/labs/sns-sender-active-campaigns-unleash-messaging-spam-through-the-cloud/\r\nPage 1 of 9\n\nSNS Sender is a script that enables bulk SMS spamming using AWS SNS. The script requires a list of phishing\r\nlinks named links.txt in its working directory. SNS Sender also takes several arguments that are entered as\r\ninput:\r\nA text file containing a list of AWS access keys, secrets, and region delimited by a colon\r\nA text file containing a list of phone numbers to target\r\nA sender ID, similar to a display name for a message\r\nThe message content\r\nSNS Sender inputs and outputs\r\nThe send_sns_message function sets up the AWS boto3 client–an interface between the Python script and the\r\nAWS SNS backend–to send the SMS messages. The boto3 client variables are obtained through the arguments\r\nthat the script user provided.\r\nThe sender ID variable is an interesting inclusion. According to AWS documentation, this variable is optional and\r\nis supported in some countries. In the United States, carriers do not support sender IDs, whereas in India, they are\r\nmandatory. The inclusion of a sender ID contrasts with the actor’s association with USPS-themed phishing kits\r\ntargeting Americans. The oversight may indicate the actor is not familiar with this exception and likely resides in a\r\ncountry where the sender ID is commonplace.\r\nSNS Sender establishes a while loop that iterates through the list of AWS credentials and regions. The script\r\nreplaces any occurrences of the string linkas in the message content variable with a URL from the links.txt\r\nfile, which weaponizes the message as a phishing SMS. The link is selected randomly using the Python random\r\nlibrary’s choice method.\r\nThe script tracks how many AWS access key pairs have been accessed through the a variable and how many\r\nphone numbers have been used through the y variable, which are initialized as 0 and incremented by 1 each time\r\nthe loop runs. Each message is sent using the credentials from one line from the AWS access key pair list, and the\r\ntracking ensures that the next line is accessed for the subsequent message.\r\nTo run at scale, the list would need to be incredibly long, and likely repeat access key \u0026 secret pairs, making this a\r\ncoding method with questionable efficacy.\r\nPhishing Kits\r\nhttps://www.sentinelone.com/labs/sns-sender-active-campaigns-unleash-messaging-spam-through-the-cloud/\r\nPage 2 of 9\n\nWhen investigating the handle ARDUINO_DAS , we identified more than 150 phishing kit files containing references\r\nto the actor. More than half of the kits are USPS-themed. The assets in these archives are similar in name to the\r\nURIs present in several recent Smishing campaigns using a missed package delivery lure. We believe that the\r\nactor abandoned the ARDUINO_DAS handle in 2023 after accusations that the actor scammed buyers. However,\r\nsome recently circulated phishing kits still reference this handle, which may make it an artifact of actors using the\r\nphishing kit.\r\nDue to the link between ARDUINO_DAS and USPS phishing, we explored several active campaigns circulating\r\nthrough early January 2024, hosted on hxxps://usps[.]mytrackingh[.]top and hxxps://u-sipsl[.]cc . Both\r\nsites host a USPS-themed phishing site with a flow like:\r\n1. Landing Page: Explains to the visitor that their USPS package is unable to be delivered. The “Click\r\nUpdate” button leads to the next step.\r\n2. Tracking Page: This page looks like USPS tracking details, but it prompts the victim to enter their name,\r\nphysical address, phone number, and email address.\r\n3. Card Verification Page: This page prompts the user to enter a credit card number for a $0.30 redelivery fee.\r\n4. The server forwards the details to a card checker, which is likely run through a Telegram service.\r\nLanding page for phishing flow\r\nhttps://www.sentinelone.com/labs/sns-sender-active-campaigns-unleash-messaging-spam-through-the-cloud/\r\nPage 3 of 9\n\nPII theft form\r\nhttps://www.sentinelone.com/labs/sns-sender-active-campaigns-unleash-messaging-spam-through-the-cloud/\r\nPage 4 of 9\n\nCredit card theft form\r\nConclusion\r\nActors are continuously finding new tools and platforms they can use to conduct their attack of choice, and SNS\r\nSender is no exception. Spammers have used mega tools like AlienFox and Predator to target bulk mail services as\r\nwell as business communications services. Other researchers have detailed which APIs have been used during in-the-wild AWS SNS abuse attacks, as well as enumeration routes actors may take to verify a targeted\r\nenvironment’s SNS capabilities. SNS Sender provides a glimpse into how actors conduct these attacks.\r\nSNS Sender represents a more narrow approach that relies on the actor having access to a properly configured\r\nAWS SNS tenant. Using AWS presents a challenge for this actor: AWS does not allow SMS notifications via SNS\r\nby default. For this feature to work, the tenant needs to be removed from the SNS sandbox environment. This is an\r\nupdate from previous research where AWS automatically allowed accounts to send to 10 destination numbers\r\nwhile an account is in the SNS sandbox.\r\nOrganizations using AWS SNS can protect themselves by reviewing the SNS documentation for the latest\r\ninformation. AWS has shared guidance for organizations to learn more about the SNS sandbox and how to change\r\nsending limits. Identity and Access Management (IAM) administrators should review identity best practices to\r\noptimize their organization’s security posture.\r\nDesire for recognition presents operational security challenges for actors developing tools for the opportunistic\r\ncloud hacking scene. The actor including their handle in the script is ubiquitous among cloud hack tools, enabling\r\nresearchers to form a point of attribution even when delineating the tool families becomes challenging due to\r\nextensive overlap.\r\nIndicators of Compromise\r\n8fd501d7af71afee3e692a6880284616522d709e – sns_sender.py, SNS Sender\r\nPhishing URLs\r\nhxxps[:]//perwebsolutions[.]com/js/\r\nhxxps[:]//usps[.]mytrackingh[.]top\r\nhxxps[:]//u-sipsl[.]cc\r\nPhish Kit Archives\r\n01b82c779de9ef59ecd814d6131433f7b17d7eb0\r\n03329461d8003aece83db2c124b5c2769dd0300e\r\n03b0cc3f1576d0d719f5ac5dbba582a9c10e64e0\r\n040e07a1c4cbc7eb9fb2a8ecfb865c0a2f4db5b9\r\n04676e36b9e11f32fd675e96dd721a5a215a0641\r\n0544db064ecb8fd8f36e96ef31d031447011c711\r\n0547074a7cb42a67a933d70c302b626f4e10a86e\r\nhttps://www.sentinelone.com/labs/sns-sender-active-campaigns-unleash-messaging-spam-through-the-cloud/\r\nPage 5 of 9\n\n09ddd1b6f3dc1323ad86d458da05f5be605c8e7a\r\n0a8ab120e03ed49e18ce3246b9d00f547fd9432c\r\n0bb8a3a478d1143a04fb8abd8aa9c116282cc700\r\n0eaa126cf4414684763b415aabc08e262ee7c194\r\n0fb6fa2855a39f7010d3a1bcc0c08e739747785c\r\n1024d7c1a10e94d0f926cff649a9bd9a0c5df6ba\r\n103a49c6c4f71ab5bbcaa01df89aef80e0c90229\r\n106b42a1a6401f6ff3cb38f66d0668ac22fbc59c\r\n10fe02acfa1053210387bc312f1ff9529eaeba35\r\n138a00f5e6ef81560cdfe25f2ab087c24e839efd\r\n14ea8aa63539498773bb0d4bea5fbede05f1c17d\r\n17a2515096e6afe5976f57887c89d3efe285ed06\r\n1a97f72dedbdf13b13baa4c535398af25a78a28e\r\n1b1940f128bb4f3420ebc4b5ab1a7b165e70003b\r\n1d0a54f030e8b68bbf1256811fbb4a284ce31fda\r\n1e85b4cf222387cddc0f2977d5c9f4a5eb03db06\r\n1fa655639ee1f7d9c8e3157346f65d351d4b3450\r\n1fb3a8a17123f82bf39ae93ede40273f155d5fa1\r\n1fe0823655c30cabf51816ed1048f647172d29c8\r\n20813f948849a05f84ed1b6a707ffc6965d17c1e\r\n25dd30bda5bbfa7af884c0d3a71857b6abcb8222\r\n27b6aaa536200b085d611af07b0c05df8a856eb8\r\n29a4771a04afce2b789fe34b42a12d2fa65073ab\r\n29d49c1d21c9e97c757db81db594e55b15587f98\r\n2ac1467e567bc6e950b8aee96d898b71f9cf5849\r\n2c62c5f3e4166be99bf985a0c5f08cfe5795221d\r\n2d4f45cdfe0793431e0134376b309f1707a4e2e6\r\n2e9bb5c725eee402a36d64f63e07f72451eaec03\r\n319569a20fdaf2fa356f6e33e575a5a613da79b2\r\n32a21398869e2e221552da49fe1d4beba11ad2ca\r\n342d6e453f6a02c43ca4dee045f89cbdaa97926c\r\n357df6a8740bca2b81b62a3a429b2fef5cc883a8\r\n38fcec4299789a1ba16099df0842aa196c34dde6\r\n3b15bf62091a80ec32a2c3af92da5115641cf13b\r\n3ba42572bd49882280306fc72759016c1ea90e7c\r\n3c6dfef72f703bd8a2779a40cef39c4eb2305e69\r\n3d920ba992668bbb303a6680251c54c928fec988\r\n3f31c8c8bf2acdbb3cbe792b2728b3a2eadccaec\r\n3fc724ee8958f941168e16e06ed8f0eccffacde7\r\n403ed75a0a86783a39e65aac0ca8d69d43f7a562\r\n40840c0b6bd9a6a25dd864e7812cb1ee499b10bf\r\n45a39f3af4ca67dea1f920a7bd03fe43b4b38bec\r\nhttps://www.sentinelone.com/labs/sns-sender-active-campaigns-unleash-messaging-spam-through-the-cloud/\r\nPage 6 of 9\n\n492a0031807ea7defcfb6a0be058580adac88345\r\n4aa1f81a313c991532379f68808a59fdbecef2de\r\n4c95a04759f5edc679122c013d2bb2570cef78dc\r\n4cdbc5d865172d4026a624f0aa56959875ba562c\r\n4d8bcefef73e03784fd104b8cec8bb2e3b47c89b\r\n4f636146bc6661795a4fbde68c5ca5b48e4a462d\r\n508d218b811aaea176b51f577a2cb74ff59ddf6e\r\n50e6703a85b4e72834cef4438f29777c0e73af54\r\n533ba3e5bacf6c982cc827b6aef62817897cf8ea\r\n53c26c8f577e45ba188e18b89da4b54ff41970d0\r\n563bc88fd217b1af0301e7eec2b03051a7236054\r\n56d51c8d5959d33ba4c52643a6436380e4f9fd8b\r\n589a185002c75260b66a29a21939a751d1b49585\r\n5a61394c2b1b0da534a348ecd714810a57194574\r\n5a6f197b77317d5d80dbe59984ccffa11cbc28ac\r\n5aae678fdaada1e58e88fe9a8eabfddfc1fafed1\r\n5bc0e77c722c8b973e8d2627002da3503e26dbde\r\n5dc5dc2206059359df9bc5056dca634b8ca13004\r\n5fe779032a8edf0866832903aac4caa4c22d65cc\r\n60077d66f395c7af28537338bd8fed0e5f108617\r\n601c2e36a2f284ef3bb4752b364da53afe480537\r\n60d209585249f32d0ad24ca295911729d8f56496\r\n64a8d7093ed1f3737901110118c768fb9ded4882\r\n64cb6b72523df13628d2f43f400c719a556c5d86\r\n658a6fe9f5700426d2a6b85dc035ba54b847eede\r\n6594a9357d39e377032fc2b5094ee2f68248bffe\r\n687f843a50e75ea74b8c51487356ee2b1ebfe359\r\n6911cb39a03184324406f79042b648b8ed89c2d9\r\n6c1eefaba836d8a4f86ab8cc7d9a514f045827bb\r\n6cd850c489930ef8d2438174ab38d4c33bc70c45\r\n6d0e9ce56f99c87d9d70e0522b96c625783aece2\r\n7935a5760e10976d9eff013735c303069c669e72\r\n797acd73e43b3f56961d0c687d86009fec832aee\r\n79f93db9c9b5f42c7b26b79c926eb3dfeaee3571\r\n7c53c7119bf6be6c5b149a1fdcb2c22b39bc1470\r\n7c6d96174246fe907a1cb7fbe0f2592c1f8b48b7\r\n7edcdc353071b1c44ce4a8ac33670378a86eb1ba\r\n83e8e7da62463b79970442d2b0de2eccf36450f7\r\n847bb302b6107ac93a669c09552ca158a1440596\r\n87091170ae9ec6e0641d1e689a22e11324e2e4c6\r\n87093850d8084a9a1b1881e0959acf41fcf8799c\r\n87b41c7f499be3b765628874b37d2d0f84d53517\r\nhttps://www.sentinelone.com/labs/sns-sender-active-campaigns-unleash-messaging-spam-through-the-cloud/\r\nPage 7 of 9\n\n88dfbd8036b122a1efa32b222f985447c7c80b41\r\n8952fbe59931daba401f615bf06b90547b6171a7\r\n8ac6dd99742dd328b690fb6f0552f2c4df2566c6\r\n8bc41965baba7f5e25d4bbb0519c1e4c573734c5\r\n8f06a9204f9a354cdf4dbf4c3ae870d5a386de59\r\n9004df92c9a9427767fdca02b9a1378cff42dbce\r\n91065e8ab12e9fce202c0eac0290cb1bd6c46ae2\r\n912a376b255e3b873a73767679e0fbe9a1b01446\r\n91562cad5eb7a9568190fa4b84da4de50ed3d274\r\n95197a29d05d2043771bc97a5ded6086f6dfbbd2\r\n95e707b5f9257913a36fb276d25e7312a9b86156\r\n97fba04a848da3c09bd906b6b3adb4aa9031e471\r\n98b85e3e2bcff8b5032ddbb9758174dec2bacf58\r\n9954725c56a9060c90b8d5cd0483fc6808f39bd1\r\n99d35595f41a9be3fc077d37599447c096ce66cf\r\n9a2ac6259c2707b34546bee8b5a4eec677716299\r\n9c4593c93cc5a5d7712bee10574823ebca9f6674\r\n9f2faa971f0f4fd783e34d11cba67b261b54cc5c\r\n9f9fbf77fd4c3aeb1542589efdc45d4e328da56c\r\na19ac9df01a0bc64e636054b0a728e024ade61e9\r\na2163de2f5056d64a27e96a73f7858b79d47ad06\r\na38087ce0515cd30fb3580ba12840bc610429649\r\na7ec178adabbb8eb533a81c658ecce56a9e697da\r\nab9baecfdf85033e65d59652e666b7328cb0960d\r\nabddb05ed3b75cae4354044bad05e5662cbfbab5\r\nad0d4cfcc7c35a9a96ad071a4863dbe8f83d87db\r\nadf4765cb74c708496fa39c8c002e32b6f0c1e71\r\naebdd69f0bbbb8d0d3c231f0fbe1516edc5e0216\r\nb212145149ca3f1c62e991bcf31357ecc8b17851\r\nb2192b99736376f9e5705e81d3b55bce408e17a8\r\nb26d632d14e91634ba01df0b3b18907657025563\r\nb5d8b89c88f32e2c0a9166f48e87f853a497b667\r\nb66c21bb8ef8ffa3143f3a6bae2c67f14eef069a\r\nb6e3c52c1bd309f596b4ba50d0f7487b66bd5701\r\nb7420fb4774e755bdb3062d12eb750687c115a3a\r\nb7a6780990590ac3ebb632b9198b63531d645129\r\nb841b4ae0629a5336356bce88794e0744f72f98b\r\nba5d94f8852f5cdee14e2bf8e1f0eb1cf599ecfb\r\nbc0e3f1c5b323daf31ecff178c620be0c03efb64\r\nbc3ebc37a77acef15b827e4ee43aeb839bc5605d\r\nbe0ca87b74a345d62814cad3916133e3e655acc6\r\nbf9c85e3ed9a3f0a51eeda6284be24b507a5770f\r\nhttps://www.sentinelone.com/labs/sns-sender-active-campaigns-unleash-messaging-spam-through-the-cloud/\r\nPage 8 of 9\n\nc117393f640ccd1d5fa5b002fcc3803498b61a2d\r\nc283818259bceaddfd62554fdf37493d413b9b84\r\nc547caad7d7517b2026e3c17461c249a925460d3\r\nc60830bac782f58c61a81821da8153f639c86a74\r\nc92c68b12ba817df7eb83666bd478466cb1c423a\r\ncabbe92c9b5acb779f9fb76b1f8e3ed77a44935d\r\ncb27a59e95c5d1b81219ba1cae4225f7340b16f2\r\ncc4306140f14bcec70f103f4213e96e24d065381\r\nce701e5c639158563455c28bc39efd2051196932\r\ncea7151a8260b9e48b687d40a9062ad361efed2d\r\ncf4872e3e9f580b1865f68bae6b31bca0f0e22e6\r\ncf7f11b4a39792531118058bd1c8ba2a2cabc486\r\nd71c9f3d3aba149d13d7434731423c164cf2f002\r\nd77c1f97339ba891286c10f6456a1e7f44b3c3bb\r\nd78275c82d2f10ba5ed6bfbfec37686a7646d8ea\r\ndc7fd807e8c9fc10185dcc47bc14f7460a4228b3\r\ndd682090d3815b52cf74b22280d1b8db02ef339e\r\ndf66269b6826273650716524219dd83cf0302dc4\r\ndf7ee28ca069f798489cb4dc2ff1295bb6377a6f\r\ndff37819d805c0fa99f11a466f583f2f752af8b0\r\ne2498ab48872162bab97e7a5737376cec2a5b401\r\ne7dc9e8f82cab9de0ec3b92693cdca726c5d72a6\r\ne95528bd91158bab9d1e998969951209f6d8a3b6\r\nea4c4495ac7d68543cb423d34704e8fbfd595f6b\r\neab2f2b4a924397d22ecd1a6e8758de585e9fdcc\r\nee7105ca1065b6f0f6ce4b041b1a0a95b5678790\r\neefcbc6b32fdf7167db0b9a455b3c8c0f8d4b58d\r\nef5a5d04dc048a3c1f6a415be1ad74e1478b802e\r\nef8b8d215b4cc107495b3957fbedd2317f642cd9\r\nf01c586c97d68847d1f373f7fd45444af26aff7a\r\nf28b3d223a0c351f70ec0c7680e80083c232a470\r\nf351bd5595b1eb2196f5c2ef1c519a7a8a7967dc\r\nf35fd34a90c7a9b827c1d9417b8f088e8302ba01\r\nf3b5e4840139ab0465b3c432d19bae1365e923af\r\nf5b1256e407fb37d44a54ba29dc6fd4815cfde55\r\nf754e4a59c49c0b3e653fdd8fdc04078810524dd\r\nfae99902bef8011459926e4a69b85ae2cf0c0914\r\nfc9d7c59645450be5887f938aaacbca2b0b3f1f9\r\nSource: https://www.sentinelone.com/labs/sns-sender-active-campaigns-unleash-messaging-spam-through-the-cloud/\r\nhttps://www.sentinelone.com/labs/sns-sender-active-campaigns-unleash-messaging-spam-through-the-cloud/\r\nPage 9 of 9",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.sentinelone.com/labs/sns-sender-active-campaigns-unleash-messaging-spam-through-the-cloud/"
	],
	"report_names": [
		"sns-sender-active-campaigns-unleash-messaging-spam-through-the-cloud"
	],
	"threat_actors": [],
	"ts_created_at": 1775434211,
	"ts_updated_at": 1775826691,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/81a82416db4912f7be5607f55492f3f618db1cd3.pdf",
		"text": "https://archive.orkl.eu/81a82416db4912f7be5607f55492f3f618db1cd3.txt",
		"img": "https://archive.orkl.eu/81a82416db4912f7be5607f55492f3f618db1cd3.jpg"
	}
}