AWS S3 + nxcli crypto-themed phishing campaign
Our team analyzed multiple phishing emails from a recent credential-collection campaign that leverages legitimate cloud hosting (AWS S3) and disposable hosting front-ends to evade takedown and to reduce infrastructure cost/overhead.
14th Command Team, December 16, 2025
Phishing & Social Engineering

We analyzed multiple phishing emails from a recent campaign that impersonate cryptocurrency platforms like Coinbase and MetaMask. Most of them use short-lived hosting infrastructure (subdomains under nxcli.*) for mail envelope/return-paths and publicly-hosted static HTML landing pages on Amazon S3 (URLs under *.s3.us-east-1.amazonaws.com). This is a classic credential-collection campaign that leverages legitimate cloud hosting (AWS S3) and disposable hosting front-ends to evade takedown and to reduce infrastructure cost/overhead. Abuse reports and our intel show nxcli-style temporary domains are frequently used in abuse/hosting churn, and security vendors have observed attackers increasingly using AWS-hosted static pages for phishing.
Key artifacts (IOCs extracted from emails)
Return-path / envelope-from domains:
postmaster@cc572632fb.nxcli.io
postmaster@da51d48b66.nxcli.io
(these are ephemeral-looking nxcli.* subdomains)
Hosting / cloudhost names and IPs in headers:
cloudhost-14816648.us-midwest-1.nxcli.net — IP 8.29.157.245 (seen in headers)
cloudhost-3931394.us-midwest-1.nxcli.net — IP 209.87.158.9 (seen in headers)
Amazon S3 landing pages (observed across emails):
https://access-authority-8167f7a.s3.us-east-1.amazonaws.com/index.html?id=3023483355649777990-3533
https://access-authority-d0bd040.s3.us-east-1.amazonaws.com/index.html
Displayed (social-engineering) URLs in message body (spoofed to look legitimate):
https://coinbase.com/christmas-airdrop (displayed text only — not the real target)
https://metamask.io/2FA (displayed as manual fallback — likely not the actual target)
Subjects / lure strings:
🎅 SPECIAL CHRISTMAS BONUS: Claim Your 1,000 $COIN Holiday Airdrop!
URGENT: FINAL 24-HOUR WARNING - Account Termination Imminent
Spam/phishing engine signals in headers:
Our BirMail platform flagged GB_S3_HTM (HTML link stored on AWS S3) and URI_PHISH for the MetaMask email.
DKIM present but invalid, SPF likely failing (header mismatch); envelope-from ≠ From.
Technical analysis & tactics observed
1. Infrastructure: disposable fronting + S3 static pages
Attackers are using nxcli.* ephemeral subdomains for mail infrastructure (return-path/envelope-from) and Nxcli-hosted cloudhost nodes (observed in Received headers / hostnames). nxcli domains are known to be used as temporary/test domains by hosting providers and have prior abuse reports, a pattern attackers exploit for churn-resistant operations.
The landing pages themselves are hosted on AWS S3 buckets (public static HTML). We have previously documented this abuse pattern: attackers host static phishing pages on S3 because they are easy to create, cheap, served via HTTPS, and slow to be taken down unless reported to AWS.
2. Email forgery & header artifacts
The From: header shows legitimate brand names (Coinbase, MetaMask) but the envelope-from/return-path domains are unrelated (nxcli.io). This fails alignment checks for DMARC in strict alignment scenarios — a useful detection signal.
DKIM signatures are present but flagged invalid in the headers (likely forged or mismatched), and BirMail rules mark the messages high-score spam with brand-specific phishing rules (e.g., KAM_FAKE_COINBASE3) and GB_S3_HTM. These combined signals indicate deliberate spoofing and use of cloud-hosted landing pages to host the phishing form.
3. Social engineering and payload
The Coinbase message uses a holiday/airdrop lure and explicit token amounts (1,000 $COIN) — a high-value incentive to drive clicks. The MetaMask message uses urgency and account/2FA fear (24 HOURS REMAINING), a classic “panic + fix now” tactic. Both aim to get the user to click a button linking to the S3-hosted page, which almost certainly contains web forms or wallet-connection prompts to harvest credentials/seed phrases or to trick victims into signing transactions. Based on typical Web3 phishing, the end goal is likely credential/seed-phrase collection or social engineering to connect wallets and drain funds.
Likely attacker goals & monetization
Credential/seed phrase harvesting — the most immediate goal for crypto-themed lures.
Wallet interaction fraud — prompting users to connect wallets and sign malicious transactions (MEV/drain).
Credential resale — collected accounts / emails / wallet keys could be sold or used.
Low-cost churn — use of disposable hosting (nxcli) + cheap static S3 buckets minimizes attacker operational cost and increases resilience to takedown.
Evidence of campaign scale & reuse patterns
The nxcli.* naming pattern and multiple different postmaster@<hash>.nxcli.io addresses suggest automated creation of disposable sending identities. Public forums and abuse reports show nxcli temporary domains are often reported for similar abuse, indicating attackers reuse this ecosystem to spin up messages quickly.
BirMail/SpamAssassin tags (GB_S3_HTM, URI_PHISH) and multiple similar S3 bucket names (access-authority-*) indicate a templated landing page deployed to multiple S3 buckets — typical of bulk phishing campaigns.
Detection & hunting (rules and queries you can apply now)
Email gateway / MTA rules
Block/flag envelope-from containing *.nxcli.io or hostnames cloudhost-*.us-midwest-1.nxcli.net (or set to quarantine for inspection).
Example Sieve/snort-like match: Envelope-From =~ /nxcli\.io$/i
Flag messages with links to S3 static-hosting — suspicious unless allowed.
Regex: https?://[A-Za-z0-9\-_]+\.s3\.us-east-1\.amazonaws\.com/.*
More general: https?://[A-Za-z0-9\-_]+\.s3\.amazonaws\.com/.*
Phishing brand impersonation rules: If From or body contains brand tokens (“Coinbase”, “MetaMask”, “airdrop”, “claim $COIN”) AND links point to non-official domains (not the brand’s verified domains), quarantine.
Example content rule: /(coinbase|metamask).*(s3\.amazonaws\.com|nxcli\.io|access-authority-)/i
Reject/quarantine messages with invalid DKIM + From-envelope mismatch when DMARC policy is strict or suspicious.
If From domain != envelope-from domain and DKIM/SPF checks fail → high risk.
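The gateway rules above combined into one triage function, as an added example that is not part of the original analysis: the two sample messages are constructed (the header values mirror the campaign's traits but are not real captures), the OFFICIAL allow-list of brand domains and the quarantine threshold are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample messages (not real captures) mirroring the campaign's header and body traits.
PHISH = """From: Coinbase <support@coinbase.com>
Return-Path: <postmaster@cc572632fb.nxcli.io>
Authentication-Results: mx.example.net; dkim=fail; spf=fail
Subject: SPECIAL CHRISTMAS BONUS: Claim Your 1,000 $COIN Holiday Airdrop!

<a href="https://access-authority-8167f7a.s3.us-east-1.amazonaws.com/index.html">https://coinbase.com/christmas-airdrop</a>
"""
LEGIT = """From: Coinbase <no-reply@coinbase.com>
Return-Path: <bounce@coinbase.com>
Authentication-Results: mx.example.net; dkim=pass; spf=pass
Subject: Your monthly statement is ready

<a href="https://www.coinbase.com/statements">View statement</a>
"""
URL_RE = re.compile(r"""https?://[^\s"'<>]+""", re.I)
S3_HOST_RE = re.compile(r"\.s3(?:\.[a-z0-9-]+)?\.amazonaws\.com$", re.I)  # bucket.s3[.region].amazonaws.com
BRAND_RE = re.compile(r"coinbase|metamask|airdrop|claim \$coin", re.I)
OFFICIAL = {"coinbase.com", "metamask.io"}  # assumed allow-list of the brands' verified domains

def _domain(header_value):
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def _official(host):
    return any(host == d or host.endswith("." + d) for d in OFFICIAL)

def triage(raw):
    """Score one raw RFC 5322 message with the gateway rules above; returns (score, reasons)."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    auth = msg.get("Authentication-Results", "").lower()
    from_dom, env_dom = _domain(msg.get("From")), _domain(msg.get("Return-Path"))
    hosts = [(urlparse(u).hostname or "").lower() for u in URL_RE.findall(body)]
    reasons = []
    if env_dom.endswith("nxcli.io"):  # Envelope-From =~ /nxcli\.io$/i
        reasons.append("envelope-from under nxcli.io")
    if from_dom != env_dom and ("dkim=fail" in auth or "spf=fail" in auth):
        reasons.append("From/envelope-from mismatch with failed DKIM or SPF")
    if any(S3_HOST_RE.search(h) for h in hosts):
        reasons.append("link to S3 static hosting")
    if BRAND_RE.search(msg.get("Subject", "") + " " + body) and any(h and not _official(h) for h in hosts):
        reasons.append("brand lure linking to a non-official domain")
    return len(reasons), reasons

def verdict(raw):
    """Quarantine when two or more independent signals fire (the threshold is an assumption)."""
    return "quarantine" if triage(raw)[0] >= 2 else "deliver"
```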
SIEM / Network hunting
Search web proxy logs for access to *.s3.us-east-1.amazonaws.com/*index.html* or frequent unique S3 bucket names that are not part of your organization’s normal asset inventory.
Query for egress connections to those S3 hostnames from many user endpoints in short windows — that could show campaign click-throughs.
Look for POST traffic to S3-hosted endpoints (form submission) from internal IPs.
Example Sigma-like pattern (simplified)
selection:
  Url:
    - '*s3.us-east-1.amazonaws.com*index.html*'
  EmailFromDomain|contains:
    - 'nxcli.io'
condition: selection
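The three proxy-log hunts described above (unknown S3 bucket serving index.html, many clients hitting one bucket in a short window, POSTs to an S3 host) run over sample log lines, as an added example that is not part of the original analysis: the log lines, the internal IPs and the KNOWN_BUCKETS inventory are constructed, and the log line format is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed proxy log lines (not real telemetry): "<ISO time> <client ip> <method> <url>".
LOG = """2025-12-16T09:01:02 10.0.1.15 GET https://access-authority-8167f7a.s3.us-east-1.amazonaws.com/index.html?id=3023483355649777990-3533
2025-12-16T09:01:40 10.0.1.22 GET https://access-authority-8167f7a.s3.us-east-1.amazonaws.com/index.html
2025-12-16T09:02:11 10.0.2.7 GET https://access-authority-8167f7a.s3.us-east-1.amazonaws.com/index.html
2025-12-16T09:02:55 10.0.1.22 POST https://access-authority-8167f7a.s3.us-east-1.amazonaws.com/index.html
2025-12-16T09:03:30 10.0.3.9 GET https://corp-assets-prod.s3.us-east-1.amazonaws.com/index.html
2025-12-16T14:10:00 10.0.1.15 GET https://www.coinbase.com/
"""
KNOWN_BUCKETS = {"corp-assets-prod"}  # assumed: buckets in the organisation's own asset inventory
S3_URL = re.compile(r"https?://([A-Za-z0-9.\-]+)\.s3(?:\.[a-z0-9-]+)?\.amazonaws\.com/", re.I)

def parse(log):
    """Split each line into (timestamp, client ip, method, url, s3 bucket or None)."""
    rows = []
    for line in log.strip().splitlines():
        ts, ip, method, url = line.split(maxsplit=3)
        m = S3_URL.match(url)
        rows.append((datetime.fromisoformat(ts), ip, method.upper(), url, m.group(1).lower() if m else None))
    return rows

def hunt(log, window=timedelta(minutes=5), min_clients=3):
    """Run the three hunts from the text; returns a dict of findings keyed by hunt name."""
    findings = {"unknown_bucket": set(), "click_cluster": set(), "form_post": set()}
    hits = defaultdict(list)
    for ts, ip, method, url, bucket in parse(log):
        if bucket is None:
            continue  # not S3-hosted, out of scope for these hunts
        if bucket not in KNOWN_BUCKETS and "index.html" in url:
            findings["unknown_bucket"].add(bucket)  # static landing page on a bucket we do not own
        if method == "POST":
            findings["form_post"].add((ip, bucket))  # possible credential form submission
        hits[bucket].append((ts, ip))
    # Click-through cluster: at least min_clients distinct internal clients hit one bucket within `window`.
    for bucket, events in hits.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            clients = {ip for ts, ip in events[i:] if ts - t0 <= window}
            if len(clients) >= min_clients:
                findings["click_cluster"].add(bucket)
                break
    return findings
```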
Mitigation & remediation steps (recommended order)
Quarantine and inspect all e-mails matching the above detection rules; remove any that have been delivered to users' inboxes.
Block / add to denylist: the exact S3 bucket hostnames and nxcli sender domains at the gateway (temporary measure). Note: blocking all amazonaws.com is not feasible — instead rely on URL reputation and bucket-level denylisting.
Report to AWS: open an abuse report with AWS containing the S3 bucket hostnames and sample phishing pages (include full headers and screenshots). AWS typically responds to phishing bucket reports and can remove public access if the bucket violates TOS. (You can report at AWS abuse channels.)
Report to the impersonated brands. Provide them email headers, S3 URLs, and screenshots so they can pursue takedown.
User & operational guidance (for crypto users)
Never enter seed phrases / private keys into a web form. Legitimate services will never ask you to paste your seed phrase into a website.
If prompted to “connect” a wallet, check the exact domain of the dApp and the connect request details. When in doubt, use a hardware wallet or disconnect.
Bookmark official exchange/wallet pages (do not follow links from emails).
For suspected compromise, move assets to a new wallet with a new seed using a hardware wallet (after confirming previous wallet keys were not exfiltrated).
Attribution possibilities & confidence
Confidence (infrastructure use & TTPs): High. The headers and HTML clearly show nxcli.* disposable infrastructure and S3-hosted static pages; flags and the S3 links confirm the tactic.
Attribution to a specific actor or cluster: Low. The infrastructure (ephemeral cloudhost + S3 buckets) is deliberately disposable and provides little persistent fingerprinting for high-confidence attribution without more samples, pivot data, or backend access logs from AWS/Nxcli.
Appendix — IOCs (copyable)
Domains and hosts:
cc572632fb.nxcli.io
da51d48b66.nxcli.io
cloudhost-14816648.us-midwest-1.nxcli.net (IP 8.29.157.245)
cloudhost-3931394.us-midwest-1.nxcli.net (IP 209.87.158.9)
S3 URLs:
https://access-authority-8167f7a.s3.us-east-1.amazonaws.com/index.html?id=3023483355649777990-3533
https://access-authority-d0bd040.s3.us-east-1.amazonaws.com/index.html
Display/fake links used in bodies:
https://coinbase.com/christmas-airdrop (display text)
https://metamask.io/2FA (display text)
Subjects observed:
🎅 SPECIAL CHRISTMAS BONUS: Claim Your 1,000 $COIN Holiday Airdrop!
URGENT: FINAL 24-HOUR WARNING - Account Termination Imminent