A coordinated credential-stuffing campaign is targeting US-based fleet-management platforms. Yeti has observed activity against three customers in the last 72 hours. Recommended actions are at the bottom of this post.
Severity: HIGH | Known victims: 11 | Success rate: ~3% | First seen: 05.04
Summary
Threat actor CRAMPON-7 is replaying credentials harvested from an unrelated 2025 SaaS breach against fleet-management login endpoints. The traffic is distributed across approximately 4,200 residential proxies, and each source IP is held to about 1.5 requests/second, well below the threshold of a typical naive per-IP rate limit.
Targeted organizations share one trait: missing or optional two-factor authentication on operator-tier accounts. Administrator accounts uniformly have 2FA enforced and have not been compromised in this campaign.
Indicators of compromise
User-Agent
The campaign rotates User-Agent strings, but the modal string we have observed is:
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0 Safari/537.36
A stock Linux Chrome string like this also appears on legitimate traffic, so treat it as corroboration rather than a blocking key.
Request signature
POST /api/v*/auth/login
Content-Type: application/json
{"email": "<harvested>", "password": "<harvested>", "remember": true}
The remember: true flag is unusual: most legitimate flows default it to false. It is currently the cleanest single signal for filtering, but it is also a one-line change for the operator once it stops working, so combine it with the cadence and source signals below rather than keying a block on it alone.
Source ASNs (top 5 of 47 observed)
| ASN | Provider |
|---|---|
| AS396982 | Google Cloud (proxies) |
| AS14061 | DigitalOcean (proxies) |
| AS62240 | Clouvider (residential) |
| AS63949 | Linode |
| AS16509 | Amazon AWS |
Jitter pattern
4–7 seconds between attempts within a session; 100–300 attempts per session before the source rotates. This matches the documented behavior of the Snipr stuffing kit, sold on a handful of Telegram channels since late 2024.
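The request signature and jitter pattern above, turned into detection logic and run over constructed log lines. This is an added example, not Yeti's detector or the kit's code: the JSON-per-line log format and field names, the 3-attempt threshold (lowered from the 100–300 attempts per session reported above so the sample stays short) and the 90% failure-ratio cut are assumptions.

```python
"""Flag stuffing sessions in login-endpoint logs using the signals above (added example)."""
import json
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Modal User-Agent from the post.
MODAL_UA = ("Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 "
            "(KHTML, like Gecko) Chrome/126.0 Safari/537.36")
# "POST /api/v*/auth/login" from the post, with the version wildcard made explicit.
LOGIN_PATH = re.compile(r"^/api/v\d+/auth/login$")

# Constructed JSON-per-line access log (not real telemetry). 203.0.113.7 behaves like
# the campaign: remember:true, modal UA, a fresh account per try, 4-7 s apart, all 401.
SAMPLE_LOG = """\
{"ts": "2026-05-04T10:00:00", "src_ip": "203.0.113.7", "method": "POST", "path": "/api/v2/auth/login", "status": 401, "ua": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0 Safari/537.36", "body": {"email": "ops1@example.com", "password": "<redacted>", "remember": true}}
{"ts": "2026-05-04T10:00:02", "src_ip": "198.51.100.22", "method": "POST", "path": "/api/v2/auth/login", "status": 200, "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0 Safari/537.36", "body": {"email": "dispatcher@example.org", "password": "<redacted>", "remember": false}}
{"ts": "2026-05-04T10:00:05", "src_ip": "203.0.113.7", "method": "POST", "path": "/api/v2/auth/login", "status": 401, "ua": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0 Safari/537.36", "body": {"email": "ops2@example.com", "password": "<redacted>", "remember": true}}
{"ts": "2026-05-04T10:00:09", "src_ip": "192.0.2.5", "method": "POST", "path": "/api/v3/auth/login", "status": 200, "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4 Safari/605.1.15", "body": {"email": "owner@example.net", "password": "<redacted>", "remember": true}}
{"ts": "2026-05-04T10:00:11", "src_ip": "203.0.113.7", "method": "POST", "path": "/api/v2/auth/login", "status": 401, "ua": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0 Safari/537.36", "body": {"email": "ops3@example.com", "password": "<redacted>", "remember": true}}
{"ts": "2026-05-04T10:00:13", "src_ip": "198.51.100.22", "method": "GET", "path": "/api/v2/vehicles", "status": 200, "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0 Safari/537.36", "body": {}}
{"ts": "2026-05-04T10:00:16", "src_ip": "203.0.113.7", "method": "POST", "path": "/api/v2/auth/login", "status": 401, "ua": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0 Safari/537.36", "body": {"email": "ops4@example.com", "password": "<redacted>", "remember": true}}
"""


def parse_line(line):
    """One JSON log record with the timestamp parsed (assumed log format)."""
    rec = json.loads(line)
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def is_candidate(rec):
    """Request-signature check: POST to /api/v*/auth/login carrying remember:true."""
    body = rec.get("body") or {}
    return (rec["method"] == "POST"
            and LOGIN_PATH.match(rec["path"]) is not None
            and body.get("remember") is True)


def score_sources(lines, min_attempts=3, gap_range=(4.0, 7.0), min_fail_ratio=0.9):
    """Group candidate requests by source IP; flag sources whose cadence sits in the
    4-7 s jitter band and whose attempts almost all fail (one try per harvested pair)."""
    by_ip = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if is_candidate(rec):
            by_ip[rec["src_ip"]].append(rec)

    flagged = {}
    for ip, recs in by_ip.items():
        if len(recs) < min_attempts:
            continue
        recs.sort(key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(recs, recs[1:])]
        median_gap = statistics.median(gaps)
        fail_ratio = sum(r["status"] == 401 for r in recs) / len(recs)
        if gap_range[0] <= median_gap <= gap_range[1] and fail_ratio >= min_fail_ratio:
            flagged[ip] = {
                "attempts": len(recs),
                "median_gap_s": median_gap,
                "fail_ratio": fail_ratio,
                # Corroborating signals, reported but not used as gates.
                "modal_ua_ratio": sum(r["ua"] == MODAL_UA for r in recs) / len(recs),
                "distinct_accounts": len({r["body"]["email"] for r in recs}),
            }
    return flagged


if __name__ == "__main__":
    for ip, info in score_sources(SAMPLE_LOG.splitlines()).items():
        print(ip, info)
```

The gate is cadence plus failure ratio; the remember flag only selects candidates, so the detector keeps working if the operator flips that default. The one-off remember:true login from 192.0.2.5 is not flagged because it never reaches the attempt threshold, which is the behaviour you want for a legitimate user who ticks the box.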
Recommended actions
| # | Action | Owner | SLA |
|---|---|---|---|
| 01 | Enforce 2FA on operator accounts (no opt-out) | Security | 7d |
| 02 | Implement progressive rate-limiting on /login | Platform | 3d |
| 03 | Subscribe to HIBP Domain monitoring; force-reset matched accounts | Security | 14d |
| 04 | Block listed ASNs at CDN edge for /auth/* routes | Platform | 24h |
Actions 01 through 03 are the durable fixes. Action 04 is a band-aid: expect the attacker to pivot to other ASNs within 48–72 hours, and note that most of the listed ASNs are general-purpose cloud or hosting providers, so a hard block on /auth/* will also reject legitimate API logins from integrations hosted there. A challenge or a tighter rate limit for those ranges is safer than an outright block.
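One way to implement action 02, as an added example rather than any platform's actual code. The point it demonstrates: with roughly 4,200 proxies each held to 1.5 requests/second, a fixed per-IP threshold never fires, but the kit sends 100–300 attempts from each source before rotating, so a per-key wait that doubles with every failed attempt cuts each source down to a handful of processed guesses. The class, its parameter values and the constructed simulation are assumptions; a non-zero wait would be returned to the client as HTTP 429 with a Retry-After header.

```python
"""Progressive login throttling keyed on target account and source IP (added example)."""
import time
from collections import defaultdict


class ProgressiveLoginLimiter:
    """After `free_failures` failed attempts on a key, each further failure doubles the
    wait before that key may try again, up to `max_delay_s`. Two keys are checked per
    attempt: the target account (one account hit from many proxies) and the source IP
    (one proxy working through many accounts, the pattern in this campaign). State
    decays after `decay_s` seconds without a failure. Parameter values are assumptions."""

    def __init__(self, free_failures=3, base_delay_s=1.0, max_delay_s=900.0,
                 decay_s=3600.0, clock=time.monotonic):
        self.free_failures = free_failures
        self.base_delay_s = base_delay_s
        self.max_delay_s = max_delay_s
        self.decay_s = decay_s
        self.clock = clock
        self.state = defaultdict(lambda: {"fails": 0, "blocked_until": 0.0, "last": 0.0})

    @staticmethod
    def _keys(email, ip):
        return (("acct", email.strip().lower()), ("ip", ip))

    def check(self, email, ip, now=None):
        """Seconds the caller must wait before this attempt may be processed (0.0 = go).
        Anything above zero maps to a 429 with Retry-After set to that value."""
        t = self.clock() if now is None else now
        wait = 0.0
        for key in self._keys(email, ip):
            s = self.state[key]
            if s["fails"] and t - s["last"] > self.decay_s:
                s.update(fails=0, blocked_until=0.0)  # stale history: forget it
            wait = max(wait, s["blocked_until"] - t)
        return max(0.0, wait)

    def record(self, email, ip, success, now=None):
        """Call after the credential check actually ran (not for 429-rejected requests)."""
        t = self.clock() if now is None else now
        acct_key, ip_key = self._keys(email, ip)
        if success:
            # The account owner proved possession: clear the account key only. The IP
            # keeps its failure history, because a stuffing proxy also lands occasional hits.
            self.state[acct_key].update(fails=0, blocked_until=0.0, last=t)
            return
        for key in (acct_key, ip_key):
            s = self.state[key]
            s["fails"] += 1
            s["last"] = t
            over = s["fails"] - self.free_failures
            if over > 0:
                delay = min(self.max_delay_s, self.base_delay_s * 2 ** (over - 1))
                s["blocked_until"] = t + delay


def simulate_single_proxy(limiter, cadence_s=5.0, duration_s=600.0, ip="203.0.113.7"):
    """Constructed stuffing session: one proxy, a fresh harvested account on every try,
    fixed cadence, every credential wrong. Returns (processed, rejected) attempt counts."""
    processed = rejected = 0
    t, n = 0.0, 0
    while t < duration_s:
        email = f"victim{n}@example.com"
        if limiter.check(email, ip, now=t) > 0:
            rejected += 1  # 429: the guess never reaches the password check
        else:
            processed += 1
            limiter.record(email, ip, success=False, now=t)
        n += 1
        t += cadence_s
    return processed, rejected


if __name__ == "__main__":
    # 120 attempts over ten minutes at a 5 s cadence; only 13 get a real answer.
    print(simulate_single_proxy(ProgressiveLoginLimiter()))
```

Because every stuffing attempt targets a different account, the account key never trips in the simulation; it is the IP key that does the work, and it does so without any fixed requests-per-second threshold for the attacker to stay under. In production the state belongs in a shared store with TTLs rather than a process-local dict (the login tier is scaled out, and the dict above grows with every key it sees). The account key is the one an attacker can turn against a legitimate operator by hammering a single login, so pair it with a step-up path, which is also why action 01 matters more than any throttle.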
What we’re watching
We expect this campaign to either escalate (move to higher-value targets and add a phishing layer) or wind down within two weeks if the success rate drops below ~2%. Next update: 2026.05.10.
Sources
- Yeti detection telemetry, n=3 customers
- Partner ISAC report S-2026-117 (private)
- Have I Been Pwned domain feed