Cloudy with a Chance of Hijacking: Forgotten DNS Records Enable Scam Actor

May 21, 2025, 10:15 p.m.

Description

Hazy Hawk is a threat actor that exploits abandoned cloud resources of high-profile organizations through DNS hijacking. It looks for dangling CNAME records: subdomains of reputable domains that still point to a cloud hostname whose backing resource has been decommissioned. Because such hostnames can be re-registered by anyone on the same cloud service, Hazy Hawk claims them and inherits control of the subdomain, then builds malicious URLs on the trusted parent domain. Those URLs route visitors through traffic distribution systems (TDS) to scams and malware. The actor layers its evasion: it obfuscates the hijacked domains and copies content from legitimate websites so the landing pages look benign, and it tricks victims into accepting browser push notifications, which give it a persistent channel to the victim long after they have left the site. Organizations hijacked this way include government agencies, universities, and major corporations worldwide, with activity observed since at least December 2023. The campaign shows why DNS records must be retired together with the cloud resources they point to, and how far affiliate-marketing scam operations have matured.
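The defensive check the description implies is a dangling-CNAME audit: walk each of your subdomains through its CNAME chain and flag chains that terminate at a cloud hostname that no longer exists. The script below is an added example written for this page, not code from the Infoblox write-up or from Hazy Hawk's tooling. The zone data (`FAKE_ZONE`, names under `example.org`) is constructed so the script runs offline, and `TAKEOVER_PRONE_SUFFIXES` is an assumed, non-exhaustive list of services where an unclaimed hostname returns NXDOMAIN and can be re-registered by another tenant; `live_lookup` is an optional dnspython-backed resolver with the same contract for running the audit against real names.

```python
"""Dangling-CNAME audit (added example; zone data below is constructed)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Assumed, non-exhaustive suffixes of self-service cloud hostnames. An NXDOMAIN
# chain ending here is a takeover candidate: the actor can register the name.
TAKEOVER_PRONE_SUFFIXES = (
    ".azurewebsites.net",
    ".cloudapp.azure.com",
    ".trafficmanager.net",
    ".cloudfront.net",
    ".s3.amazonaws.com",
    ".elasticbeanstalk.com",
)
MAX_HOPS = 8

# A lookup returns {"type": "CNAME", "target": ...} or {"type": "A", "value": ...},
# or None when the name does not exist (NXDOMAIN).
Lookup = Callable[[str], Optional[Dict[str, str]]]


@dataclass
class Finding:
    name: str
    status: str                      # "ok" | "dangling" | "unresolved" | "loop"
    chain: List[str] = field(default_factory=list)  # CNAME targets followed


def normalize(name: str) -> str:
    return name.strip().lower().rstrip(".")


def is_takeover_prone(hostname: str) -> bool:
    return any(hostname.endswith(suffix) for suffix in TAKEOVER_PRONE_SUFFIXES)


def check_name(name: str, lookup: Lookup) -> Finding:
    """Follow CNAMEs from `name` and classify where the chain ends."""
    chain: List[str] = []
    seen = set()
    current = normalize(name)
    while True:
        if current in seen or len(chain) > MAX_HOPS:
            return Finding(name, "loop", chain)
        seen.add(current)
        rr = lookup(current)
        if rr is None:
            # The chain ended at a name that does not exist. If that terminal
            # hostname lives on a self-service cloud provider, anyone who
            # registers it inherits the traffic sent to `name`.
            if chain and is_takeover_prone(current):
                return Finding(name, "dangling", chain)
            return Finding(name, "unresolved", chain)   # dangling, claimability unknown
        if rr["type"] == "CNAME":
            current = normalize(rr["target"])
            chain.append(current)
            continue
        return Finding(name, "ok", chain)


def audit(names: List[str], lookup: Lookup) -> List[Finding]:
    return [check_name(n, lookup) for n in names]


def live_lookup(name: str) -> Optional[Dict[str, str]]:
    """Same contract as FAKE_ZONE.get, backed by the system resolver through
    dnspython (optional; imported lazily so the offline run needs no extra package)."""
    import dns.resolver  # type: ignore
    try:
        for rdata in dns.resolver.resolve(name, "CNAME"):
            return {"type": "CNAME", "target": str(rdata.target)}
    except dns.resolver.NXDOMAIN:
        return None
    except (dns.resolver.NoAnswer, dns.resolver.NoNameservers):
        pass
    try:
        for rdata in dns.resolver.resolve(name, "A"):
            return {"type": "A", "value": rdata.address}
    except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer, dns.resolver.NoNameservers):
        return None
    return None


# Constructed zone for the offline run. Names absent from the dict are NXDOMAIN.
FAKE_ZONE: Dict[str, Dict[str, str]] = {
    "www.example.org":     {"type": "A", "value": "203.0.113.10"},
    # Web app deleted from Azure, DNS record never cleaned up: takeover candidate.
    "portal.example.org":  {"type": "CNAME", "target": "old-portal-prod.azurewebsites.net"},
    # Healthy CDN alias: the target still resolves.
    "cdn.example.org":     {"type": "CNAME", "target": "d1234abcd.cloudfront.net"},
    "d1234abcd.cloudfront.net": {"type": "A", "value": "198.51.100.5"},
    # Points at a former vendor's domain; dangling, but not obviously claimable.
    "legacy.example.org":  {"type": "CNAME", "target": "vendor.example.net"},
    # Misconfigured CNAME loop.
    "a.example.org":       {"type": "CNAME", "target": "b.example.org"},
    "b.example.org":       {"type": "CNAME", "target": "a.example.org"},
}
OWN_NAMES = [n for n in FAKE_ZONE if n.endswith(".example.org")]

if __name__ == "__main__":
    for finding in audit(OWN_NAMES, FAKE_ZONE.get):
        print(f"{finding.status:10} {finding.name} -> {' -> '.join(finding.chain) or '(no CNAME)'}")
```

Run it against real zones by exporting the zone's names and passing `live_lookup` as the resolver. Two caveats: an "unresolved" result is still a dangling record and should be removed, it just means the terminal name is not on a provider in the suffix list; and a terminal that resolves is not proof of safety, because some services (those that map hostnames onto a shared IP) can be re-claimed without the name ever going NXDOMAIN, so the audit should be paired with an inventory of which cloud resources your organization actually still owns.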

Date

  • Created: May 21, 2025, 4:09 p.m.
  • Published: May 21, 2025, 4:09 p.m.
  • Modified: May 21, 2025, 10:15 p.m.

Indicators

  • somewhere.on-another-domain.com
  • something.on-your-domain.com
  • movie.rssnews.media
  • leak.eneu.io
  • labs.guard.io
  • wholetale.org
  • viralnow.xyz
  • viralclipnow.xyz
  • pass-jeux.gouv.fr
  • msnmarthastewartsweeps.com
  • jameshardie.it
  • jameshardie.eu
  • impliednauseous.xyz
  • ferma.co.in
  • clean-out.xyz
  • claytargetsports.com
  • cccodes.cloud
  • accomodateyours.com
  • acceleratetomb.xyz

Attack Patterns

  • Hazy Hawk

Additional Information

  • Healthcare
  • Media
  • Finance
  • Government
  • United States of America