{"id":11639,"date":"2025-05-20T08:10:37","date_gmt":"2025-05-20T15:10:37","guid":{"rendered":"https:\/\/blogs.infoblox.com\/?p=11639"},"modified":"2025-05-29T08:29:11","modified_gmt":"2025-05-29T15:29:11","slug":"cloudy-with-a-chance-of-hijacking-forgotten-dns-records-enable-scam-actor","status":"publish","type":"post","link":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cloudy-with-a-chance-of-hijacking-forgotten-dns-records-enable-scam-actor\/","title":{"rendered":"Cloudy with a Chance of Hijacking Forgotten DNS Records Enable Scam Actor"},"content":{"rendered":"<h3>Authors: Jacques Portal, Ren\u00e9e Burton<\/h3>\n<p>&nbsp;<br \/>\n<span class=\"inline-image\"><img decoding=\"async\" style=\"float:left;margin-right: 15px;margin-bottom: 0px;\" width=\"180px\" alt=\"Hazy Hawk\" class=\"blog-image\" src=\"\/wp-content\/uploads\/infoblox-threat-actor-hazy-hawk-logo.png\"><\/span><\/p>\n<p>Hazy Hawk is a DNS-savvy threat actor that hijacks abandoned cloud resources of high-profile organizations. By \u201ccloud resources\u201d we mean things like S3 buckets and Azure endpoints. You might have read about domain hijacking; we and other security vendors have written about different techniques for grabbing control of forgotten domain names several times over the past year. While domain names can be hijacked through stolen accounts, we think the most interesting hijacks leverage DNS misconfigurations. Because DNS is not widely understood as a threat vector, these kinds of attacks can run undetected for long periods of time. At the same time, these attacks require a technical sophistication that isn\u2019t commonplace in the cybercriminal world. Hazy Hawk finds gaps in DNS records that are quite challenging to identify, and we believe they must have access to commercial passive DNS services to do so.<\/p>\n<p>The hijacked domains are used to host large numbers of URLs that send users to scams and malware by way of different traffic distribution systems (TDSs). 
This actor came to our attention after successfully gaining control of subdomains of the U.S. Center for Disease Control (CDC) in February 2025. Hundreds of URLs hosted on the CDC subdomain appeared suddenly and surfaced in search engine results, their result rankings buoyed by the credibility of the CDC. We soon realized that other government agencies across the globe, large universities, and international companies had been victimized by the same threat actor since at least December 2023. Figure 1 shows a simple view of Hazy Hawk operations. <\/p>\n<p><img decoding=\"async\" class=\"blog-image\" src=\"\/wp-content\/uploads\/a-high-level-overview-of-how-hijacked-cloud-resource-domains-are-used-for-malicious-activities-by-hazy-hawk.png\" alt=\"Figure 1. A high-level overview of how hijacked cloud resource domains are used for malicious activities by Hazy Hawk\"><\/p>\n<p class=\"image-caption\">Figure 1. A high-level overview of how hijacked cloud resource domains are used for malicious activities by Hazy Hawk<\/p>\n<p>The discovery of vulnerable DNS records is a complex problem and indicates that Hazy Hawk has access to a large passive DNS service. These types of hijacks rely on misconfigured DNS records and can involve multiple DNS records in a chain that is not visible through normal internet probing. In addition, the integration of malicious push notifications in the attack chain acts as a force multiplier. <\/p>\n<p>Perhaps the most remarkable thing about Hazy Hawk is that these hard-to-discover, vulnerable domains with ties to esteemed organizations are not being used for espionage or \u201chighbrow\u201d cybercrime. Instead, they feed into the seedy underworld of adtech, whisking victims to a wide range of scams and fake applications, and using browser notifications to trigger processes that will have a lingering impact. Hazy Hawk is indicative of the lengths scam artists will go to get a portion of the multi-billion-dollar fraud market. 
In the senior population within the United States alone, citizens lose billions of dollars a year to the type of content Hazy Hawk delivers.<sup>1<\/sup><\/p>\n<p>Hazy Hawk uses layered defenses to protect their operations from discovery. By hijacking very reputable domains, they evade and hinder security analysis. Furthermore, Hazy Hawk uses code from legitimate websites to disguise their own content. The URLs typically redirect visitors through a second set of domains before entering a TDS for further routing. We found that a subdomain of the well-established <span class=\"code-format\">js[.]org<\/span> was used to deliver fake videos and games, for example, while in other cases Hazy Hawk appears to have set up the redirection site themselves.  <\/p>\n<h3>Backstory<\/h3>\n<p>Our discovery of Hazy Hawk starts with Brian Krebs. He alerted us that the CDC domain, <span class=\"code-format\">cdc[.]gov<\/span>, was suddenly hosting dozens of URLs that referenced porn videos. These could be seen in search engine results and carried the credentials of the CDC in the search metadata. In addition to pornography, there were also advertisements for a British football match (see Figure 2). Krebs initially thought that the CDC website had what is called an open relay, allowing traffic to freely redirect across their domain. But from our DNS perspective, it did not look that way.<\/p>\n<p><img decoding=\"async\" class=\"blog-image\" src=\"\/wp-content\/uploads\/an-example-of-hazy-hawk-hijacked-domains-in-google-search-results-on-february-16-2025.png\" alt=\"Figure 2. An example of Hazy Hawk hijacked domains in Google search results on February 16, 2025 \"><\/p>\n<p class=\"image-caption\">Figure 2. An example of Hazy Hawk hijacked domains in Google search results on February 16, 2025 <\/p>\n<p>Why did we suspect DNS hijacking? All the URLs were on a strange subdomain of the primary domain, <span class=\"code-format\">ahbazuretestapp[.]cdc[.]gov<\/span>. 
This isn\u2019t the kind of subdomain a threat actor is likely to choose, so we checked for active CNAME records. It turned out that the subdomain was aliased to an Azure website. The Azure domain was the site of the hijack. As shown in Figure 3, DNS queries for <span class=\"code-format\">ahbazuretestapp[.]cdc[.]gov<\/span> lead to <span class=\"code-format\">ahbdotnetappwithsqldb[.]azurewebsites[.]net<\/span>. <\/p>\n<p><img decoding=\"async\" class=\"blog-image\" src=\"\/wp-content\/uploads\/the-ip-resolution-chain-for-ahbazuretestappcdcgov-on-february-16-2025.png\" alt=\"Figure 3. The IP resolution chain for ahbazuretestapp[.]cdc[.]gov on February 16, 2025 \"><\/p>\n<p class=\"image-caption\">Figure 3. The IP resolution chain for ahbazuretestapp[.]cdc[.]gov on February 16, 2025 <\/p>\n<p>At this point, we were certain that the CDC had abandoned their Azure service, and that the hacker then found its corresponding, so-called dangling, DNS record. Hijacking was as easy as creating an Azure account and a site with the same name. But how does this all work? <\/p>\n<h3>CNAME Hijacking<\/h3>\n<p>CNAME records are a type of DNS record that map one domain name (the alias) to another (the canonical name, or CNAME). Very basically, it is a way for you to tell a resolver that, if someone wants to access <span class=\"code-format\">something[.]on-your-domain[.]com<\/span>, they can find it at <span class=\"code-format\">somewhere[.]on-another-domain[.]com<\/span>. See Figures 4 and 5. These records are commonly used by content delivery networks (CDNs) to distribute large files you don\u2019t want to handle yourself.<sup>2<\/sup><\/p>\n<p><img decoding=\"async\" class=\"blog-image\" src=\"\/wp-content\/uploads\/simplified-view-of-dns-cname-resolution.png\" alt=\"Figure 4. Simplified view of DNS CNAME resolution\"><\/p>\n<p class=\"image-caption\">Figure 4. 
Simplified view of DNS CNAME resolution <\/p>\n<p><img decoding=\"async\" class=\"blog-image\" src=\"\/wp-content\/uploads\/an-example-cname-chain-for-cloud-resources.png\" alt=\"Figure 5. An example CNAME chain for cloud resources\"><\/p>\n<p class=\"image-caption\">Figure 5. An example CNAME chain for cloud resources<\/p>\n<p>When a DNS CNAME record exists, but the resource it points to does not, the record is considered dangling. An attacker registers the missing resource to hijack the domain. Traditional dangling CNAME attacks take advantage of cases where the DNS record points to a domain that is not registered. The email security firm Guardio wrote about a threat actor who used this technique to imitate major brands in spam distribution.<sup>3<\/sup> In that case, for example, <span class=\"code-format\">marthastewart[.]msn[.]com<\/span> had a CNAME record pointing to <span class=\"code-format\">msnmarthastewartsweeps[.]com<\/span>. The latter domain had not been registered by MSN, but the DNS record had not been removed. By registering the abandoned domain, the spammer could send emails as MSN. For only a few dollars, the spammer gained a tremendous advantage. <\/p>\n<p>Domain hijacking sounds so easy: find a misconfigured DNS record, register a domain, and you are off to the races! But to hijack these domains, attackers first must find the dangling CNAME record. Even with free, publicly available tools, effort and access to DNS data are required. For traditional CNAME hijacks, potential records can be checked by querying the alias domain to see if its target is registered. A DNS response of NXDOMAIN is a telltale sign that the domain is ripe for hijacking. <\/p>\n<p>But Hazy Hawk is not a traditional hijacker, and hijacking cloud resources is not as easy as looking for an NXDOMAIN response. Identifying abandoned cloud resources is significantly more challenging than identifying unregistered domains. Every cloud provider handles missing resources differently. 
While a few providers will respond with an NXDOMAIN, most of them will respond with an IP address. Beyond that, there are even more challenges to isolating vulnerable DNS records. Some major cloud providers, like Azure, have implemented specific mechanisms to prevent hijacking even when a dangling record exists. <\/p>\n<p>We are not going to share methods to isolate exploitable CNAME records. Let\u2019s just say it requires extensive passive DNS access and ingenuity. Finding cloud resources susceptible to hijacking is significantly more labor intensive than finding lame name server delegations that are vulnerable to a Sitting Ducks attack.<sup>4<\/sup> Hazy Hawk and other cloud resource hijacking actors are likely doing significant manual work to validate vulnerable domains due to the various ways each cloud provider handles dropped resources. In contrast, through random sampling, we identify thousands of domains every day that might be susceptible to a Sitting Ducks attack, and tens of thousands of domains have been hijacked since 2020. <\/p>\n<h3>Hazy Hawk<\/h3>\n<p>So, let\u2019s talk Hazy Hawk. They are very good at finding abandoned cloud resources. 
We\u2019ve seen attacks against dozens of major organizations since at least December 2023.<sup>5<\/sup> They have commandeered domains (see the Indicators section for a full list) from:   <\/p>\n<ul>\n<li>Federal and regional government entities worldwide, such as <span class=\"code-format\">alabama[.]gov<\/span> and <span class=\"code-format\">health[.]gov[.]au<\/span>\n  <\/li>\n<li>Universities: <span class=\"code-format\">berkeley[.]edu<\/span> and <span class=\"code-format\">ucl[.]ac[.]uk<\/span>\n  <\/li>\n<li>Healthcare companies and organizations: <span class=\"code-format\">cdc[.]gov<\/span> and <span class=\"code-format\">dignityhealth[.]org<\/span>\n  <\/li>\n<li>Media and other large corporations: <span class=\"code-format\">deloitte[.]com<\/span>, <span class=\"code-format\">ey[.]com<\/span>, <span class=\"code-format\">pwc[.]com<\/span> and <span class=\"code-format\">ted[.]com<\/span>\n  <\/li>\n<\/ul>\n<p>Hazy Hawk has usurped resources on these services, and possibly others:  <\/p>\n<ul>\n<li>Akamai<\/li>\n<li>Amazon EC2, S3 and Elastic Beanstalk<\/li>\n<li>Azure (various cloud services)<\/li>\n<li>Bunny CDN<\/li>\n<li>Cloudflare CDN<\/li>\n<li>GitHub<\/li>\n<li>Netlify<\/li>\n<\/ul>\n<p>We use the name Hazy Hawk for this actor because of how they find and hijack cloud resources that have dangling DNS CNAME records and then use them in malicious URL distribution. It\u2019s possible that the domain hijacking component is provided as a service and is used by a group of actors. <\/p>\n<p>Hazy Hawk creates large numbers of URLs on the reputable resource. These URLs lead to a variety of scams and malware through affiliations with other actors. The first image in Figure 1 shows a high-level view of their operation. The URLs are cloaked\u2014meaning their true nature is hidden\u2014through the integration of sketchy adtech services. For example, visiting one of the CDC links led to a TDS operated by Adsterra. 
Navigating to the link from a VPN led to a webpage containing the text \u201canonymous proxy detected,\u201d while a residential IP address led through a maze of malicious content dependent on device and location. We captured examples of this rerouting behavior by clicking one of the URLs on an Android phone (see <a href=\"https:\/\/imgur.com\/a\/cdc-website-hijack-leads-to-malicious-adtech-XfguIcN\" target=\"_blank\"><strong>these screenshots<\/strong><\/a>). <\/p>\n<p>Hazy Hawk uses layered defenses to disguise their activities, including: <\/p>\n<ul>\n<li>Hijacking subdomains of highly popular, reputable domains connected to cloud resources<\/li>\n<li>Obfuscating URLs<\/li>\n<li>Using content from other reputable websites as a basis for their initial page<\/li>\n<li>Redirecting through at least one other URL using a well-known service<\/li>\n<li>Redirecting into a TDS designed to cloak the final landing page<\/li>\n<\/ul>\n<h3>URL Obfuscation<\/h3>\n<p>In certain cases, the malicious URLs are obfuscated to make it less obvious which cloud resource was hijacked. One way the threat actor does this is with URL redirection. For example, in January 2025, we saw Hazy Hawk exploit an open relay on the University of Bristol\u2019s website to redirect victims to the domain they hijacked: <span class=\"code-format\">agri-offers[.]michelin[.]co[.]uk<\/span>. See Figure 6. Abuse of open relays is not new; <a href=\"https:\/\/krebsonsecurity.com\/2016\/03\/spammers-abusing-trust-in-us-gov-domains\/\" target=\"_blank\"><strong>Brian Krebs documented<\/strong><\/a> their use by spam actors in 2016. <\/p>\n<p><img decoding=\"async\" class=\"blog-image\" src=\"\/wp-content\/uploads\/hazy-hawk-hijacked-domains-using-url-redirection.png\" alt=\"Figure 6. Hazy Hawk hijacked domains using URL redirection\"><\/p>\n<p class=\"image-caption\">Figure 6. Hazy Hawk hijacked domains using URL redirection <\/p>\n<p>Another obfuscation trick they use is specific to AWS S3 buckets. 
Their malicious URLs are sometimes written in such a way that they do not directly refer to the hijacked resource name. For example, Hazy Hawk hijacked the S3 bucket <span class=\"code-format\">oercommons<\/span> in March 2025, but instead of using that domain name in the distributed scam URLs, like this:<\/p>\n<p><span class=\"code-format\"> Https[:]\/\/oercommons[.]s3[.]amazonaws[.]com\/&lt;params&gt; <\/span><\/p>\n<p>they used an alternate format like this:<br \/>\n<span class=\"code-format\"> Https[:]\/\/s3-ap-southeast-2[.]amazonaws[.]com\/oercommons\/&lt;params&gt; <\/span><\/p>\n<p>This path-style format moves the bucket name out of the hostname and into the URL path, which thwarts blocking based on the fully qualified domain name of the bucket. Clever! Figure 7 shows another example and includes other domains that were contacted while loading the URL.<sup>6<\/sup><\/p>\n<p><img decoding=\"async\" class=\"blog-image\" src=\"\/wp-content\/uploads\/aws-subdomain-obfuscation-the-hijacked-bucket-name-is-hidden-in-the-url-path-httpsurlquerynetreport64ae0264-9f2a-4234-b8b6-8b8a8030a2f4.png\" alt=\"Figure 7. AWS subdomain obfuscation; the hijacked bucket name is hidden in the URL path https:\/\/urlquery.net\/report\/64ae0264-9f2a-4234-b8b6-8b8a8030a2f4 \"><\/p>\n<p class=\"image-caption\">Figure 7. AWS subdomain obfuscation; the hijacked bucket name is hidden in the URL path https:\/\/urlquery.net\/report\/64ae0264-9f2a-4234-b8b6-8b8a8030a2f4 <\/p>\n<h3>Stealing Legitimate Website Content<\/h3>\n<p>Hazy Hawk uses legitimate, often high-profile websites as the basis of their initial site content. They then modify the site to redirect to a second location. To a content crawler, the majority of the site will appear legitimate. <\/p>\n<p>In some cases, they used a clone (a pure copy of the HTML) of a page, such as the New York Times,<sup>7<\/sup> for their own main page. Although it might fool a content crawler (probably the goal), it won\u2019t fool real humans any time soon. 
We have seen Hazy Hawk do this for quite a few of the domains they have taken over, up until mid-February. It is unclear if they only did this for domain names they didn\u2019t think were valuable, or if they just did it to all of their domains up until that point, but this content cloning is not the best disguise. <\/p>\n<p>More recently, we\u2019ve seen them try a bit harder, and at least do a bit of research into the companies owning the domains they are hijacking. For example, when they hijacked a subdomain of <span class=\"code-format\">honeywell[.]com<\/span>, visiting it with a browser would land the user on a website that pretended to be Honeywell (the HTML was not a copy, but imitated the original Honeywell site). The admittedly simple website<sup>8<\/sup> talks about thermostats, smart home devices, and other things you might expect to find on a Honeywell domain.  <\/p>\n<p>Moving on from cloaking home pages, most of the webpages hosted on the hijacked domains use the same template and the same HTML headers. Hazy Hawk lures their victims with the promise of an enticing video (often pornography or pirated content). But, instead of building a video streaming website from scratch, Hazy Hawk just copied PBS. The website template they use is literally just a copy of <span class=\"code-format\">pbs[.]org<\/span>. They load the same libraries, the same stylesheets, and the same fonts, sometimes from <span class=\"code-format\">pbs[.]org<\/span> directly (shown above in Figure 7: AWS subdomain obfuscation). The one thing they do not appear to steal is PBS\u2019 video player, which might be surprising. But in reality, they don\u2019t need a video player: the \u201cvideos\u201d on their websites are just blurry pictures of videos with a play button in the middle.<\/p>\n<h3>Initial Redirection<\/h3>\n<p>The initial URL often redirects through a second domain. Sometimes the initial redirect itself is a hijack. 
That was the case when a French government website for the Olympic Games was commandeered in November 2024. Following the event, the site was taken down, but the DNS record was not removed. Hazy Hawk created URLs that redirected users to <span class=\"code-format\">https[:]\/\/share[.]js[.]org\/watch\/<\/span>, which served fake CAPTCHAs, requested permission to deliver notifications, and finally redirected users to the scam domain. If a user visited the URL from a VPN, they were blocked via TDS domains operated by an actor we track as Venal Viper.<sup>9<\/sup> <\/p>\n<p>So how did Hazy Hawk get access to <span class=\"code-format\">share[.]js[.]org<\/span>? It turns out, they stole that too. The domain <span class=\"code-format\">js[.]org<\/span> provides free webspace to JavaScript developers.<sup>10<\/sup> The developers use a subdomain of <span class=\"code-format\">js[.]org<\/span> to point to their GitHub repo.<sup>11<\/sup> An established Chinese developer, Jeff Tian, had claimed the \u201cshare\u201d subdomain six years ago, linking <span class=\"code-format\">share[.]js[.]org<\/span> to his WeShare tool.<sup>12<\/sup> Somehow Hazy Hawk gained control of the subdomain in November 2024 and began using it to redirect visitors from the French government website to scam content. 
When we asked Jeff about it, he said that he was alerted in January by the <span class=\"code-format\">js[.]org<\/span> maintainers that his page was serving \u201cSports-News powered by WordPress\u201d and not the original content.<sup>13<\/sup><\/p>\n<p>In many cases, the hijacked cloud domain redirects to a likely threat-actor-controlled domain in Blogspot.<sup>14<\/sup> For example, the domain <span class=\"code-format\">chesta-korci-bro[.]blogspot[.]com<\/span> served as the first redirection for many of the CDC URLs and was first observed in passive DNS only a month earlier.<sup>15<\/sup> As of mid-April, this Blogspot domain was still active, and visiting individual blog entries would lead users into similar scams.<sup>16<\/sup><\/p>\n<p>In some instances, we have seen an intermediate redirection through one of several link shorteners, including the URL shortening service t[.]co (formerly Twitter\u2019s), TinyURL, Bitly, and Cuttly, before sending the user to the actor-controlled redirection site.<sup>17<\/sup> <\/p>\n<h3>Traffic Distribution Systems<\/h3>\n<p>Regardless of the first redirection, potential victims will typically be directed into a TDS, which will determine where they are sent next. The landing page is often unrelated to the initial lure. For example, the offer to watch high-profile sports matches may lead to security or gift card scams. A TDS is designed to maximize profits for the parties involved, connecting victims with the \u201ccontent\u201d they are most likely to \u201cbuy,\u201d while protecting the network from discovery by security vendors. This combination of profit and security motivations creates dynamic circumstances where it can be hard to recreate a user\u2019s experience\u2014the first visit may lead to a scam and the second to an Amazon shopping page. 
<\/p>\n<p>Many of the Hazy Hawk URLs leveraging the hijacked <span class=\"code-format\">cdc[.]gov<\/span> subdomain redirected through an actor-controlled Blogspot page and then to <span class=\"code-format\">viralclipnow[.]xyz<\/span>. By sampling URL navigation paths that include this domain, we can get a view of how the TDS domains relate to the hijacked domains, initial redirects, and landing pages. The graphic in Figure 8 shows referrals and redirections of various URLs that connect to <span class=\"code-format\">viralclipnow[.]xyz<\/span>. <\/p>\n<p><img decoding=\"async\" class=\"blog-image\" src=\"\/wp-content\/uploads\/a-partial-view-of-the-tds-connections-of-viralclipnowxyz-the-graph-shows-referrals-and-redirections-from-visiting-urls-hosted-on-a-number-of-primary-domains-including-cdcgov.png\" alt=\"Figure 8. A partial view of the TDS connections of viralclipnow[.]xyz; the graph shows referrals and redirections from visiting URLs hosted on a number of primary domains, including cdc[.]gov \"><\/p>\n<p class=\"image-caption\">Figure 8. A partial view of the TDS connections of <span class=\"code-format\">viralclipnow[.]xyz<\/span>; the graph shows referrals and redirections from visiting URLs hosted on a number of primary domains, including <span class=\"code-format\">cdc[.]gov<\/span><\/p>\n<p>Figure 9 below shows the portion of Figure 8 above that contains the <span class=\"code-format\">cdc[.]gov<\/span> domain. In it, we can see how Blogspot domains were used as intermediate redirects before landing at <span class=\"code-format\">viralclipnow[.]xyz<\/span> and other domains. The graph also shows some of the scam landing domains, including <span class=\"code-format\">clean-out[.]xyz<\/span> and <span class=\"code-format\">turbo-vpn-app[.]com<\/span>. Other domains shown there are part of the TDS. 
When the xyz Registry closed down <span class=\"code-format\">viralclipnow[.]xyz<\/span> in February, the threat actor moved to other domains.<\/p>\n<p><img decoding=\"async\" class=\"blog-image\" src=\"\/wp-content\/uploads\/zoom-in-from-figure-8-partial-view-of-tds-containing-viralclipnowxyz-and-subdomains-of-cdcgov.png\" alt=\"Figure 9. (zoom in from Figure 8) Partial view of TDS containing viralclipnow[.]xyz and subdomains of cdc[.]gov\"><\/p>\n<p class=\"image-caption\">Figure 9. (zoom in from Figure 8) Partial view of TDS containing <span class=\"code-format\">viralclipnow[.]xyz<\/span> and subdomains of <span class=\"code-format\">cdc[.]gov<\/span><\/p>\n<h3>Push Notifications<\/h3>\n<p>Hazy Hawk is one of the dozens of threat actors we track within the advertising affiliate world. As we <strong><a href=\"https:\/\/blogs.infoblox.com\/threat-intelligence\/pushed-down-the-rabbit-hole\/\">previously reported<\/a><\/strong>, threat actors who belong to affiliate advertising programs drive users into tailored malicious content and are incentivized to include requests to allow push notifications from \u201cwebsites\u201d along the redirection path. The victim who accepts these notifications, often through a trick by the actor, will be inundated with browser push notifications, each of which leads to a different scam. Programs for so-called push monetization can pay a 70-90 percent revenue share to the affiliate who gained the victim\u2019s approval. Push notifications essentially provide a persistence mechanism for the malicious adtech world to target a victim repeatedly. <\/p>\n<p>Several examples of the push notifications seen from the CDC hijack are shown in Figure 10, with more examples <strong><a href=\"https:\/\/imgur.com\/a\/cdc-website-hijack-leads-to-malicious-adtech-XfguIcN\" target=\"_blank\">here<\/a><\/strong>. 
The push notification services are run by different actors; we have seen residual push notifications from both RollerAds and the Russian underground operator MoneyBadgers. While operators like Hazy Hawk are responsible for the initial lure, the user who clicks is led into a labyrinth of sketchy and outright malicious adtech. The fact that Hazy Hawk puts considerable effort into locating vulnerable domains and then using them for scam operations shows that these advertising affiliate programs are successful enough to pay well.<\/p>\n<div class=\"img-container\">\n<img decoding=\"async\" src=\"\/wp-content\/uploads\/push-notifications-following-a-visit-to-a-hazy-hawk-url-claimed-that-the-laptop-had-been-hacked-clicking-on-the-notification-led-to-tech-support-and-antivirus-scams-figure-1.png\" alt=\"Figure 10\"><br \/>\n<img style=\"width: 65%;\" decoding=\"async\" src=\"\/wp-content\/uploads\/push-notifications-following-a-visit-to-a-hazy-hawk-url-claimed-that-the-laptop-had-been-hacked-clicking-on-the-notification-led-to-tech-support-and-antivirus-scams-figure-2.png\" alt=\"Figure 10. Push notifications following a visit to a Hazy Hawk URL claimed that the laptop had been hacked; clicking on the notification led to tech support and antivirus scams \">\n<\/div>\n<p class=\"image-caption\">Figure 10. Push notifications following a visit to a Hazy Hawk URL claimed that the laptop had been hacked; clicking on the notification led to tech support and antivirus scams <\/p>\n<p>The U.S. Federal Bureau of Investigation\u2019s (FBI) statistics on the wide range of scams enabled by Hazy Hawk show that such crimes are rapidly increasing, particularly among the elder community.<sup>18<\/sup> In 2023, total losses reported for various types of fraud against people over 60 in the United States topped $3.4 billion. Figure 11 shows those crimes by category. 
A remarkable number of them are the types we see Hazy Hawk conducting, along with other actors working in the affiliate advertising space. <\/p>\n<p><img decoding=\"async\" class=\"blog-image\" src=\"\/wp-content\/uploads\/losses-by-category-according-to-the-2023-elder-fraud-report.png\" alt=\"Figure 11. Losses by category according to the 2023 Elder Fraud Report \"><\/p>\n<p class=\"image-caption\">Figure 11. Losses by category according to the 2023 Elder Fraud Report<\/p>\n<h3>Prevention and Protection<\/h3>\n<p>There are two types of victims of Hazy Hawk activity: those whose domains are hijacked and the users who visit the malicious URLs. <\/p>\n<p>For domain owners, the best protection against Hazy Hawk and similar DNS hijacking threat actors is well-managed DNS. This can be difficult in complex, multi-national organizations where management of projects, domain registration, and DNS records may all sit with separate teams. These attacks are common after mergers and acquisitions. We recommend establishing processes that trigger removal of a DNS CNAME record whenever the resource it points to is shut down, as well as tracking active resources. <\/p>\n<p>The best way to shield end users from Hazy Hawk is through protective DNS solutions. Threat actors who work in the affiliate marketing space utilize TDSs to maximize their profits, and DNS is the optimal solution to disrupt all activity through these systems. When the threat intelligence used in a protective DNS product is designed to track and detect TDS actors, as Infoblox Threat Intel does, Hazy Hawk and others can change their domain names and still be thwarted. <\/p>\n<p>Education is a final component. Urge users to deny notification requests from websites they don\u2019t know. If they start receiving messages, unwanted notifications can be turned off in the browser settings. 
<\/p>\n<h3>Indicators<\/h3>\n<p>Malicious indicators are found in our <a href=\"https:\/\/github.com\/infobloxopen\/threat-intelligence\/blob\/main\/indicators\/csv\/hazy_hawk_20250520_iocs.csv\" target=\"_blank\"><strong>GitHub repository<\/strong><\/a>. Note that compromised domains are not included as they are legitimate.<\/p>\n<table>\n<tbody>\n<tr>\n<td colspan=\"3\">Table 1. Second-level domains (SLDs) that have had a Hazy Hawk subdomain hijack since December 2023. These domains are legitimate and do not include the specific subdomain that was hijacked in the past.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table>\n<tbody>\n<tr>\n<td class=\"code-format\">\n        chesta-korci-bro[.]blogspot[.]com<br \/>\n        pokam-pok[.]blogspot[.]com<br \/>\n        kopde-tuk-kpre[.]blogspot[.]com<br \/>\n        share[.]js[.]org\n      <\/td>\n<\/tr>\n<tr>\n<td>Table 2. Examples of first redirection URLs<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table>\n<tbody>\n<tr>\n<td>Table 3. Examples of TDS domains<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table>\n<tbody>\n<tr>\n<td>Table 4. Examples of push notification request domains<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table>\n<tbody>\n<tr>\n<td class=\"code-format\">\n        Ferigs[.]xyz<br \/>\n        Apperetive[.]xyz<br \/>\n        Edygik[.]org<br \/>\n        Digitdsk[.]org<br \/>\n        Extuilowelevid[.]com\n      <\/td>\n<\/tr>\n<tr>\n<td>Table 5. Examples of domains from push notifications<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table>\n<tbody>\n<tr>\n<td>Table 6. Examples of malicious landing page domains<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n","protected":false},"excerpt":{"rendered":"<p>Authors: Jacques Portal, Ren\u00e9e Burton &nbsp; Hazy Hawk is a DNS-savvy threat actor that hijacks abandoned cloud resources of high-profile organizations. By \u201ccloud resources\u201d we mean things like S3 buckets and Azure endpoints. 
You might have read about domain hijacking; we and other security vendors have written about different techniques for grabbing control of forgotten [&hellip;]<\/p>\n","protected":false},"author":397,"featured_media":11641,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","categories":[254],"tags":[30,930,828,41,1227]}