{"id":13138,"date":"2026-03-26T09:04:10","date_gmt":"2026-03-26T16:04:10","guid":{"rendered":"https:\/\/www.infoblox.com\/blog\/?p=13138"},"modified":"2026-03-26T09:04:10","modified_gmt":"2026-03-26T16:04:10","slug":"no-reach-no-risk-the-keitaro-abuse-in-modern-cybercrime-distribution","status":"publish","type":"post","link":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/no-reach-no-risk-the-keitaro-abuse-in-modern-cybercrime-distribution\/","title":{"rendered":"No Reach, No Risk: The Keitaro Abuse in Modern Cybercrime Distribution"},"content":{"rendered":"<p><strong>Authors: Infoblox Threat Intel and Confiant<\/strong><\/p>\n<h3>Executive Summary<\/h3>\n<p>Recently we published the <a href=\"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/inside-keitaro-abuse-a-persistent-stream-of-ai-driven-investment-scams\/\">first part<\/a> of a four-month-long study conducted with Confiant on the abuse of Keitaro, an advertising performance tracker frequently abused by threat actors. We ran out of pages before we ran out of examples. The first blog focused on the use of AI, particularly in investment scams, and barely scratched the surface of how Keitaro is abused. This installment demonstrates how a broad spectrum of threat actors abuse commercial, feature-rich, easy-to-use tools like Keitaro to reach victims. In the modern, mass-scale criminal economy, risk is highly dependent on reach.<\/p>\n<p><img decoding=\"async\" class=\"blog-image\" src=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/keitaro-ai-campaign-part2-image.png\" alt=\"A diagram of a computer server AI-generated content may be incorrect.\" \/><\/p>\n<table class=\"calloutbox\">\n<tbody>\n<tr>\n<td style=\"text-align: center;\"><strong>Disruptive technology should be framed as a marketing challenge, not a technological one. &#8212; Clayton M. 
Christensen<\/strong><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>Christensen\u2019s observation explains why even the most technically proficient malware operators have embraced adtech: breakthrough tooling is inert without distribution. In campaigns where Keitaro is used, this all-in-one adtech (tracker, traffic distribution system, and cloaker) functions as the logistics that converts capability into impact. It finds real people, in real time, whose environments are compatible with the payloads on offer. After all, threat actors are not a threat if they can&#8217;t find victims that are compatible with their products (i.e. threats).<\/p>\n<p>Commercial adtech lowers the barrier for threat actors by outsourcing part of the delivery mechanism. Instead of building and maintaining their own routing, profiling, and targeting stacks, operators can focus on crafting (and constantly iterating) malicious campaigns while the platform optimizes who sees what, and when. Distribution is the decisive edge; without it, the most advanced malware is little more than a lab demo.<\/p>\n<p>The majority of observed Keitaro instances are operated by actors with ties to Eastern Europe, frequently fronted by Cloudflare or hosted in bulletproof providers. These configurations frustrate attribution and slow down disruption efforts from the security community. 
Although investment scams dominate the use of Keitaro in our study, other activity includes:<\/p>\n<ul class=\"list-spacing\">\n<li>Malware delivery pipelines (loaders, infostealers, and weaponized remote administration tools)<\/li>\n<li>Crypto theft operations (wallet drainers targeting NFT owners)<\/li>\n<li>Spam\u2011to\u2011phish\/eCrime funnels where email campaigns resolve to Keitaro gates before redirecting to phishing kits or employment scams<\/li>\n<li>Domain\u2011centric social deception, including lookalike domain farms and RDGA (registered DGA) patterns that keep lures fresh and reputations clean<\/li>\n<li>Gambling geo\u2011gates that selectively expose betting sites by location<\/li>\n<li>Domain hijacking techniques that exploit DNS lame delegation, aka the Sitting Ducks vulnerability<\/li>\n<li>Fake online pharmaceuticals, investment schemes, and malicious adtech (fraud via push notifications)<\/li>\n<\/ul>\n<p>A few of the highlights we cover in this segment:<\/p>\n<ul class=\"list-spacing\">\n<li>Over 20% of the threat actors tracked by Confiant during this period used Keitaro, with some obtaining tens of millions of impressions<\/li>\n<li>96% of spam campaigns that included links to Keitaro instances led to cryptocurrency wallet drainers in a hybrid scam and phishing attack<\/li>\n<li>Our use of JA4+ techniques to identify malware download sites, particularly ones hosted in bulletproof provider AS214351<\/li>\n<li>The use of fake arrests as clickbait lures leading to investment scams<\/li>\n<li>Spam campaigns generating localized, dynamically crafted messages disguised as employment-related salary notifications<\/li>\n<li>Reward scam campaigns targeting Brazilians to gain PII, specifically Cadastro de Pessoas F\u00edsicas (CPF) Numbers (individual taxpayer ID), Pix Key (instant payment identifier such as phone, email, CPF or unique key), and CNH (driver\u2019s license number)<\/li>\n<\/ul>\n<p>Keitaro\u2019s popularity among threat actors raises a 
simple question: why does it keep winning mindshare? The answer comes down to the economics of consolidation and a product whose features threat actors can leverage. In many malicious adtech stacks, operators pay separately for a tracker, a cloaker, and a traffic distribution system (TDS). Keitaro bundles all three, reducing cost and operational friction while providing a single console for analytics, routing policies, and rapid iteration. This consolidation lowers the barrier to entry, shortens setup time, and makes scaling campaigns significantly easier. It is also easy to use and available in major hosting providers.<\/p>\n<p>Unfortunately, while we found Keitaro\u2019s owners, Apliteni, both receptive and responsive to abuse reporting, the volume of threat domains is more than we can realistically gather evidence for so that they can take action. In addition, stolen licenses are widely used, particularly by the more sophisticated criminals. We\u2019ll cover more of the Keitaro technology and the challenges with large-scale abuse reporting in the final segment of this series.<\/p>\n<p>Ultimately, Keitaro is just one of many tools used in the cybercriminal ecosystem, but the feature set has made it attractive to malicious actors who want to maximize their victim reach with the least effort.<\/p>\n<p><em>Confiant secures the digital advertising supply chain and protects many major advertising exchanges, platforms, and publishers. Their visibility of close to 90 billion ad impressions a month on publisher sites is derived from thousands of client-side integrations that block malvertising attacks. This product suite also collects data on threat activity seen in the wild and serves to complement the view Infoblox Threat Intel has via DNS, spam, and website scans.<\/em><\/p>\n<h3>Threats By the Numbers<\/h3>\n<p>Keitaro\u2011enabled campaigns distribute a wide variety of threat types: scams, phishing pages, malware distribution, and more (see Figure 1). 
In the sections that follow, we examine the most prominent threat types observed in our data and highlight representative examples of how threat actors are leveraging Keitaro across these different use cases.<\/p>\n<p><img decoding=\"async\" class=\"blog-image\" src=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/keitaro-ai-campaign-part2-figure1.png\" alt=\"Figure 1\" \/><\/p>\n<p class=\"image-caption\">Figure 1. Relative distribution of content types observed using Keitaro<\/p>\n<h3>Spam Campaigns<\/h3>\n<p>Among threat actors abusing Keitaro, we identified 25 who were using spam as an initial attack vector to distribute malicious content. In aggregate, these actors conducted approximately 120 campaigns and sent tens of thousands of emails during the four-month period. The campaigns primarily pushed cryptocurrency and non-fungible token (NFT) airdrop scams, banking credential phishing, ClickFix\u2011based malware delivery, and romance\/investment fraud. Wallet drainers were by far the biggest campaigns we observed in spam-related activities. Approximately 96% of spam emails delivered scams that lured victims into approving fraudulent cryptocurrency transactions for the purpose of wallet draining (see Figure 2).<\/p>\n<p><img decoding=\"async\" class=\"blog-image\" src=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/keitaro-ai-campaign-part2-figure2.png\" alt=\"Figure 2\" \/><\/p>\n<p class=\"image-caption\">Figure 2. Distribution of observed spam campaigns utilizing Keitaro<\/p>\n<p>We tokenized the subject line of each spam email and used those tokens to derive labels commonly seen in spam campaigns that routed traffic through Keitaro. We then analyzed each token set to estimate the core theme of the message and grouped the dataset into 12 categories. In Figure 3, we selected the top three tokens per category and rendered a heat map to compare themes at a glance. 
This single, simple view helped us see the range of social engineering lures and how they concentrate across categories. The links redirected victims to websites that used Keitaro to track or conditionally redirect to other malicious landing pages.<\/p>\n<p><img decoding=\"async\" class=\"blog-image\" src=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/keitaro-ai-campaign-part2-figure3.png\" alt=\"Figure 3\" \/><\/p>\n<p class=\"image-caption\">Figure 3. Popular token labels by spam category<\/p>\n<h3>Malvertising<\/h3>\n<p>On average, Confiant tracks around 30 active malvertising threat actors with high-confidence attribution over a typical 90-day period. Over the date range in scope for the findings in this report, eight of these threat actors have been identified as leveraging Keitaro for cloaking or traffic distribution. Substantial activity was also observed among a multitude of malicious campaigns that are not currently attributed to any known actor clusters but that did use Keitaro for cloaking. Among the dataset, some campaigns ran at such prodigious volumes that tens of millions of impressions were observed client-side associated with these unattributed, lone-wolf IOCs.<\/p>\n<h3>Threat Highlights<\/h3>\n<p>To show the breadth of threats seen in the wild, we\u2019ll showcase examples of:<\/p>\n<ul class=\"list-spacing\">\n<li>Malware<\/li>\n<li>Phishing<\/li>\n<li>Scams<\/li>\n<li>Illegal content (<em>often these are really scams<\/em>)<\/li>\n<\/ul>\n<h3>Malware<\/h3>\n<p><strong>JA4+ Fingerprinting Uncovers Keitaro Servers Used for Malware Delivery<\/strong><\/p>\n<p>The JA4+ network fingerprinting suite allowed us to identify web servers that expose the Keitaro admin console, complementing our other data sources. The admin portal is the self\u2011hosted web UI for the Keitaro Tracker. 
It\u2019s where operators configure campaigns, flows, landing pages, offers, traffic sources, and domains; view reports; and manage integrations and access (see Figure 4). This methodology produced over 100 IP addresses that were associated with malware distribution and appeared largely unreported in public threat intel sources at the time of collection.<\/p>\n<p><img decoding=\"async\" class=\"blog-image\" src=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/keitaro-ai-campaign-part2-figure4.jpg\" alt=\"Figure 4\" \/><\/p>\n<p class=\"image-caption\">Figure 4. Keitaro\u2019s web UI admin login page<\/p>\n<p>Among the Keitaro IP addresses that we identified, the most notable was a subset managed by ISP FEMO IT SOLUTIONS LIMITED (AS214351). This organization registered with the RIPE NCC on August 15, 2024, and is less than two years old. It only operates 3 \/24 prefixes and has been described in open-source reporting as a <a href=\"https:\/\/info.silentpush.com\/hubfs\/SP-WP-bulletproof-hosting.pdf\" target=\"_blank\"><strong>bulletproof hosting services provider<\/strong><\/a>. Its upstream provider is aurologic GmbH. <a href=\"https:\/\/www.recordedfuture.com\/research\/malicious-infrastructure-finds-stability-with-aurologic-gmbh\" target=\"_blank\"><strong>Open\u2011source<\/strong><\/a> reporting has described aurologic as a central nexus within the malicious infrastructure ecosystem and, in Insikt Group analysis, identified networks such as Virtualine Technologies, <a href=\"https:\/\/decodecybercrime.com\/mapping-defhost-an-investigation-into-femo-it-solutions-limited-as214351\/\" target=\"_blank\"><strong>Femo<\/strong><\/a> IT Solutions Limited, Global-Data System IT Corporation (SWISSNETWORK02), Railnet, and the recently sanctioned Aeza Group among threat\u2011activity enablers (TAEs). 
Figure 5 shows the various malware <a href=\"https:\/\/www.joesandbox.com\/analysis\/1814603\/0\/html\" target=\"_blank\"><strong>samples<\/strong><\/a> analyzed in Joe Sandbox and distributed via AS214351.<\/p>\n<p><img decoding=\"async\" class=\"blog-image\" src=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/keitaro-ai-campaign-part2-figure5.png\" alt=\"Figure 5\" \/><\/p>\n<p class=\"image-caption\">Figure 5. Malware payloads hosted on AS214351<\/p>\n<p>Many of the Keitaro IP addresses we saw in the AS214351 network host and distribute malware. For instance, in November and December 2025, 62[.]60[.]226[.]248 hosted the DonutLoader malware payload (SHA256: b98b53ca03e3e9009b31bcc37b90b206064b25effce449dde63c51cef6a47470), a memory\u2011only loader that converts PE, .NET, DLL, or script payloads into shellcode and injects them into other processes. In the attack that we observed, the DonutLoader injected the StealC v2 information stealer into Chrome and Microsoft Edge browser processes. The malware targeted multiple categories of sensitive information:<\/p>\n<ul class=\"list-spacing\">\n<li><strong>Browser Data<\/strong>: Harvests cookies, login credentials, and browsing history from Chrome and Edge browsers by accessing their respective data files<\/li>\n<li><strong>Cryptocurrency Wallets<\/strong>: Attempts to steal wallet files from multiple cryptocurrency applications including Electrum, ElectronCash, Daedalus Mainnet, and WalletWasabi<\/li>\n<\/ul>\n<p>The malware&#8217;s C2 configuration (see Figure 6) showed that StealC sends stolen data to hXXp[:]\/\/62[.]60[.]178[.]163\/ce369e7324834845[.]php. The configuration contained a &#8220;Botnet&#8221; tag used by the operator and the panel to group victims, pivot IOCs, and apply rules (e.g., geofencing, payload rules). 
It also contained the &#8220;Traffic RC4 key&#8221; for network encryption of StealC v2\u2019s protocol (request\/response payloads), as well as the &#8220;Rc4 Key&#8221; for decrypting strings, API names, and configuration details. According to network fingerprinting databases, 62[.]60[.]226[.]248 exposed a Keitaro admin login console (Keitaro local version: 11.0.19) in November and December 2025 and continues to do so as of this writing.<\/p>\n<p><img decoding=\"async\" class=\"blog-image\" src=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/keitaro-ai-campaign-part2-figure6.png\" alt=\"Figure 6\" \/><\/p>\n<p class=\"image-caption\">Figure 6. StealC v2 C2 configuration<\/p>\n<p>During summer 2025, 62[.]60[.]226[.]248 was also hosting a customized remote monitoring and management (RMM) client called ScreenConnect that auto-enrolled victims into the actor-controlled network relays. Figure 7 shows the standard ScreenConnect (ConnectWise Control) web portal that was accessible via hXXps[:]\/\/object[.]brovanti[.]com\/. This website was hosted on 62[.]60[.]226[.]248 in August 2025. Adversaries that use RMM TTPs commonly stand up their own ScreenConnect server and then distribute pre\u2011configured access\u2011agent installers so victims auto\u2011enroll into that instance. The same host (i.e., IP address) typically serves the portal UI, relay service, and installer downloads, so seeing both the customized binary and the portal on the same IP address is expected. The follow-on malware after the ScreenConnect installation was RustyStealer, an information stealer that functions as a credential-harvesting tool and delivers other malware. 
Open\u2011source <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/new-ymir-ransomware-partners-with-rustystealer-in-attacks\/\" target=\"_blank\">reporting<\/a> indicates that RustyStealer activity has been observed preceding Ymir ransomware deployment in some intrusion chains.<\/p>\n<p><img decoding=\"async\" class=\"blog-image\" src=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/keitaro-ai-campaign-part2-figure7.png\" alt=\"Figure 7\" \/><\/p>\n<p class=\"image-caption\">Figure 7. Example of an attacker-controlled ScreenConnect control web portal served by object[.]brovanti[.]com<\/p>\n<h3>Phishing<\/h3>\n<p>Phishing malvertising chains usually fall into two categories: credential theft and PII harvesting. Credential theft includes masquerading as an established web portal where victims attempt to log in, and their account details are siphoned off by the attacker. This is more common in search ads, where malvertisers take advantage of victims\u2019 intent (based on their search keywords) to log into a system.<\/p>\n<p>PII harvesting on the other hand is the favorite monetization path for criminals operating via display ads. The subterfuge involves giveaway scams like the \u201cYou\u2019ve won an iPhone\u201d or \u201cSpin the wheel to win\u201d money pages. Victims are lured to fill out a bunch of forms to claim their prize and may be required to give up information like their name, email address, phone number, or even credit card number.<\/p>\n<h4>TilapiaParabens<\/h4>\n<p>TilapiaParabens is a \u2018rewards scam\u2019 phishing campaign targeted at Brazilian audiences with deceptive short-format mobile video ads (TikTok style). Confiant has been tracking them since March 2025. 
It leverages high domain churn, consistently spinning up multiple new campaigns and domains daily over extended periods.<\/p>\n<p>The abuse is identity and PII theft\u2014specifically Cadastro de Pessoas F\u00edsicas (CPF) Numbers (individual taxpayer ID), Pix Key (instant payment identifier such as phone, email, CPF or unique key), CNH (driver\u2019s license number), etc.<\/p>\n<p>They typically use local cloaking kits such as The White Rabbit and Cloakilio, but the dataset that was in scope for this report showed multiple instances of Keitaro used for cloaking as well. These kits cloak landing pages that are paired loosely with the content that matches their domains (e.g., Figure 8). The money page takes victims through giveaway scams where they\u2019re warmed up with a questionnaire (seen in Figure 9). Ultimately, victims are tricked into giving up their information for the bogus reward claim on PII harvesting pages similar to Figure 10.<\/p>\n<p><img decoding=\"async\" class=\"blog-image\" src=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/keitaro-ai-campaign-part2-figure8.jpg\" alt=\"Figure 8\" \/><\/p>\n<p class=\"image-caption\">Figure 8. TilapiaParabens scam landing page sample<\/p>\n<p><img decoding=\"async\" class=\"blog-image\" src=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/keitaro-ai-campaign-part2-figure9.png\" alt=\"Figure 9\" \/><\/p>\n<p class=\"image-caption\">Figure 9. TilapiaParabens warm-up quiz sample from a previously uncloaked campaign<\/p>\n<p><img decoding=\"async\" class=\"blog-image\" src=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/keitaro-ai-campaign-part2-figure10.png\" alt=\"Figure 10\" \/><\/p>\n<p class=\"image-caption\">Figure 10. TilapiaParabens PII harvesting sample<\/p>\n<h4>Spam Campaigns<\/h4>\n<p>From October 2025 through January 2026, we observed multiple phishing campaigns impersonating popular services such as Netflix and Spotify. 
Each campaign relied on the same lure: a fabricated alert claiming the victim\u2019s payment method had failed. The actors employed a security evasion technique known as hash\u2011busting, which involves adding or mutating low-value content so that each email produces a unique hash.<\/p>\n<p>Figure 11 shows how one actor added personalized content, including crude or taunting remarks directed at security professionals, inside parts of the HTML that are not rendered. In this case, the actor placed both a random MD5\u2011like token and the hostile commentary inside HTML comments within the message body. Although the recipient never sees this content, it ensures that the HTML hash or fuzzy hash differs across messages, reducing the effectiveness of simple signature\u2011based anti\u2011spam rules.<\/p>\n<p><img decoding=\"async\" class=\"blog-image\" src=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/keitaro-ai-campaign-part2-figure11.png\" alt=\"Figure 11\" \/><\/p>\n<p class=\"image-caption\">Figure 11. Hash-busting technique used in a phishing email attack; the update button is hyperlinked to hXXps[:]\/\/membros[.]mtcreatingimages[.]com\/spotify<\/p>\n<h4>Localized Attacks<\/h4>\n<p>We identified spammers generating localized, dynamically crafted messages disguised as employment-related salary notifications. Mail Transfer Agent transaction data showed that the attacker spoofed business email accounts and tailored messages to specific phishing targets. Figure 12 illustrates one case involving the spoofed account admin[@]jjim[.]co[.]kr; the email domain has been parked since its creation. 
The attacker used this address to deliver emails containing an embedded link: hXXps[:]\/\/estrategicadesenvolvimento[.]com[.]br\/Webmail\/webmail[.]php?email={victim@email}<\/p>\n<p><img decoding=\"async\" class=\"blog-image\" src=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/keitaro-ai-campaign-part2-figure12.png\" alt=\"Figure 12\" \/><\/p>\n<p class=\"image-caption\">Figure 12. Dynamically crafted phishing email impersonating a corporate email system, localized for target<\/p>\n<p>The associated mail server IP address (158[.]94[.]209[.]29) has known ties to Remcos RAT malware command-and-control (C2) infrastructure. When victims clicked the link, they were redirected to a fraudulent webmail login page, pre-populated with their own email address in the username field (see Figure 13).<\/p>\n<p><img decoding=\"async\" class=\"blog-image\" src=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/keitaro-ai-campaign-part2-figure13.png\" alt=\"Figure 13\" \/><\/p>\n<p class=\"image-caption\">Figure 13. Phishing page pre-filled with username<\/p>\n<h4>Unnamed Lookalike Actor<\/h4>\n<p>We have been tracking an unnamed actor running a phishing campaign impersonating Canadian financial institutions and other high\u2011trust service providers. The earliest creation date for domains we\u2019ve attributed to this actor is February 2025, and they are still actively creating domains as of March 2026. The actor registers domains infrequently, creating them only on scattered days and in very small numbers rather than at a consistent pace. This irregular, low\u2011volume activity suggests they may be trying to stay under the radar and avoid detection.<\/p>\n<p>The actor creates lookalike domains that mimic targets such as Canadian enterprises and organizations, including all the major banks and many other important organizations. 
In parallel, they also spoof the branding of shipping and logistics companies (DHL, FedEx, Canada Post) as well as government and retail services such as Costco. These domains host phishing pages featuring login portals, package\u2011tracking pages, refund notifications, and authentication pages. The screenshots in Figure 14 show examples of content for the domains rbcsecurityservices[.]com and interac-gigadat15[.]info.<\/p>\n<div class=\"img-container\">\n<img decoding=\"async\" src=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/keitaro-ai-campaign-part2-figure14a.png\" alt=\"Figure 14a\"><br \/>\n<img decoding=\"async\" src=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/keitaro-ai-campaign-part2-figure14b.png\" alt=\"Figure 14b\">\n<\/div>\n<p class=\"image-caption\">Figure 14. Landing pages for lookalike domains impersonating Canadian financial institutions. Image credit: urlscan.io<\/p>\n<p>The actor\u2019s operational pattern suggests automated or scripted domain creation: registrations appear in clusters with consistent formatting, recurring keyword structures, and predictable brand\u2011adjacent terminology. Clusters of domains center on a specific impersonated brand and pair that brand name with predictable thematic keywords. Financial institutions are matched with terms like <em>login<\/em>, <em>secure<\/em>, <em>device<\/em>, <em>portal<\/em>, <em>verify<\/em>, <em>auth<\/em>, or <em>alerts<\/em>. 
Examples include:<\/p>\n<ul class=\"list-spacing\">\n<li>rbclogin-digital[.]com<\/li>\n<li>cibcsecurity2fa[.]com<\/li>\n<li>bmosecure-webportal[.]com<\/li>\n<li>bnc-websecurity[.]com<\/li>\n<\/ul>\n<p>These combinations give the domains a sense of legitimacy while also signaling the intended phishing theme (authentication, account verification, or security update).<\/p>\n<p>Another domain pattern appears for brands such as Gigadat, where the naming scheme leans heavily on numerical suffixes appended to brand names; examples include gigadat-interac6302[.]com and interac-gigadat0012[.]info. The actor applies a similar pattern to logistics impersonation: DHL, FedEx, and Canada Post domains mix brand names with random numeric strings or shipment\u2011related vocabulary, such as mydhl725378-order442-online[.]com, parceltrackdelfedex[.]com, and canadapostshipment[.]info. Table 1 includes a few samples of domains and patterns for some of the brands the actor impersonates.<\/p>\n<table>\n<tr>\n<td><strong>Canadian Financial Institutions<\/strong><\/td>\n<td><strong>Other high-trusted service providers<\/strong><\/td>\n<\/tr>\n<tr>\n<td>bmosecure-portal[.]app<br \/>authentifybmo[.]com<br \/>bncloginsecuriter[.]com<br \/>bnc-websecurity[.]com<br \/>cibc-registration-access-online[.]com<br \/>cibcsecurity2fa[.]com<br \/>cra-signin-partner-id[.]com<br \/>etransfer-auth-cra[.]com<br \/>rbcdevice-login[.]com<br \/>myrbcsecureddevice[.]com<br \/>tdonlineverif[.]com<br \/>tdcommercial-securedlogins[.]com<\/td>\n<td>canadapostshipment[.]info<br \/>adressinvalidepostescanada-enligne38846[.]info<br \/>costcorebate-groceries2026[.]com<br \/>mygroceries2costco[.]com<br \/>dhlmanagemypack0099[.]com<br \/>mydhl725378-order442-online[.]com<br \/>fedexdelivery[.]ca<br \/>fedexca-orderstatus[.]link<br \/>gigadat-interac-0910[.]com<br \/>gigadat-claiminterac[.]info<\/td>\n<\/tr>\n<tr>\n<td colspan=\"2\">Table 1. 
Sample of lookalike domains used to impersonate legitimate financial institutions and businesses<\/td>\n<\/tr>\n<\/table>\n<h3>Scams<\/h3>\n<h4>Cryptocurrency Theft<\/h4>\n<p>A recurring theme in the threat landscape is the fake airdrop giveaway, which leads to cryptocurrency theft via a wallet drainer. Actors use Keitaro to track and filter\/redirect visitors to their lure websites. Incident <a href=\"https:\/\/cryptonews.com\/news\/over-4-million-worth-of-assets-stolen-by-solanas-wallet-drainers-scam-sniffer\/\" target=\"_blank\">reporting<\/a> shows millions in losses from Solana wallet drainers, with stolen assets including USDT\/USDC, BONK, ZERO, and SOL.<\/p>\n<p>In legitimate settings, blockchain projects run airdrops to distribute free tokens to eligible wallet addresses. These often belong to early users and are a way for the project to bootstrap communities, decentralize ownership, and market new launches. Threat actors piggyback on that pattern. They promise free tokens, then drive targets to connect their wallets and approve malicious transactions or to download wallet\u2011drainer kits.<\/p>\n<p>In practice, unsolicited airdrop tokens are frequently illiquid, unsellable, or outright impersonations designed to trigger risky clicks. Despite this, many owners have only a surface-level understanding of tokens and overestimate their cash-out value. Cryptocurrency token giveaway scams exploit this misunderstanding and hit key psychological levers, adding artificial scarcity (\u201cfirst-come, first-served\u201d) and urgency to short\u2011circuit due diligence and push a wallet connection.<\/p>\n<p>One common variant impersonates Phantom, which is a multichain wallet application and not a token project. 
Phantom has explicitly <a href=\"https:\/\/cointelegraph.com\/news\/crypto-wallet-phantom-dismisses-rumors-of-a-token-airdrop\" target=\"_blank\">stated<\/a> it has no plans to launch a token or conduct an airdrop, so any \u201cPhantom token\u201d pitches are almost certainly fake or impersonation tokens used as scam pretexts.<\/p>\n<p>For example, during the week of December 13, 2025, a threat actor conducted a large spam campaign that sent thousands of emails from a spoofed address hello[@]phantom[.]com. The email contained an HTML body message disguised as a real Phantom promotion letter (see Figure 15).<\/p>\n<p><img decoding=\"async\" class=\"blog-image\" src=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/keitaro-ai-campaign-part2-figure15.png\" alt=\"Figure 15\" \/><\/p>\n<p class=\"image-caption\">Figure 15. Spam email message with fake giveaway lure<\/p>\n<p>The emails instructed victims to claim free Phantom tokens on the actor&#8217;s fraudulent website hXXps[:]cooldece[.]com, which used Keitaro to track visitors. Figure 16 shows the website impersonating the Phantom platform.<\/p>\n<p><img decoding=\"async\" class=\"blog-image\" src=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/keitaro-ai-campaign-part2-figure16.png\" alt=\"Figure 16\" \/><\/p>\n<p class=\"image-caption\">Figure 16. Scam page impersonating Phantom<\/p>\n<p>When victims stepped through the reward claim process, the website redirected them to another malicious location: hXXps[:]\/\/honknft[.]com\/connect\/rh7_1a7r72zi-kk4k4z?b=1. From here, the actor instructed victims to connect their Phantom wallet to receive the free tokens. In this scam, the actor simply used the free token promise to lure the victim into connecting their wallet and signing a malicious transaction. This action authorizes the actor to drain liquid assets such as USDC\/USDT, popular SPL tokens, and NFTs that already exist in the victim&#8217;s wallet. 
There are drainer kit tools that help actors easily run these transactions.<\/p>\n<p>Many of this actor\u2019s previous campaigns involved a different giveaway scam (Figure 17). Their wallet drainer JavaScript functions were heavily obfuscated. Their lures instructed victims to &#8220;turn on Blind Signing and Debug Data.&#8221; By doing so, victims turned off Ledger device safeguards and approved opaque smart contract interactions they could not verify in a human-readable way.<\/p>\n<p><img decoding=\"async\" class=\"blog-image\" src=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/keitaro-ai-campaign-part2-figure17.png\" alt=\"Figure 17\" \/><\/p>\n<p class=\"image-caption\">Figure 17. Token wallet drainer lure<\/p>\n<p>Domain registration details and hosting history for honknft[.]com indicate the actor is likely based in Russia. The registrant location fields show Moscow, Russia, and although the site sits behind Cloudflare, passive DNS indicates the domain\u2019s real IP address is 158[.]94[.]208[.]165. That address is managed by omegatech[.]sc (AS202412), an ASN registered only a couple of months ago as of this writing. Its upstream provider is aurologic GmbH; open\u2011source <a href=\"https:\/\/www.recordedfuture.com\/research\/malicious-infrastructure-finds-stability-with-aurologic-gmbh\" target=\"_blank\">reporting<\/a> has described aurologic as an upstream provider for networks associated with cybercrime, disinformation, and other forms of abuse, including some with links to Russia.<\/p>\n<p>Additionally, we traced honknft[.]com to an Ethereum-based NFT collection called Honk! ($HONK). On Etherscan, the token <a href=\"https:\/\/etherscan.io\/address\/0x8fb6ec891f80D0DA0e966A54Ed403F5149a347C8\" target=\"_blank\">page<\/a> classifies it as an ERC\u2011721\/NFT and links to honknft[.]com\/mint. 
The token was launched in January 2023 &#8212; the same month we saw the first attack <a href=\"https:\/\/urlscan.io\/result\/7ab43545-15c9-40f7-8cdc-b2985087f2f9\/#summary\" target=\"_blank\">instance<\/a> and campaign from this wallet drainer actor. As of this writing, the token shows a history of nearly 25,000 token transfers (see Figure 18). Based on infrastructure overlap and campaign timing, this NFT collection is likely dedicated to the actor\u2019s wallet draining operations.<\/p>\n<p><img decoding=\"async\" class=\"blog-image\" src=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/keitaro-ai-campaign-part2-figure18.png\" alt=\"Figure 18\" \/><\/p>\n<p class=\"image-caption\">Figure 18. Honk! NFT collection page on opensea.io associated with wallet-draining campaign<\/p>\n<h4>Spoofing Investment Companies<\/h4>\n<p>The actors covered in our first blog in this series (<a href=\"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/inside-keitaro-abuse-a-persistent-stream-of-ai-driven-investment-scams\/\">Inside Keitaro Abuse: A Persistent Stream of AI-Driven Investment Scams<\/a>) create fabricated investment companies. In contrast, this actor impersonates legitimate investment and financial businesses. They use domains with no distinct pattern rather than keyword lookalike domains (Table 2), which helps them evade detectors that rely on identifying brand\u2011similar domains. The page content is where they spoof real companies, and in many of the examples we observed, the impersonations target multiple investment and financial businesses across different countries (Figures 19.1 and 19.2).<\/p>\n<table>\n<tr>\n<td colspan=\"2\" align=\"center\"><strong>Indicator<\/strong><\/td>\n<\/tr>\n<tr>\n<td>azgrvfra[.]com<br \/>\nca24watch[.]com<br \/>\ndailycrepoton[.]com<br \/>\ndigitalwealth-au[.]com<br \/>\niralfdgs[.]com<\/td>\n<td>moplih[.]com<br \/>\nnewtotalca[.]com<br \/>\nquietfostdio[.]com<br \/>\nsomeotherbox[.]com<br \/>\nuzelart[.]com<\/td>\n<\/tr>\n<tr>\n<td colspan=\"2\">Table 2. 
Sample domains for sites with content that impersonates legitimate businesses, but the domains are not lookalikes<\/td>\n<\/tr>\n<\/table>\n<div class=\"grid-container\">\n<div class=\"grid-item\">\n<img decoding=\"async\" src=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/keitaro-ai-campaign-part2-figure19a.png\" alt=\"Figure 19.1\">\n<p class=\"image-caption\">Figure 19.1. Investment scam <a href=\"https:\/\/urlscan.io\/result\/019c8aa0-52c6-73bf-9b16-ce39892c8cc6\/\" target=\"_blank\"><strong>page<\/strong><\/a> for burkespitbbq[.]com, which impersonates DEGIRO, a European online broker based in the Netherlands<\/p>\n<\/div>\n<div class=\"grid-item\">\n<img decoding=\"async\" src=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/keitaro-ai-campaign-part2-figure19b.png\" alt=\"Figure 19.2\">\n<p class=\"image-caption\">Figure 19.2. Investment scam <a href=\"https:\/\/urlscan.io\/result\/01973ce3-0a46-728a-a0a9-2495a989ba3f\/\" target=\"_blank\"><strong>page<\/strong><\/a> for linda-makeup[.]com, which impersonates a Singapore-based financial education platform<\/p>\n<\/div>\n<\/div>\n<h4>Health and Fake Shops<\/h4>\n<p>Dubious healthcare products are a problem that predates the digital era. Modern malvertising campaigns digitally promote &#8220;snake oil&#8221; products, which often include supplements like keto gummies promising rapid weight loss, or services that make dangerous, unsubstantiated claims about curing serious ailments. The purveyors of these goods exploit consumer anxieties and vulnerabilities to push products that are at best unproven, and at worst actively harmful.<\/p>\n<p>The digital ad campaigns marketing these products and services will often try to create a false sense of urgency (\u201conly 100 bottles left,\u201d \u201cclaim yours now\u201d) and are supported by numerous fake reviews and testimonials on verbose sales pages. 
It\u2019s typical for prices to be inflated as well.<\/p>\n<p>Ad platforms that take marketplace quality seriously will have policies in place against these types of campaigns, so the affiliates that promote these offerings will often have to rely on cloaking to circumvent any safeguards.<\/p>\n<p>We have solid examples of these types of health scams with Keitaro present, from the fourth quarter of 2025. Figure 20 below shows one such example.<\/p>\n<p><img decoding=\"async\" class=\"blog-image\" src=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/keitaro-ai-campaign-part2-figure20.jpg\" alt=\"Figure 20\" \/><\/p>\n<p class=\"image-caption\">Figure 20. Health scam hosted on health[.]tenerium[.]org<\/p>\n<h4>TheNovosti<\/h4>\n<p>TheNovosti is an Eastern European-origin actor running large-scale cloaked campaigns that trick users into opting into malicious push notification subscriptions, often via fake &#8220;half-loaded&#8221; page templates. After opt-in, notifications escalate to a broad range of malvertising chains. Ad creative is typically health-themed (Figure 21) or pension-themed clickbait targeting elderly users (e.g., garlic cures, sugar factoids). This actor is known for extremely high domain churn (~4,000 domains per week at peak) and is believed to be the umbrella actor responsible for several related clusters. This actor has used Keitaro for cloaking.<\/p>\n<p><img decoding=\"async\" class=\"blog-image\" src=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/keitaro-ai-campaign-part2-figure21.gif\" alt=\"Figure 21\" \/><\/p>\n<p class=\"image-caption\">Figure 21. TheNovosti clickbait ad leading victims to terrainane[.]com<\/p>\n<h4>Unnamed Health Scam Actor<\/h4>\n<p>This actor runs health product scam shops that promote supplements and other products and ultimately steal the user\u2019s financial information. The domains for these shops are primarily advertised through Facebook ads targeting multiple regions in various languages. 
Both the scam pages and Facebook ads rely on social engineering tactics to entice users and create urgency through misleading \u201cmiracle cure\u201d narratives and supposedly expiring supplement deals. Users attempting to access the sites from outside the actor\u2019s targeted locations are redirected to legitimate pages like YouTube and Amazon; this cloaking is enabled via Keitaro. Examples of the Facebook ads and scam pages can be seen in Figures 22 and 23.<\/p>\n<div class=\"img-container\">\n<img decoding=\"async\" src=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/keitaro-ai-campaign-part2-figure22a.png\" alt=\"Figure 22a\"><br \/>\n<img decoding=\"async\" src=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/keitaro-ai-campaign-part2-figure22b.png\" alt=\"Figure 22b\">\n<\/div>\n<p class=\"image-caption\">Figure 22. Facebook ads associated with health product scam shops<\/p>\n<p><img decoding=\"async\" class=\"blog-image\" src=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/keitaro-ai-campaign-part2-figure23.png\" alt=\"Figure 23\" \/><\/p>\n<p class=\"image-caption\">Figure 23. Screenshot of one of the <a href=\"https:\/\/urlscan.io\/result\/019ada90-8386-747b-bdd2-e7708a215e55\/\" target=\"_blank\"><strong>fake shop pages<\/strong><\/a><\/p>\n<p>The domains show a clear pattern of bulk\u2011generated, disposable infrastructure centered on cheap, low\u2011reputation TLDs, most commonly .top, .click, .today, .info, .store, .shop, .life, .biz, and .pro, with the occasional generic .com. Naming conventions rely heavily on simple, hyphenated keyword pairs tied to broad themes like news, health, wellness, fitness, or lifestyle, alongside numerous short, pseudo\u2011random strings indicative of automated registration. 
Table 3 shows a sample of such patterns.<\/p>\n<table>\n<tr>\n<td><strong>Hyphenated Themes<\/strong><\/td>\n<td><strong>Randomly Generated<\/strong><\/td>\n<\/tr>\n<tr>\n<td>trending-now[.]today<br \/>\nthe-social-spot[.]com<br \/>\nfitness-zenew[.]info<br \/>\ncurated-nest[.]pro<br \/>\nboost-core[.]today<br \/>\ncoreflow-news[.]info<br \/>\ntipboost-info[.]com<br \/>\nstrong-tips[.]info<br \/>\nlife-booste[.]com<br \/>\nenergy-zone[.]top<\/td>\n<td>pilyf[.]life<br \/>\nnywav[.]life<br \/>\nrujas[.]biz<br \/>\nqezybu[.]com<br \/>\ngyruvi[.]top<br \/>\nsuxady[.]top<br \/>\njaceviu[.]shop<br \/>\nziqiwui[.]click<br \/>\njexyni[.]top<br \/>\nqiqaly[.]top<\/td>\n<\/tr>\n<tr>\n<td colspan=\"2\">Table 3. Sample domains grouped by the techniques used to generate them<\/td>\n<\/tr>\n<\/table>\n<p>The campaign also shows indications of using a TDS, with multiple redirect hops observed across samples. In one instance, the presence of top9mediatrk[.]com in the redirection chain suggests the likely use of TDS\u2011style infrastructure to route and manage traffic before ultimately leading users to the health\u2011product scam pages.<\/p>\n<h4>More Investment Scams<\/h4>\n<h4>HircusPircus<\/h4>\n<p>Tracked since 2021, HircusPircus is an international scam group that advertises fraudulent investment opportunities. They typically use the tactic of abusing brands as opposed to celebrities, which is less likely to be detected by ad platform security mechanisms.<\/p>\n<p>This actor has been influential enough to serve as a reference point for categorizing similar investment scam actors and sub-clusters from a detection perspective. HircusPircus differs from FaiKast (an investment scam actor that leverages AI in their investment scams and therefore was included in blog 1 of this series) in that they do not rely on deepfake personas to drive victims to their scams. Furthermore, it\u2019s very unusual to see this actor implement cloaking in their campaigns. 
However, we did observe them running Keitaro with the HideClick cloaking kit enabled in a prominent, high-volume campaign (hosted on investarmco[.]com) at the end of October 2025. See Figure 24.<\/p>\n<div class=\"img-container\">\n<img style=\"width:16%\" decoding=\"async\" src=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/keitaro-ai-campaign-part2-figure24a.png\" alt=\"Figure 24a\"><br \/>\n<img style=\"width:80%\" decoding=\"async\" src=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/keitaro-ai-campaign-part2-figure24b.jpg\" alt=\"Figure 24b\">\n<\/div>\n<p class=\"image-caption\">Figure 24. HircusPircus ad sample for an investment scam impersonating ADNOC run on investarmco[.]com<\/p>\n<p>Typical HircusPircus TTPs include:<\/p>\n<ul class=\"list-spacing\">\n<li>Ads are served through programmatic advertising that anchor on investing-related copy (Figure 24 above)<\/li>\n<li>Landing pages promote fake savings products (Figure 25 below)<\/li>\n<li>Campaigns use domains with financial-sounding names and sometimes reference real companies to add credibility<\/li>\n<\/ul>\n<p><img decoding=\"async\" class=\"blog-image\" src=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/keitaro-ai-campaign-part2-figure25.jpg\" alt=\"Figure 25\" \/><\/p>\n<p class=\"image-caption\">Figure 25. HircusPircus landing page impersonating Aramco, hosted on investarmco[.]com<\/p>\n<h4>AirportArrest<\/h4>\n<p>AirportArrest is an actor behind cloaked investment scams that span multiple countries including Canada, Italy, Switzerland, and others. They\u2019re an unusual player in investment scam malvertising as their clickbait of choice is fake content of people getting arrested. 
The white pages are highly localized and often feature real news about the targeted city, such as various infrastructure projects.<\/p>\n<p>Ads and landing pages typically have some sort of scandalous law enforcement angle such as those shown in Figures 26 through 28.<\/p>\n<p><img decoding=\"async\" class=\"blog-image\" src=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/keitaro-ai-campaign-part2-figure26.jpg\" alt=\"Figure 26\" \/><\/p>\n<p class=\"image-caption\">Figure 26. AirportArrest clickbait ad sample on hotelbiloxi[.]com<\/p>\n<p><img decoding=\"async\" class=\"blog-image\" src=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/keitaro-ai-campaign-part2-figure27.png\" alt=\"Figure 27\" \/><\/p>\n<p class=\"image-caption\">Figure 27. AirportArrest landing page with fake story on petalsage[.]com<\/p>\n<p><img decoding=\"async\" class=\"blog-image\" src=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/keitaro-ai-campaign-part2-figure28.png\" alt=\"Figure 28\" \/><\/p>\n<p class=\"image-caption\">Figure 28. AirportArrest landing page impersonating a legitimate news article, on holzveredler247[.]com<\/p>\n<h3>Illegal Content<\/h3>\n<p>We\u2019ve included a dedicated section on Illegal content, given its frequent association with Keitaro abuse. However, this activity, including online gambling, is typically not standalone and is instead part of larger, <a href=\"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/scaling-the-fraud-economy-pig-butchering-as-a-service\/\">coordinated scam operations<\/a>.<\/p>\n<h4>Online Gambling<\/h4>\n<p>Several actors we have observed abusing Keitaro services lead users to online gambling sites. In one notable example, the domains redirect multiple times before reaching the final landing page, strongly suggesting the use of a TDS (Figure 29). 
The actor uses hostnames like leadshub[.]trk-links[.]com and tds[.]favbet[.]partners in <a href=\"https:\/\/urlscan.io\/result\/52965ce7-5b01-40a8-8976-c2d7f1e27bd6\/#redirects\" target=\"_blank\">redirect chains<\/a> routing to gambling pages (Figure 30). Terms like \u201ctrk\u201d and \u201ctds\u201d in these hostnames, along with the multiple redirections, are TTPs commonly associated with TDS infrastructure.<\/p>\n<p><img decoding=\"async\" class=\"blog-image\" src=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/keitaro-ai-campaign-part2-figure29.png\" alt=\"Figure 29\" \/><\/p>\n<p class=\"image-caption\">Figure 29. Multiple <a href=\"https:\/\/urlscan.io\/result\/0196161b-44d8-76b4-ab0e-925fcce48b82\/#redirects\" target=\"_blank\"><strong>redirections<\/strong><\/a> and the presence of the domain trk-links[.]com suggest a TDS<\/p>\n<p><img decoding=\"async\" class=\"blog-image\" src=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/keitaro-ai-campaign-part2-figure30.png\" alt=\"Figure 30\" \/><\/p>\n<p class=\"image-caption\">Figure 30. Example of a gambling page; there are many different templates and the content can look completely different<\/p>\n<p>This actor uses a variety of patterns when creating their SLDs, likely to diversify their infrastructure and make it more difficult to detect and block the domains with a single detection rule. One common tactic this actor uses is registering the same SLD label across multiple TLDs. 
The examples in Table 4 illustrate three variations of this approach:<\/p>\n<ul class=\"list-spacing\">\n<li>Identical SLDs across different TLDs<\/li>\n<li>Nearly identical SLDs that differ only by incremental numbers across TLDs<\/li>\n<li>Lookalike labels (e.g., variations resembling \u201ctelegram\u201d) registered on multiple TLDs, sometimes paired with accompanying terms like \u201clink\u201d or \u201chub\u201d<\/li>\n<\/ul>\n<table>\n<tr>\n<td colspan=\"3\" style=\"text-align:center\"><strong>Same or similar SLD label, different TLDs<\/strong><\/td>\n<\/tr>\n<tr>\n<td>click-link[.]online<br \/>click-link[.]store<br \/>click-link[.]space<\/td>\n<td>linkhub1.online<br \/>linkhub2.space<\/td>\n<td>talagram[.]online<br \/>talagram[.]store<\/td>\n<\/tr>\n<tr>\n<td colspan=\"3\" style=\"text-align:center\"><strong>Different variations<\/strong><\/td>\n<\/tr>\n<tr>\n<td>hublink1[.]space<br \/>hublink2[.]space<br \/>hublink3[.]space<br \/>hublink4[.]space<\/td>\n<td>your-link[.]online<br \/>your-lnk[.]online<br \/>yourlnk[.]online<\/td>\n<td>invitezone[.]space<br \/>invitationlink[.]space<br \/>invitehub[.]site<\/td>\n<\/tr>\n<tr>\n<td colspan=\"3\">Table 4. Sample domains grouped by different domain generation techniques; TLDs such as .space and .online have low reputations<\/td>\n<\/tr>\n<\/table>\n<h4>Adult Content<\/h4>\n<p>We uncovered an actor that appears to be hijacking domains to deliver pornography and dating-related content. At least 75% of the domains associated with this activity exhibited lame delegation at some point\u2014meaning the authoritative name server(s) that the domain is delegated to do not have information about the domain and therefore cannot resolve queries\u2014making it susceptible to takeover via a <a href=\"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/who-knew-domain-hijacking-is-so-easy\/\">Sitting Ducks attack<\/a>. 
A lame delegation creates a gap where certain exploitable DNS providers allow anyone to \u201cclaim\u201d the vulnerable domain\u2019s DNS configuration without having access to the legitimate registrant\u2019s account, enabling quiet and effective hijacking. Below is a sample of titles from the pages involved in this activity:<\/p>\n<ul class=\"list-spacing\">\n<li>\u201cDeep talk. Slow burn. Real interest.\u201d<\/li>\n<li>\u201cYou\u2019re not the only one tired of surface-level.\u201d<\/li>\n<li>\u201cA little flirt never hurt. Start with a smile.\u201d<\/li>\n<li>\u201cThis isn\u2019t fast food dating. It\u2019s the good stuff.\u201d<\/li>\n<\/ul>\n<p>The domains in this actor\u2019s cluster also show very sparse and inconsistent infrastructure patterns\u2014different registrars, hosting providers, and DNS configurations\u2014which is atypical for a threat actor intentionally building their own domain ecosystem, but fully consistent with opportunistic hijacking of abandoned or misconfigured properties. As illustrated in Figure 31, the registration dates span more than two decades, further supporting that these domains were not created by a single actor but repurposed after periods of neglect.<\/p>\n<p><img decoding=\"async\" class=\"blog-image\" src=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/keitaro-ai-campaign-part2-figure31.png\" alt=\"Figure 31\" \/><\/p>\n<p class=\"image-caption\">Figure 31. Distribution of creation dates for domains associated with an unnamed actor involved in domain hijacking activity<\/p>\n<p>Since October 2025, every observed domain linked to this actor redirects to the adult content hosted on yellowusheart[.]net via TDS domain meetdatefind[.]com, although in some instances the redirection chains end at the TDS domain. 
This consistent redirection pattern\u2014despite the starting domains\u2019 unrelated origins and infrastructure\u2014strongly supports the conclusion that the actor is using hijacked domains as disposable entry points. By taking control of previously legitimate or dormant domains, the actor inherits any existing reputation or residual traffic and avoids domain acquisition costs, all while making the campaign\u2019s structure and origins difficult to trace. Figure 32 shows the redirection chain.<\/p>\n<p><img decoding=\"async\" class=\"blog-image\" src=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/keitaro-ai-campaign-part2-figure32.png\" alt=\"Figure 32\" \/><\/p>\n<p class=\"image-caption\">Figure 32. Redirection <a href=\"https:\/\/urlscan.io\/result\/019c830a-be4a-70b0-89e2-c720070eff0e\/#redirects\" target=\"_blank\"><strong>chain<\/strong><\/a> for the TDS routing users from hijacked domains to porn\/adult websites<\/p>\n<h3>What\u2019s Next<\/h3>\n<p>Part 3 closes the series by stepping back from individual clusters to map the ecosystem dynamics behind Keitaro\u2011enabled operations:<\/p>\n<ul class=\"list-spacing\">\n<li>Trendlines &amp; inflection points: A high\u2011level overview of notable shifts and trigger events that catalyzed activity patterns across campaigns using Keitaro.<\/li>\n<li>Feature analysis: How specific Keitaro features can be or are being weaponized in practice, supported by representative case vignettes.<\/li>\n<li>Cybercrime disruption: A candid account of our work with Keitaro\u2019s leadership to establish an abuse\u2011escalation channel and document success rate for fraud takedowns.<\/li>\n<\/ul>\n<h3>Indicators<\/h3>\n<p>A curated selection of indicators related to the threats discussed can be seen in the table below. 
A more comprehensive list of indicators can be found in our <a href=\"https:\/\/github.com\/infobloxopen\/threat-intelligence\" target=\"_blank\">GitHub repository<\/a>.<\/p>\n<p><em>Note: These domains may be associated with inactive or stolen licenses.<\/em><\/p>\n<table>\n<tr>\n<td><strong>Indicators<\/strong><\/td>\n<td><strong>Description<\/strong><\/td>\n<\/tr>\n<tr>\n<td>promoswf[.]shop<br \/>\npromoswh[.]shop<br \/>\npromoswn[.]shop<br \/>\npromoswm[.]shop<br \/>\npromoswu[.]shop<\/td>\n<td>TilapiaParabens \u2013 Rewards Scams<\/td>\n<\/tr>\n<tr>\n<td>health[.]tenerium[.]org<\/td>\n<td>Health Scams<\/td>\n<\/tr>\n<tr>\n<td>terrainane[.]com<\/td>\n<td>The Novosti<\/td>\n<\/tr>\n<tr>\n<td>investarmco[.]com<\/td>\n<td>HircusPircus<\/td>\n<\/tr>\n<tr>\n<td>hotelbiloxi[.]com<br \/>\npetalsage[.]com<br \/>\nholzveredler247[.]com<br \/>\ncharityvirtue[.]com<br \/>\nucaboodle[.]com<\/td>\n<td>AirportArrest<\/td>\n<\/tr>\n<tr>\n<td>object[.]brovanti[.]com<br \/>\n62[.]60[.]226[.]248<br \/>\nhXXp[:]\/\/62[.]60[.]178[.]163\/ce369e7324834845[.]php<\/td>\n<td>Malware download locations on Keitaro instances<\/td>\n<\/tr>\n<tr>\n<td>membros[.]mtcreatingimages[.]com<br \/>\nhXXps[:]\/\/membros[.]mtcreatingimages[.]com\/spotify<\/td>\n<td>Keitaro links used in Spotify phishing emails<\/td>\n<\/tr>\n<tr>\n<td>hXXps[:]\/\/estrategicadesenvolvimento[.]com[.]br\/Webmail\/web<br \/>\nmail[.]php?email={victim@email}<br \/>\nestrategicadesenvolvimento[.]com[.]br<\/td>\n<td>Dynamically crafted phishing links used in localized spam campaign<\/td>\n<\/tr>\n<tr>\n<td>158[.]94[.]209[.]29<\/td>\n<td>Mail server used in localized spam campaign; previously used for Remcos RAT C2<\/td>\n<\/tr>\n<tr>\n<td>adressinvalidepostescanada-enligne38846[.]info<br \/>\nauthentifybmo[.]com<br \/>\nbmosecure-portal[.]app<br \/>\nbmosecure-webportal[.]com<br \/>\nbnc-websecurity[.]com<br \/>\nbncloginsecuriter[.]com<br \/>\ncanadapostshipment[.]info<br \/>\ncibc-registration-access-online[.]com<br 
\/>\ncibcsecurity2fa[.]com<br \/>\ncostcorebate-groceries2026[.]com<br \/>\nmygroceries2costco[.]com<br \/>\ncra-signin-partner-id[.]com<br \/>\ndhlmanagemypack0099[.]com<br \/>\netransfer-auth-cra[.]com<br \/>\nfedexca-orderstatus[.]link<br \/>\nfedexdelivery[.]ca<br \/>\ngigadat-claiminterac[.]info<br \/>\ngigadat-interac-0910[.]com<br \/>\ngigadat-interac6302[.]com<br \/>\ninterac-gigadat0012[.]info<br \/>\ninterac-gigadat15[.]info<br \/>\nmydhl725378-order442-online[.]com<br \/>\nmyrbcsecureddevice[.]com<br \/>\nparceltrackdelfedex[.]com<br \/>\nrbcdevice-login[.]com<br \/>\nrbclogin-digital[.]com<br \/>\nrbcsecurityservices[.]com<br \/>\ntdcommercial-securedlogins[.]com<br \/>\ntdonlineverif[.]com\n<\/td>\n<td>Domains used by an unnamed lookalike actor<\/td>\n<\/tr>\n<tr>\n<td>cooldece[.]com<br \/>\nhonknft[.]com<br \/>\nhXXps[:]\/\/honknft[.]com\/connect\/rh7_1a7r72zi-kk4k4z?b=1<\/td>\n<td>Indicators used in wallet draining scams impersonating the Phantom platform.<\/td>\n<\/tr>\n<tr>\n<td>azgrvfra[.]com<br \/>\nca24watch[.]com<br \/>\ndailycrepoton[.]com<br \/>\ndigitalwealth-au[.]com<br \/>\niralfdgs[.]com<br \/>\nmoplih[.]com<br \/>\nnewtotalca[.]com<br \/>\nquietfostdio[.]com<br \/>\nsomeotherbox[.]com<br \/>\nuzelart[.]com<br \/>\nburkespitbbq[.]com<br \/>\nlinda-makeup[.]com<\/td>\n<td>Domains used by an actor spoofing investment companies<\/td>\n<\/tr>\n<tr>\n<td>trending-now[.]today<br \/>\nthe-social-spot[.]com<br \/>\nfitness-zenew[.]info<br \/>\ncurated-nest[.]pro<br \/>\nboost-core[.]today<br \/>\ncoreflow-news[.]info<br \/>\ntipboost-info[.]com<br \/>\nstrong-tips[.]info<br \/>\nlife-booste[.]com<br \/>\nenergy-zone[.]top<br \/>\npilyf[.]life<br \/>\nnywav[.]life<br \/>\nrujas[.]biz<br \/>\nqezybu[.]com<br \/>\ngyruvi[.]top<br \/>\nsuxady[.]top<br \/>\njaceviu[.]shop<br \/>\nziqiwui[.]click<br \/>\njexyni[.]top<br \/>\nqiqaly[.]top<\/td>\n<td>Domains used by an unnamed actor running healthcare product 
scams<\/td>\n<\/tr>\n<tr>\n<td>top9mediatrk[.]com<\/td>\n<td>TDS domain seen in association with the same actor in the row above.<\/td>\n<\/tr>\n<tr>\n<td>click-link[.]online<br \/>\nclick-link[.]store<br \/>\nclick-link[.]space<br \/>\nhublink1[.]space<br \/>\nhublink2[.]space<br \/>\nhublink3[.]space<br \/>\nhublink4[.]space<br \/>\ninvitezone[.]space<br \/>\ninvitationlink[.]space<br \/>\ninvitehub[.]site<br \/>\nlinkhub1.online<br \/>\nlinkhub2.space<br \/>\ntalagram[.]online<br \/>\ntalagram[.]store<br \/>\nyour-link[.]online<br \/>\nyour-lnk[.]online<br \/>\nyourlnk[.]online<\/td>\n<td>Domains used by an unnamed actor associated with online gambling<\/td>\n<\/tr>\n<tr>\n<td>leadshub[.]trk-links[.]com<br \/>\ntds[.]favbet[.]partners<\/td>\n<td>TDS domains seen in association with the same online gambling actor in the row above<\/td>\n<\/tr>\n<tr>\n<td>yellowusheart[.]net<br \/>\nmeetdatefind[.]com<\/td>\n<td>Domain and TDS domain seen in association with an unnamed actor hijacking domains to deliver pornography.<\/td>\n<\/tr>\n<\/table>\n<style>\n.savy-seahorse-table {\nfont-size:14px;word-break: keep-all;}.savy-seahorse-table td:last-child, .savy-seahorse-table th:last-child {padding-right:10px;}.code-format {\tfont-family: 'Courier New';}.image-caption {    font-size: 12px;margin-top:auto;}.list-spacing li{margin-bottom:20px}.img-container, .img-container-3-col {display: flex;flex-wrap: wrap;justify-content: space-between;}.img-container img {width: 49%;margin-bottom: 10px;}.img-container-3-col img {width: 30%;margin-bottom: 10px;}@media (max-width: 767px) {.img-container, .img-container-3-col {display: block;}.img-container img, .img-container-3-col img {width: 100%;}.grid-container {    grid-template-columns: 1fr!important;  }}@media (min-width: 767px) {.img-50{width:50%;}}.grid-container {  display: grid;  grid-template-columns: repeat(2, 1fr);  gap: 40px;  max-width: 800px;  margin: 0 auto;  align-items: stretch;margin-bottom: 20px;}.grid-item {   
display: flex;  flex-direction: column;  justify-content: flex-start;}.grid-item img {  width: 100%;  height: auto;}<\/style>\n<p><script>\njQuery('.single h1').html('<span class=\"gradient\">No Reach, No Risk<\/span>: The Keitaro Abuse in Modern Cybercrime Distribution');\n<\/script><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Authors: Infoblox Threat Intel and Confiant Executive Summary Recently we published the first part of a four-month-long study conducted with Confiant on the abuse of Keitaro, an advertising performance tracker frequently abused by threat actors. We ran out of pages before we ran out of examples. The first blog focused on the use of AI, [&hellip;]<\/p>\n","protected":false},"author":397,"featured_media":13139,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"_genesis_hide_title":false,"_genesis_hide_breadcrumbs":false,"_genesis_hide_singular_image":false,"_genesis_hide_footer_widgets":false,"_genesis_custom_body_class":"","_genesis_custom_post_class":"","_genesis_layout":"","footnotes":""},"categories":[254],"tags":[965,1626,1082,902,1037,307,774,1105,1628,1636,1637,925,930,30,16,1638],"class_list":{"0":"post-13138","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-threat-intelligence","8":"tag-keitaro","9":"tag-cloaking","10":"tag-traffic-distribution-system","11":"tag-tds","12":"tag-scams","13":"tag-phishing","14":"tag-malvertising","15":"tag-threat-actors","16":"tag-cybercriminals","17":"tag-tracker","18":"tag-cryptotheft","19":"tag-lookalike","20":"tag-cybercrime","21":"tag-dns","22":"tag-infoblox","23":"tag-confiant","24":"entry"},"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v27.3 (Yoast SEO v27.3) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>Inside Keitaro Abuse Part 2: One Platform, Many 
Threats<\/title>\n<meta name=\"description\" content=\"Keitaro is abused for a lot more than investment scams. This installment covers malware and other ways threat actors use the tracker to locate victims.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/no-reach-no-risk-the-keitaro-abuse-in-modern-cybercrime-distribution\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Inside Keitaro Abuse Part 2: One Platform, Many Threats\" \/>\n<meta property=\"og:description\" content=\"Keitaro is abused for a lot more than investment scams. This installment covers malware and other ways threat actors use the tracker to locate victims.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/no-reach-no-risk-the-keitaro-abuse-in-modern-cybercrime-distribution\/\" \/>\n<meta property=\"og:site_name\" content=\"Infoblox Blog\" \/>\n<meta property=\"article:published_time\" content=\"2026-03-26T16:04:10+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/keitaro-ai-campaign-2-thumbnail.jpeg\" \/>\n\t<meta property=\"og:image:width\" content=\"612\" \/>\n\t<meta property=\"og:image:height\" content=\"408\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Infoblox Threat Intel\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:title\" content=\"Inside Keitaro Abuse Part 2: One Platform, Many Threats\" \/>\n<meta name=\"twitter:description\" content=\"Keitaro is abused for a lot more than investment scams. 
This installment covers malware and other ways threat actors use the tracker to locate victims.\" \/>\n<meta name=\"twitter:image\" content=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/keitaro-ai-campaign-2-thumbnail.jpeg\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Infoblox Threat Intel\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"32 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/no-reach-no-risk-the-keitaro-abuse-in-modern-cybercrime-distribution\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/no-reach-no-risk-the-keitaro-abuse-in-modern-cybercrime-distribution\\\/\"},\"author\":{\"name\":\"Infoblox Threat Intel\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#\\\/schema\\\/person\\\/b6aed8965e3298a0817c16d32c0a67ae\"},\"headline\":\"No Reach, No Risk: The Keitaro Abuse in Modern Cybercrime Distribution\",\"datePublished\":\"2026-03-26T16:04:10+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/no-reach-no-risk-the-keitaro-abuse-in-modern-cybercrime-distribution\\\/\"},\"wordCount\":5816,\"publisher\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/no-reach-no-risk-the-keitaro-abuse-in-modern-cybercrime-distribution\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/keitaro-ai-campaign-2-thumbnail.jpeg\",\"keywords\":[\"Keitaro\",\"cloaking\",\"Traffic Distribution System\",\"TDS\",\"scams\",\"Phishing\",\"malvertising\",\"threat 
actors\",\"cybercriminals\",\"tracker\",\"cryptotheft\",\"lookalike\",\"Cybercrime\",\"DNS\",\"Infoblox\",\"Confiant\"],\"articleSection\":[\"Infoblox Threat Intel\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/no-reach-no-risk-the-keitaro-abuse-in-modern-cybercrime-distribution\\\/\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/no-reach-no-risk-the-keitaro-abuse-in-modern-cybercrime-distribution\\\/\",\"name\":\"Inside Keitaro Abuse Part 2: One Platform, Many Threats\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/no-reach-no-risk-the-keitaro-abuse-in-modern-cybercrime-distribution\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/no-reach-no-risk-the-keitaro-abuse-in-modern-cybercrime-distribution\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/keitaro-ai-campaign-2-thumbnail.jpeg\",\"datePublished\":\"2026-03-26T16:04:10+00:00\",\"description\":\"Keitaro is abused for a lot more than investment scams. 
This installment covers malware and other ways threat actors use the tracker to locate victims.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/no-reach-no-risk-the-keitaro-abuse-in-modern-cybercrime-distribution\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/no-reach-no-risk-the-keitaro-abuse-in-modern-cybercrime-distribution\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/no-reach-no-risk-the-keitaro-abuse-in-modern-cybercrime-distribution\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/keitaro-ai-campaign-2-thumbnail.jpeg\",\"contentUrl\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/keitaro-ai-campaign-2-thumbnail.jpeg\",\"width\":612,\"height\":408},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/no-reach-no-risk-the-keitaro-abuse-in-modern-cybercrime-distribution\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Infoblox Threat Intel\",\"item\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/category\\\/threat-intelligence\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"No Reach, No Risk: The Keitaro Abuse in Modern Cybercrime 
Distribution\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/\",\"name\":\"infoblox.com\\\/blog\\\/\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#organization\",\"name\":\"Infoblox\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/infoblox-logo-2.svg\",\"contentUrl\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/infoblox-logo-2.svg\",\"width\":137,\"height\":30,\"caption\":\"Infoblox\"},\"image\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#\\\/schema\\\/person\\\/b6aed8965e3298a0817c16d32c0a67ae\",\"name\":\"Infoblox Threat Intel\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/blogs.infoblox.com\\\/wp-content\\\/uploads\\\/avatar_user_397_1714162589-96x96.png\",\"url\":\"https:\\\/\\\/blogs.infoblox.com\\\/wp-content\\\/uploads\\\/avatar_user_397_1714162589-96x96.png\",\"contentUrl\":\"https:\\\/\\\/blogs.infoblox.com\\\/wp-content\\\/uploads\\\/avatar_user_397_1714162589-96x96.png\",\"caption\":\"Infoblox Threat Intel\"},\"description\":\"Infoblox Threat Intel is the leading creator of original DNS threat 
intelligence, distinguishing itself in a sea of aggregators. What sets us apart? Two things: mad DNS skills and unparalleled visibility. DNS is notoriously tricky to interpret and hunt from, but our deep understanding and unique access to the internet's inner workings allow us to track down threat actors that others can't see. We're proactive, not just defensive, using our insights to disrupt cybercrime where it begins. We also believe in sharing knowledge to support the broader security community by publishing detailed research and releasing indicators on GitHub. In addition, our intel is seamlessly integrated into our Infoblox Protective DNS solutions, so customers automatically get its benefits, along with ridiculously low false positive rates.\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/author\\\/infoblox-threat-intel\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"Inside Keitaro Abuse Part 2: One Platform, Many Threats","description":"Keitaro is abused for a lot more than investment scams. This installment covers malware and other ways threat actors use the tracker to locate victims.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/no-reach-no-risk-the-keitaro-abuse-in-modern-cybercrime-distribution\/","og_locale":"en_US","og_type":"article","og_title":"Inside Keitaro Abuse Part 2: One Platform, Many Threats","og_description":"Keitaro is abused for a lot more than investment scams. 
This installment covers malware and other ways threat actors use the tracker to locate victims.","og_url":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/no-reach-no-risk-the-keitaro-abuse-in-modern-cybercrime-distribution\/","og_site_name":"Infoblox Blog","article_published_time":"2026-03-26T16:04:10+00:00","og_image":[{"width":612,"height":408,"url":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/keitaro-ai-campaign-2-thumbnail.jpeg","type":"image\/jpeg"}],"author":"Infoblox Threat Intel","twitter_card":"summary_large_image","twitter_title":"Inside Keitaro Abuse Part 2: One Platform, Many Threats","twitter_description":"Keitaro is abused for a lot more than investment scams. This installment covers malware and other ways threat actors use the tracker to locate victims.","twitter_image":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/keitaro-ai-campaign-2-thumbnail.jpeg","twitter_misc":{"Written by":"Infoblox Threat Intel","Est. reading time":"32 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/no-reach-no-risk-the-keitaro-abuse-in-modern-cybercrime-distribution\/#article","isPartOf":{"@id":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/no-reach-no-risk-the-keitaro-abuse-in-modern-cybercrime-distribution\/"},"author":{"name":"Infoblox Threat Intel","@id":"https:\/\/www.infoblox.com\/blog\/#\/schema\/person\/b6aed8965e3298a0817c16d32c0a67ae"},"headline":"No Reach, No Risk: The Keitaro Abuse in Modern Cybercrime 
Distribution","datePublished":"2026-03-26T16:04:10+00:00","mainEntityOfPage":{"@id":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/no-reach-no-risk-the-keitaro-abuse-in-modern-cybercrime-distribution\/"},"wordCount":5816,"publisher":{"@id":"https:\/\/www.infoblox.com\/blog\/#organization"},"image":{"@id":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/no-reach-no-risk-the-keitaro-abuse-in-modern-cybercrime-distribution\/#primaryimage"},"thumbnailUrl":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/keitaro-ai-campaign-2-thumbnail.jpeg","keywords":["Keitaro","cloaking","Traffic Distribution System","TDS","scams","Phishing","malvertising","threat actors","cybercriminals","tracker","cryptotheft","lookalike","Cybercrime","DNS","Infoblox","Confiant"],"articleSection":["Infoblox Threat Intel"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/no-reach-no-risk-the-keitaro-abuse-in-modern-cybercrime-distribution\/","url":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/no-reach-no-risk-the-keitaro-abuse-in-modern-cybercrime-distribution\/","name":"Inside Keitaro Abuse Part 2: One Platform, Many Threats","isPartOf":{"@id":"https:\/\/www.infoblox.com\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/no-reach-no-risk-the-keitaro-abuse-in-modern-cybercrime-distribution\/#primaryimage"},"image":{"@id":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/no-reach-no-risk-the-keitaro-abuse-in-modern-cybercrime-distribution\/#primaryimage"},"thumbnailUrl":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/keitaro-ai-campaign-2-thumbnail.jpeg","datePublished":"2026-03-26T16:04:10+00:00","description":"Keitaro is abused for a lot more than investment scams. 
This installment covers malware and other ways threat actors use the tracker to locate victims.","breadcrumb":{"@id":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/no-reach-no-risk-the-keitaro-abuse-in-modern-cybercrime-distribution\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.infoblox.com\/blog\/threat-intelligence\/no-reach-no-risk-the-keitaro-abuse-in-modern-cybercrime-distribution\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/no-reach-no-risk-the-keitaro-abuse-in-modern-cybercrime-distribution\/#primaryimage","url":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/keitaro-ai-campaign-2-thumbnail.jpeg","contentUrl":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/keitaro-ai-campaign-2-thumbnail.jpeg","width":612,"height":408},{"@type":"BreadcrumbList","@id":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/no-reach-no-risk-the-keitaro-abuse-in-modern-cybercrime-distribution\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.infoblox.com\/blog\/"},{"@type":"ListItem","position":2,"name":"Infoblox Threat Intel","item":"https:\/\/www.infoblox.com\/blog\/category\/threat-intelligence\/"},{"@type":"ListItem","position":3,"name":"No Reach, No Risk: The Keitaro Abuse in Modern Cybercrime 
Distribution"}]},{"@type":"WebSite","@id":"https:\/\/www.infoblox.com\/blog\/#website","url":"https:\/\/www.infoblox.com\/blog\/","name":"infoblox.com\/blog\/","description":"","publisher":{"@id":"https:\/\/www.infoblox.com\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.infoblox.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.infoblox.com\/blog\/#organization","name":"Infoblox","url":"https:\/\/www.infoblox.com\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.infoblox.com\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/infoblox-logo-2.svg","contentUrl":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/infoblox-logo-2.svg","width":137,"height":30,"caption":"Infoblox"},"image":{"@id":"https:\/\/www.infoblox.com\/blog\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/www.infoblox.com\/blog\/#\/schema\/person\/b6aed8965e3298a0817c16d32c0a67ae","name":"Infoblox Threat Intel","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blogs.infoblox.com\/wp-content\/uploads\/avatar_user_397_1714162589-96x96.png","url":"https:\/\/blogs.infoblox.com\/wp-content\/uploads\/avatar_user_397_1714162589-96x96.png","contentUrl":"https:\/\/blogs.infoblox.com\/wp-content\/uploads\/avatar_user_397_1714162589-96x96.png","caption":"Infoblox Threat Intel"},"description":"Infoblox Threat Intel is the leading creator of original DNS threat intelligence, distinguishing itself in a sea of aggregators. What sets us apart? Two things: mad DNS skills and unparalleled visibility. 
DNS is notoriously tricky to interpret and hunt from, but our deep understanding and unique access to the internet's inner workings allow us to track down threat actors that others can't see. We're proactive, not just defensive, using our insights to disrupt cybercrime where it begins. We also believe in sharing knowledge to support the broader security community by publishing detailed research and releasing indicators on GitHub. In addition, our intel is seamlessly integrated into our Infoblox Protective DNS solutions, so customers automatically get its benefits, along with ridiculously low false positive rates.","url":"https:\/\/www.infoblox.com\/blog\/author\/infoblox-threat-intel\/"}]}},"_links":{"self":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts\/13138","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/users\/397"}],"replies":[{"embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/comments?post=13138"}],"version-history":[{"count":26,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts\/13138\/revisions"}],"predecessor-version":[{"id":13203,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts\/13138\/revisions\/13203"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/media\/13139"}],"wp:attachment":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/media?parent=13138"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/categories?post=13138"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/tags?post=13138"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}