Infoblox Threat Intel

Hasty Hawk

Since at least March 2022, Hasty Hawk has hijacked domains to operate widespread phishing campaigns that primarily use spoofed DHL shipping pages and fake donation sites purporting to support Ukraine. The actor exploits many authoritative DNS providers, often reconfiguring hijacked domains to host content on Russian IPs. We’ve observed Hasty Hawk using online ads to distribute malicious content, but they may also use other means such as spam messages. They operate a traffic distribution system (TDS) that routes users to different webpages, which vary in content and language depending on the user’s geolocation and other characteristics. Hasty Hawk switches some of their domains back and forth between campaign themes.

  • Operating since: At least 2022
  • Infoblox discovered: July 2024
  • Infoblox published: November 2024
  • Prevalence: Uncommon

Threat actor resources

Blog

Infoblox Threat Intel
November 14, 2024

DNS Predators Hijack Domains to Supply their Attack Infrastructure

Learn how DNS threat actors hijack domains and use them in their malicious campaigns.

Research Report

Infoblox Threat Intel
November 14, 2024

DNS Predators Attack: Vipers and Hawks Hijack Sitting Ducks Domain

Get insights from the Infoblox Threat Intel team in this Research Report covering key tactics, emerging threats, and practical steps to protect your DNS, brand, and users.
