Infoblox Threat Intel

Hazy Hawk

Hazy Hawk is a DNS‑savvy threat actor first detected by Infoblox when they hijacked subdomains of the U.S. Center for Disease Control (CDC) via dangling CNAME records that point to decommissioned cloud resources (e.g. Azure, AWS, GitHub, Cloudflare) from high‑profile organizations like Deloitte, Berkeley, UNICEF, and more. After registering the abandoned resource names, Hazy Hawk takes control of legitimate‑looking subdomains and hosts hundreds of malicious URLs that leverage the parent domains’ credibility and SEO visibility. Victims are sent through traffic distribution systems (TDSs) to tech support scams, fake antivirus pages, malware downloads, phishing pages, or porn/fake streaming sites.

Operating since: At least 2023
Infoblox discovered: February 2025
Infoblox published: May 2025
Prevalence: Uncommon

Threat actor resources

Blog

Infoblox Threat Intel
May 20, 2025

Cloudy with a Chance of Hijacking Forgotten DNS Records Enable Scam Actor

Learn about a threat actor who discovers lingering DNS records from discontinued cloud services and uses them to deliver scams through adtech.

Infoblox Threat Intel

Hazy Hawk

Threat actor resources

Blog

Cloudy with a Chance of Hijacking Forgotten DNS Records Enable Scam Actor

Products

Solutions

Company

Resources

Get Infoblox Email Updates