A newly identified threat actor dubbed Hazy Hawk is hijacking subdomains of high-profile organizations, including the CDC, Deloitte, PwC, and others, by taking over abandoned cloud resources that those organizations' DNS records still point at. The attacker then uses the trusted subdomains to redirect visitors to malware, scams, and ad-based schemes.
How the DNS Domain Hijacking Works
According to a report by Infoblox, Hazy Hawk takes advantage of dangling DNS CNAME records: entries that still point at cloud resources (an Amazon S3 bucket, an Azure web app, a Netlify or GitHub Pages site, and others) that the owner has since deleted. Because the provider lets any account create a resource under a name that is currently free, the attacker re-creates the resource with the same name. The organization's DNS record is never touched; it simply resolves, as before, to a resource that is now under the attacker's control, so every visitor to that subdomain lands on the attacker's content.
Notably, the CDC was among the first identified victims, with its hijacked subdomains observed serving malicious redirect links in February 2025. Infoblox now links Hazy Hawk's activity to multiple government agencies, universities, and tech corporations worldwide, dating back to late 2023.
Trusted Domains Used to Evade Detection
Hazy Hawk's use of real subdomains under well-known organizations gives its scam pages the reputation of the parent domain: search engines rank them more readily, and reputation-based security filters that trust the parent domain let them through.
Common Attack Pattern Observed
- Threat actor identifies a dangling DNS record tied to a cloud service
- Re-creates the abandoned resource at the cloud provider under the same name, taking control of what the subdomain serves
- Hosts cloned content or lures such as adult content and pirated software
- Redirects users through a traffic distribution system (TDS)
- Delivers scams, fake surveys, scareware, and malware payloads
Infoblox researchers noted that these campaigns often ask visitors to allow push notifications, which are then used to bombard victims with fake offers and phishing schemes.
Affiliates and the Rise of Malicious Adtech
According to Infoblox, Hazy Hawk may be part of a broader affiliate advertising network where click-throughs, notification consents, and malware installations translate into financial gain for attackers. They speculate the domain hijacking component may even be offered as a service.
Prevention and Mitigation
To defend against this type of attack, experts recommend:
- DNS Hygiene: Delete the DNS record before, or at the same time as, decommissioning the cloud resource it points at, never afterwards
- End-user caution: Deny push-notification requests from unfamiliar sites
- Monitor Cloud Assets: Periodically audit DNS records against the cloud services you actually run and flag any record whose target no longer exists or is no longer yours
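The audit in the last step above can be automated. The following script is an added example written for this article, not code from Infoblox or from the original page. It parses the CNAME records out of a BIND-style zone file, then applies two checks to each target: does the name still resolve at all (the Azure case, where a deleted app name returns NXDOMAIN), and, if it does resolve, does the provider answer with a "no such resource" page (the S3 and GitHub Pages case, where a wildcard keeps the name resolving even after the bucket or site is gone). The zone data, the provider suffix list and the response markers are illustrative assumptions; extend them for the providers you use.

```python
"""Audit a zone file for dangling CNAME records (added example, not from the original page)."""
import socket
import urllib.error
import urllib.request
from dataclasses import dataclass

# Cloud name spaces where a free name can be claimed by any account at the
# provider. Assumption: illustrative list, not exhaustive.
CLAIMABLE_SUFFIXES = (
    ".s3.amazonaws.com",
    ".azurewebsites.net",
    ".cloudapp.azure.com",
    ".trafficmanager.net",
    ".github.io",
    ".netlify.app",
)

# Response fragments that mean "the name resolves but the resource is gone".
# Assumption: two well-known markers; add the ones for your providers.
MISSING_MARKERS = ("NoSuchBucket", "There isn't a GitHub Pages site here")

# Constructed sample zone for the offline demo; none of these names are real data.
SAMPLE_ZONE = """
; example.com zone excerpt (constructed)
www     IN CNAME  d111111abcdef8.cloudfront.net.
files   IN CNAME  old-assets.s3.amazonaws.com.
portal  IN CNAME  retired-portal.azurewebsites.net.
docs    IN CNAME  example-docs.netlify.app.
"""


@dataclass
class Finding:
    name: str    # fully-qualified owner of the CNAME record
    target: str  # the cloud name it points at
    reason: str  # why it is considered dangling


def parse_zone(text, origin):
    """Return (owner, target) pairs for every CNAME line in a BIND-style zone."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # strip comments and blank lines
        if not line:
            continue
        fields = line.split()
        if "CNAME" not in fields:
            continue
        idx = fields.index("CNAME")
        if idx + 1 >= len(fields):
            continue  # malformed line without a target
        owner, target = fields[0], fields[idx + 1]
        if owner == "@":
            owner = origin
        elif not owner.endswith("."):
            owner = f"{owner}.{origin}"  # relative owner: qualify with the origin
        records.append((owner.rstrip("."), target.rstrip(".")))
    return records


def dns_resolves(name):
    """True if the name has an address answer. Live network check."""
    try:
        socket.getaddrinfo(name, None)
        return True
    except socket.gaierror:
        return False


def http_probe(name, timeout=5):
    """True if the provider's HTTP answer says the resource behind the name is gone."""
    try:
        with urllib.request.urlopen(f"http://{name}/", timeout=timeout) as resp:
            body = resp.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # S3 and GitHub Pages answer 404 with a body
        body = err.read(4096).decode("utf-8", "replace")
    except (urllib.error.URLError, OSError):
        return False
    return any(marker in body for marker in MISSING_MARKERS)


def find_dangling(records, resolve=dns_resolves, probe=http_probe):
    """Flag CNAMEs whose target no longer resolves, or resolves to a 'gone' page."""
    findings = []
    for owner, target in records:
        claimable = target.lower().endswith(CLAIMABLE_SUFFIXES)
        if not resolve(target):
            reason = "target does not resolve (NXDOMAIN)"
            if claimable:
                reason += "; name is in a claimable cloud namespace"
            findings.append(Finding(owner, target, reason))
        elif claimable and probe(target):
            findings.append(Finding(owner, target, "target resolves but provider reports the resource missing"))
    return findings


def demo():
    """Run the audit over the constructed zone with stubbed network lookups."""
    live = {"d111111abcdef8.cloudfront.net", "old-assets.s3.amazonaws.com", "example-docs.netlify.app"}
    gone_at_provider = {"old-assets.s3.amazonaws.com"}  # bucket deleted, S3 wildcard still resolves
    records = parse_zone(SAMPLE_ZONE, "example.com")
    return find_dangling(records, resolve=lambda n: n in live, probe=lambda n: n in gone_at_provider)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.name} -> {f.target}: {f.reason}")
```

Running `demo()` flags `files.example.com` (resolves, but S3 reports the bucket missing) and `portal.example.com` (the Azure name no longer resolves), and leaves `www` and `docs` alone. Against a real zone, call `find_dangling(parse_zone(open(path).read(), "yourdomain.tld"))` with the default live lookups. The NXDOMAIN check alone is not enough: the S3 case shows why the provider-side probe is needed, and a record that passes both checks can still be dangling if the resource exists but belongs to someone else, so reconcile the output against your own cloud inventory.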
Vpnymous Insight: DNS Weakness Can Compromise Trust
When trusted domains fall into malicious hands, even advanced users can be deceived. At Vpnymous, we emphasize end-to-end encryption, DNS leak protection, and the ability to buy VPN with crypto. A VPN keeps your DNS queries and traffic away from observers on the local network; it cannot by itself stop a hijacked subdomain from serving malicious content, so the hygiene steps above still apply on the operator side.
- Keep DNS configurations tight: remove any CNAME that points at a cloud resource you no longer control, since public DNS makes every such record visible to an attacker
- Access management panels securely using open-source VPN clients
- Pay anonymously — no credit cards, no tracking, no logs
Buy VPN with crypto today and protect your network from DNS-level hijacking and tracking tactics.