A threat actor named Hazy Hawk is hijacking abandoned cloud resources of major organizations. These resources include Amazon S3 buckets and also Microsoft Azure cloud computing endpoints. Hazy Hawk cleverly leverages misconfigurations found in Domain Name System (DNS) CNAME records. The hijacked domains are then used to host URLs that direct users to various scams. These malicious URLs also distribute malware via various traffic distribution systems or TDSes. Infoblox first discovered this active threat actor after it gained control of CDC sub-domains. This occurred in February 2025 impacting the U.S. Center for Disease Control. Other victims include global government agencies prominent universities and large international corporations. These widespread attacks have been ongoing since at least December of the year 2023.
Remarkably Hazy Hawk does not use these valuable hijacked domains for typical espionage activities.
Instead these compromised domains feed into the rather seedy underworld of online adtech. Unsuspecting victims are often whisked away to a wide range of online scams. They also encounter many fake applications hosted on these reputable but hijacked domain names. Malicious browser notifications are used to trigger processes that will have lingering negative impact. Hijacking trusted domains boosts credibility in search results for their malicious spammy content. This makes the harmful content appear much more legitimate to the average internet user. Even more concerningly this sophisticated approach enables the threat actors to bypass security detection. The operation relies on seizing abandoned domains that possess dangling DNS CNAME records.
Hazy Hawk actively finds abandoned cloud resources then quickly commandeers them for malicious purposes.
In some specific cases the threat actor also employs URL redirection concealment techniques. These are used to effectively hide which exact cloud resource was actually hijacked. Infoblox named this actor Hazy Hawk due to their method of hijacking cloud resources. It is quite possible the domain hijacking component is provided as a separate service. This service could then be utilized by a larger group of malicious online actors. Hazy Hawk’s attack chains often involve cloning the legitimate content of well-known websites. This cloned content is hosted on their newly hijacked domains to appear trustworthy. Victims are lured with pornographic content or offers for popular pirated software downloads. Site visitors are then funneled via a TDS to determine their next malicious destination.
Hazy Hawk is one of dozens of threat actors tracked within advertising affiliate programs. Actors in these programs drive users into specifically tailored malicious online content streams. They are often incentivized to include requests for users to allow push notifications. The main idea is to then flood a victim’s device with many push notifications. This action delivers an endless torrent of various malicious content to the user. Each separate notification often leads to different scams scareware and also fake online surveys. To prevent Hazy Hawk domain owners should remove DNS CNAME records for shut down resources. End users on the other hand are advised to deny all notification requests from unknown websites. Hazy Hawk’s efforts show these advertising affiliate programs are successful enough to pay well.
Reference:
