‘Hazy Hawk’ Hijacks Abandoned Cloud CNAMEs to Exploit Trusted Domains

‘Hazy Hawk’ Hijacks Abandoned Cloud CNAMEs to Exploit Trusted Domains in Global Scam Campaign

A newly identified threat actor dubbed ‘Hazy Hawk’ has been observed hijacking abandoned DNS CNAME records that point to decommissioned cloud infrastructure, allowing them to take over trusted subdomains of some of the world’s most reputable institutions and corporations.

According to a new report from Infoblox, Hazy Hawk exploits these overlooked DNS configurations to distribute scams, malicious ads, and fake applications, using the credibility of compromised parent domains to boost legitimacy and evade detection.

How the Attack Works

The campaign begins with scanning for forgotten DNS CNAME records that still point to expired or deleted cloud resources. By referencing passive DNS telemetry, the threat actor identifies cloud services that have been unlinked from their owning domain but still referenced in DNS.

Hazy Hawk then re-registers cloud infrastructure—such as an Azure, AWS, or GCP resource—using the same name as the abandoned one. As a result, any subdomain with a dangling CNAME record will now resolve to the attacker’s new infrastructure, effectively hijacking it without needing access to the domain itself.

Discover your weakest link. Be proactive, not reactive. Cybercriminals need just one flaw to strike.

High-Profile Victims

The impact of this campaign is global. Infoblox reports that Hazy Hawk successfully hijacked subdomains of major organizations, including:

• cdc.gov – U.S. Centers for Disease Control and Prevention
• honeywell.com – Honeywell International
• berkeley.edu – University of California, Berkeley
• michelin.co.uk – Michelin Tires UK
• ey.com, pwc.com, deloitte.com – Big Four consulting firms
• ted.com – TED Talks
• health.gov.au – Australian Department of Health
• unicef.org – United Nations Children’s Fund
• nyu.edu – New York University
• unilever.com – Global consumer goods company
• ca.gov – California State Government

A complete list is available in the Infoblox report, highlighting the widespread nature of the campaign.

Malicious Infrastructure and Tactics

Overview of the Hazy Hawk attack
Source: Infoblox

Once control over a subdomain is achieved, Hazy Hawk generates hundreds of scam URLs that inherit the trust and SEO rankings of the legitimate domain. These malicious links are indexed by search engines, giving them high visibility and further credibility to unsuspecting users.

Users who land on the URLs are routed through multiple redirection layers and Traffic Distribution Systems (TDS). These systems profile the victim based on:

• Geographic location
• IP reputation and VPN detection
• Browser fingerprinting
• Device and OS type

Qualified users are redirected to tech support scams, fake antivirus warnings, phishing pages, streaming scams, and adult content traps.

Victims who accept browser push notification requests from these pages are continually bombarded with persistent scam alerts—even after closing the site—enabling a high-revenue ad fraud model.

Push notification examples from the campaign
Source: Infoblox

Are u a security researcher? Or a company that writes articles about Cyber Security, Offensive Security (related to information security in general) that match with our specific audience and is worth sharing? If you want to express your idea in an article contact us here for a quote: [email protected]

Source: bleepingcomputer.com

Source Link