Hazy Hawk Gang Exploits DNS Misconfigs to Hijack Trusted Domains

Summary:
Hazy Hawk is a technically adept threat actor that specializes in hijacking abandoned cloud resources by exploiting misconfigured DNS records, particularly dangling CNAME entries. These entries point to decommissioned services that were never properly removed from DNS configurations. Hazy Hawk locates and reclaims these subdomains by recreating the abandoned cloud infrastructure, allowing them to assume control over web addresses tied to trusted and reputable domains. The process requires access to passive DNS data and a deep understanding of how different cloud providers handle dropped or unclaimed resources, making this type of hijacking difficult to detect and uncommon among typical cybercriminals.

The actor gained significant attention in February 2025 when it hijacked a subdomain of the U.S. Centers for Disease Control and Prevention, flooding search engine results with hundreds of malicious URLs linked to pornography and scam advertisements. Investigators traced the activity to a subdomain, which was still mapped via a dangling CNAME record to an Azure website. Hazy Hawk exploited this abandoned cloud endpoint by setting up an identical Azure service, effectively hijacking the subdomain. This attack pattern has since been replicated across other high-profile targets.

Once in control of these subdomains, Hazy Hawk generates a high volume of malicious URLs that redirect users through multiple stages of obfuscation and redirection. These URLs often employ adtech infrastructure, traffic distribution systems, and open relay vulnerabilities to lead victims to scams and fraudulent downloads. In some cases, the actor disguises these URLs by borrowing content from legitimate websites such as PBS or the New York Times, either by copying HTML or mimicking site structure. This cloaking technique helps the actor bypass basic threat detection and gain temporary legitimacy in the eyes of search engines and automated crawlers.

Security Officer Comments:
Hazy Hawk also uses complex redirection chains that rely on link shorteners and previously hijacked infrastructure to guide victims through fake CAPTCHA pages, push notification prompts, and eventually scam websites. These campaigns are designed not only for broad reach but also to maximize revenue through affiliate ad networks. By delivering fake alerts or enticing content, they lure users, often on mobile devices, into granting permission for push notifications. These notifications become persistent attack vectors, enabling the delivery of ongoing scams, fake antivirus alerts, and fraudulent offers long after the initial visit.

Despite the considerable technical sophistication involved, Hazy Hawk’s objective is not espionage but profit through fraudulent advertising schemes. Their work reflects a calculated abuse of neglected cloud infrastructure and DNS records, exploiting the trust associated with reputable domains to deliver low-tier scams at massive scale.

Suggested Corrections:
There are two types of victims of Hazy Hawk activity: the organizations whose domains are hijacked and the users who visit the malicious URLs.

For domain owners, the best protection against Hazy Hawk and similar DNS hijacking threat actors is well-managed DNS. This can be difficult in complex, multi-national organizations where management of projects, domain registration, and DNS records may all be in separate organizations. These attacks are common after mergers and acquisitions. Infoblox recommends the establishment of processes that trigger a notification to remove a DNS CNAME record whenever a resource is shut down, as well as tracking active resources.
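The dangling CNAME condition described in the summary, and the process Infoblox recommends (remove the CNAME when the resource goes away, and keep an inventory of active resources), can both be checked with a periodic audit of the zone. The script below is an added illustration, not code from Infoblox or the reporting article. It classifies each CNAME as `ok`, `dangling` (target no longer resolves) or `unaccounted` (target resolves but is not in the organization's inventory of active cloud resources). The second class matters because a target that has already been re-created by someone else looks perfectly healthy to a plain resolution check; only comparison against the inventory exposes it. The record set, inventory and fake resolver are constructed sample data; the suffix list goes beyond the report's Azure example and is an assumption to be adapted to the providers actually in use.

```python
"""Audit CNAME records for dangling or unaccounted cloud targets.

Added illustration, not code from Infoblox or the reporting article.
The record set, the active-resource inventory and the fake resolver below are
constructed sample data; live_resolve() is the only part that touches the network.
"""
import socket
from dataclasses import dataclass
from typing import Callable, Iterable

# Hostname suffixes of services where a deleted name can be re-registered by any
# account. The report names Azure websites; the rest are assumptions added as
# examples of the same pattern and should be extended to match your providers.
RECLAIMABLE_SUFFIXES = (
    ".azurewebsites.net",
    ".cloudapp.azure.com",
    ".trafficmanager.net",
    ".github.io",
)


@dataclass
class Finding:
    name: str         # the subdomain on the trusted domain
    target: str       # normalised CNAME target
    status: str       # "ok", "dangling" or "unaccounted"
    reclaimable: bool # target sits on a service where names can be re-registered

    @property
    def priority(self) -> str:
        if self.status == "dangling" and self.reclaimable:
            return "high"    # anyone can re-create the target and own the name
        if self.status != "ok":
            return "medium"
        return "none"


def normalise(host: str) -> str:
    """Strip the trailing dot and lower-case so records and inventory compare equal."""
    return host.rstrip(".").lower()


def live_resolve(host: str) -> bool:
    """Real resolver: True if the target currently has any address record."""
    try:
        socket.getaddrinfo(host, None)
        return True
    except socket.gaierror:
        return False


def audit_cnames(records: Iterable[tuple[str, str]],
                 active_targets: Iterable[str],
                 resolve: Callable[[str], bool] = live_resolve) -> list[Finding]:
    """Classify each (name, cname_target) pair.

    dangling    : target does not resolve, so the CNAME should be removed now.
    unaccounted : target resolves but is not in the inventory of active resources;
                  a reclaimed target passes a resolver check, so this is the case
                  that catches a name someone else has already taken over.
    """
    active = {normalise(t) for t in active_targets}
    findings = []
    for name, target in records:
        t = normalise(target)
        if not resolve(t):
            status = "dangling"
        elif t not in active:
            status = "unaccounted"
        else:
            status = "ok"
        findings.append(Finding(normalise(name), t, status,
                                t.endswith(RECLAIMABLE_SUFFIXES)))
    return findings


# --- constructed sample data (not from the report) ---------------------------
SAMPLE_RECORDS = [
    ("www.example.org.", "example-prod.azurewebsites.net."),
    ("legacy-portal.example.org.", "old-portal-2019.azurewebsites.net."),
    ("docs.example.org.", "example-docs.github.io."),
    ("blog.example.org.", "blog-host.example-hosting.test."),
]
SAMPLE_ACTIVE_TARGETS = ["example-prod.azurewebsites.net"]   # what the org still runs
SAMPLE_LIVE = {"example-prod.azurewebsites.net", "example-docs.github.io"}


def sample_resolver(host: str) -> bool:
    """Fake resolver standing in for live_resolve() so the demo runs offline."""
    return host in SAMPLE_LIVE


def sample_report() -> dict[str, tuple[str, str]]:
    """name -> (status, priority) for the constructed sample, no network needed."""
    return {f.name: (f.status, f.priority)
            for f in audit_cnames(SAMPLE_RECORDS, SAMPLE_ACTIVE_TARGETS, sample_resolver)}


if __name__ == "__main__":
    for name, (status, prio) in sample_report().items():
        print(f"{prio:6} {status:12} {name}")
```

In production the record list would come from a zone export or the DNS provider's API and the active-target inventory from the cloud accounts themselves; the point of the inventory comparison is that a CNAME whose target resolves to a resource the organization does not own is the hijacked case, and it is invisible to a resolution-only check.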

The best way to shield end users from Hazy Hawk is through protective DNS solutions. Threat actors who work in the affiliate marketing space rely on traffic distribution systems (TDSs) to maximize their profits, and DNS is the optimal control point for disrupting all activity that flows through these systems. When the threat intelligence used in a protective DNS product is designed to track and detect TDS actors, as Infoblox Threat Intel does, Hazy Hawk and others can change their domain names and still be thwarted.

Education is a final component. Urge users to deny notification requests from websites they don’t know. If they start receiving messages, unwanted notifications can be turned off in the browser settings.

Link(s):
https://www.bleepingcomputer.com/ne...its-dns-misconfigs-to-hijack-trusted-domains/