Ethical Hacking News

Hazy Hawk: The Sophisticated Malware Operation Hijacking Trusted Domains for Scam Delivery


A threat actor known as Hazy Hawk has been observed hijacking abandoned cloud resources of high-profile organizations, including Amazon S3 buckets and Microsoft Azure endpoints, by leveraging misconfigurations in the Domain Name System (DNS) records. This operation involves exploiting DNS CNAME records to gain control over legitimate domains, boosting their credibility when used for nefarious purposes. The group uses a range of cloud services to host malicious content, making it essential for individuals and organizations to adopt a comprehensive security posture.

  • Hazy Hawk is a new threat actor hijacking abandoned cloud resources of high-profile organizations.
  • The group exploits DNS CNAME records to gain control over legitimate domains, boosting their credibility for malicious purposes.
  • Hazy Hawk uses URL redirection techniques to conceal hijacked cloud resources and serves malicious content.
  • The attack involves cloning legitimate sites' content on hijacked domains and luring victims with pornographic or pirated content.
  • Infoblox discovered Hazy Hawk's activities in February 2025, tracking the group within advertising affiliate programs.
  • Domain owners should remove DNS CNAME records as soon as resources are shut down to prevent hijacking.
  • End users should be cautious with unfamiliar websites and deny notification requests from unknown sources.



The cybersecurity landscape is constantly evolving, and with it comes a new threat actor known as Hazy Hawk. This group has been observed hijacking abandoned cloud resources of high-profile organizations, including Amazon S3 buckets and Microsoft Azure endpoints, by leveraging misconfigurations in Domain Name System (DNS) records. The scope of the operation is far-reaching: since at least December 2023, Hazy Hawk has targeted not only government agencies but also prominent universities and international corporations such as Deloitte, PricewaterhouseCoopers, and Ernst & Young.

Hazy Hawk's modus operandi is to exploit the DNS CNAME records of abandoned domains to gain control over legitimate resources. The technique itself is not new; Guardio exposed it in early 2024 as a method for spam proliferation and click monetization. What makes Hazy Hawk's operations noteworthy is the hijacking of trusted, reputable domains belonging to well-known organizations, which boosts their credibility in search results when they are used to serve malicious and spammy content.

Hazy Hawk's ability to seize abandoned cloud resources and then commandeer them for malicious purposes underscores the sophistication of the operation. In some cases the threat actor uses URL redirection to conceal which cloud resource was hijacked. The attack chains often begin with a site on the hijacked domain that clones the content of a legitimate site, while victims are lured to it with pornographic or pirated content.

The victim is then funneled through a traffic distribution system (TDS) that determines where they land next. This labyrinthine approach is designed to deliver an endless torrent of malicious content, with each notification leading to a different scam, scareware page, or fake survey. The use of push notifications as a vector for malicious activity highlights why users should be cautious when interacting with unfamiliar websites.

Infoblox, a DNS threat intelligence firm, first discovered Hazy Hawk's activities after the group gained control of several sub-domains associated with the U.S. Centers for Disease Control and Prevention (CDC) in February 2025. The firm noted that Hazy Hawk is one of dozens of threat actors it tracks within the advertising affiliate world. These actors, who belong to affiliate advertising programs, drive users into tailored malicious content and are incentivized to include requests to allow push notifications from 'websites' along the redirection path.

These operations succeed by flooding a victim's device with push notifications, each of which leads to a different scam, scareware page, or fake survey. Because browser notifications trigger processes with a lingering impact on the user, vigilance when interacting with unfamiliar websites is essential.

To prevent and protect against Hazy Hawk's activities, domain owners are advised to remove DNS CNAME records as soon as the resources they point to are shut down. End users are cautioned to deny notification requests from websites they don't know. That Hazy Hawk puts considerable effort into locating vulnerable domains and then using them for scam operations shows that these advertising affiliate programs are successful enough to pay well.

The attack highlighted by this operation is a reminder of the need for robust cybersecurity measures: keeping DNS records up to date, implementing secure notification practices, and staying vigilant when interacting with unfamiliar websites. By taking these precautions, users can significantly reduce their risk of falling victim to sophisticated malware operations like Hazy Hawk's.

Hazy Hawk's use of a range of cloud services to host its malicious content underscores the importance of a comprehensive security posture, including monitoring DNS records for suspicious activity, staying current with security patches and updates, and implementing robust cybersecurity measures across all systems.
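A defender-side audit of the mitigation just described, added here as an example that is not from the article or from Infoblox: it parses CNAME records out of a zone file, follows in-zone chains, and flags targets in claimable cloud namespaces whose provider probe reports no resource behind them. The zone, the suffix list and the probe results are constructed for the example.

```python
from typing import Callable, Dict, List, Tuple
# Provider suffixes that become claimable once the backing resource is deleted;
# illustrative list covering the S3 and Azure cases in the article.
CLAIMABLE_SUFFIXES = (".s3.amazonaws.com", ".azurewebsites.net",
                      ".cloudapp.azure.com", ".trafficmanager.net")

def parse_cname_records(zone_text: str) -> Dict[str, str]:
    """Map owner -> target for every CNAME line of a BIND-style zone file."""
    records: Dict[str, str] = {}
    for raw in zone_text.splitlines():
        parts = raw.split(";", 1)[0].split()          # drop comments, tokenize
        if "CNAME" in parts:
            owner, target = parts[0], parts[parts.index("CNAME") + 1]
            records[owner.rstrip(".").lower()] = target.rstrip(".").lower()
    return records

def resolve_chain(name: str, records: Dict[str, str], max_hops: int = 8) -> str:
    """Follow in-zone CNAME chains so the final external target is examined."""
    seen = set()
    while name in records and name not in seen and len(seen) < max_hops:
        seen.add(name)
        name = records[name]
    return name

def find_dangling_cnames(records: Dict[str, str],
                         resource_exists: Callable[[str], bool]) -> List[Tuple[str, str]]:
    """(owner, target) pairs pointing at a claimable host with no live resource.
    resource_exists is the provider probe: NXDOMAIN suffices for Azure names, but
    S3 bucket hostnames resolve via wildcard DNS, so that probe must check for
    an HTTP NoSuchBucket answer instead."""
    findings = []
    for owner in records:
        target = resolve_chain(owner, records)
        if target.endswith(CLAIMABLE_SUFFIXES) and not resource_exists(target):
            findings.append((owner, target))
    return sorted(findings)

# Constructed sample zone (not any real organization's records).
SAMPLE_ZONE = """; agency.example after its Azure web app and S3 bucket were deleted
www.agency.example.      300 IN CNAME legacy-site.azurewebsites.net.
reports.agency.example.  300 IN CNAME agency-reports.s3.amazonaws.com.
portal.agency.example.   300 IN CNAME www.agency.example.
status.agency.example.   300 IN CNAME live-status.trafficmanager.net.
agency.example.          300 IN MX 10 mx1.agency.example.
"""
STILL_PROVISIONED = {"live-status.trafficmanager.net"}    # constructed probe result

def audit_sample() -> List[Tuple[str, str]]:
    records = parse_cname_records(SAMPLE_ZONE)
    return find_dangling_cnames(records, lambda host: host in STILL_PROVISIONED)
```

Note that `portal` is flagged even though it points at an in-zone name, because the chain ends at the deleted Azure app; a check that only looks at the immediate target would miss it.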

In conclusion, the operation attributed to Hazy Hawk is a stark reminder of the evolving threat landscape. As threat actors continue to adapt and innovate, individuals and organizations must remain vigilant and proactive about security. By taking steps to prevent and protect against sophisticated malware operations like Hazy Hawk's, users can significantly reduce their risk of falling victim to these attacks.

Summary:

The operation attributed to Hazy Hawk involves hijacking abandoned cloud resources and using them to serve malicious and spammy content. The group exploits misconfigurations in Domain Name System (DNS) records to gain control over legitimate domains, boosting their credibility when used for nefarious purposes. To prevent and protect against this operation, domain owners should remove DNS CNAME records as soon as resources are shut down, while end users should be cautious when interacting with unfamiliar websites and deny notification requests from unknown sources.





Published: Tue May 20 13:20:00 2025 by llama3.2 3B Q4_K_M