Fake Massachusetts RMV citation landing page
Cyble Research and Intelligence Labs (CRIL) has uncovered a massive coordinated infrastructure consisting of over 16,800 malicious domains. Active since early 2026, this campaign—dubbed “Operation Trust Trap”—represents a shift in cyberwarfare from technical exploitation to psychological manipulation.
As the report notes, “Attackers no longer compete with security controls at the binary level but target the cognitive layer—when a user’s eye scans a URL and decides whether to click”.
The sophistication of “Operation Trust Trap” lies in its simplicity. Instead of hacking government servers, attackers are “weaponizing the visual trust of *.gov”. By positioning government labels as subdomains, they create a false sense of authority without needing actual DNS permission.
CRIL identified three primary “obfuscation classes” used to trick the human eye:
- Subdomain Trust Injection: Placing a legitimate token like mass.gov at the far left of a fraudulent URL.
- Hyphen Manipulation: Using hyphens to break trust tokens into visually similar forms that bypass regex-based security filters.
- Combined Abuse: Layering both techniques with “innocuous-sounding benign word insertion” to maximize deception.
While the campaign is “heavily US-centric,” covering virtually every state, the reach is truly international. Target regions extend into India, Vietnam, and UK-adjacent geographies, including lures themed around the NHS.
In the United States, the campaign specifically targets high-volume citizen services where transactions are time-sensitive.
| Top Targeted US Entities | Impersonation Pattern | Domain Count |
| --- | --- | --- |
| Washington State | wa.gov-[id].* | 797 |
| California | ca.gov-[id].* | 722 |
| Florida (FLHSMV) | flhsmv.gov-[id].* | 722 |
| Georgia | ga.gov-[id].* | 715 |
The primary objective is the “harvesting of credentials and payment card information” by mimicking portals for toll systems, vehicle registrations, and DMVs.
Perhaps most concerning is the identification of a distinct infrastructure cluster consistent with APT36 (also known as Transparent Tribe). This Pakistan-nexus threat actor has a documented history of targeting Indian government entities and defense personnel.
CRIL researchers observed APT36-linked domains specifically mimicking the structure of Indian portals, such as www.in.gov-[id].bond, to exploit the *.gov.in TLD convention.
The infrastructure powering these 16,800 domains is concentrated across Tencent Cloud and Alibaba Cloud APAC nodes. The campaign utilizes a “rapid rotation lifecycle,” where domains are activated for a narrow window and then quickly abandoned to stay ahead of blocklists.
Notably, over 62% of these domains had very few detections on VirusTotal at the time of the report, proving how effective this “operational reserve” strategy is at avoiding traditional security nets.
Operation Trust Trap proves that “the DNS authority rests entirely with the registrant of the rightmost domain—not with any government entity”.
As attackers continue to exploit “how humans interpret web addresses,” the best defense remains rigorous user education and advanced URL analysis that looks past the subdomain labels.
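One way to turn the report's point about the rightmost registrable domain into a URL check: an added Python example (not Cyble's code) that extracts the registrable domain and flags the three obfuscation classes described above. The multi-label suffix set and the sample URLs are constructed for illustration; a production check would load the full Public Suffix List (for example via the tldextract package).

```python
from urllib.parse import urlsplit

# Constructed subset of multi-label public suffixes; a real check would load
# the full Public Suffix List instead of this hard-coded set.
MULTI_LABEL_SUFFIXES = {"gov.in", "nic.in", "gov.uk", "co.uk"}
# Trust tokens the campaign plants in subdomains and hyphenated labels.
TRUST_TOKENS = {"gov", "nhs"}


def registrable_domain(host: str) -> str:
    """Rightmost label(s) the registrant actually owns (eTLD+1)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def assess(url: str) -> dict:
    """Classify a URL as legit, subdomain_injection, hyphen_manipulation,
    combined (both tricks), or none (no trust token present)."""
    host = urlsplit(url if "://" in url else "//" + url).hostname or ""
    reg = registrable_domain(host)
    reg_labels = reg.split(".")
    # Genuine: the token is a whole label of the registrable domain itself
    # (mass.gov, parivahan.gov.in, nhs.uk).
    if TRUST_TOKENS & set(reg_labels):
        return {"registrable_domain": reg, "verdict": "legit"}
    # Everything left of the registrable domain is chosen by the registrant.
    sub_labels = host.lower().rstrip(".").split(".")[: -len(reg_labels)]
    injection = bool(TRUST_TOKENS & set(sub_labels))
    # Hyphen manipulation: token fused into a label such as 'gov-8f2a'.
    hyphen = any(TRUST_TOKENS & set(label.split("-"))
                 for label in sub_labels + reg_labels if "-" in label)
    if injection and hyphen:
        verdict = "combined"
    elif injection:
        verdict = "subdomain_injection"
    elif hyphen:
        verdict = "hyphen_manipulation"
    else:
        verdict = "none"
    return {"registrable_domain": reg, "verdict": verdict}


if __name__ == "__main__":
    # Constructed sample URLs modelled on the patterns in the report.
    for u in ["https://www.mass.gov/rmv", "https://wa.gov-8f2a.top/toll",
              "https://www.in.gov-8f2a.bond/",
              "https://mass.gov.citation-pay.example/", "https://example.org/"]:
        print(f"{u:45} -> {assess(u)['verdict']}")
```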