At a Glance
- Actor: Suspected single Chinese operator
- Activity Type: Cloud DNS takeover, SEO poisoning
- Targets: 163 organizations (government, healthcare, universities)
- Scale: Global impact across 30+ countries
- Jurisdiction: Hong Kong infrastructure
- Source: Cyble Research & Intelligence Labs (CRIL)
TL;DR
Cyble researchers recently uncovered a massive SEO poisoning operation. Threat actors exploit abandoned cloud DNS delegations to hijack enterprise subdomains. They host Thai gambling content under highly trusted corporate domains to manipulate search engine rankings.
What Happened
The discovery started with a single anomaly on a Verizon subdomain. Researchers noticed an unusual DNS resolution during a routine assessment. They soon found over a thousand individually named subdomains hosting Thai gambling content. All these endpoints resolved to a single IP address hosted by OVH. This initial finding quickly expanded. Investigators cross-referenced the server IP and page fingerprints. This pivot revealed 162 other compromised organizations.
The vulnerability stems from improper cloud infrastructure decommissioning. Many enterprises use Azure for project environments. They delegate a subdomain to an Azure DNS zone. However, companies often forget to remove these records later. The CRIL report notes, “What consistently fails is the decommissioning step.” When projects end, the NS delegation remains active in the parent DNS zone.

The attacker scans for these orphaned delegations. They claim the abandoned zones using new Azure subscriptions. Next, they generate legitimate Let’s Encrypt wildcard certificates. The report explains, “The actor systematically identifies these abandoned delegations, claims the orphaned zones under a fresh Azure subscription, and deploys a Next.js gambling kit.” This makes the malicious content look completely legitimate. Browsers and search engines trust the enterprise domain.
The campaign also targets DigitalOcean DNS zones. Two organizations suffered breaches through abandoned DigitalOcean accounts. In rare cases, attackers exploit direct wildcard misconfigurations within corporate DNS consoles; there the attacker needs no cloud zone takeover at all.
Who Is Behind It
Cyble suspects a single Chinese operator runs this entire campaign. Researchers base this attribution on twelve independent technical evidence points. The attackers use a dedicated 103-node application backend located in Hong Kong. Every server shares the exact same MD5 hash on port 80. They also use a single shared Let’s Encrypt certificate across the entire fleet. Furthermore, an identical Envoy proxy fingerprint appears on port 443. These factors strongly point to a centralized operation.
The operation functions as a highly structured affiliate marketing business. The backend validates the geographic origin of each visitor. The system only redirects users coming from Thailand. This geographic filter hides the campaign from global security scanners. The operators earn money through a dual-tier commission system. They receive publisher-level credit for delivering traffic. They also earn per-registration payouts when users create gambling accounts.
Impact or Scale
This cloud DNS takeover campaign compromises 163 organizations across more than 30 countries. Victims include federal government agencies and national healthcare systems. Financial institutions and major universities also suffer from these hijackings. The attackers gain massive search engine authority by piggybacking on these trusted brands. This SEO poisoning pushes the gambling sites to the top of search results.
The campaign serves identical Thai-language gambling content across all compromised sites. The web pages feature Schema.org structured data. This helps Google index their frequently asked questions. The platform advertises a minimum deposit of just one Thai Baht. This low barrier to entry removes typical registration friction. The unified kit fingerprint confirms centralized deployment by the operator. At the time of the report’s publication, 161 organizations remained actively compromised.
What Comes Next
Security teams must urgently audit their external DNS records. Administrators need to identify and remove all unused NS delegations immediately. You should also monitor your domains for unexpected wildcard Let’s Encrypt certificates. Certificate Transparency logs can reveal dormant subdomains that suddenly acquire new certificates.
Companies must update their cloud infrastructure decommissioning procedures. Deleting an Azure resource group is not enough. You must also sever the DNS link at the parent zone. For deeper insights into the attack infrastructure, read the full Cyble analysis on cloud DNS takeover. Staying vigilant helps protect your organization’s domain reputation from similar abuse.
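One way to run the delegation audit described above, as an added example that is not Cyble's or any vendor's code: it takes the NS delegations a parent zone still publishes and asks each delegated nameserver for the child zone's SOA; a child that no server answers for authoritatively is orphaned, and if its nameservers belong to Azure DNS or DigitalOcean it is flagged as claimable. The zone names, nameserver hostnames, provider suffix list and the dnspython-based `live_soa_query` probe are assumptions of this example, and the bundled fixture is constructed so the block runs offline.

```python
"""Audit NS delegations for orphaned child zones (added example, not Cyble's tooling).
Orphaned: parent still delegates the child but no delegated server serves its SOA."""
import socket
from dataclasses import dataclass
from typing import Callable, Iterable

# Managed-DNS nameserver suffixes treated as claimable (assumption drawn from the
# providers the report names; extend for your own estate).
CLAIMABLE_NS_SUFFIXES = ("azure-dns.com.", "azure-dns.net.", "azure-dns.org.",
                         "azure-dns.info.", "digitalocean.com.")
# soa_query(nameserver, zone) -> "AUTH" for an authoritative SOA answer, otherwise the
# rcode text ("REFUSED", "SERVFAIL", "NXDOMAIN") or "TIMEOUT"; injectable for offline tests.
SoaQuery = Callable[[str, str], str]

@dataclass(frozen=True)
class Delegation:
    child_zone: str
    nameservers: tuple

def classify(d: Delegation, soa_query: SoaQuery) -> str:
    """HEALTHY, PARTIAL, ORPHANED or ORPHANED-CLAIMABLE for one delegation."""
    answers = {ns: soa_query(ns, d.child_zone) for ns in d.nameservers}
    serving = sum(status == "AUTH" for status in answers.values())
    if serving == len(answers):
        return "HEALTHY"
    if serving:
        return "PARTIAL"  # some servers dropped the zone; repair before it is fully orphaned
    claimable = any(ns.lower().endswith(CLAIMABLE_NS_SUFFIXES) for ns in answers)
    return "ORPHANED-CLAIMABLE" if claimable else "ORPHANED"

def audit(delegations: Iterable[Delegation], soa_query: SoaQuery) -> dict:
    """Child zone -> verdict; anything not HEALTHY needs its NS records fixed at the parent."""
    return {d.child_zone: classify(d, soa_query) for d in delegations}

def live_soa_query(nameserver: str, zone: str, timeout: float = 3.0) -> str:
    """Real probe via dnspython (pip install dnspython); imported lazily so fixture runs stay offline."""
    import dns.exception, dns.flags, dns.message, dns.query, dns.rcode
    try:
        addr = socket.gethostbyname(nameserver.rstrip("."))
        resp = dns.query.udp(dns.message.make_query(zone, "SOA"), addr, timeout=timeout)
    except (socket.gaierror, dns.exception.Timeout):
        return "TIMEOUT"
    if resp.rcode() == dns.rcode.NOERROR and resp.flags & dns.flags.AA:
        return "AUTH"
    return dns.rcode.to_text(resp.rcode())
# Constructed fixture: a forgotten Azure delegation whose servers now refuse the
# zone, beside a healthy in-house delegation.
SAMPLE = (Delegation("project.corp.example.", ("ns1-01.azure-dns.com.", "ns2-01.azure-dns.net.")),
          Delegation("intranet.corp.example.", ("ns1.corp.example.", "ns2.corp.example.")))
fixture_query = lambda ns, zone: "REFUSED" if "azure-dns" in ns else "AUTH"
```

Feed `audit` the NS records exported from your parent zone together with `live_soa_query`, and treat every ORPHANED-CLAIMABLE result as a delegation to delete at the parent, not just a resource group to clean up in the cloud console.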