
An example of Hazy Hawk hijacked domains in Google search results on February 16, 2025 | Image: Infoblox
Infoblox researchers have uncovered a sophisticated and stealthy threat actor dubbed Hazy Hawk, a group exploiting DNS misconfigurations and abandoned cloud resources to hijack subdomains of high-profile organizations—including government agencies, Fortune 500 companies, and academic institutions—to host scams, malware, and deceptive adtech.
At the core of Hazy Hawk's strategy is CNAME hijacking. A subdomain's CNAME record points at a cloud-hosted name (an Azure app, an S3 bucket, a Netlify site) whose underlying resource has been deleted, while the DNS record was never cleaned up. Because the provider lets any customer create a resource under that name, the attacker simply registers it in their own account, and the victim's subdomain now resolves to content the attacker controls. No system is breached: neither the victim's DNS nor its cloud account is touched.
“While domain names can be hijacked through stolen accounts, we think the most interesting hijacks leverage DNS misconfigurations,” the report states. “These kinds of attacks can run undetected for long periods of time.”
What sets Hazy Hawk apart is their ability to identify complex, hard-to-find DNS misconfigurations, possibly using commercial passive DNS services to pinpoint abandoned cloud infrastructure.

The group first came under Infoblox’s radar after hijacking a subdomain of the U.S. Centers for Disease Control and Prevention (cdc.gov) in February 2025. URLs on the subdomain ahbazuretestapp.cdc.gov began appearing in search engines with spam advertisements.
“We were certain that the CDC had abandoned their Azure service, and that the hacker then found its corresponding, so-called dangling, DNS record,” the report states.
This hijack was possible because the subdomain's CNAME record pointed to an Azure endpoint that was no longer active. Once the attacker created an Azure resource with that same name in their own account, they controlled the subdomain and everything served from it.
Hazy Hawk’s infrastructure is both intricate and evasive:
- Hijacked subdomains redirect to traffic distribution systems (TDSs) that deliver tailored scam content.
- Attackers clone or imitate legitimate websites like PBS or Honeywell to disguise their landing pages.
- Push notifications trick users into allowing persistent browser popups leading to scams.
- URLs are often obscured using link shorteners like TinyURL, Cuttly, and even t.co, or by addressing S3 buckets through alternate URL formats so that the hostname a blocklist keys on never appears.
“Instead of using that domain name in the distributed scam URLs… they used an alternate format to thwart blocking based on the fully qualified domain name,” the report notes.
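The "alternate format" evasion the report describes is easy to miss when a blocklist keys on the hostname: S3 exposes one bucket under several virtual-hosted hostnames and under a path-style form where the bucket does not appear in the hostname at all. The following added example (mine, not from the report, which does not say which format Hazy Hawk used) normalizes the standard S3 endpoint forms to a (bucket, key) pair so that blocking can match on the bucket name. The blocked bucket name and the URLs are constructed sample data.

```python
from typing import List, Optional, Set, Tuple
from urllib.parse import urlsplit


def parse_s3_url(url: str) -> Optional[Tuple[str, str]]:
    """Return (bucket, key) for any S3 endpoint form, or None if not S3.

    Handled forms:
      virtual-hosted   <bucket>.s3.amazonaws.com/<key>
      regional         <bucket>.s3.<region>.amazonaws.com/<key>
      dualstack        <bucket>.s3.dualstack.<region>.amazonaws.com/<key>
      website          <bucket>.s3-website-<region>.amazonaws.com/<key>
                       <bucket>.s3-website.<region>.amazonaws.com/<key>
      path-style       s3.amazonaws.com/<bucket>/<key>
                       s3.<region>.amazonaws.com/<bucket>/<key>
                       s3-<region>.amazonaws.com/<bucket>/<key>
    """
    if "://" not in url:
        url = "https://" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    labels = host.split(".")
    if len(labels) < 3 or labels[-2:] != ["amazonaws", "com"]:
        return None
    # The service label is "s3" or "s3-<something>". Bucket names may contain
    # "s3" themselves, so take the rightmost such label before "amazonaws".
    svc = None
    for i in range(len(labels) - 2):
        if labels[i] == "s3" or labels[i].startswith("s3-"):
            svc = i
    if svc is None:
        return None
    segments = [s for s in parts.path.split("/") if s]
    if svc > 0:
        # Virtual-hosted: everything left of the service label is the bucket.
        bucket = ".".join(labels[:svc])
        key = "/".join(segments)
    else:
        # Path-style: the bucket is the first path segment, not in the host.
        if not segments:
            return None
        bucket, key = segments[0], "/".join(segments[1:])
    return bucket, key


def blocked_bucket(url: str, blocklist: Set[str]) -> Optional[str]:
    """Name of the blocked bucket a URL addresses, or None."""
    parsed = parse_s3_url(url)
    if parsed and parsed[0] in blocklist:
        return parsed[0]
    return None


def fqdn_blocked(url: str, blocked_hosts: Set[str]) -> bool:
    """The naive check the evasion defeats: match on hostname only."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    return (parts.hostname or "").lower() in blocked_hosts


# Constructed sample: one bucket seen hosting a scam page, and the alternate
# URL forms a traffic distribution system could emit for the same object.
BLOCKED_BUCKETS = {"lucky-winner-portal"}
BLOCKED_HOSTS = {"lucky-winner-portal.s3.amazonaws.com"}
SAMPLE_URLS = [
    "https://lucky-winner-portal.s3.amazonaws.com/index.html",
    "https://s3.us-east-1.amazonaws.com/lucky-winner-portal/index.html",
    "http://lucky-winner-portal.s3-website-us-east-1.amazonaws.com/",
    "https://lucky-winner-portal.s3.dualstack.eu-west-1.amazonaws.com/index.html",
    "https://other-bucket.s3.amazonaws.com/index.html",
]


def count_hits(urls: List[str]) -> Tuple[int, int]:
    """(hits by hostname blocklist, hits by bucket-name blocklist)."""
    by_host = sum(fqdn_blocked(u, BLOCKED_HOSTS) for u in urls)
    by_bucket = sum(blocked_bucket(u, BLOCKED_BUCKETS) is not None for u in urls)
    return by_host, by_bucket


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(f"{blocked_bucket(u, BLOCKED_BUCKETS) or '-':22} {parse_s3_url(u)}  {u}")
    print("host-only hits vs bucket hits:", count_hits(SAMPLE_URLS))
```

On the sample URLs the hostname blocklist catches one of the four forms that point at the same bucket, while the canonicalized check catches all four. The same idea applies to other providers in the report's list that expose a resource under more than one hostname; the normalization step just needs that provider's naming rules.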
Infoblox links Hazy Hawk attacks to dozens of major organizations and cloud platforms, including:
- Governments: cdc[.]gov, alabama[.]gov, health[.]gov[.]au
- Universities: berkeley[.]edu, ucl[.]ac[.]uk
- Corporations: honeywell[.]com, deloitte[.]com, ey[.]com
- Cloud providers used: Azure, Amazon S3, Netlify, Cloudflare, GitHub, BunnyCDN, and more
While technically advanced, Hazy Hawk’s goals aren’t espionage but profit—generating traffic for scam sites and malicious affiliate ad networks.
“They feed into the seedy underworld of adtech, whisking victims to a wide range of scams and fake applications,” the report writes.
Notably, after redirecting users through TDSs, the group deploys push monetization tactics to continuously bombard victims with fake antivirus alerts, lottery wins, and tech support scams.