Full Report
A threat actor known as Hazy Hawk has been observed hijacking abandoned cloud resources of high-profile organizations, including Amazon S3 buckets and Microsoft Azure endpoints, by leveraging misconfigurations in the Domain Name System (DNS) records. The hijacked domains are then used to host URLs that direct users to scams and malware via traffic distribution systems (TDSes), according to
Analysis Summary
# Threat Actor: Hazy Hawk
## Attribution & Identity
Threat actor identified and named "Hazy Hawk" by Infoblox. It is possible that the domain hijacking component of their operation is provided as a service to a group of actors.
## Activity Summary
Hazy Hawk specializes in exploiting misconfigurations in DNS records (specifically dangling CNAME records) associated with *abandoned* cloud resources (like S3 buckets, Azure endpoints, Akamai, Bunny CDN, Cloudflare CDN, GitHub, and Netlify instances). They register the missing resource to hijack legitimate domains, often reusing content from legitimate sites to lure victims. The primary goal is not espionage but feeding traffic into the "seedy underworld of adtech," directing victims to scams and fake applications, often using browser notifications.
## Tactics, Techniques & Procedures
- **Exploiting Dangling DNS CNAME Records:** Registering resources pointed to by dangling CNAME records of legitimate, often abandoned, domains to seize control.
- **Cloud Resource Hijacking:** Gaining control over cloud infrastructure (Amazon S3, Microsoft Azure, Akamai, etc.) that the victim organization formerly owned and has since abandoned.
- **Traffic Distribution Systems (TDS):** Using TDSes to funnel victim traffic to various final destinations.
- **Content Cloning:** Cloning content of legitimate sites to host on the hijacked domains to lure initial user visits (e.g., using pornographic or pirated content lures).
- **URL Redirection:** Employing redirection techniques to help conceal which specific cloud resource was hijacked.
- **Browser Notification Abuse:** Prompting visitors of the malicious sites to allow browser notifications, which gives the actor a persistent channel to keep pushing scams after the victim has left the page.
## Targeting
- **Sectors:** Government Agencies, Major Universities, International Corporations (Consulting/Professional Services).
- **Geography:** Global (implied by CDC involvement and global corporation targeting).
- **Victims:** U.S. Center for Disease Control (CDC) (first discovered involvement in Feb 2025), Deloitte, PricewaterhouseCoopers (PwC), and Ernst & Young (EY).
## Tools & Infrastructure
- **Malware Families used:** None explicitly named, but the end goal involves directing users to malware delivery/scams.
- **Infrastructure (C2, domains, IPs):** Deployed malicious URLs hosted on hijacked, reputable domains, funneling through URL/Traffic Distribution Systems.
## Implications
Hazy Hawk leverages trusted, high-reputation domains associated with respected entities (like the CDC and large professional services firms). This significantly boosts the credibility of their initial landing pages in search results and helps bypass reputation-based security controls that trust these domains. The focus on adtech monetization rather than espionage suggests a financially motivated, high-volume operation.
## Mitigations
- **DNS Hygiene Audits:** Organizations must actively monitor and remediate dangling DNS records (CNAMEs pointing to non-existent or external cloud resources).
- **Cloud Resource Decommissioning:** Ensure that when spinning down cloud services (like S3 buckets or Azure endpoints), associated DNS records pointing to these resources are immediately removed or updated.
- **Monitoring for Domain Abuse:** Monitor for legitimate domains or subdomains unexpectedly serving spam, scam, or malicious content, as this may indicate that control of the name has been ceded through a dangling record.
- **TDS Awareness:** Implement security measures designed to detect and block redirections through known Traffic Distribution Systems.
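The DNS hygiene audit described above, as an added example (not Infoblox's or any vendor's tooling): it parses CNAME records from a BIND-style zone export, keeps those whose target sits on a claimable cloud suffix, and flags any whose target no longer resolves. The suffix list, the sample zone and the stand-in resolver are all constructed for illustration.

```python
import re
from typing import Callable, Optional
# Cloud hostname suffixes whose target names can be claimed by anyone once
# the original resource is deleted. Illustrative list (assumption), not
# exhaustive; extend it with the providers your organization actually uses.
CLAIMABLE_SUFFIXES = (
    ".s3.amazonaws.com", ".azurewebsites.net", ".cloudapp.azure.com",
    ".trafficmanager.net", ".github.io", ".netlify.app", ".b-cdn.net",
)

# BIND-style CNAME line: owner [TTL] IN CNAME target
CNAME_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?IN\s+CNAME\s+(\S+)\s*$", re.I)

def parse_cnames(zone_text: str) -> list[tuple[str, str]]:
    """Extract (owner, target) pairs from a zone export, lower-cased and
    without trailing dots. Owner names are kept as written in the zone."""
    pairs = []
    for line in zone_text.splitlines():
        m = CNAME_RE.match(line.strip())
        if m:
            owner, target = (n.rstrip(".").lower() for n in m.groups())
            pairs.append((owner, target))
    return pairs

def find_dangling(pairs, resolve: Callable[[str], Optional[str]]):
    """Return CNAMEs whose target sits on a claimable cloud suffix and no
    longer resolves. `resolve` returns an address, or None for NXDOMAIN."""
    findings = []
    for owner, target in pairs:
        if not target.endswith(CLAIMABLE_SUFFIXES):
            continue  # not a claimable cloud hostname; out of scope here
        if resolve(target) is None:
            findings.append((owner, target))  # decommissioned but still referenced
    return findings

# Constructed sample zone: three CNAMEs, one of them dangling (www).
SAMPLE_ZONE = """
www     3600 IN CNAME old-site.azurewebsites.net.
assets  3600 IN CNAME example-assets.s3.amazonaws.com.
blog    3600 IN CNAME example.github.io.
mail         IN MX    10 mail.example.test.
"""
# Constructed stand-in for a live lookup (e.g. with dnspython). The Azure
# name is deliberately absent to simulate a deleted web app (NXDOMAIN).
# Providers whose wildcard DNS always answers (S3, for instance) need an
# HTTP probe for a "no such resource" response instead; not shown here.
FAKE_DNS = {"example-assets.s3.amazonaws.com": "203.0.113.10",
            "example.github.io": "203.0.113.20"}

def fake_resolve(name: str) -> Optional[str]:
    return FAKE_DNS.get(name)
```

Running `find_dangling(parse_cnames(SAMPLE_ZONE), fake_resolve)` on the constructed zone reports only the `www` record; in production, replace `fake_resolve` with a real lookup and run the audit against every zone the organization controls.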