Infoblox has unveiled Hazy Hawk, a new cybersecurity threat actor that has been exploiting abandoned cloud resources (including S3 and Azure) and gaps in DNS since December 2023. Understanding the group's methods is crucial for protecting your organization and users.
Cybersecurity analysts at Infoblox Threat Intelligence have disclosed significant findings regarding a recently identified threat, referred to as Hazy Hawk. This group has been actively hijacking unattended cloud resources since at least December 2023, demonstrating an alarming level of sophistication.
In an exclusive report shared with Hackread.com, the researchers identified Hazy Hawk as an advanced group recognized for its expertise in Domain Name System (DNS) manipulation. By exploiting weaknesses in DNS records, they redirect unsuspecting users to fraudulent websites and malware-laden content.
This information is particularly concerning in light of the Federal Trade Commission’s (FTC) recent report detailing a 25% rise in scam-related financial losses in 2023, which reached a staggering $12.5 billion.
The Attack
Infoblox first detected Hazy Hawk’s activity in February 2025 when the group successfully commandeered subdomains from the U.S. Centers for Disease Control (CDC). Cybersecurity journalist Brian Krebs was the first to report on the suspicious behavior associated with the CDC domain.
Subsequent investigations uncovered that various global government agencies, including alabama.gov and health.gov.au, alongside prestigious academic institutions such as berkeley.edu and ucl.ac.uk, as well as major corporations like Deloitte.com and PwC.com, had also fallen victim to this threat.
The group’s methodology involves identifying dangling DNS records—specifically CNAME records that still point at abandoned cloud resources like Amazon S3 buckets and Azure endpoints. By registering the released resource name under their own account, Hazy Hawk takes control of what the victim's hostname resolves to and uses it to host multiple malicious URLs under a trusted domain. The moniker reflects the group's unusual skill at locating and hijacking these specific cloud resources.
Deception and Evasion Tactics
Hazy Hawk employs various deceptive strategies to mislead victims, including fake browser notifications and illegitimate applications. They obscure the final destination of URLs and repurpose code from legitimate websites to create seemingly trustworthy landing pages. Additionally, they alter URLs or redirect to trusted domains, such as the University of Bristol’s website.
Upon clicking a malicious link, users are directed through a series of redirection mechanisms involving platforms like Blogspot or link-shortening services, such as TinyURL and Bitly, ultimately leading to domains like viralclipnow.xyz. This intricate process complicates efforts for cybersecurity professionals to trace attack origins.
The tactics employed are designed not only to maximize financial gain for the scammers but also to obfuscate tracking efforts by dynamically altering content. Victims often find themselves ensnared in scams ranging from tech support fraud to gift card schemes.
Research by Infoblox highlights push notifications as a critical element in these scams. The perpetrators can secure up to a 90% revenue share from affiliate services, which encourages repeated targeting of victims. To mitigate such risks, organizations should ensure robust DNS management, particularly removing CNAME records related to retired cloud resources. Individuals can also enhance their security posture by employing protective DNS solutions that block access to harmful domains, regardless of changes made by attackers, while remaining vigilant regarding unsolicited website notifications.
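The hijack described under "The Attack" and the mitigation above both come down to the same audit: find CNAME records in your own zones whose targets are cloud hostnames nobody owns any more. The following is an added example written for this article, not code from Infoblox or from the report. It parses a constructed zone export, keeps only CNAMEs whose targets sit under claimable cloud suffixes (the suffix list and the constructed records are assumptions), and treats the two provider behaviours differently: a target that returns NXDOMAIN is flagged directly, while a target that still resolves (as deleted S3 buckets do, because the shared endpoint stays up) is probed and flagged only if the service reports `NoSuchBucket`. Resolver and probe are injected, so the offline demo uses fakes; `live_resolve` and `live_probe` show the equivalent network-backed versions.

```python
import re
import socket
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Cloud hostname suffixes under which the leftmost label (bucket, app or
# storage-account name) can be claimed by any account once the original
# owner deletes it. Constructed starting list for this example; extend it
# to the providers your organisation actually uses.
CLAIMABLE_SUFFIXES = (
    ".s3.amazonaws.com",
    ".blob.core.windows.net",
    ".azurewebsites.net",
)

# Service error codes meaning "endpoint is up, but this name is unowned".
# NoSuchBucket is the code S3 returns for a bucket that no longer exists.
UNCLAIMED_ERROR_CODES = {"NoSuchBucket"}


@dataclass
class Finding:
    name: str     # record under our own domain
    target: str   # cloud hostname the CNAME points at
    reason: str


def parse_cname_records(zone_text: str) -> List[Tuple[str, str]]:
    """Extract (owner, target) pairs from a BIND-style zone export."""
    records = []
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()      # drop comments
        if "CNAME" in fields:
            i = fields.index("CNAME")
            records.append((fields[0].rstrip("."), fields[i + 1].rstrip(".")))
    return records


def is_claimable_target(target: str) -> bool:
    return target.lower().endswith(CLAIMABLE_SUFFIXES)


def find_dangling_cnames(
    records: List[Tuple[str, str]],
    resolve: Callable[[str], Optional[List[str]]],
    probe: Callable[[str], Optional[str]],
) -> List[Finding]:
    findings = []
    for name, target in records:
        if not is_claimable_target(target):
            continue
        if resolve(target) is None:
            # Azure-style services drop the hostname when the resource is
            # deleted, so NXDOMAIN alone is decisive.
            findings.append(Finding(name, target, "target no longer resolves (NXDOMAIN)"))
            continue
        # S3-style services keep resolving the shared endpoint after the
        # bucket is gone, so a successful lookup proves nothing; ask the
        # service whether the name is still owned.
        code = probe(target)
        if code in UNCLAIMED_ERROR_CODES:
            findings.append(Finding(name, target, f"target resolves but service reports {code}"))
    return findings


# Network-backed helpers for real use (not exercised by the offline demo).
def live_resolve(host: str) -> Optional[List[str]]:
    try:
        return [socket.gethostbyname(host)]
    except socket.gaierror:
        return None


def live_probe(host: str) -> Optional[str]:
    """Return the <Code> from an S3-style XML error body, or None."""
    try:
        with urllib.request.urlopen(f"https://{host}/", timeout=5) as resp:
            body = resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        body = e.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError):
        return None
    m = re.search(r"<Code>([A-Za-z]+)</Code>", body)
    return m.group(1) if m else None


# Constructed sample zone export; none of these names are real records.
ZONE_EXPORT = """\
; constructed sample zone for example.gov
www.example.gov.          300 IN A     192.0.2.10
old-campaign.example.gov. 300 IN CNAME retired-site.s3.amazonaws.com.
portal.example.gov.       300 IN CNAME retiredapp.azurewebsites.net.
files.example.gov.        300 IN CNAME live-bucket.s3.amazonaws.com.
blog.example.gov.         300 IN CNAME blog.hosting-partner.example.
"""

# Constructed stand-ins for DNS and HTTP: None means NXDOMAIN / no error code.
FAKE_DNS = {
    "retired-site.s3.amazonaws.com": ["192.0.2.50"],   # endpoint still resolves
    "retiredapp.azurewebsites.net": None,              # NXDOMAIN
    "live-bucket.s3.amazonaws.com": ["192.0.2.50"],
}
FAKE_PROBE = {
    "retired-site.s3.amazonaws.com": "NoSuchBucket",   # deleted bucket
    "live-bucket.s3.amazonaws.com": None,              # still owned
}


def demo() -> List[Finding]:
    return find_dangling_cnames(parse_cname_records(ZONE_EXPORT), FAKE_DNS.get, FAKE_PROBE.get)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.name} -> {f.target}: {f.reason}")
```

Run against a real zone by passing `live_resolve` and `live_probe` instead of the fakes; each finding is a record to delete (or re-point at a resource you own) before someone else claims the target.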