Paubox blog

Threat actor 'Hazy Hawk' hijacks abandoned cloud resources

Written by Tshedimoso Makhene | June 06, 2025

A threat actor known as Hazy Hawk is hijacking abandoned cloud resources from reputable organizations by exploiting DNS misconfigurations.

What happened 

A sophisticated cyber threat actor, Hazy Hawk, has been observed hijacking abandoned cloud resources from high-profile organizations, including U.S. government agencies, international consulting firms, and prestigious universities, by exploiting misconfigurations in Domain Name System (DNS) records. According to DNS threat intelligence firm Infoblox, the actor repurposes abandoned domains from platforms like Amazon S3, Microsoft Azure, GitHub, Akamai, Cloudflare, Bunny CDN, and Netlify to serve scams and malware.

Going deeper

The operation revolves around hijacking DNS CNAME records pointing to decommissioned cloud services, known as “dangling DNS records.” Once these records are left unclaimed, attackers can simply register the missing service and instantly control the subdomain. In some instances, Hazy Hawk conceals the hijacked resource via redirection techniques, making detection harder.

Infoblox first detected Hazy Hawk in February 2025 after identifying subdomain takeovers linked to the U.S. Centers for Disease Control and Prevention (CDC). The firm has since traced the threat actor’s activities as far back as December 2023, noting additional victims such as Deloitte, PricewaterhouseCoopers (PwC), Ernst & Young (EY), and various global government and academic institutions.

Hazy Hawk’s modus operandi involves cloning legitimate websites and then drawing in users with pirated or pornographic content. Once users visit the hijacked domain, they are redirected through traffic distribution systems (TDSes) that serve up scams, scareware, fake surveys, and malicious applications. These redirects often include deceptive prompts for push notification access, opening the door to a relentless stream of spam and malware-laden alerts.

What was said

“Perhaps the most remarkable thing about Hazy Hawk is that these hard-to-discover, vulnerable domains with ties to esteemed organizations are not being used for espionage or ‘highbrow’ cybercrime,” said Infoblox researchers Jacques Portal and Renée Burton in a report shared with The Hacker News. “Instead, they feed into the seedy underworld of adtech, whisking victims to a wide range of scams and fake applications.”

Infoblox added: “We use the name Hazy Hawk for this actor because of how they find and hijack cloud resources that have dangling DNS CNAME records and then use them in malicious URL distribution. It's possible that the domain hijacking component is provided as a service and is used by a group of actors.”

In the know

The Domain Name System (DNS) is a fundamental component of the internet that acts like a phone book, translating human-readable domain names (like example.com) into machine-readable IP addresses (like 192.0.2.1) that computers use to identify and communicate with each other. When a user types a website address into their browser, the DNS is responsible for resolving that name to the correct server where the website is hosted. This system enables seamless navigation of the web without requiring users to remember complex numerical addresses. DNS also supports additional functions like email routing and load balancing, but its widespread use makes it a common target for cyber threats when misconfigured or left unmaintained.

Why it matters

Hazy Hawk’s campaign highlights a serious yet overlooked cybersecurity risk: the improper decommissioning of cloud resources. By exploiting something as simple as an unremoved DNS record, attackers gain access to subdomains that inherit the trust, authority, and branding of legitimate organizations. This boosts the visibility of malicious pages in search engines and enables attackers to bypass many traditional detection tools.

The broader implication is the growing overlap between cybersecurity and advertising fraud. Hazy Hawk, according to Infoblox, is among “dozens of threat actors” operating in the affiliate advertising ecosystem, earning revenue by funneling users into scams and malware through deceptive means.

How to stay safe

Infoblox recommends that domain owners promptly remove DNS CNAME records once associated cloud resources are no longer in use. End users should avoid granting notification permissions to unknown or suspicious websites and remain vigilant when redirected from unusual content sources.
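The dangling-CNAME condition described under Going deeper, and the record cleanup Infoblox recommends here, can be audited from a zone export: walk every CNAME and flag targets that no longer resolve. This is an added example, not code from Infoblox or Paubox; the zone fragment, the resolver answers and the provider hostnames in it are constructed sample data.

```python
import re
from typing import Callable, List, Optional, Tuple

# Constructed zone fragment in BIND presentation format (not a real zone).
SAMPLE_ZONE = """\
$ORIGIN example.org.
www      300 IN A     192.0.2.10
reports  300 IN CNAME reports-prod.s3-website-us-east-1.amazonaws.com.
portal   300 IN CNAME portal-app.azurewebsites.net.
docs     300 IN CNAME example-docs.netlify.app.   ; site moved, record never removed
"""

# Constructed resolver answers; None models NXDOMAIN for a decommissioned target.
SAMPLE_ANSWERS = {
    "reports-prod.s3-website-us-east-1.amazonaws.com.": None,
    "portal-app.azurewebsites.net.": "203.0.113.5",
    "example-docs.netlify.app.": None,
}

CNAME_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?CNAME\s+(\S+)$", re.I)

def parse_cnames(zone_text: str) -> List[Tuple[str, str]]:
    """Return (owner, target) pairs for each CNAME, fully qualified via $ORIGIN."""
    origin, records = "", []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop comments and padding
        if not line:
            continue
        if line.upper().startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        m = CNAME_RE.match(line)
        if m:
            owner, target = (n if n.endswith(".") else f"{n}.{origin}" for n in m.groups())
            records.append((owner, target))
    return records

def find_dangling(zone_text: str, resolve: Callable[[str], Optional[str]]) -> List[str]:
    """Owners whose CNAME target no longer resolves (takeover candidates to delete).
    Caveat: some providers keep the name resolving after the resource is deleted,
    so also cross-check the survivors against your cloud inventory."""
    return [owner for owner, target in parse_cnames(zone_text) if resolve(target) is None]

if __name__ == "__main__":
    for owner in find_dangling(SAMPLE_ZONE, SAMPLE_ANSWERS.get):
        print(f"dangling CNAME, remove or reclaim: {owner}")
```

For a real zone, pass a resolver that wraps socket.gethostbyname and returns None on socket.gaierror instead of the constructed dictionary.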

As cybercriminals continue to innovate within the digital ad ecosystem, the onus is on both organizations and individuals to close the gaps that actors like Hazy Hawk are exploiting.

FAQs

What is domain hijacking?

Domain hijacking occurs when a malicious actor takes control of a domain or subdomain without permission, often by exploiting abandoned services or misconfigurations.

What are some signs of a scammy or malicious website?

Common signs include pop-ups requesting notification access, poor design or grammar, suspicious links or downloads, and offers that seem too good to be true.