Hazy Hawk Leverages Dangling DNS Records to Hijack CDC and Corporate Subdomains for Malware Distribution


A threat actor tracked as Hazy Hawk has been observed taking over abandoned cloud resources, such as Amazon S3 buckets and Microsoft Azure endpoints, that DNS records belonging to prominent organizations still point to. The weakness is a misconfiguration in the victim's Domain Name System (DNS) zone rather than a flaw in DNS itself.

The hijacked subdomains are repurposed to host URLs that funnel users to scams and malware via traffic distribution systems (TDS). Other resources Hazy Hawk has targeted are hosted on Akamai, Bunny CDN, Cloudflare CDN, GitHub, and Netlify.

Infoblox first detected the actor after it gained control of several subdomains belonging to the U.S. Centers for Disease Control and Prevention (CDC) in February 2025. Subsequent investigation showed that government agencies around the world, well-known universities, and international corporations including Deloitte, PricewaterhouseCoopers, and Ernst & Young have also been victims since at least December 2023.

Infoblox researchers Jacques Portal and Renée Burton highlighted a notable aspect of Hazy Hawk's operations: rather than using the hijacked domains for espionage or high-end cybercrime, the actor uses them for fraud within the adtech ecosystem. Victims are directed to a wide array of scams and fake applications, and browser push notifications are used to keep delivering further harmful content after the first visit.

Hazy Hawk's operations are particularly concerning because the hijacked domains belong to trusted organizations, which lends credibility to the malicious content in search results and helps it evade reputation-based detection. The technique depends on dangling DNS CNAME records: a subdomain whose CNAME still points at a cloud resource (a storage bucket, an app-service hostname, a CDN endpoint) that the owner has since deleted. Because many providers let any customer claim a resource name that is not currently in use, the hijack consists of simply registering the missing resource under the attacker's own account; the organization's subdomain then resolves to content the attacker controls. Guardio documented the same weakness in early 2024 as a vector for spam distribution and monetization.

What distinguishes Hazy Hawk is its ability to find and commandeer abandoned cloud resources at scale. In some cases the actor adds a layer of URL redirection to mask which cloud resource was hijacked.

Infoblox noted, “We refer to this actor as Hazy Hawk due to their method of locating and misappropriating cloud resources with dangling DNS CNAME records for malicious URL propagation. It is likely that the domain hijacking element is offered as a service for use by a coalition of threat actors.”

The lure sites typically copy content from legitimate websites onto the hijacked subdomains, often using sexually explicit or pirated material to attract visitors. Once a visitor arrives, a TDS decides where to send them next.

Hazy Hawk operates within the large affiliate advertising landscape, where malicious actors are paid to steer users toward tailored harmful content. The redirected sites commonly ask for permission to send push notifications. The end goal is to flood the victim's device with a relentless stream of push notifications carrying scams, scareware, and deceptive surveys, each of which prompts further notification requests.

To mitigate the risk, domain owners should remove the CNAME record whenever the cloud resource it points to is decommissioned, and should periodically audit their zones for CNAMEs whose targets no longer resolve. End users are advised to decline notification requests from unfamiliar websites.
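The audit described above, and the takeover mechanic explained earlier, can be illustrated with a small dangling-CNAME checker. This is an added example, not Infoblox tooling or anything attributed to Hazy Hawk. The zone records, the stub resolver answers and the hostnames are constructed for illustration, and the list of takeover-prone provider suffixes is an assumed, non-exhaustive sample. The resolver is injected as a callable so the module runs offline; in production you would wrap a real lookup (for example dnspython's `dns.resolver.resolve`) in the same interface.

```python
"""Dangling-CNAME audit: flag CNAME records whose targets no longer exist.

Added example, not Infoblox or Hazy Hawk code. Everything below (zone
records, resolver answers, provider suffix list) is constructed for
illustration.
"""
from dataclasses import dataclass
from typing import Callable, Iterable, Optional

# Cloud/CDN hostname suffixes where a deleted resource name can usually be
# re-registered by any customer. Assumption: illustrative list, not exhaustive.
TAKEOVER_PRONE_SUFFIXES = (
    ".azurewebsites.net",   # Azure App Service
    ".trafficmanager.net",  # Azure Traffic Manager
    ".cloudapp.net",        # classic Azure cloud services
    ".s3.amazonaws.com",    # Amazon S3 (see caveat: the name still resolves)
    ".github.io",           # GitHub Pages
    ".netlify.app",         # Netlify
    ".b-cdn.net",           # Bunny CDN
    ".edgekey.net",         # Akamai
)


@dataclass(frozen=True)
class CnameRecord:
    owner: str   # the organisation's subdomain, e.g. "stats.example.gov."
    target: str  # where the CNAME points, e.g. "old-app.azurewebsites.net."


@dataclass(frozen=True)
class Finding:
    owner: str
    target: str
    status: str  # "ok", "dangling", "dangling-takeover-prone" or "unknown"


# A resolver maps a hostname to "ok" (address records exist), "nxdomain"
# (the name does not exist) or "servfail" (lookup failed / timed out).
Resolver = Callable[[str], str]


def _norm(name: str) -> str:
    """Strip the trailing dot and lower-case, so comparisons are stable."""
    return name.rstrip(".").lower()


def provider_for(target: str) -> Optional[str]:
    """Return the matching takeover-prone suffix, or None."""
    t = _norm(target)
    for suffix in TAKEOVER_PRONE_SUFFIXES:
        if t.endswith(suffix):
            return suffix
    return None


def audit_cnames(records: Iterable[CnameRecord], resolve: Resolver) -> list[Finding]:
    """Classify every CNAME by whether its target still exists in DNS."""
    findings = []
    for rec in records:
        state = resolve(_norm(rec.target))
        if state == "nxdomain":
            # NXDOMAIN on a claimable provider name is the exact condition
            # Hazy Hawk exploits: anyone can register the missing resource.
            status = "dangling-takeover-prone" if provider_for(rec.target) else "dangling"
        elif state == "ok":
            status = "ok"
        else:
            status = "unknown"  # SERVFAIL/timeout: re-check, never auto-delete
        findings.append(Finding(_norm(rec.owner), _norm(rec.target), status))
    return findings


# Constructed sample zone (invented names).
SAMPLE_ZONE = [
    CnameRecord("stats.example.gov.", "oldstats-app.azurewebsites.net."),
    CnameRecord("assets.example.gov.", "example-assets.s3.amazonaws.com."),
    CnameRecord("www.example.gov.", "example.cdn.example-host.net."),
    CnameRecord("legacy.example.gov.", "retired.partner-site.example."),
]

# Constructed stub answers standing in for live DNS lookups.
SAMPLE_ANSWERS = {
    "oldstats-app.azurewebsites.net": "nxdomain",  # app deleted, name claimable
    "example-assets.s3.amazonaws.com": "ok",       # S3 always answers in DNS
    "example.cdn.example-host.net": "ok",
    "retired.partner-site.example": "nxdomain",    # partner gone, not a cloud host
}


def stub_resolver(name: str) -> str:
    return SAMPLE_ANSWERS.get(name, "servfail")


def dangling_findings(records=SAMPLE_ZONE, resolve=stub_resolver) -> list[Finding]:
    """Only the records an operator must act on (delete or re-point the CNAME)."""
    return [f for f in audit_cnames(records, resolve) if f.status.startswith("dangling")]


if __name__ == "__main__":
    for f in audit_cnames(SAMPLE_ZONE, stub_resolver):
        print(f"{f.status:24} {f.owner} -> {f.target}")
```

A DNS-only check is necessary but not sufficient. Some providers answer DNS for every possible name, so a CNAME to a deleted S3 bucket still resolves and the sample above reports it as `ok`; for those services the audit must also fetch the URL and match the provider's "no such resource" response (for S3, an error body containing `NoSuchBucket`). Treat `unknown` as a retry, not a result: deleting a record on a transient SERVFAIL would break a live service.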

Infoblox underscored that while an actor like Hazy Hawk supplies the lure, it is the user who then unwittingly travels through a convoluted and shady network of malicious advertising technology. The effort Hazy Hawk invests in finding vulnerable domains is a measure of how profitable these advertising affiliate programs are.