
A threat actor identified as Hazy Hawk has recently come under scrutiny for hijacking abandoned cloud resources (such as Amazon S3 buckets and Microsoft Azure endpoints) still referenced by the DNS records of well-known organizations. The takeover is made possible by misconfigured Domain Name System (DNS) records that keep pointing at resources that no longer exist. Once these domains are taken over, they are used to host deceptive URLs that direct users to scams and malware through traffic distribution systems (TDSes).
Infoblox, the DNS threat intelligence organization that uncovered this activity, reported that the group first gained notoriety in February 2025 when it took control of sub-domains associated with the U.S. Centers for Disease Control (CDC). Investigations revealed that Hazy Hawk has victimized other global entities, including academic institutions and major corporations like Deloitte and Ernst & Young, going back to at least December 2023.
What makes this situation particularly alarming is how Hazy Hawk employs these compromised domains not for espionage or sophisticated cybercrime, but to feed into the murky world of adtech. The domains lend credibility to scams and counterfeit applications, thus making it harder for security measures to detect such malicious activities.
Hazy Hawk’s operational tactic includes taking control of neglected domains with dangling DNS CNAME records, a method previously flagged by cybersecurity experts as being abused for spamming. By registering these unutilized resources, the threat actor can hijack valuable domains.
Further complicating matters, Hazy Hawk capitalizes on cloud resources. The group hides the true origin of its content behind chains of URL redirections, obscuring which hijacked resource is actually serving it. This approach is indicative of a broader trend in which malicious actors leverage cloud capabilities for fraudulent purposes.
Typically, these malicious sites replicate legitimate content to lure victims, often promoting pornographic or pirated material. Visitors are then passed through a TDS, which decides where each one is sent next.
Overall, Infoblox has indicated that Hazy Hawk is part of a larger network operating within the affiliate advertising world. These actors are incentivized to direct users to tailored malicious content, driving requests for push notifications from dubious sites along their pathways. Once permission is granted, victims are subject to a barrage of push notifications, each linking to various scams, scareware, and dubious surveys.
To safeguard against such threats, domain owners are advised to promptly remove DNS CNAME records when phasing out resources. Meanwhile, users are encouraged to reject notifications from unfamiliar websites to avoid falling prey to these schemes. As Hazy Hawk illustrates, while the initial bait may stem from the threat actors, the ultimate path leads users into a web of exploitative adtech that continues to thrive.
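The dangling-CNAME condition described above, and the cleanup advice that follows from it, can be checked routinely. The script below is an added example, not code from Infoblox or the original report; the zone entries, the resolver answers and the list of provider suffixes are constructed for illustration, and the stub resolver stands in for real DNS lookups.

```python
# Added example: offline check for dangling DNS CNAME records.
# A CNAME is dangling when its target no longer resolves (NXDOMAIN); if the
# target is a cloud hostname anyone can re-register, the subdomain can be taken over.
from typing import Callable, Dict, List, Optional

# Constructed zone data: subdomain -> CNAME target (illustrative names only).
ZONE_CNAMES: Dict[str, str] = {
    "legacy-app.example.org": "oldapp-prod.azurewebsites.net",
    "assets.example.org": "assets-example.s3.amazonaws.com",
    "www.example.org": "example-prod.cloudfront.net",
}

# Constructed resolver answers; None stands for NXDOMAIN.
FAKE_ANSWERS: Dict[str, Optional[List[str]]] = {
    "oldapp-prod.azurewebsites.net": None,           # app service deleted
    "assets-example.s3.amazonaws.com": None,         # bucket deleted
    "example-prod.cloudfront.net": ["198.51.100.7"], # still provisioned
}

# Provider suffixes (assumed list) where a released hostname can be claimed by a
# new tenant; dangling targets under these deserve the fastest cleanup.
CLAIMABLE_SUFFIXES = (
    ".azurewebsites.net", ".cloudapp.azure.com", ".trafficmanager.net",
    ".s3.amazonaws.com", ".elasticbeanstalk.com", ".github.io",
)

Resolver = Callable[[str], Optional[List[str]]]

def fake_resolve(name: str) -> Optional[List[str]]:
    """Stub resolver over FAKE_ANSWERS; replace with real DNS lookups in use."""
    return FAKE_ANSWERS.get(name)

def is_claimable(target: str) -> bool:
    return target.lower().rstrip(".").endswith(CLAIMABLE_SUFFIXES)

def find_dangling(cnames: Dict[str, str], resolve: Resolver = fake_resolve) -> List[dict]:
    """Return every CNAME whose target fails to resolve, tagged by claimability."""
    findings = []
    for owner, target in cnames.items():
        if resolve(target):          # target still resolves: not dangling
            continue
        findings.append({"owner": owner, "target": target,
                         "claimable": is_claimable(target)})
    # Claimable ones first so the decommissioning fix is prioritised.
    return sorted(findings, key=lambda f: not f["claimable"])

if __name__ == "__main__":
    for f in find_dangling(ZONE_CNAMES):
        print(f"dangling: {f['owner']} -> {f['target']} claimable={f['claimable']}")
```

Run against an export of the real zone with a live resolver, every finding is a CNAME to delete or a target to re-provision before anyone else claims it.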