
A threat actor known as Hazy Hawk has been observed hijacking abandoned cloud resources of high-profile organizations, including Amazon S3 buckets and Microsoft Azure endpoints, by taking advantage of misconfigurations in Domain Name System (DNS) records.
According to Infoblox, the hijacked domains are used to host URLs that direct users to scams and malware through traffic distribution systems (TDSes). Other resources taken over by the threat actor include those hosted on Akamai, Bunny CDN, Cloudflare CDN, GitHub, and Netlify.
The DNS threat intelligence firm said it first discovered the threat actor in February 2025, after the actor gained control of several subdomains associated with the U.S. Centers for Disease Control and Prevention (CDC).
It has since been determined that other government agencies, major universities, and international corporations such as Deloitte, PricewaterhouseCoopers, and Ernst & Young have been victimized by the same threat actor since at least December 2023.
“Perhaps the most remarkable thing about Hazy Hawk is that these hard-to-discover, vulnerable domains with ties to respected organizations are not being used for espionage or ‘hybrid’ cyber crime,” Infoblox’s Jacques Portal and Renée Burton said in a report shared with The Hacker News.
“Instead, they feed into the seedy underworld of adtech, whisking victims to a wide range of scams and fake applications, and using browser notifications to trigger processes that have an effect.”
What makes Hazy Hawk's operations notable is the hijacking of trusted and reputable domains belonging to legitimate organizations, which boosts the credibility of those domains in search results when they are used to serve malicious and spammy content. Even more, the approach enables the threat actors to bypass detection.
Underpinning the operation is the attackers' ability to seize control of abandoned domains with dangling DNS CNAME records, a technique first exposed by Guardio in early 2024 as being exploited by bad actors for spam distribution and click monetization. All a threat actor needs to do to hijack the domain is register the missing resource.
Hazy Hawk goes a step further by finding abandoned cloud resources and then commandeering them for malicious purposes. In some cases, the actor has employed URL redirection techniques to conceal which cloud resource was hijacked.
“We use the name Hazy Hawk for this actor because they hijack cloud resources that have dangling DNS CNAME records and then use them in malicious URL distribution,” Infoblox said. “It is possible that the domain hijacking component is provided as a service and is used by a group of actors.”
The attack chain often involves cloning the content of legitimate sites for the initial site hosted on the hijacked domain, while luring victims into visiting it with pornographic or pirated content. Site visitors are then funneled through a TDS that determines where they land next.
“Hazy Hawk is one of dozens of threat actors we track within the advertising affiliate world,” the company said. “Threat actors who belong to affiliate advertising programs are incentivized to drive users to malicious content and to include requests to allow push notifications from ‘websites’ along the redirect path.”
In doing so, the idea is to flood a victim's device with push notifications and deliver an endless stream of malicious content, with each notification leading to different scams, scareware, and fake surveys, accompanied by requests to allow more push notifications.
Domain owners are recommended to remove a DNS CNAME record as soon as the resource it points to is shut down. End users, on the other hand, are advised to deny notification requests from websites they do not know.
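One way to act on the CNAME recommendation above, as an added example that is not from Infoblox or the original article: reconcile a zone's CNAME records against an inventory of cloud resources the organization still owns, and flag the rest as dangling. The zone data, inventory, hostnames and the suffix list are constructed assumptions.

```python
import re

# Hostname suffixes for services named in the article (assumed list, not exhaustive).
CLOUD_SUFFIXES = (
    ".s3.amazonaws.com", ".azurewebsites.net", ".cloudapp.azure.com",
    ".trafficmanager.net", ".github.io", ".netlify.app", ".b-cdn.net",
)

# Constructed zone export for the placeholder domain example.org.
ZONE = """\
www      3600 IN CNAME  example-prod.azurewebsites.net.
promo    3600 IN CNAME  example-campaign-2019.s3.amazonaws.com. ; old campaign
docs     300  IN CNAME  example-org.github.io.
mail     3600 IN CNAME  mail.example.org.
old-app  3600 IN CNAME  Example-Legacy.AzureWebsites.net.
api      3600 IN A      192.0.2.10
"""

# Constructed inventory: cloud resources the organization still owns.
LIVE = {"example-prod.azurewebsites.net", "example-org.github.io"}

# owner [ttl] [IN] CNAME target
RECORD = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?CNAME\s+(\S+)", re.I)

def normalize(host):
    """DNS names are case-insensitive; drop the trailing root dot."""
    return host.rstrip(".").lower()

def parse_cnames(zone_text):
    """Return (owner, target) pairs for every CNAME line, ignoring comments."""
    pairs = []
    for line in zone_text.splitlines():
        match = RECORD.match(line.split(";", 1)[0].strip())
        if match:
            pairs.append((match.group(1), normalize(match.group(2))))
    return pairs

def find_dangling(zone_text, live_resources):
    """CNAMEs that point at a cloud service but at no resource in the inventory."""
    live = {normalize(h) for h in live_resources}
    return [(owner, target) for owner, target in parse_cnames(zone_text)
            if target.endswith(CLOUD_SUFFIXES) and target not in live]

if __name__ == "__main__":
    for owner, target in find_dangling(ZONE, LIVE):
        print(f"DANGLING: {owner} -> {target} (remove the record or reclaim the resource)")
```

Comparing against an inventory rather than resolving the target also covers providers whose DNS answers for names that no longer map to an existing resource.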
“While operators such as Hazy Hawk are responsible for the initial lure, the user who clicks is led into a maze of sketchy and outright malicious adtech. The fact that Hazy Hawk puts a lot of effort into locating vulnerable domains and then using them for scam operations shows that these advertising affiliate programs are successful enough to pay well,” Infoblox said.