Sydney, Australia, 21 May, 2025 – Subdomain hijacking through abandoned cloud resources is an issue that probably every major organisation has experienced, and these attacks are on the rise.
Infoblox Threat Intel has tracked some of this activity to a threat actor, dubbed Hazy Hawk, that uses hijacked domains to conduct large-scale scams and malware distribution. This discovery highlights the critical need for organisations to manage their Domain Name System (DNS) records and cloud resources vigilantly.
What is Hazy Hawk?
Hazy Hawk is a sophisticated threat actor that hijacks forgotten DNS records from discontinued cloud services such as Amazon S3 buckets and Azure endpoints. By taking control of these abandoned resources, Hazy Hawk is able to host malicious URLs that lead unsuspecting users to scams and malware.
Identifying vulnerable DNS records in the cloud is significantly more challenging than identifying regular unregistered domains. As cloud usage has grown, the number of abandoned “fire and forget” resources has skyrocketed, especially at companies that do not use a comprehensive visibility and management solution covering all the assets in their digital estate.
Since December 2024, Hazy Hawk has successfully hijacked subdomains of reputable organisations, including the U.S. Center for Disease Control (CDC), various government agencies, universities, and international companies.
Hazy Hawk Details:
- Sophisticated Techniques: Unlike traditional domain hijackers, Hazy Hawk targets DNS misconfigurations in the cloud and must have access to commercial passive DNS services to do so.
- Wide-Reaching Impact: The hijacked domains are used to distribute a variety of scams, including fake advertisements and malicious push notifications, affecting millions of users globally.
- Economic Consequences: The scams facilitated by Hazy Hawk contribute to the multi-billion-dollar fraud market, with significant financial losses reported, particularly among the elderly population.
- Obfuscation: Hazy Hawk uses layered defenses to protect its operations, including hijacking reputable domains, obfuscating URLs, and redirecting traffic through multiple domains.
Protective Measures
To thwart threat actors like Hazy Hawk, organisations should implement robust DNS management practices, including regular audits of DNS records and prompt removal of records associated with discontinued cloud services. Additionally, users should be educated to deny push notification requests from unfamiliar websites to avoid falling victim to scams. For more information on Hazy Hawk, read the full research blog.
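As an added illustration of the DNS audit recommended above (example code written for this page, not Infoblox tooling), the script below scans a BIND-style zone export for CNAME records that point at cloud hostnames and flags those whose targets no longer exist. The zone contents, the set of "live" targets and the cloud suffix list are constructed for the example; the suffix list is illustrative, and the probe is pluggable because S3 hostnames resolve even after a bucket is deleted.

```python
"""Audit a DNS zone export for dangling CNAMEs to deleted cloud resources."""
import socket
from typing import Callable

# Cloud hostname suffixes whose names anyone can claim once the original
# resource is deleted. Illustrative list, not exhaustive.
CLOUD_SUFFIXES = (
    ".s3.amazonaws.com",       # Amazon S3 buckets
    ".azurewebsites.net",      # Azure App Service
    ".blob.core.windows.net",  # Azure Storage accounts
)

def parse_cnames(zone_text: str) -> list[tuple[str, str]]:
    """Return (owner, target) pairs from a BIND-style zone export."""
    pairs = []
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[-2].upper() == "CNAME":
            pairs.append((fields[0].rstrip(".").lower(),
                          fields[-1].rstrip(".").lower()))
    return pairs

def is_cloud_target(target: str) -> bool:
    return target.endswith(CLOUD_SUFFIXES)

def dns_probe(target: str) -> bool:
    """Live check: does the target still resolve? Caveat: S3 uses wildcard
    DNS, so a deleted bucket's hostname still resolves; for S3 targets pair
    this with an HTTP request and treat a NoSuchBucket reply as dangling."""
    try:
        socket.gethostbyname(target)
        return True
    except socket.gaierror:
        return False

def find_dangling(zone_text: str,
                  probe: Callable[[str], bool] = dns_probe) -> list[tuple[str, str]]:
    """CNAMEs to cloud suffixes whose targets fail the liveness probe."""
    return [(owner, target) for owner, target in parse_cnames(zone_text)
            if is_cloud_target(target) and not probe(target)]

# Constructed sample zone and probe results, so the audit runs offline.
SAMPLE_ZONE = """\
promo.example.com.   300 IN CNAME promo-2019.azurewebsites.net.
assets.example.com.  300 IN CNAME example-assets.blob.core.windows.net.
legacy.example.com.  300 IN CNAME old-campaign.s3.amazonaws.com.
mail.example.com.    300 IN MX    10 mx.example.com.
"""
LIVE = {"example-assets.blob.core.windows.net"}  # constructed: still exists
```

Calling `find_dangling(SAMPLE_ZONE, lambda t: t in LIVE)` returns the two records whose cloud targets are gone; against a real zone, call it with the default `dns_probe` and review every hit before deleting the record.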