- Outdated DNS records create invisible openings for criminals to spread malware through legitimate sites
- Hazy Hawk turns misconfigured cloud links into silent redirection traps for fraud and infection
- Victims think they’re visiting a real site, until popups and malware take over
A troubling new online threat is emerging in which criminals hijack subdomains of major organizations, such as Bose, Panasonic, and even the US CDC (Centers for Disease Control and Prevention), to spread malware and perpetrate online scams.
As flagged by security experts Infoblox, at the center of this campaign is a threat group known as Hazy Hawk, which has taken a relatively quiet but highly effective approach to compromise user trust and weaponize it against unsuspecting visitors.
These subdomain hijackings are not the result of direct hacking but rather of exploiting overlooked infrastructure vulnerabilities.
You may like
An exploit rooted in administrative oversight
Instead of breaching networks through brute force or phishing, Hazy Hawk exploits abandoned cloud resources linked to misconfigured DNS CNAME records.
These so-called “dangling” records occur when an organization decommissions a cloud service but forgets to update or delete the DNS entry pointing to it, leaving the subdomain vulnerable.
For example, a forgotten subdomain like something.bose.com might still point to an unused Azure or AWS resource, and if Hazy Hawk registers the corresponding cloud instance, the attacker suddenly controls a legitimate-looking Bose subdomain.
This method is dangerous because misconfigurations are not typically flagged by conventional security systems.
The repurposed subdomains become platforms for delivering scams, including fake antivirus warnings, tech support cons, and malware disguised as software updates.
Hazy Hawk doesn’t just stop at hijacking – the group uses traffic distribution systems (TDSs) to reroute users from hijacked subdomains to malicious destinations.
These TDSs, such as viralclipnow.xyz, assess a user’s device type, location, and browsing behavior to serve up tailored scams.
Often, redirection begins with seemingly innocuous developer or blog domains, like share.js.org, before shuffling users through a web of deception.
Once users accept push notifications, they continue to receive scam messages long after the initial infection, establishing a lasting vector for fraud.
The fallout from these campaigns is more than theoretical and has affected high-profile organizations and firms like the CDC, Panasonic and Deloitte.
Individuals can guard against these threats by refusing push notification requests from unfamiliar sites and exercising caution with links that seem too good to be true.
For organizations, the emphasis must be on DNS hygiene. Failing to remove DNS entries for decommissioned cloud services leaves subdomains vulnerable to takeover.
Automated DNS monitoring tools, especially those integrated with threat intelligence, can help detect signs of compromise.
Security teams should treat these misconfigurations as critical vulnerabilities, not minor oversights.
