Hazy Hawk hijacks abandoned cloud resources of global orgs to spread scams and malware

A sophisticated cybercriminal group dubbed Hazy Hawk has been linked to a widespread campaign hijacking abandoned cloud infrastructure, including Amazon S3 buckets and Microsoft Azure endpoints, by exploiting misconfigured Domain Name System (DNS) records, according to a report published by cybersecurity firm Infoblox.

The campaign, which has been active since at least December 2023, targets high-profile entities including government agencies, universities, and multinational corporations such as Deloitte, PricewaterhouseCoopers, and Ernst & Young. Hazy Hawk leverages “dangling” DNS CNAME records, which are misconfigured DNS entries that point to decommissioned cloud resources, allowing attackers to register those abandoned services and assume control of subdomains associated with trusted brands.

Infoblox researchers say the group’s operations were first uncovered in February 2025 after the hijacking of several subdomains belonging to the US Centers for Disease Control and Prevention (CDC).

“Perhaps the most remarkable thing about Hazy Hawk is that these hard-to-discover, vulnerable domains with ties to esteemed organizations are not being used for espionage or “highbrow” cybercrime,” the report notes. “Instead, they feed into the seedy underworld of adtech, whisking victims to a wide range of scams and fake applications, and using browser notifications to trigger processes that will have a lingering impact. Hazy Hawk is indicative of the lengths scam artists will go to get a portion of the multi-billion-dollar fraud market.”

The hijacked domains are used to host URLs that redirect users through traffic distribution systems (TDSes), delivering them to malicious websites. The attack often begins by mimicking legitimate content on the compromised subdomain before redirecting victims—frequently through enticing bait like pirated media or adult content—to spam, scams, and malware.

Among the cloud services exploited are those operated by Akamai, Bunny CDN, Cloudflare CDN, GitHub, and Netlify.

Hazy Hawk’s methodology builds on a previously documented threat technique highlighted by cybersecurity firm Guardio in early 2024. The method involved seizing control of abandoned cloud services that were still referenced by DNS CNAME records. All an attacker needs to do is identify these “dangling” records and register the associated cloud resource to commandeer the domain.
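The defensive counterpart to the technique described above is auditing your own zones for CNAME records whose targets no longer resolve. The script below is an added example written for this article, not code from Infoblox or Guardio: it parses a constructed BIND-style zone fragment, resolves each CNAME target through an injectable resolver (a constructed answer table for offline use, or a `socket`-based live lookup), and reports records that point at names that no longer exist. The zone content, hostnames, and the list of takeover-prone provider suffixes are assumptions for illustration.

```python
import socket
from typing import Callable, List, Optional, Tuple

# Constructed sample zone fragment (BIND-style). Names and targets are
# invented for this example; they are not from the Infoblox report.
SAMPLE_ZONE = """
www              300 IN CNAME example-site.netlify.app.
old-reports      300 IN CNAME legacy-bucket.s3.amazonaws.com.
api              300 IN A     198.51.100.7
cdn              300 IN CNAME assets.azureedge.net.
"""

# Constructed resolver answers for offline runs. None models NXDOMAIN,
# i.e. the cloud resource behind the CNAME was decommissioned.
SAMPLE_ANSWERS = {
    "example-site.netlify.app": "203.0.113.10",
    "legacy-bucket.s3.amazonaws.com": None,
    "assets.azureedge.net": None,
}

# Assumed list of provider suffixes where an unclaimed name can be
# re-registered by anyone; extend for the providers your org uses.
TAKEOVER_PRONE_SUFFIXES = (
    ".s3.amazonaws.com", ".azureedge.net", ".azurewebsites.net",
    ".netlify.app", ".github.io", ".b-cdn.net", ".edgekey.net",
)


def sample_resolver(name: str) -> Optional[str]:
    """Offline resolver backed by the constructed answer table."""
    return SAMPLE_ANSWERS.get(name)


def live_resolver(name: str) -> Optional[str]:
    """Real lookup via the system resolver; None on NXDOMAIN/no answer."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def parse_cnames(zone_text: str) -> List[Tuple[str, str]]:
    """Return (owner, target) pairs for every CNAME line in a zone fragment."""
    pairs = []
    for line in zone_text.splitlines():
        tokens = line.split()
        if "CNAME" not in tokens:
            continue
        idx = tokens.index("CNAME")
        owner, target = tokens[0], tokens[idx + 1]
        pairs.append((owner, target.rstrip(".")))
    return pairs


def qualify(owner: str, origin: str) -> str:
    """Expand a relative owner name to a fully qualified name."""
    if owner == "@":
        return origin
    if owner.endswith("."):
        return owner.rstrip(".")
    return f"{owner}.{origin}"


def find_dangling(zone_text: str,
                  resolver: Callable[[str], Optional[str]],
                  origin: str) -> List[Tuple[str, str]]:
    """List (fqdn, target) for CNAMEs whose target no longer resolves.

    A dangling record on a takeover-prone provider is the condition the
    article describes; both kinds are reported so the owner can decide
    whether to delete the record or reclaim the resource.
    """
    dangling = []
    for owner, target in parse_cnames(zone_text):
        if resolver(target) is None:
            dangling.append((qualify(owner, origin), target))
    return dangling


def is_takeover_prone(target: str) -> bool:
    """True if the target sits on a provider where names can be re-registered."""
    return target.endswith(TAKEOVER_PRONE_SUFFIXES)


if __name__ == "__main__":
    # Offline demonstration; swap in live_resolver to audit a real zone.
    for fqdn, target in find_dangling(SAMPLE_ZONE, sample_resolver, "example.org"):
        flag = "TAKEOVER-PRONE" if is_takeover_prone(target) else "review"
        print(f"{fqdn} -> {target}  [{flag}]")
```

Run against a real zone export with `live_resolver`, and treat every hit as a record to delete or a resource to reclaim before someone else registers it; a CNAME that resolves today is still worth re-checking periodically, since the decommissioning that creates the gap usually happens on the cloud side without anyone touching DNS.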

What sets Hazy Hawk apart is its systematic targeting of these abandoned assets at scale, often using URL obfuscation and redirection to conceal the true origin of malicious content. In some instances, the threat actor replicates the original site’s content to make detection even more difficult.

“We use the name Hazy Hawk for this actor because of how they find and hijack cloud resources that have dangling DNS CNAME records and then use them in malicious URL distribution,” Infoblox explained. “It's possible that the domain hijacking component is provided as a service and is used by a group of actors.”
