Hazy Hawk Attack Spotted Targeting Abandoned Cloud Assets Since 2023

Infoblox reveals Hazy Hawk, a new threat exploiting abandoned cloud resources (S3, Azure) and DNS gaps since Dec 2023. Learn about their tactics and how to protect your organization and users.
Cybersecurity researchers at Infoblox Threat Intelligence have released critical findings on a recently identified threat, dubbed Hazy Hawk, which has been actively hijacking forgotten cloud resources since at least December 2023.
In its report, shared exclusively with Hackread.com, researchers noted that this advanced group is known for its DNS-savvy tactics and exploits gaps in Domain Name System (DNS) records to redirect unsuspecting internet users to fraudulent websites and malware.
This revelation comes as the Federal Trade Commission (FTC) reports a significant 25% increase in scam-related losses from 2023, totalling a whopping $12.5 billion.
Infoblox first detected Hazy Hawk’s activities in February 2025, when the group successfully took control of subdomains belonging to the US Centers for Disease Control (CDC). Cybersecurity journalist Brian Krebs was the first to notice suspicious activity on the CDC’s domain.
Further investigation revealed that global government agencies, including alabama.gov and health.gov.au, major universities like berkeley.edu and ucl.ac.uk, and international companies including Deloitte.com and PwC.com, have also been targeted.
Hazy Hawk’s method involves finding dangling DNS records, which are CNAME records pointing to abandoned cloud resources like Amazon S3 buckets, Azure endpoints, Akamai, Cloudflare CDN, and GitHub. They register these resources, gain control, and use them to host numerous malicious URLs. Infoblox dubbed the group Hazy Hawk due to their unusual methods of locating and hijacking specific cloud resources.
Hazy Hawk employs various tactics to deceive victims, including fake browser notifications and fraudulent applications, using URL obfuscation to hide link destinations, and repurposing code from legitimate websites to make their initial pages appear trustworthy. They also alter AWS S3 bucket URLs or redirect to the University of Bristol’s website.
Once a user clicks on a malicious link, they are routed through multiple redirection sites like Blogspot or link shorteners like TinyURL, Bitly and traffic distribution systems (TDSs) before reaching viralclipnow.xyz.
These systems are designed to maximize scammers’ profits and make it difficult for security experts to trace attacks by dynamically changing content, leading victims to scams like tech support fraud or gift card schemes.
The research reveals that push notifications are a key component of the scams: the threat actor can receive a 70-90 percent revenue share from the affiliate who obtained the victim’s approval for notifications, and services like RollerAds enable repeated targeting of the same victim.
To prevent such hijackings, organizations should use well-managed DNS, including removing DNS CNAME records when cloud resources are retired. End-users can protect themselves through protective DNS solutions that block access to malicious domains, even when threat actors change website names, and by being careful about website notification requests.
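The dangling-CNAME condition described above (a CNAME in your zone pointing at a cloud resource name that no longer exists) is something a defender can audit for before an attacker finds it. The following is an added example, not Infoblox's or Hackread's code: it takes an exported list of CNAME records, keeps only those whose target falls under a takeover-prone provider suffix, and reports the ones whose target no longer resolves, which is exactly the record the article says should be removed when the cloud resource is retired. The provider suffix list, the sample zone and the offline resolver are constructed for illustration.

```python
"""Audit a zone's CNAME records for dangling pointers to cloud resources.

Added example (not Infoblox's or Hackread's code). It assumes you can
export your zone's CNAME records and supply a callable that says whether
a CNAME target currently resolves. The sample records, suffix list and
fake resolver below are constructed so the script runs offline.
"""
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional

# Hostname suffixes of services where an abandoned resource name can be
# re-registered by anyone. Constructed starting list; extend it with the
# providers your organisation actually uses.
TAKEOVER_PRONE_SUFFIXES = (
    ".s3.amazonaws.com",
    ".s3-website-us-east-1.amazonaws.com",
    ".azurewebsites.net",
    ".cloudapp.azure.com",
    ".trafficmanager.net",
    ".blob.core.windows.net",
    ".cloudfront.net",
    ".github.io",
    ".edgekey.net",        # Akamai
)


@dataclass(frozen=True)
class CnameRecord:
    name: str     # owner name in your zone, e.g. "files.example.gov"
    target: str   # CNAME target, e.g. "old-site.s3.amazonaws.com"


@dataclass(frozen=True)
class Finding:
    name: str
    target: str
    reason: str


def _normalise(host: str) -> str:
    # Strip the trailing root dot and case so suffix matching is stable.
    return host.rstrip(".").lower()


def provider_suffix(target: str) -> Optional[str]:
    """Return the takeover-prone suffix the target falls under, or None."""
    t = _normalise(target)
    for suffix in TAKEOVER_PRONE_SUFFIXES:
        if t.endswith(suffix):
            return suffix
    return None


def find_dangling_cnames(records: Iterable[CnameRecord],
                         resolves: Callable[[str], bool]) -> List[Finding]:
    """Flag CNAMEs whose target is a cloud resource that no longer resolves.

    `resolves(target)` must return True if the target still has an address
    and False if the lookup fails (NXDOMAIN). A record is reported only when
    the target is under a takeover-prone suffix AND does not resolve, so
    first-party hosts that happen to be down are not reported.
    """
    findings: List[Finding] = []
    for rec in records:
        suffix = provider_suffix(rec.target)
        if suffix is None:
            continue                      # not a third-party cloud target
        if resolves(rec.target):
            continue                      # resource still exists
        findings.append(Finding(
            _normalise(rec.name), _normalise(rec.target),
            f"target under {suffix} does not resolve; "
            "delete the CNAME or reclaim the resource"))
    return findings


# --- constructed sample zone and resolver (no network access) ----------------
SAMPLE_RECORDS = [
    CnameRecord("files.example.gov.", "legacy-downloads.s3.amazonaws.com."),
    CnameRecord("www.example.gov", "example-prod.azurewebsites.net"),
    CnameRecord("docs.example.gov", "example-org.github.io"),
    CnameRecord("mail.example.gov", "mailhost.corp.example.gov"),
]

# Hosts that still resolve in the constructed world; everything else is NXDOMAIN.
_LIVE_HOSTS = {"example-prod.azurewebsites.net", "mailhost.corp.example.gov"}


def fake_resolver(target: str) -> bool:
    return _normalise(target) in _LIVE_HOSTS


def audit_sample() -> List[Finding]:
    """Run the audit over the constructed zone; two records are dangling."""
    return find_dangling_cnames(SAMPLE_RECORDS, fake_resolver)


if __name__ == "__main__":
    for f in audit_sample():
        print(f"{f.name} -> {f.target}: {f.reason}")
```

In production, replace `fake_resolver` with a real lookup (for example `socket.gethostbyname` wrapped to return False on failure) and run the audit on a schedule, since a record that is safe today becomes dangling the moment someone deletes the bucket or app behind it. One caveat for S3: any name under `s3.amazonaws.com` resolves in DNS whether or not the bucket exists, so for that suffix the resolver should also fetch the URL and treat an S3 "NoSuchBucket" response as not resolving.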