A threat actor known as Hazy Hawk is making headlines for hijacking abandoned cloud infrastructure tied to high-profile organizations—including U.S. government agencies, global consultancies, and major corporations—through a method known as DNS hijacking. According to a new report from Infoblox, the group exploits dangling DNS CNAME records to gain control of services hosted on platforms like Amazon S3, Microsoft Azure, Akamai, GitHub, Netlify, Cloudflare, and Bunny CDN.
The operation began surfacing in December 2023 but came into sharper focus in early 2025, when Infoblox observed Hazy Hawk taking over multiple subdomains linked to the U.S. Centers for Disease Control and Prevention (CDC). The attackers didn’t stop there—other victims include global consultancies like Deloitte, PwC, Ernst & Young, prominent universities, and government domains around the world.
What makes this campaign especially concerning is the use of reputable, often forgotten domains to run traffic distribution scams. These hijacked domains serve as launchpads for malicious links that direct users to adult content, pirated downloads, scareware, and fake apps. Once victims land on these fake pages, they’re bombarded with browser notification requests designed to continuously push scams straight to their devices.
Infoblox researchers Jacques Portal and Renée Burton emphasized that this isn’t cyber-espionage. It’s commercialized manipulation. “Hazy Hawk targets neglected infrastructure and reuses these trusted domains to bypass detection and exploit adtech loopholes,” they wrote. The group then monetizes these hijackings by feeding victims into sketchy affiliate advertising funnels, where they’re incentivized to permit push notifications. Each notification leads users deeper into a trap of scams and malicious content.
From Domain Neglect to Click Monetization
The key technique used in the Hazy Hawk DNS hijacking playbook is relatively straightforward. Many companies forget to delete DNS CNAME records pointing to cloud-hosted resources after those resources are shut down. If such a record remains, all a threat actor needs to do is re-register the abandoned resource name on the cloud platform, and the still-pointing subdomain immediately serves whatever the attacker puts there. It’s a form of digital squatting, but with a much darker motive.
While dangling DNS issues have been exploited before, Hazy Hawk takes it further. The attackers clone real websites, disguise hijacked links using redirect chains, and systematically scan for exposed resources to claim. According to Infoblox, it’s likely this hijacking operation is now being offered as a service to other groups in the broader affiliate scam ecosystem.
Victims are lured with promises of pirated videos or adult content, but behind the scenes, Hazy Hawk uses traffic distribution systems (TDS) to decide where the visitor is sent. The end goal is almost always the same—gain notification permission to deliver endless spam, fake surveys, or malware.
Infoblox warns that the financial success of such schemes explains the level of effort being invested. “These affiliate programs clearly pay enough to make it worthwhile,” the report concludes.
To protect against this threat, domain owners should immediately remove DNS CNAME records when decommissioning cloud resources. End users are advised to block notification requests from unfamiliar websites and avoid engaging with suspicious online offers.
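The technique above comes down to a CNAME whose target no longer exists, and the defence is to find and remove such records before anyone else claims the target. The audit below is an added example (not code from Infoblox or the report): it parses a zone export for CNAME records, checks whether each target still resolves, and flags the ones that do not, marking targets on re-registrable cloud platforms as the urgent cases. The zone lines, the hostnames and the `CLOUD_SUFFIXES` list are constructed for illustration.

```python
import socket
from dataclasses import dataclass

# Illustrative suffixes for the hosting platforms named in the report; a CNAME
# into one of these whose target no longer resolves is a takeover candidate.
CLOUD_SUFFIXES = (".s3.amazonaws.com", ".azurewebsites.net", ".cloudfront.net",
                  ".github.io", ".netlify.app", ".edgekey.net", ".b-cdn.net")

# Constructed sample zone export (not real records).
ZONE = """\
www.example.org.        300 IN CNAME web-prod.example.org.
old-app.example.org.    300 IN CNAME retired-bucket.s3.amazonaws.com.
docs.example.org.       300 IN CNAME example-docs.github.io.
api.example.org.        300 IN A     192.0.2.10
"""

@dataclass
class Finding:
    name: str      # the subdomain that still points at the target
    target: str    # the CNAME target that no longer resolves
    cloud: bool    # True if the target sits on a platform anyone can register

def parse_zone(text):
    """Return (owner, target) pairs for every CNAME line in a zone export."""
    pairs = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[-2].upper() == "CNAME":
            owner, target = fields[0], fields[-1]
            pairs.append((owner.lower().rstrip("."), target.lower().rstrip(".")))
    return pairs

def is_cloud_target(target):
    return any(target.endswith(suffix) for suffix in CLOUD_SUFFIXES)

def live_resolve(target):
    """True if the target resolves today; False on NXDOMAIN or any lookup error."""
    try:
        socket.getaddrinfo(target, None)
        return True
    except socket.gaierror:
        return False

def find_dangling(pairs, resolve=live_resolve):
    """Flag CNAMEs whose target fails to resolve; cloud targets are the urgent ones."""
    return [Finding(owner, target, is_cloud_target(target))
            for owner, target in pairs if not resolve(target)]

if __name__ == "__main__":
    # Stub resolver so the sample runs offline; use live_resolve against a real zone.
    still_exists = {"web-prod.example.org", "example-docs.github.io"}
    for f in find_dangling(parse_zone(ZONE), lambda host: host in still_exists):
        print(f"{f.name} -> {f.target} ({'cloud target: remove the record' if f.cloud else 'verify'})")
```

A target that fails to resolve is a lead to verify rather than proof of a takeover, since lookups can fail transiently; the fix in every confirmed case is to delete the CNAME or point it at a resource you still control.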
As Hazy Hawk continues its DNS hijacking spree, this campaign is a stark reminder that even trusted domains can become vectors for scams when cloud hygiene is ignored.