The CDC was serving malware, and the CDC was not hacked
Summary
- Hazy Hawk re-registered abandoned cloud resources that forgotten CNAME records still pointed to — hijacking subdomains of the CDC, universities, and global firms.
- None of the victims were 'hacked' in the usual sense; they had simply left a DNS record behind.
- What an external scan would have shown: a dangling CNAME whose target returns a provider 'no such resource' page — the takeover fingerprint.
There is a particular kind of breach where nothing inside the organization is
ever touched, and the organization is nonetheless responsible. The login pages
work. The servers are patched. The security team is competent. And yet
somesubdomain.yourbrand.com is quietly serving scams, fake antivirus, and
pornographic spam to anyone who clicks — all under your name, all riding your
reputation, all indexed by Google as yours.
This is the world of dangling DNS, and 2025 was a banner year for it.
Hazy Hawk and the abandoned cloud
In May 2025, Infoblox’s threat intelligence team published its work on an actor it called Hazy Hawk. The mechanic is almost embarrassingly simple. Modern organizations spin up cloud resources constantly — an Amazon S3 bucket, an Azure endpoint, a GitHub Pages site, a Netlify app — and point a subdomain at each one with a CNAME record. When the project ends, the cloud resource gets deleted. The CNAME, pointing at a name that no longer belongs to anyone, gets left behind.
Hazy Hawk’s contribution was to do this at industrial scale: find those orphaned
CNAMEs across high-reputation domains, re-register the now-unclaimed cloud
resource, and inherit all the trust the parent domain had accumulated. According
to Infoblox, the victims included the U.S. Centers for Disease Control and
Prevention, Deloitte, PwC, Ernst & Young, Honeywell, UC
Berkeley, and UNICEF. A fresh wave in April 2026 hit more than 30
universities — MIT, Harvard, Stanford, Columbia, Johns Hopkins among them —
serving spam that Google dutifully indexed under their .edu names.
The CDC was not breached. It had simply forgotten a DNS record. As Infoblox’s Renée Burton has put it, abandoned cloud resources are a goldmine precisely because the parent domain’s reputation survives the resource that earned it.
Sitting Ducks: the same idea, one level up
If Hazy Hawk hijacks a subdomain, the Sitting Ducks attack hijacks the whole domain, without ever touching the registrar account. Disclosed jointly by Infoblox and Eclypsium in 2024 and actively exploited ever since, it abuses lame delegations: the registrar delegates the domain to a DNS provider (usually a different company from the registrar), but the zone was never configured there, or has lapsed, so the provider’s nameservers cannot answer for it. At providers that do not verify ownership before letting a customer add a zone, an attacker can simply create that zone in their own account and serve whatever records they like.
The numbers are the alarming part. Eclypsium and Infoblox estimated more than a million domains exposed to the technique, with tens of thousands actually hijacked — Infoblox’s November 2024 follow-up put the hijacked figure near 70,000 (earlier reporting had cited 35,000; the two numbers are different snapshots in time). Whole criminal crews — Infoblox named “Vacant Viper,” “VexTrio Viper,” “Horrid Hawk” — run their spam and fraud infrastructure on top of other people’s domains.
The $1.2 million version
In April 2026, the decentralized exchange CoW Swap lost roughly $1.2 million of
users’ funds to a variation of the same theme — except the takeover happened at
the registry. According to CoW DAO’s post-incident account, an attacker
submitted falsified identity documents to Traficom, the Finnish authority that
runs the .fi registry, impersonating a senior contributor. A dispute was raised
against the registrar; when it went unanswered in time, control of cow.fi
transferred to the attacker, who repointed DNS to a pixel-perfect phishing clone.
The smart contracts were never touched. The front door simply started belonging
to someone else.
The fix CoW enabled afterward — a registry lock — is exactly the kind of control that costs nothing and is invisible until the day it saves you.
What the outside view would have shown
Every attack above turns on something an outside-in look at your own domain can surface, using nothing but public DNS, the registry’s RDAP/WHOIS record, and the TLS handshake:
- Dangling CNAMEs. Enumerate your subdomains, follow each CNAME to its target, and check whether the target still resolves and serves your content. A target that no longer resolves at all (NXDOMAIN), or that resolves but returns the provider’s “no such bucket / no such site” error page, is the takeover fingerprint: the name is unclaimed, and anyone can claim it.
- Lame delegations. Compare the nameservers your registrar advertises at the parent against what those nameservers actually answer when queried directly for your zone’s SOA. A delegated nameserver that answers REFUSED or SERVFAIL, or answers without the authoritative (AA) flag set, is not serving your zone; if its provider lets anyone add that zone to their own account, the domain is a Sitting Duck.
- Missing hardening. Whether DNSSEC is enabled (a DS record at the parent), whether a restrictive CAA record limits which CAs may issue certificates for you, and whether a registry or registrar lock is in place (the serverTransferProhibited / clientTransferProhibited status codes in RDAP or WHOIS) are all externally observable, and together they are the difference between a hardened domain and a soft target.
These are not exotic checks. They are the boring, unglamorous DNS hygiene that nobody owns until it is the subject of a headline. A scan that reads your public DNS — the kind zmam.ai runs — finds them while they are still free to fix.
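The three checks above, as an added worked example. This is not code from the original page or from zmam.ai’s scanner; it runs the detection logic offline against a constructed fixture (the hostnames, nameservers, IP addresses and provider error strings are all assumptions, and the registry-lock test is an approximation based on the EPP status codes registries set for locked domains). To run it against a real zone, replace the FakeDNS methods with dnspython queries (or dig via subprocess) and an HTTPS GET of each CNAME target.

```python
# Added example (not code from the original page or from zmam.ai): the three
# outside-in checks, run against a constructed DNS fixture so it works offline.
# FakeDNS stands in for live DNS, HTTPS and RDAP lookups; swap its methods for
# dnspython queries (or `dig` via subprocess) to audit a real zone.
from dataclasses import dataclass, field

# Provider error strings that mark an unclaimed target. Illustrative assumptions
# taken from common takeover checklists, not an authoritative or complete list.
TAKEOVER_FINGERPRINTS = {
    "s3.amazonaws.com": "NoSuchBucket",
    "github.io": "There isn't a GitHub Pages site here",
}

# Assumption: a registry lock shows up in RDAP/WHOIS as these server-side codes.
REGISTRY_LOCK_STATUSES = {"serverUpdateProhibited", "serverTransferProhibited",
                          "serverDeleteProhibited"}


@dataclass
class FakeDNS:
    """Constructed stand-in for DNS, HTTPS and RDAP lookups (fixture, not live)."""
    cname: dict = field(default_factory=dict)        # name -> CNAME target
    a: dict = field(default_factory=dict)            # name -> A records; missing = NXDOMAIN
    body: dict = field(default_factory=dict)         # target -> HTTP body it serves
    ns: dict = field(default_factory=dict)           # zone -> nameservers delegated by parent
    soa_aa: dict = field(default_factory=dict)       # (nameserver, zone) -> SOA answer has AA?
    ds: set = field(default_factory=set)             # zones with a DS record at the parent
    caa: dict = field(default_factory=dict)          # zone -> CAA records
    rdap_status: dict = field(default_factory=dict)  # zone -> EPP status codes from RDAP

    def cname_target(self, name): return self.cname.get(name)
    def a_records(self, name): return self.a.get(name, [])
    def fetch(self, name): return self.body.get(name, "")
    def delegated_ns(self, zone): return self.ns.get(zone, [])
    def answers_authoritatively(self, ns, zone): return self.soa_aa.get((ns, zone), False)
    def has_ds(self, zone): return zone in self.ds
    def caa_records(self, zone): return self.caa.get(zone, [])
    def statuses(self, zone): return self.rdap_status.get(zone, [])


def check_dangling(name, dns):
    """Classify a name by where its CNAME leads."""
    target = dns.cname_target(name)
    if target is None:
        return "no-cname"
    if not dns.a_records(target):
        return "dangling-nxdomain"       # target has dropped out of DNS entirely
    body = dns.fetch(target)
    for suffix, marker in TAKEOVER_FINGERPRINTS.items():
        if target.endswith(suffix) and marker in body:
            return "dangling-unclaimed"  # provider says nobody owns this name
    return "ok"


def lame_nameservers(zone, dns):
    """Delegated nameservers that do not answer authoritatively for the zone."""
    return [ns for ns in dns.delegated_ns(zone)
            if not dns.answers_authoritatively(ns, zone)]


def hardening(zone, dns):
    """DNSSEC, CAA and registry lock, each as visible from outside the organisation."""
    return {
        "dnssec": dns.has_ds(zone),
        "caa": bool(dns.caa_records(zone)),
        "registry_lock": REGISTRY_LOCK_STATUSES <= set(dns.statuses(zone)),
    }


def audit(zone, names, dns):
    results = {n: check_dangling(n, dns) for n in names}
    return {
        "dangling": {n: r for n, r in results.items() if r.startswith("dangling")},
        "lame_nameservers": lame_nameservers(zone, dns),
        "hardening": hardening(zone, dns),
    }


# Constructed fixture: a hypothetical example.com with one live CNAME, three
# orphaned ones, one lame nameserver, and only a registrar-side lock.
FIXTURE = FakeDNS(
    cname={
        "assets.example.com": "old-assets.s3.amazonaws.com",
        "docs.example.com": "example-docs.github.io",
        "app.example.com": "retired-app.azurewebsites.net",
        "www.example.com": "www-example.cdn-host.net",
    },
    a={  # S3 and GitHub Pages endpoints keep resolving after the resource is deleted
        "old-assets.s3.amazonaws.com": ["192.0.2.10"],
        "example-docs.github.io": ["192.0.2.20"],
        "www-example.cdn-host.net": ["198.51.100.5"],
        # retired-app.azurewebsites.net is absent on purpose: NXDOMAIN
    },
    body={
        "old-assets.s3.amazonaws.com": "<Error><Code>NoSuchBucket</Code></Error>",
        "example-docs.github.io": "There isn't a GitHub Pages site here.",
        "www-example.cdn-host.net": "<html>welcome to example.com</html>",
    },
    ns={"example.com": ["ns1.dns-host.net", "ns2.dns-host.net"]},
    soa_aa={("ns1.dns-host.net", "example.com"): True,
            ("ns2.dns-host.net", "example.com"): False},  # zone never configured here
    rdap_status={"example.com": ["clientTransferProhibited"]},
)

SUBDOMAINS = ["assets", "docs", "app", "www", "mail"]

if __name__ == "__main__":
    names = [f"{s}.example.com" for s in SUBDOMAINS]
    for key, value in audit("example.com", names, FIXTURE).items():
        print(f"{key}: {value}")
```

Against the fixture, assets and docs come back as dangling-unclaimed (the provider still resolves the name but says nothing lives there), app comes back as dangling-nxdomain, ns2 is reported lame, and hardening is false across the board because a registrar-side clientTransferProhibited is not a registry lock. The fingerprint table is the part that needs care in a real deployment: each provider has its own “nothing here” page, and a check that only tests NXDOMAIN misses the S3 and GitHub Pages cases entirely.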
For the fundamentals, see DNS records that affect your security and How to tell if your website is exposed or compromised.
Sources
- Infoblox, “Who is Hazy Hawk?” (May 2025): https://www.infoblox.com/blog/threat-intelligence/cloudy-with-a-chance-of-hijacking-forgotten-dns-records-enable-scam-actor/
- The Hacker News, “Hazy Hawk exploits DNS records to hijack CDC, corporate domains”: https://thehackernews.com/2025/05/hazy-hawk-exploits-dns-records-to.html
- Eclypsium & Infoblox, “Ducks Now Sitting (DNS infrastructure insecurity)”: https://eclypsium.com/blog/ducks-now-sitting-dns-internet-infrastructure-insecurity/
- Infoblox, “DNS Predators hijack domains” (November 2024): https://blogs.infoblox.com/threat-intelligence/dns-predators-hijack-domains-to-supply-their-attack-infrastructure/
- Domain Name Wire, “Domain hijack led to crypto heist” (CoW Swap, April 2026): https://domainnamewire.com/2026/04/17/domain-hijack-led-to-crypto-heist/