Inside Keitaro Abuse: A Persistent Stream of AI-Driven Investment Scams

Keitaro Tracker is being widely abused by threat actors to perform domain cloaking, conditional traffic routing, and large-scale investment and tech-support scams, often leveraging AI-generated content and deepfakes to increase credibility and scale. Collaborative research by Infoblox and Confiant found thousands of malicious Keitaro instances, extensive domain registration patterns (RDGAs), and active abuse by actors including TA2726. #Keitaro #TA2726

Key points

  • Keitaro Tracker, a commercial ad-tracking/TDS platform, is frequently abused to cloak malicious landing pages and route victims based on geo, user-agent, ASN, and referrer signals.
  • Infoblox and Confiant analyzed four months of data (starting Oct 1, 2025) and identified approximately 15,500 domains used for malicious Keitaro instances, with ~9,000 registered prior to use.
  • Investment scams—especially AI-themed schemes using RDGA domains, AI-generated copy/images, and deepfake assets—were the dominant threat category observed.
  • Threat actors use programmatic conditional routing and client-side fingerprinting to show persuasive lures to real users while serving benign decoys to scanners and non-targets.
  • Actors leveraged ad ecosystems (native ads, Facebook Ads, Bigo Ads), spam, social media, and compromised sites to drive traffic into Keitaro cloaking flows and campaigns.
  • Vendor cooperation (Apliteni/Keitaro) led to responsive takedowns: reported illicit or stolen licenses resulted in account cancellations and infrastructure removals.

MITRE Techniques

  • [T1583.001] Domain Registration – Used to register large numbers of domains algorithmically (RDGAs) for campaigns (‘Registering large numbers of domains algorithmically over time, a technique we refer to as registered domain generation algorithms (RDGAs)’)
  • [T1078] Valid Accounts – Abuse of valid or illicit Keitaro licenses and accounts to run cloaking infrastructure (‘we verified that TA2726 and other malware actors were using illicit copies of the tracker’)
  • [T1566.002] Phishing: Spearphishing Link – Spam and advertising deliver links that lead victims to fraudulent landing pages and lures (‘Traffic to the instances was driven from compromised websites, spam, social media, and advertising’)
  • [T1204] User Execution – Lures and ad creatives prompt users to click and engage with malicious pages (ads and chatbot conversions) (‘ad creatives… Victims who click through are taken to near-perfect replica sites… a web form collects visitor contact details’)
  • [T1102] Web Service – Use of cloud-hosted resources to host short-lived scam payloads (Azure Blob Storage) (‘Victims who pass fingerprinting are redirected via HTTP 302 to a tech support scam page, often hosted on Azure Blob Storage (*.web.core.windows.net subdomains)’)
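The 302-to-Azure-Blob hand-off described above is something a defender can hunt for in web proxy logs. The following is an added example, not code from the report or from Infoblox/Confiant; the log format, the `contoso-help`/`abc123` storage-account names and the locale-subdomain regex are constructed assumptions, while the source hostnames are the indicators listed on this page.

```python
import re
from urllib.parse import urlparse

# Constructed sample proxy log lines (ts client method url status location); not report data.
SAMPLE_LOG = """\
2025-11-02T10:14:01Z 10.0.0.5 GET https://pl1.tradingideasai.com/ai-profit 200 -
2025-11-02T10:14:03Z 10.0.0.5 GET https://au.star-boostmedia.com/offer 302 https://contoso-help.web.core.windows.net/index.html
2025-11-02T10:15:10Z 10.0.0.7 GET https://example.org/news 200 -
2025-11-02T10:15:12Z 10.0.0.7 GET https://docs.example.org/page 302 https://docs.example.org/page/
2025-11-02T10:16:00Z 10.0.0.9 GET https://fin-zen-ai.com/go 302 https://abc123.web.core.windows.net/support.html
"""

# Hosting suffix named in the report: Azure Blob static-website endpoints.
AZURE_STATIC_SUFFIX = ".web.core.windows.net"
# Assumed heuristic for locale-controlled subdomains such as "au." or "pl1." (not from the report).
LOCALE_SUBDOMAIN = re.compile(r"^[a-z]{2}\d?\.")

def parse_line(line):
    """Split one space-separated proxy log line into a record; '-' means no Location header."""
    ts, client, method, url, status, location = line.split()
    return {"ts": ts, "client": client, "method": method, "url": url,
            "status": status, "location": None if location == "-" else location}

def hostname(url):
    return (urlparse(url).hostname or "").lower()

def is_suspicious_redirect(rec):
    """A 302 whose Location lands on an Azure static-site host that differs from the source host."""
    if rec["status"] != "302" or not rec["location"]:
        return False
    src, dst = hostname(rec["url"]), hostname(rec["location"])
    return dst.endswith(AZURE_STATIC_SUFFIX) and src != dst

def find_tss_redirects(log_text):
    """Return one finding per suspicious redirect, noting whether the source looks locale-controlled."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if is_suspicious_redirect(rec):
            src = hostname(rec["url"])
            findings.append({"client": rec["client"], "source_host": src,
                             "azure_host": hostname(rec["location"]),
                             "locale_subdomain": bool(LOCALE_SUBDOMAIN.match(src))})
    return findings

if __name__ == "__main__":
    for finding in find_tss_redirects(SAMPLE_LOG):
        print(finding)
```

Ordinary same-site 302s (the `docs.example.org` line) are not flagged, so the rule keys on the cross-site hop into Azure static hosting rather than on redirects in general.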

Indicators of Compromise

  • [Domain] Malicious and RDGA domains used in AI investment and fake news campaigns – fin-zen-ai[.]com, lumitexaihub[.]com, and 40+ other domains
  • [Domain] Domains associated with investment scam clusters and templates – cryptopassive-swiss-switzerland[.]org, tradingideasai[.]com, and other related RDGA subdomains
  • [Subdomain] Locale-controlled subdomains used to serve localized content – au.star-boostmedia[.]com, pl1.tradingideasai[.]com
  • [Cloud host] Short-lived scam hosting on Azure Blob Storage – *.web.core.windows.net (used as final TSS payload hosts)
  • [Phone numbers] Toll-free numbers used by call-center conversion/fraud operations – prefixes 1-844, 888 (examples used to route victims to unverified call centers)
  • [Landing page examples] Known campaign domains used by named clusters – empowerementplan[.]com (WickedWally), tryhappycards[.]ru (FishSteaks)

Read more: https://www.infoblox.com/blog/threat-intelligence/inside-keitaro-abuse-a-persistent-stream-of-ai-driven-investment-scams/