Operation TrustTrap: Anatomy of a Large-Scale Deceptive Domain Spoofing Campaign

Cyble Research and Intelligence Labs (CRIL) uncovered a coordinated campaign of over 16,800 spoofed domains using subdomain trust injection, hyphen manipulation, and combined obfuscation to impersonate government portals for credential and payment card harvesting. Infrastructure clusters concentrate in Tencent Cloud and Alibaba Cloud APAC nodes with registrar dominance by Gname.com, and a distinct subset of domains shows TTPs consistent with APT36.

Keypoints

  • CRIL identified 16,800+ malicious domains engineered to visually spoof government URLs by placing .gov-like tokens in subdomain labels or hyphenated second-level labels, i.e. outside the registrable domain (eTLD+1) that actually determines who controls the site.
  • Three primary obfuscation classes were observed: subdomain trust injection, hyphen-based semantic manipulation, and combined obfuscation with benign word insertion.
  • Infrastructure is concentrated in Tencent Cloud and Alibaba Cloud APAC ASNs, with registrar dominance by Gname.com and TLD preference for .bond, .cc, and .cfd.
  • Primary objective is credential and payment-card harvesting via fake citizen-facing services (DMV, tolls, vehicle registration) across US states and select international targets (India, Vietnam, UK-themed lures).
  • Domains are bulk-registered and often held dormant as an operational reserve, then rapidly activated for short-lived campaigns to reduce detection and takedown windows.
  • A distinct cluster exhibits TTPs consistent with APT36—overlapping hosting IPs, registrar/TLD patterns, India-targeted lures, and automated domain-generation behavior.
  • Recommended mitigations include eTLD+1-aware URL parsing, structural token-position detection, domain risk scoring (registrar/TLD/ASN/age), campaign-cluster pivoting, and updated user training on root domain recognition.
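The three obfuscation classes and the eTLD+1-aware check recommended above, worked through in code. This is an added example and not CRIL's tooling: the public-suffix set is a constructed, deliberately tiny stand-in for the Public Suffix List (a real deployment should load the full PSL, for instance through the `tldextract` package), the service-word list and every score weight are illustrative assumptions, and the sample hostnames are the page's IoC examples plus constructed legitimate and combined-obfuscation cases.

```python
"""
Structural spoof detection for government-themed hostnames: eTLD+1-aware
parsing, token-position checks, and a registrar/TLD/provider/age risk score.
"""
import re

# Constructed mini public-suffix list, a stand-in for the full Public Suffix
# List (gov.in and gov.uk are real PSL entries; the rest are the TLDs named on
# the page plus a few needed for the legitimate samples).
PUBLIC_SUFFIXES = {"gov.in", "gov.uk", "co.uk", "gov", "com", "in", "uk",
                   "cc", "cfd", "bond", "casa"}
GOV_SUFFIXES = {"gov", "gov.in", "gov.uk"}       # only here does 'gov' mean government
GOV_TOKEN = re.compile(r"(^|[-.])gov([-.]|$)")   # 'gov' as a whole dot/hyphen-delimited token
SERVICE_WORDS = {"dmv", "rmv", "toll", "tolls", "pay", "renew", "tax"}  # assumed lure vocabulary
# Risk-score inputs come from the page's dataset; the weights below are assumptions.
HIGH_RISK_TLDS = {"bond", "cc", "cfd", "casa"}
HIGH_RISK_REGISTRARS = {"gname.com pte. ltd.", "dominet (hk) limited"}
HIGH_RISK_PROVIDERS = ("tencent", "alibaba")


def split_host(host):
    """Split a hostname into (subdomain labels, registrable domain, public suffix).

    The longest matching public suffix is stripped first; the label to its left
    is the owner-controlled second-level label (together they form the eTLD+1),
    and everything further left is subdomain space the registrant fills freely.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):              # i == 0 would leave no SLD
        suffix = ".".join(labels[i:])
        if suffix in PUBLIC_SUFFIXES:
            return labels[:i - 1], f"{labels[i - 1]}.{suffix}", suffix
    raise ValueError(f"no known public suffix in {host!r}")


def classify(host):
    """Return the obfuscation classes present in a hostname ([] if none).

    A host whose public suffix is itself a government suffix is trusted on
    structure alone; for everything else, a 'gov' token anywhere left of the
    registrable domain is a spoof signal.
    """
    subs, registrable, suffix = split_host(host)
    if suffix in GOV_SUFFIXES:
        return []
    sld = registrable[: -(len(suffix) + 1)]
    findings = []
    if GOV_TOKEN.search(".".join(subs)):         # nia.gov.in.<random>.casa
        findings.append("subdomain_trust_injection")
    if "-" in sld and GOV_TOKEN.search(sld):     # mass.gov-bzyc.cc
        findings.append("hyphen_manipulation")
    tokens = set(re.split(r"[-.]", ".".join(subs + [sld])))
    if findings and tokens & SERVICE_WORDS:      # combined with benign service words
        findings.append("benign_word_insertion")
    return findings


def score_domain(host, registrar="", provider="", age_days=None):
    """Additive 0-100 risk score; structure dominates, metadata corroborates."""
    score = 40 * min(len(classify(host)), 2)
    if split_host(host)[2] in HIGH_RISK_TLDS:
        score += 15
    if registrar.lower() in HIGH_RISK_REGISTRARS:
        score += 15
    if any(p in provider.lower() for p in HIGH_RISK_PROVIDERS):
        score += 10
    if age_days is not None and age_days < 30:  # dormant reserve just activated
        score += 20
    return min(score, 100)


if __name__ == "__main__":
    for h in ("mass.gov-bzyc.cc", "nia.gov.in.in3ymonaq.casa",
              "ca.gov.dmv-pay.cc", "portal.dmv.ca.gov", "nia.gov.in"):
        print(f"{h:32} {classify(h)}")
```

The whole-token regex matters: a substring match on "gov" would flag hosts such as government-news.example.com, while the delimiter-anchored token only fires when "gov" is a label or a hyphen-separated fragment, which is exactly the position the campaign abuses. Metadata alone (high-risk registrar or TLD on a real .gov host) stays well below any sensible alert threshold, so the score cannot be driven by registrar or TLD without a structural hit.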

MITRE Techniques

  • [T1583.001] Acquire Infrastructure: Domains – Mass registration of lookalike government domains across .bond, .cc, and .cfd TLDs via low-cost registrars.
  • [T1566.002] Phishing: Spearphishing Link – Delivery of malicious URLs via SMS (smishing) and email, using government-themed lures to send victims to spoofed portals.
  • [T1598.003] Phishing for Information: Spearphishing Link – Credential harvesting through fake government service portals such as DMV, toll-payment, and vehicle-registration sites.
  • [T1036.005] Masquerading: Match Legitimate Name or Location – Embedding .gov-like tokens within domain structures to impersonate trusted government infrastructure.
  • [T1071.001] Application Layer Protocol: Web Protocols – Use of HTTPS, with TLS certificates from low-cost issuers, so that phishing and exfiltration traffic looks like ordinary web traffic.
  • [T1583.003] Acquire Infrastructure: Virtual Private Server – Use of APAC-based cloud providers (e.g., Tencent Cloud, Alibaba Cloud) to host phishing infrastructure that can be deployed and scaled rapidly.

Indicators of Compromise

  • [Domains] Spoofed government-looking domains – mass.gov-bzyc[.]cc, mass.gov-pulk[.]cc, and 16,798 other similar domains.
  • [Domains] APT36-consistent India-targeting example – nia[.]gov[.]in[.]in3ymonaq[.]casa and other India-targeted variants.
  • [TLDs] Deceptive TLD usage observed – .bond, .cc, .cfd (primary TLDs of abuse in the dataset).
  • [Registrars] Dominant registration providers linked to the campaign – Gname.com Pte. Ltd., Dominet (HK) Limited.
  • [Hosting ASNs / Cloud Providers] Concentrated hosting infrastructure and shared IP overlap – Tencent Cloud ASNs, Alibaba Cloud APAC ASNs (shared hosting IPs across clusters).
  • [URL paths / filenames] Phishing page structures and harvesting forms – common paths /rmv and /dmv, and example file c_pay.html (mass.gov-pulk[.]cc/rmv/c_pay.html).
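The "campaign-cluster pivoting" mitigation from the key points, applied to the kind of attributes listed above. This is an added example, not CRIL's analysis pipeline: the records are constructed for illustration (the page's two IoC domains plus clearly hypothetical lookalikes, IPs from the 203.0.113.0/24 documentation range rather than real hosting addresses, and registrar/provider names taken from the page), and the clustering rule, shared resolved IP, is one pivot among the several the page mentions.

```python
"""
Campaign-cluster pivoting: from one confirmed-bad domain to every domain that
shares hosting with it, directly or through a chain of shared IPs.
"""
from collections import defaultdict

# Constructed records: (domain, resolved IP, registrar, hosting provider).
# The IPs are documentation-range placeholders, not observed infrastructure.
RECORDS = [
    ("mass.gov-bzyc.cc",            "203.0.113.10", "Gname.com Pte. Ltd.",  "Tencent Cloud"),
    ("mass.gov-pulk.cc",            "203.0.113.10", "Gname.com Pte. Ltd.",  "Tencent Cloud"),
    ("mass.gov-pulk.cc",            "203.0.113.11", "Gname.com Pte. Ltd.",  "Tencent Cloud"),  # same domain after an IP move
    ("dmv.gov-renew-example.bond",  "203.0.113.11", "Gname.com Pte. Ltd.",  "Tencent Cloud"),  # hypothetical lookalike
    ("nia.gov.in.in3ymonaq.casa",   "203.0.113.44", "Dominet (HK) Limited", "Alibaba Cloud"),
    ("nia.gov.in.example1.casa",    "203.0.113.44", "Dominet (HK) Limited", "Alibaba Cloud"),  # hypothetical lookalike
    ("unrelated-shop.example",      "203.0.113.99", "Other Registrar",      "Other Host"),
]


def _find(parent, x):
    """Union-find root lookup with path halving."""
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x


def cluster_by_shared_ip(records):
    """Connected components of the bipartite domain<->IP graph.

    Two domains land in one cluster if they share an IP, or if a domain that
    moved between IPs links two otherwise separate groups.
    """
    parent = {}
    for dom, ip, *_ in records:
        parent.setdefault(dom, dom)
        parent.setdefault(ip, ip)
        root_dom, root_ip = _find(parent, dom), _find(parent, ip)
        if root_dom != root_ip:
            parent[root_dom] = root_ip
    clusters = defaultdict(set)
    for dom, *_ in records:
        clusters[_find(parent, dom)].add(dom)
    return [sorted(c) for c in clusters.values()]


def pivot(seed, records=RECORDS):
    """Everything reachable from one seed domain, plus the cluster's metadata
    pattern (registrars, providers, TLDs) for writing the next hunting query."""
    for cluster in cluster_by_shared_ip(records):
        if seed in cluster:
            rows = [r for r in records if r[0] in cluster]
            return {
                "domains": cluster,
                "ips": sorted({r[1] for r in rows}),
                "registrars": sorted({r[2] for r in rows}),
                "providers": sorted({r[3] for r in rows}),
                "tlds": sorted({d.rsplit(".", 1)[1] for d in cluster}),
            }
    return None


if __name__ == "__main__":
    print(pivot("mass.gov-bzyc.cc"))
```

Starting from mass.gov-bzyc[.]cc, the pivot reaches the .bond lookalike even though the two never shared an IP directly: mass.gov-pulk[.]cc bridges them because it resolved to both addresses over time. That transitive reach is why the page's dormant-reserve domains are worth enumerating the moment one sibling goes live, and it is also why a clustering step should be reviewed before bulk blocking, since a shared cloud IP can occasionally join unrelated tenants.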


Read more: https://cyble.com/blog/operation-trusttrap-domain-spoofing-campaign/