Date: 06/15/2026
Severity: High
Summary
A large-scale SEO poisoning campaign is abusing Azure DNS zone takeovers that stem from abandoned cloud NS delegations: the victim's parent zone still delegates a subdomain to Azure DNS name servers after the Azure-hosted zone was deleted, so whoever recreates a zone of that name in Azure receives the delegation and the traffic. The threat actor hijacked orphaned zones in this way and hosted Thai-language gambling content under the trusted domains of 163 organizations across more than 30 countries, including government agencies, healthcare providers, financial institutions, critical infrastructure operators, and universities. By leveraging Azure DNS, Next.js-based gambling kits, and valid Let's Encrypt wildcard TLS certificates (obtainable once the attacker controls DNS for the name), the malicious pages appeared indistinguishable from legitimate enterprise websites to both users and search engines. Researchers also identified a 103-node backend infrastructure in Hong Kong linked to a single Chinese operator; 161 of the 163 organizations remained actively compromised at the time of publication.
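The check a defender wants after reading this is for their own dangling delegations. The script below is an added example, not code from the Cyble report or the Gurucul advisory: it takes the NS records an organization publishes in its own zones, keeps the delegations whose name servers are all Azure DNS servers, and asks each of those servers directly for the zone's SOA. REFUSED from every server means the zone is still delegated to Azure but no longer exists there, which is the takeover precondition. The zone excerpt, hostnames and the fake SOA query are constructed; replace fake_query_soa with a real authoritative query in production.

```python
"""Dangling Azure DNS delegation check (added example, not from the Cyble report).

Input is the set of NS delegations you publish yourself (e.g. an export of the
parent zone). Working from that list instead of a recursive resolver matters:
a recursive resolver turns the Azure servers' REFUSED into SERVFAIL and hides
the signal. A delegation is "dangling" when every name server is an Azure DNS
server and none of them returns the zone's SOA.
"""
import re
from typing import Callable, Dict, Iterable, List, NamedTuple, Tuple

# Azure DNS name servers are named nsN-NN.azure-dns.{com,net,org,info}.
AZURE_NS_RE = re.compile(r"^ns\d+-\d+\.azure-dns\.(com|net|org|info)$", re.IGNORECASE)

# Authoritative SOA query: (zone, server name) -> rcode text ("NOERROR", "REFUSED", ...).
# Plug in a real query (e.g. dnspython's dns.query.udp against the server's
# address) for production use; the fake further down runs offline.
QuerySoa = Callable[[str, str], str]


class Finding(NamedTuple):
    zone: str
    nameservers: Tuple[str, ...]
    status: str  # "dangling", "partial", "hosted" or "not-azure"


def normalise(name: str) -> str:
    return name.lower().rstrip(".")


def is_azure_ns(ns: str) -> bool:
    return AZURE_NS_RE.match(normalise(ns)) is not None


def parse_ns_delegations(zone_text: str) -> Dict[str, List[str]]:
    """Collect NS targets per owner name from zone-file style lines."""
    delegations: Dict[str, List[str]] = {}
    for raw in zone_text.splitlines():
        fields = raw.split(";", 1)[0].split()  # drop comments, then tokenize
        # Accept "owner [ttl] [class] NS target"; skip every other record.
        if len(fields) < 3 or "NS" not in fields[1:-1]:
            continue
        owner, target = normalise(fields[0]), normalise(fields[-1])
        delegations.setdefault(owner, []).append(target)
    return delegations


def classify(zone: str, nameservers: Iterable[str], query_soa: QuerySoa) -> Finding:
    ns = tuple(sorted(normalise(n) for n in nameservers))
    if not all(is_azure_ns(n) for n in ns):
        return Finding(zone, ns, "not-azure")
    answering = [n for n in ns if query_soa(zone, n) == "NOERROR"]
    if len(answering) == len(ns):
        status = "hosted"
    elif answering:
        status = "partial"  # inconsistent NS set; still worth a look
    else:
        status = "dangling"
    return Finding(zone, ns, status)


def find_dangling(zone_text: str, query_soa: QuerySoa) -> List[Finding]:
    """Return only the delegations an attacker could take over."""
    findings = [classify(zone, ns, query_soa)
                for zone, ns in parse_ns_delegations(zone_text).items()]
    return [f for f in findings if f.status == "dangling"]


# Constructed sample data: delegations a fictitious agency publishes.
SAMPLE_ZONE = """
; excerpt of the example.gov zone (constructed for this example)
legacy.example.gov.   3600 IN NS ns1-05.azure-dns.com.
legacy.example.gov.   3600 IN NS ns2-05.azure-dns.net.
legacy.example.gov.   3600 IN NS ns3-05.azure-dns.org.
legacy.example.gov.   3600 IN NS ns4-05.azure-dns.info.
portal.example.gov.   3600 IN NS ns1-07.azure-dns.com.
portal.example.gov.   3600 IN NS ns2-07.azure-dns.net.
mail.example.gov.     3600 IN NS ns1.example.net.
www.example.gov.       300 IN A  192.0.2.10
"""

# Constructed view of which zones each Azure server still hosts: the legacy
# zone was deleted in Azure, so no server answers for it.
HOSTED = {
    "ns1-07.azure-dns.com": {"portal.example.gov"},
    "ns2-07.azure-dns.net": {"portal.example.gov"},
}


def fake_query_soa(zone: str, server: str) -> str:
    return "NOERROR" if zone in HOSTED.get(server, set()) else "REFUSED"


if __name__ == "__main__":
    for f in find_dangling(SAMPLE_ZONE, fake_query_soa):
        print(f"{f.zone}: {f.status}; delegated to {', '.join(f.nameservers)}")
```

Run it against an export of every zone you control; each "dangling" line is a delegation to delete from the parent zone (or to re-create in Azure) before someone else does.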
Indicators of Compromise (IOC) List
Domains/URLs:
broker-xm.com
pub-a4952b46ff9c4f6b8d5529cd21f9a1e3.r2.dev
/img/ib99-hq.ico (URL path, not a domain)
ibiza99.autos
big888.store
seven77.click
link99.nova555.rest
appbox.7y6texmeyy.com
appbox.devh5api27.xyz
appbox.55u4g5g4k2.com
99997778.com
bevictor.com
IP addresses and ranges:
51.79.199.51
139.99.82.106
38.127.8.49
38.173.30.0/24
38.173.37.0/24
38.173.56.0/24
38.173.57.0/24
38.173.235.0/24
38.173.236.0/24
38.173.239.0/24
Hashes:
SHA1: d9799ca2f08af6992dc80c49f9889fef40ed27c7
MD5: 7df3d7cf3358af3f470ac7229387ef94
Pixel IDs: 322242757545449, 1607473696511298, 721331896825411
GTM ID: GTM-NP59MP3T
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 (domain, URL and site-URL indicators):
domainname like "broker-xm.com" or url like "broker-xm.com" or siteurl like "broker-xm.com" or
domainname like "pub-a4952b46ff9c4f6b8d5529cd21f9a1e3.r2.dev" or url like "pub-a4952b46ff9c4f6b8d5529cd21f9a1e3.r2.dev" or siteurl like "pub-a4952b46ff9c4f6b8d5529cd21f9a1e3.r2.dev" or
domainname like "/img/ib99-hq.ico" or url like "/img/ib99-hq.ico" or siteurl like "/img/ib99-hq.ico" or
domainname like "ibiza99.autos" or url like "ibiza99.autos" or siteurl like "ibiza99.autos" or
domainname like "big888.store" or url like "big888.store" or siteurl like "big888.store" or
domainname like "seven77.click" or url like "seven77.click" or siteurl like "seven77.click" or
domainname like "link99.nova555.rest" or url like "link99.nova555.rest" or siteurl like "link99.nova555.rest" or
domainname like "appbox.7y6texmeyy.com" or url like "appbox.7y6texmeyy.com" or siteurl like "appbox.7y6texmeyy.com" or
domainname like "appbox.devh5api27.xyz" or url like "appbox.devh5api27.xyz" or siteurl like "appbox.devh5api27.xyz" or
domainname like "appbox.55u4g5g4k2.com" or url like "appbox.55u4g5g4k2.com" or siteurl like "appbox.55u4g5g4k2.com" or
domainname like "99997778.com" or url like "99997778.com" or siteurl like "99997778.com" or
domainname like "bevictor.com" or url like "bevictor.com" or siteurl like "bevictor.com"
Note: /img/ib99-hq.ico is a URL path, so its domainname clause can never match; only the url and siteurl clauses are useful for that indicator.
Detection Query 2 (IP indicators):
dstipaddress IN ("51.79.199.51","139.99.82.106","38.127.8.49","38.173.30.0","38.173.37.0","38.173.56.0","38.173.57.0","38.173.235.0","38.173.236.0","38.173.239.0") or srcipaddress IN ("51.79.199.51","139.99.82.106","38.127.8.49","38.173.30.0","38.173.37.0","38.173.56.0","38.173.57.0","38.173.235.0","38.173.236.0","38.173.239.0")
Note: as written, the seven 38.173.x.0 values match only the network address of each /24 in the IOC list, so traffic to any other host in those ranges is missed. Express each range in the platform's CIDR or address-range syntax rather than as the bare .0 address.
Detection Query 3 (MD5):
md5hash IN ("7df3d7cf3358af3f470ac7229387ef94")
Detection Query 4 (SHA1):
sha1hash IN ("d9799ca2f08af6992dc80c49f9889fef40ed27c7")
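For hunting outside the platform, or for validating what the queries above should return, the following Python matcher is an added example, not Gurucul's query engine or any vendor code. It applies the same indicators to constructed log records whose field names follow the queries (domainname, url, siteurl, srcipaddress, dstipaddress, md5hash, sha1hash; the records and their values are invented) and handles the two points noted above: the 38.173.x.0/24 indicators are matched as networks, and /img/ib99-hq.ico is matched against URL paths. Domains match exactly or as a parent of the observed host, so a look-alike such as notbevictor.com does not trigger on bevictor.com.

```python
"""IOC matcher over constructed log records (added example, not vendor code)."""
import ipaddress
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Indicators copied from the IOC list above.
DOMAIN_IOCS = {
    "broker-xm.com", "pub-a4952b46ff9c4f6b8d5529cd21f9a1e3.r2.dev", "ibiza99.autos",
    "big888.store", "seven77.click", "link99.nova555.rest", "appbox.7y6texmeyy.com",
    "appbox.devh5api27.xyz", "appbox.55u4g5g4k2.com", "99997778.com", "bevictor.com",
}
PATH_IOCS = {"/img/ib99-hq.ico"}  # a URL path, matched against the path component only
IP_IOCS = [ipaddress.ip_network(n) for n in (
    "51.79.199.51", "139.99.82.106", "38.127.8.49",
    "38.173.30.0/24", "38.173.37.0/24", "38.173.56.0/24", "38.173.57.0/24",
    "38.173.235.0/24", "38.173.236.0/24", "38.173.239.0/24",
)]
HASH_IOCS = {
    "md5hash": {"7df3d7cf3358af3f470ac7229387ef94"},
    "sha1hash": {"d9799ca2f08af6992dc80c49f9889fef40ed27c7"},
}

Hit = Tuple[str, str]  # (log field that matched, indicator it matched)


def host_hit(host: str) -> Optional[str]:
    """Exact or subdomain match against the domain indicators."""
    host = host.lower().rstrip(".")
    for d in DOMAIN_IOCS:
        if host == d or host.endswith("." + d):
            return d
    return None


def url_hits(url: str) -> List[str]:
    """Match the host part against domains and the path part against path IOCs."""
    parts = urlsplit(url if "://" in url else "https://" + url)  # scheme needed to split host/path
    hits: List[str] = []
    host = host_hit(parts.hostname) if parts.hostname else None
    if host:
        hits.append(host)
    hits.extend(p for p in PATH_IOCS if parts.path.lower() == p)
    return hits


def ip_hit(ip: str) -> Optional[str]:
    """Return the indicator (single address or CIDR) that contains this address."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    for net in IP_IOCS:
        if addr in net:
            return str(net)
    return None


def match_record(record: Dict[str, str]) -> List[Hit]:
    hits: List[Hit] = []
    if record.get("domainname"):
        d = host_hit(record["domainname"])
        if d:
            hits.append(("domainname", d))
    for field in ("url", "siteurl"):
        if record.get(field):
            hits.extend((field, h) for h in url_hits(record[field]))
    for field in ("srcipaddress", "dstipaddress"):
        if record.get(field):
            net = ip_hit(record[field])
            if net:
                hits.append((field, net))
    for field, iocs in HASH_IOCS.items():
        value = record.get(field, "").lower()  # hashes are case-insensitive hex
        if value in iocs:
            hits.append((field, value))
    return hits


def scan(records: List[Dict[str, str]]) -> List[Tuple[int, str, str]]:
    """(record index, field, indicator) for every hit across the records."""
    return [(i, f, v) for i, r in enumerate(records) for f, v in match_record(r)]


# Constructed sample records; field names follow the detection queries.
SAMPLE_LOGS = [
    {"source": "proxy", "url": "https://www.example.com/"},
    {"source": "proxy", "url": "https://news.example.org/img/ib99-hq.ico"},
    {"source": "dns", "domainname": "cdn.big888.store"},
    {"source": "dns", "domainname": "notbevictor.com"},
    {"source": "firewall", "srcipaddress": "10.0.0.5", "dstipaddress": "38.173.56.77"},
    {"source": "firewall", "srcipaddress": "10.0.0.5", "dstipaddress": "38.173.58.1"},
    {"source": "edr", "sha1hash": "D9799CA2F08AF6992DC80C49F9889FEF40ED27C7"},
]

if __name__ == "__main__":
    for index, field, indicator in scan(SAMPLE_LOGS):
        print(f"record {index} ({SAMPLE_LOGS[index]['source']}): {field} matched {indicator}")
```

Record 4 (38.173.56.77) is the case the flat IN list in Query 2 misses, and record 3 (notbevictor.com) is the false positive a pure substring match would raise.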
Reference:
https://cyble.com/blog/borrowed-trust-cloud-dns-takeover-thai-gambling-seo-poisoning/