www.sh.consulting
Hazy Hawk Campaign Hijacks Subdomains at 34 US Universities
Ask AI about this cluster
Analyzing cluster data...
Referenced clusters:
Something went wrong. Please try again.
Cluster AI
Ask questions about this threat cluster with AI-powered analysis.
Get Researcher $29.99/moArticle Content
In early April 2026, a coordinated subdomain takeover campaign was discovered, affecting 34 major US universities, including MIT, Harvard, and Stanford. The attackers, identified as Hazy Hawk, exploited abandoned CNAME records to hijack subdomains and serve explicit pornographic spam that was indexed by Google. The attack method involves registering accounts on external platforms that match orphaned subdomains, allowing full control over the content served. This incident highlights a significant security gap in university IT practices, as many institutions fail to maintain a comprehensive inventory of their DNS records. The campaign's impact is extensive, potentially affecting many more universities given the number of abandoned subdomains across the .edu domain space. The Department of Defense Education Activity was also flagged as having a vulnerable domain. The situation remains critical as affected institutions work to regain control of their subdomains.
Key Points: • 34 major US universities had subdomains hijacked by the Hazy Hawk threat actor. • Attackers served explicit content through abandoned CNAME records, indexed by Google. • The incident reveals significant vulnerabilities in university IT management practices.