Hazy Hawk Campaign Hijacks Subdomains at 34 US Universities

Hazy Hawk Campaign Hijacks Subdomains at 34 US Universities

First seen 20 Apr 2026, 18:30 UTC Edscoopwww.sh.consulting 83% similarity 66.0

Article Content

Browse articles
ThreatCluster

In early April 2026, a coordinated subdomain takeover campaign was discovered, affecting 34 major US universities, including MIT, Harvard, and Stanford. The attackers, identified as Hazy Hawk, exploited abandoned CNAME records to hijack subdomains and serve explicit pornographic spam that was indexed by Google. The attack method involves registering accounts on external platforms that match orphaned subdomains, allowing full control over the content served. This incident highlights a significant security gap in university IT practices, as many institutions fail to maintain a comprehensive inventory of their DNS records. The campaign's impact is extensive, potentially affecting many more universities given the number of abandoned subdomains across the .edu domain space. The Department of Defense Education Activity was also flagged as having a vulnerable domain. The situation remains critical as affected institutions work to regain control of their subdomains.

Key Points: • 34 major US universities had subdomains hijacked by the Hazy Hawk threat actor. • Attackers served explicit content through abandoned CNAME records, indexed by Google. • The incident reveals significant vulnerabilities in university IT management practices.

ThreatCluster AI

Timeline

2026-04-01
Discovery of subdomain takeover campaign by Alex Shakhov
2026-04-20
Articles published detailing the hijacking incident

Community

Browse all →