
Operation TrustTrap Uncovers 16,800 Fake Domains Targeting User Data

Severity: High (Score: 70.6)

Sources: Thecyberexpress, Scworld

Summary

Cyble Research and Intelligence Labs (CRIL) has identified Operation TrustTrap, a large domain spoofing campaign involving over 16,800 fraudulent domains that mimic legitimate U.S. government portals, particularly those related to transportation services. The operation, which began in early 2026, harvests sensitive user data through credential and payment card phishing. Attackers used subdomain trust injection, embedding government-like tokens in subdomains to deceive users. Most of the malicious domains were hosted on Tencent Cloud and Alibaba Cloud APAC, and they often used top-level domains such as .cc, .cfd and .bond to evade detection. While primarily targeting the U.S., the campaign also impersonated government portals in the UK, India and Vietnam. Researchers have linked the operation to the Pakistan-based threat group APT36, also known as Transparent Tribe. The complexity of the attack lies not in advanced hacking techniques but in exploiting human cognitive biases in URL interpretation.

Key Points

  • Operation TrustTrap involves over 16,800 fake domains targeting U.S. government services.
  • Attackers used subdomain trust injection to deceive users into providing sensitive information.
  • The campaign is linked to the Pakistan-based threat group APT36.
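
The subdomain trust injection described above can be caught with a hostname heuristic. The following is an added example, not CRIL's or the reporting sites' code: it assumes an illustrative list of trusted government suffixes and transport-style authority tokens (both constructed), uses the .cc/.cfd/.bond TLDs the report names, and flags hosts where a government token sits in the subdomain rather than the registrable domain.

```python
import re

# Constructed, illustrative lists (assumptions, not taken from the report).
# Government suffixes trusted only when they form the registrable domain, longest first.
TRUSTED_GOV_SUFFIXES = ("gov.in", "gov.uk", "gov.vn", "gov")
# TLDs the report says the campaign favoured to evade detection.
ABUSED_TLDS = {"cc", "cfd", "bond"}
# Transport-flavoured tokens (assumed) that lend false authority inside a subdomain.
TRUST_TOKENS = {"dmv", "dot", "tolls"}


def split_host(host: str):
    """Return (subdomain_labels, registrable_domain).

    Assumes a two-label registrable domain, or three when the last two labels
    form a multi-label suffix such as gov.in; production code would use the
    Public Suffix List instead.
    """
    labels = host.lower().strip(".").split(".")
    n = min(3 if ".".join(labels[-2:]) in TRUSTED_GOV_SUFFIXES else 2, len(labels))
    return labels[:-n], ".".join(labels[-n:])


def is_trusted_gov(registrable: str) -> bool:
    """True when the registrable domain itself sits directly under a trusted suffix."""
    return ".".join(registrable.split(".")[1:]) in TRUSTED_GOV_SUFFIXES


def classify(host: str) -> list:
    """Return the reasons a hostname looks like subdomain trust injection.

    An empty list means the host is a genuine government domain or shows none
    of the report's indicators.
    """
    sub, reg = split_host(host)
    if is_trusted_gov(reg):
        return []
    reasons, sub_str = [], ".".join(sub)
    # A trusted suffix smuggled into the subdomain, e.g. mass.gov.example.cc or
    # dmv-wa-gov.example.bond; dots and hyphens are treated alike, as a skimming eye does.
    for suffix in TRUSTED_GOV_SUFFIXES:
        pat = r"(^|[.-])" + re.escape(suffix).replace(r"\.", "[.-]") + r"($|[.-])"
        if re.search(pat, sub_str):
            reasons.append(f"trusted suffix '{suffix}' injected into subdomain")
            break
    for tok in sorted(set(re.split(r"[.-]", sub_str)) & TRUST_TOKENS):
        reasons.append(f"authority token '{tok}' in subdomain")
    tld = reg.rsplit(".", 1)[-1]
    if tld in ABUSED_TLDS:
        reasons.append(f"abuse-prone TLD .{tld}")
    return reasons
```

Run `classify()` over hostnames from DNS or proxy logs; genuine portals such as mass.gov return an empty list, while a lookalike such as mass.gov.example.cc is flagged for both the injected suffix and the TLD.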

Key Entities

  • APT36 (apt_group)
  • Transparent Tribe (apt_group)
  • Data Breach (attack_type)
  • Phishing (attack_type)
  • Operation TrustTrap (campaign)
  • India (country)
  • Singapore (country)
  • United Kingdom (country)
  • United States (country)
  • Vietnam (country)
  • gname.com (domain)
  • gov.in (domain)
  • mass.gov (domain)
  • wa.gov (domain)
  • Government (industry)
  • T1566.002 - Spearphishing Link (mitre_attack)
  • Alibaba Cloud (company)
  • Tencent Cloud (platform)