Executive Summary
Cyble Research and Intelligence Labs (CRIL) identified a campaign of over 16,800 malicious domains active since early 2026. It uses a potent technique — embedding government labels as subdomains to fake trust without DNS authority. We have dubbed this ‘Operation TrustTrap’.
Spoofed portals resolve to infrastructure concentrated across Tencent Cloud and Alibaba Cloud APAC nodes, impersonating citizen-facing government services across several US states, with targeting extending into India, Vietnam, and UK-adjacent geographies. A distinct infrastructure cluster within the dataset we investigated carries TTPs consistent with APT36.
The campaign’s sophistication isn’t in technical exploits but in exploiting how humans interpret web addresses. Attackers no longer compete with security controls at the binary level but target the cognitive layer—when a user’s eye scans a URL and decides whether to click.
Key Takeaways
- 16,800 unique malicious domains identified across major US states and agencies
- Domains weaponize the visual trust of “*.gov” by positioning it in non-root subdomain positions
- Three distinct obfuscation classes: subdomain injection, hyphen manipulation, and combined abuse
- Infrastructure clustering reveals overlapping IPs concentrated in Tencent Cloud ASNs (China)
- Campaign extends beyond the US to India, Vietnam, and NHS-themed lures in the UK
- Over 62% of these domains had very few detections on VirusTotal
- Registrar concentration: Gname.com Pte. Ltd. dominant; TLDs of choice were .bond, .cc, .cfd
- Infrastructure and TTPs show consistency with known government-targeting threat clusters
- A distinct APT36-consistent infrastructure cluster identified within the dataset targeting Indian Government Entities
Campaign overview
| Attribute | Detail |
|---|---|
| Campaign Start | Early 2026 |
| Primary Objective | Credential and payment card harvesting via government portal impersonation |
| Targeted Regions | United States, India, Vietnam, UK-Adjacent |
| Impersonated Entities | National or State portals, toll systems, vehicle registration services |
| Primary Hosting | Tencent Cloud, Alibaba Cloud APAC |
| Primary Registrar | Gname.com Pte. Ltd., Dominet (HK) Limited, NameSilo LLC |
| TLD Profile | .bond (51.6%), .cc (20.3%), .cfd (13.1%), .top (3.0%), .click (2.8%) |
| Domain Obfuscation Techniques | Subdomain trust injection, hyphen-based semantic disruption, deliberate state-name typosquatting, and combined obfuscation with contextual amplifiers |
| Key Behavior | Spoofed government portals engineered to exploit visual trust in .gov-containing URLs; domains position legitimate government tokens in non-root subdomain positions to bypass blocklist and regex detection; victims directed via SMS or email lures to fake portals mimicking citizen-facing services; designed for credential and payment card harvesting |
| APT groups | APT36 (Transparent Tribe) |
A routine sweep by Cyble Research and Intelligence Labs (CRIL) uncovered a coordinated infrastructure of over 16,800 malicious domains. These domains were designed to make fraudulent URLs appear as government websites.
Our expanded search yielded infrastructure correlation, registrar clustering, certificate metadata, and shared hosting IP analysis. The campaign grew from dozens to thousands of domains, ultimately producing a dataset of 16,800 confirmed malicious domains with a consistent construction logic.
What Are These Domains Actually Used For?
Though several domains appear to be benign at the point of registration — serving no active content — they function as a pre-provisioned operational reserve. Domains are registered in bulk and held dormant until a campaign wave is triggered. At this point, they are rapidly activated to host government-themed phishing portals designed to harvest credentials and device information.
A subset operates as staging infrastructure, dynamically loading second-stage payloads — credential exfiltration endpoints or malicious scripts — after the victim has already landed on the spoofed page. This separation between the delivery domain and the payload host is deliberate: it keeps the user-facing URL clean while the actual malicious logic lives one layer deeper, significantly narrowing the window for detection and takedown.
Targeting Geography: Who Is Being Impersonated?
Analysis of the 16,800 domains reveals a heavily US-centric campaign, with systematic coverage of virtually every US state. The targeting is not random — it skews toward states with high-volume citizen-facing digital services, particularly Department of Motor Vehicles (DMV) portals, toll payment systems, and vehicle registration renewals. These are services characterized by time-sensitive transactions, financial exchange, and strong citizen familiarity — ideal conditions for social engineering.
Top Targeted US Entities
| Entity / State | Impersonation Pattern | Domain Count |
|---|---|---|
| Washington State | wa.gov-[id].*, www.wa.gov-[id].* | 797 |
| California | ca.gov-[id].*, california.gov-[id].* | 722 |
| Florida (FLHSMV) | flhsmv.gov-[id].*, flhsmu.gov-[id].* | 722 |
| Georgia | georgia.gov-[id].*, ga.gov-[id].* | 715 |
| Massachusetts | mass.gov-[id].*, www.mass.gov-[id].* | 697 |
| Michigan | michigan.gov-[id].*, mi.gov-[id].* | 591 |
| Arizona | az.gov-[id].*, arizona.gov-[id].* | 494 |
| Colorado | colorado.gov-[id].*, co.gov-[id].* | 440 |
| Texas | tx.gov-[id].*, txdmv.gov-[id].* | 414 |
| Oklahoma | oklahoma.gov-[id].*, ok.gov-[id].* | 399 |
Beyond the United States: International Footprint
While the campaign is overwhelmingly US-focused, CRIL identified targeting extending into at least three additional geographies:

The variants targeting India are particularly noteworthy from a threat intelligence perspective. The pattern www.in.gov-[id].bond specifically mimics the structure of Indian government portals (which use the *.gov.in TLD convention) through subdomain injection — consistent with the analytical framework CRIL has described as trust-token positioning attacks.
Registrar Dominance
Gname.com remains dominant, but two additional registrars were identified across the extended dataset.
Dominet (HK) Limited, a Hong Kong-based registrar with a documented history of abuse across multiple phishing campaigns, accounts for 10.5% of the analyzed domains.
NameSilo, LLC accounts for a small fraction. Still, its presence alongside the primary registrars suggests the operator is diversifying provisioning sources, likely to reduce the risk of bulk registrar-level takedowns.
| Registrar | Share |
|---|---|
| Gname.com Pte. Ltd. | 70.3% |
| Unknown / Redacted | 18.4% |
| Dominet (HK) Limited | 10.5% |
| NameSilo, LLC | 0.8% |
The concentration of infrastructure in Tencent and Alibaba Cloud ASNs is a notable attribution signal. The registrar pattern, particularly the dominance of Gname.com, a Singapore-based registrar with a significant Chinese customer base, combined with the APAC IP clustering, points to an operator or operator group with consistent access to low-cost Chinese cloud infrastructure.
Operational Lifecycle
Domains observed returning active HTTP 200 responses and live phishing content in early April 2026 were fully unresolvable by late April 2026.
This confirms the rapid rotation lifecycle the campaign relies on: domains are activated for a narrow operational window and then abandoned or rotated, deliberately narrowing the time available for detection, blocklist addition, and takedown.
Deceptive Domain Spoofing: Core Technique Breakdown
Technique 1: Subdomain Trust Injection
The most prevalent technique in the dataset involves embedding a legitimate-looking government domain token — such as mass.gov, wa.gov, or az.gov — in the leftmost subdomain position of a fraudulent domain.

The critical structural insight: in every legitimate government URL, the .gov component appears as a top-level domain directly before the rightmost domain separator. In the malicious variants, gov appears as part of a subdomain label. The DNS authority rests entirely with the registrant of the rightmost domain — not with any government entity.
Technique 2: Hyphen-Based Semantic Manipulation
A second class of obfuscation weaponizes the hyphen character to break known trust tokens into subtly altered, yet visually similar, forms. By inserting hyphens at strategic positions within familiar government identifiers, attackers construct strings that resist regex-based detection while remaining legible to the human eye.

Technique 3: Combined Obfuscation Strategy
The domains in this dataset combine both techniques: subdomain trust injection with hyphen manipulation, alongside innocuous-sounding benign word insertion. This layered approach maximizes deception while minimizing the technical footprint:
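The three techniques above reduce to one structural question: where does the `gov` token sit relative to the registered domain (eTLD+1)? The following Python is an added example, not code from the Cyble report. It splits a hostname with a small, constructed public-suffix table (a production tool would use the full Public Suffix List via `tldextract` or `publicsuffix2`), then labels each hostname with this example's own class names for the three techniques: `subdomain_injection`, `hyphen_manipulation`, and `benign_word_amplifier`. The identifiers after `gov-` in the samples are made up; `nia.gov.in.in3ymonaq.casa` and `mass.gov-pulk.cc` are taken from the report's figures.

```python
"""Trust-token positioning check for hostnames (added example, not Cyble code)."""
import re

# Constructed subset of the public suffix list; use the full list in production.
PUBLIC_SUFFIXES = {
    "gov", "gov.in", "gov.uk", "co.uk", "com", "in", "uk",
    "bond", "cc", "cfd", "top", "click", "casa",
}
# Suffixes under which a 'gov' label actually carries DNS authority.
GOV_SUFFIXES = {"gov", "gov.in", "gov.uk"}
# Innocuous labels the report describes as deception amplifiers (constructed set).
AMPLIFIERS = {"www", "portal", "pay", "secure", "login"}

HYPHEN_GOV = re.compile(r"(^|-)gov(-|$)")


def split_hostname(hostname: str):
    """Return (subdomain_labels, registered_domain_labels)."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) < 2 or "" in labels:
        raise ValueError(f"not a fully qualified hostname: {hostname!r}")
    suffix_len = 1
    # Longest public suffix wins; it must leave at least one label for the registrant.
    for n in range(min(len(labels) - 1, 3), 0, -1):
        if ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            suffix_len = n
            break
    cut = len(labels) - (suffix_len + 1)
    return labels[:cut], labels[cut:]


def registered_domain(hostname: str) -> str:
    """The eTLD+1: the only part of the name the registrant actually controls."""
    return ".".join(split_hostname(hostname)[1])


def classify(hostname: str):
    """Sorted list of abuse classes found; empty for a clean name."""
    sub, reg = split_hostname(hostname)
    if ".".join(reg[1:]) in GOV_SUFFIXES:
        return []  # 'gov' is in the authoritative position: nothing to flag
    classes = set()
    # Technique 1: 'gov' as a whole label left of the registered domain, or a
    # subdomain label abutting a registered label that starts with 'gov', so
    # that '<state>.gov' is spelled across the label boundary.
    if "gov" in sub or (sub and re.match(r"gov(-|$)", reg[0])):
        classes.add("subdomain_injection")
    # Technique 2: 'gov' joined to other characters by hyphens inside a label.
    if any("-" in label and HYPHEN_GOV.search(label) for label in sub + [reg[0]]):
        classes.add("hyphen_manipulation")
    # Technique 3 amplifier: benign-looking labels placed in front of the deception.
    if classes and AMPLIFIERS.intersection(sub):
        classes.add("benign_word_amplifier")
    return sorted(classes)


if __name__ == "__main__":
    # Constructed sample: two legitimate positions, then report-style patterns.
    for host in ["www.mass.gov", "nia.gov.in", "nia.gov.in.in3ymonaq.casa",
                 "mass.gov-pulk.cc", "www.in.gov-x7q2.bond", "govern.example.com"]:
        print(f"{host:30} eTLD+1={registered_domain(host):20} {classify(host)}")
```

The check deliberately ignores what the registrant's label looks like and only asks whether `gov` is in the authoritative position; that is what makes it robust against the regex-evading variants (`govern.example.com` is left alone, while `nia.gov.in.in3ymonaq.casa` is flagged even though it contains a perfectly formed `gov.in`).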

Active Phishing URL Structure
Active phishing URLs observed across the infrastructure consistently used a double-query-string parameter pattern: ?var1=xxxxx?var2=xxxxx.
This structure serves as a session-tracking mechanism, assigning unique identifiers to individual victims to monitor engagement. Its consistent use across hundreds of URLs confirms an organized, kit-driven operation rather than manually managed individual campaigns.
Path structures observed across active URLs confirm the agency-specific targeting:
- /dmv (Department of Motor Vehicles)
- /mvd (Motor Vehicle Division)
- /dol (Department of Licensing)
- /dot (Department of Transportation)
- /mve (Motor Vehicle Enforcement)
- /mvc (Motor Vehicle Commission)
- /rmv (Registry of Motor Vehicles)
Each path maps to the specific agency being impersonated by the subdomain prefix.
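The double-query-string shape matters for tooling because `urlsplit` stops at the first `?`, so a standard parser folds `?b=...` into the value of the first parameter and the session-tracking pair is lost. The following Python is an added example, not code from the Cyble report: it refangs a defanged URL, maps the first path segment to the agency listed above, and recovers both query pairs. The host and path of the first sample follow Figure 6; the parameter names and identifier values are constructed.

```python
"""Parser for the kit-driven URL shape (added example, not Cyble code)."""
from urllib.parse import urlsplit, parse_qsl

# Path prefixes and the agencies the report maps them to.
AGENCY_PATHS = {
    "dmv": "Department of Motor Vehicles",
    "mvd": "Motor Vehicle Division",
    "dol": "Department of Licensing",
    "dot": "Department of Transportation",
    "mve": "Motor Vehicle Enforcement",
    "mvc": "Motor Vehicle Commission",
    "rmv": "Registry of Motor Vehicles",
}


def refang(url: str) -> str:
    """Undo the usual analyst defanging (hxxp, [.], [:])."""
    return url.replace("hxxp", "http").replace("[.]", ".").replace("[:]", ":")


def analyze_url(url: str) -> dict:
    parts = urlsplit(refang(url.strip()))
    path = parts.path.strip("/")
    first_segment = path.split("/")[0].lower() if path else ""
    # urlsplit stops at the first '?', so any further '?' survives inside
    # .query; split on it to recover each tracking pair separately.
    segments = parts.query.split("?") if parts.query else []
    params = {}
    for seg in segments:
        for key, value in parse_qsl(seg, keep_blank_values=True):
            params.setdefault(key, value)
    double_query = len(segments) >= 2
    agency = AGENCY_PATHS.get(first_segment)
    return {
        "host": parts.hostname,
        "agency_path": first_segment or None,
        "agency": agency,
        "double_query": double_query,
        "params": params,
        # Agency path plus double query string is the kit fingerprint described above.
        "kit_pattern": double_query and agency is not None,
    }


if __name__ == "__main__":
    # Constructed samples: one report-style phishing URL, one ordinary URL.
    for sample in ["hxxps://mass.gov-pulk[.]cc/rmv/c_pay.html?s=a1b2c3?t=d4e5f6",
                   "https://www.mass.gov/rmv?page=1"]:
        print(analyze_url(sample))
```

A `?` inside a query string is legal per RFC 3986, so the pattern is not a parse error and will not be rejected upstream; it has to be looked for explicitly, which is why `double_query` is surfaced as its own field.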
Examples of active phishing portals are shown below (Figures 5 and 6).

![Figure 6: Payment card harvesting form (mass.gov-pulk[.]cc/rmv/c_pay.html)](https://cyble.com/wp-content/uploads/2026/04/figure6-1024x768.png)
APT36 Infrastructure Cluster: Attribution Signals
During infrastructure correlation, CRIL identified a distinct cluster of domains exhibiting TTPs consistent with APT36 (also tracked as Transparent Tribe, ProjectM, and TEMP.Lapis) — a Pakistan-nexus threat actor with a well-documented history of targeting Indian government entities, defense personnel, and diplomatic infrastructure.
![Figure 7: APT36 impersonating NIA, India, operating at nia[.]gov[.]in[.]in3ymonaq[.]casa](https://cyble.com/wp-content/uploads/2026/04/figure7.png)
The attribution is assessed with moderate-to-high confidence based on the convergence of the following signals across the cluster:
- Campaign overlap: Lure themes targeting Indian government portals align directly with APT36’s documented preference for spoofing Indian ministry and defense-adjacent web properties
- Infrastructure reuse: Shared hosting IPs (particularly within the Tencent Cloud and Alibaba APAC ASN ranges) overlap with previously documented APT36 staging infrastructure observed in 2024–2025 campaigns
- TLD and registrar pattern: The .bond and .cc TLD preference, combined with Gname.com registration, is consistent with APT36’s known operational playbook for disposable domain provisioning
- Target geography correlation: The India-specific trust injection pattern reflects the threat actor with specific knowledge of how Indian government URLs are structured (*.gov.in) and how to exploit that structure visually
- Subdomain construction logic: The random suffix characters mirror the automated domain-generation behavior documented in prior APT36 bulk registration events.
Conclusion
Operation TrustTrap is a coordinated campaign involving 16,800 malicious domains across all US states, as well as India, Vietnam, and the UK, often using UK-themed lures.
The campaign exploits visual and cognitive trust mechanisms rather than technical vulnerabilities, rendering traditional detection methods ineffective.
The shift from domain spoofing to trust-layer manipulation represents a meaningful evolution in adversarial capability that demands a corresponding evolution in defensive architecture. Pattern-driven discovery, eTLD+1-aware detection tooling, intent-based domain risk scoring, and revised security awareness programs are the pillars of an adequate response.
CRIL will track this campaign cluster and update IoCs as new infrastructure emerges. All indicators have been submitted to Cyble’s threat feeds and are accessible to Vision platform customers for blocking and correlation.
Organizations, especially those in US state governments, transportation agencies, and DMV-like services, should view this campaign as an active threat and prioritize detection and review against the failure modes outlined in this report.
Recommendations
Based on the findings presented above, CRIL recommends the following actions for immediate consideration by security teams and organizations:
- Implement eTLD+1-aware URL parsing across all email security, proxy, and endpoint controls.
- Build or acquire detection rules that evaluate the structural position of government trust tokens, not merely their string presence.
- Apply domain risk scoring that weights registrar identity, TLD, hosting ASN, and domain registration age as compounding signals.
- Integrate campaign-cluster pivoting from confirmed IoCs into threat hunting workflows, using shared IP resolution as the primary pivot axis.
- Revise security awareness materials to teach structural URL interpretation, with a specific focus on identifying the root registered domain as distinct from subdomain labels.
- For organizations in the transport, DMV, and toll payment space: issue proactive advisories to users stating that official payment communications will never be delivered via SMS with embedded URLs.
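One way to turn the risk-scoring recommendation into code, as an added example that is not Cyble's scoring model: the signal lists (registrars, TLDs, hosting providers) follow the report's findings, but the weights, thresholds, and the compounding rule are constructed for illustration and should be tuned on local telemetry. The ASN organisation strings in the samples are also constructed.

```python
"""Compounding domain risk score (added example, not Cyble's model)."""

# Weights per signal (constructed). Registrar and TLD names follow the report.
TLD_WEIGHTS = {"bond": 25, "cc": 25, "cfd": 25, "top": 15, "click": 15}
REGISTRAR_WEIGHTS = {
    "gname.com pte. ltd.": 20,
    "dominet (hk) limited": 20,
    "namesilo, llc": 10,
}
ASN_ORG_WEIGHTS = {"tencent": 15, "alibaba": 15}  # substring match on ASN organisation
STRUCTURE_WEIGHT = 15  # per trust-token abuse class, capped below
STRUCTURE_CAP = 30
BLOCK_AT, REVIEW_AT = 80, 40


def score_domain(record: dict) -> dict:
    """record keys: domain, registrar, asn_org, age_days, structure_classes (list)."""
    signals = []
    tld = record["domain"].rsplit(".", 1)[-1].lower()
    if tld in TLD_WEIGHTS:
        signals.append(("tld", TLD_WEIGHTS[tld]))
    registrar_weight = REGISTRAR_WEIGHTS.get(record.get("registrar", "").lower())
    if registrar_weight:
        signals.append(("registrar", registrar_weight))
    asn_org = record.get("asn_org", "").lower()
    for needle, weight in ASN_ORG_WEIGHTS.items():
        if needle in asn_org:
            signals.append(("hosting_asn", weight))
            break
    age = record.get("age_days")
    if age is not None and age < 30:
        signals.append(("age_lt_30d", 25))
    elif age is not None and age < 90:
        signals.append(("age_lt_90d", 10))
    structure = record.get("structure_classes") or []
    if structure:
        signals.append(("structure", min(STRUCTURE_CAP, STRUCTURE_WEIGHT * len(structure))))
    base = sum(weight for _, weight in signals)
    # Compounding: each additional independent signal scales the total by 25%,
    # so weak signals that co-occur are treated as stronger than their sum.
    multiplier = 1 + 0.25 * (len(signals) - 1) if len(signals) > 1 else 1
    score = min(100, round(base * multiplier))
    verdict = "block" if score >= BLOCK_AT else "review" if score >= REVIEW_AT else "allow"
    return {"domain": record["domain"], "score": score, "verdict": verdict, "signals": signals}


if __name__ == "__main__":
    # Constructed records: one report-style domain, one established domain,
    # one new domain with weak signals only.
    samples = [
        {"domain": "gov-pulk.cc", "registrar": "Gname.com Pte. Ltd.",
         "asn_org": "Tencent Cloud Computing (Beijing) Co., Ltd.", "age_days": 5,
         "structure_classes": ["hyphen_manipulation", "subdomain_injection"]},
        {"domain": "example.com", "registrar": "MarkMonitor Inc.",
         "asn_org": "Cloudflare, Inc.", "age_days": 4000, "structure_classes": []},
        {"domain": "newshop.top", "registrar": "NameSilo, LLC",
         "asn_org": "Hetzner Online GmbH", "age_days": 10, "structure_classes": []},
    ]
    for rec in samples:
        print(score_domain(rec))
```

The compounding multiplier is the point of the example: a young `.top` domain at a low-weight registrar lands in `review` rather than `allow` because three weak signals coincide, while a report-style domain saturates the score on structure and age alone.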
The need for a proactive cyberdefense stance
The current threat landscape includes a multitude of Social Engineering campaigns. Security teams need more than reactive controls to keep ahead of these.
Solutions such as Cyble Vision deliver operational intelligence that enables defenders to stay ahead of adversaries through early detection, campaign-level visibility, and infrastructure mapping.
Cyble Vision specifically empowers security teams to move beyond isolated detection, providing the strategic insight needed to anticipate threats, monitor adversary activity, and respond with precision at every stage of the attack lifecycle. Security teams can take necessary preventive action with the help of:
- Real-Time IOC Monitoring: Enable continuous tracking of indicators tied to adversary infrastructure, before they reach end users.
- Credential Phishing Infrastructure Mapping: Map attacker-controlled infrastructure, including fake authentication portals, dynamic exfiltration endpoints, and backend logic designed to capture credentials.
- Brand and Executive Impersonation Monitoring: Detect domain spoofing and impersonation attempts targeting internal functions such as HR and Finance, often used to increase trust and exploit user familiarity.
- Deep and Dark Web Visibility: Surface chatter, leaked credentials, and phishing toolkits from deep/dark web sources, offering early insight into attacker preparation and target selection.
- Global Targeting Intelligence: Track phishing activity across global regions, including North America, EMEA, and APAC, as well as over 70 industry sectors, providing defenders with contextual understanding of targeting patterns.
- Threat Actor Attribution and TTP Correlation: Associate infrastructure, techniques, and behavioral patterns with known threat actors, empowering security teams to prioritize response based on adversary capability and intent.
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Procedure |
|---|---|---|
| Resource Development | T1583.001 – Acquire Infrastructure: Domains | Mass registration of lookalike government domains across .bond, .cc, and .cfd TLDs via low-cost registrars. |
| Initial Access | T1566.002 – Phishing: Spearphishing Link | Delivery of malicious URLs via SMS (smishing) and email, leveraging government-themed lures to redirect victims to spoofed portals. |
| Credential Access | T1598.003 – Phishing for Information: Spearphishing Link | Credential harvesting through fake government service portals such as DMV, toll payments, and vehicle registration sites. |
| Defense Evasion | T1036.005 – Masquerading: Match Legitimate Name or Location | Embedding legitimate .gov-like tokens within domain structures to impersonate trusted government infrastructure. |
| Command and Control | T1071.001 – Application Layer Protocol: Web Protocols | Use of HTTPS with TLS certificates from low-cost issuers to make phishing and exfiltration infrastructure appear legitimate. |
| Resource Development | T1584.001 – Compromise Infrastructure: Domains | Use of APAC-based cloud providers (e.g., Tencent, Alibaba Cloud) to host phishing infrastructure with rapid scaling and deployment. |
Indicators of Compromise (IOCs)
The IOCs have been added to this GitHub repository. Please review and integrate them into your Threat Intelligence feed to enhance protection and improve your overall security posture.