Infoblox Threat Intel
Horrid Hawk
Horrid Hawk is a financially motivated threat actor that uses hijacked domains to prey on consumers through investment scams.
Since at least February 2023, the threat actor has embedded thousands of hijacked domains in short-lived Facebook ads that span multiple continents and target victims in more than 30 languages, including English, Italian, Polish, Turkish and Spanish.
The actor uses the Sitting Ducks attack vector to hijack domains for investment scams. The domains typically have positive reputations that Horrid Hawk uses to shield their fraudulent investment sites from security researchers and other unwanted web visitors.
Infoblox has identified close to 5,000 hijacked domains linked to this actor as of October 2024.
- Operating since: At least February 2023
- Infoblox discovered: June 2024
- Infoblox published: November 2024
- Prevalence: Uncommon
Read Infoblox’s Threat Intelligence Research Report to learn how and why Hawks and Vipers execute new Sitting Ducks attacks.