- 15,500 domains were actively used to deliver veiled AI investment scams
- Obfuscation ensures that malicious content is only shown to targeted victims
- Commercial tracking software allows cybercriminals to scale operations without building infrastructure
Obfuscation has shifted from a supporting tactic to a central layer of cybercriminal infrastructure, and commercial tools are now widely embedded in large-scale cybercriminal operations.
A four-month analysis of malicious activity by Infoblox and Confiant identified approximately 15,500 domains associated with malicious tracker deployments.
These domains routed traffic from compromised websites, spam messages, social media channels and online advertising ecosystems.
Threat actors leverage commercial tracking software to scale
Instead of building custom systems, many threat actors rely on commercial tracking software that already performs filtering, routing and campaign management functions at scale.
These domains not only host scams, but hide them through cloaking: the malicious content is displayed only to intended victims, while security scanners, researchers and other unwanted visitors are served a benign page.
Cloaking is implemented by a traffic distribution system (TDS), which inspects each visitor's attributes, such as geographic location, device type, user agent and referral source, before deciding which content to serve.
This allows operators to circumvent advertising restrictions while refining the audience that ultimately sees the fraudulent content.
The research describes cloaking as “a fundamental building block of modern cybercrime”, reflecting how deeply integrated it has become in these operations.
It also allows threat actors to shield infrastructure not only from defenders, but also from rival groups seeking to hijack campaigns.
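To make the filtering concrete, here is an added example (not code from the Infoblox/Confiant research or from any real tracking product) of a simplified TDS-style cloaking decision, followed by the differential probe a defender can run against it: fetch the same URL under several personas and flag the URL when the bodies differ. The rule set, the ASN list, the personas and both page bodies are constructed for illustration.

```python
"""Constructed example of TDS-style cloaking and a differential probe.

Not observed campaign logic: the rules, ASNs, personas and pages below are
assumptions chosen to show how attribute-based filtering works and how
fetching under more than one persona exposes it.
"""
import hashlib
from dataclasses import dataclass


@dataclass
class Request:
    country: str      # from client IP geolocation
    user_agent: str
    referer: str
    ip_asn: str       # autonomous system of the client IP


# Markers a cloaker uses to spot scanners and automated fetchers (constructed).
SCANNER_UA_MARKERS = ("bot", "crawler", "spider", "headless", "python-requests", "curl")
# Cloud/datacenter ASNs treated as "not a residential victim" (constructed list).
DATACENTER_ASNS = {"AS15169", "AS16509", "AS8075"}
# Geographies the campaign is targeting (assumed).
TARGET_COUNTRIES = {"DE", "FR", "GB"}
# Referrers expected for traffic arriving through paid ads or social posts.
EXPECTED_REFERERS = ("facebook.com", "doubleclick.net", "t.co")

BENIGN_PAGE = "<h1>Healthy recipes</h1><p>Ten easy dinners.</p>"
SCAM_PAGE = "<h1>Smart AI Trading Technology</h1><p>Guaranteed 30% monthly returns.</p>"


def cloak(req: Request) -> str:
    """Mimic a TDS filter: serve the scam only to traffic that looks like an
    intended victim; every other visitor gets the decoy page."""
    ua = req.user_agent.lower()
    if any(marker in ua for marker in SCANNER_UA_MARKERS):
        return BENIGN_PAGE            # automated fetcher
    if req.ip_asn in DATACENTER_ASNS:
        return BENIGN_PAGE            # cloud IP, likely a scanner
    if req.country not in TARGET_COUNTRIES:
        return BENIGN_PAGE            # outside the targeted geography
    if not any(r in req.referer for r in EXPECTED_REFERERS):
        return BENIGN_PAGE            # direct visit, not an ad/social click
    return SCAM_PAGE


# Detector side: personas that differ in exactly the attributes a TDS keys on.
PERSONAS = {
    "scanner": Request("US", "python-requests/2.31", "", "AS16509"),
    "residential_outside_target": Request(
        "US", "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) Safari/605.1",
        "https://www.facebook.com/", "AS7922"),
    "residential_target_ad_click": Request(
        "DE", "Mozilla/5.0 (Linux; Android 13) Chrome/120.0",
        "https://www.facebook.com/", "AS3320"),
}


def probe(fetch, personas=PERSONAS) -> dict:
    """Fetch one URL under each persona via fetch(req) -> body and compare.

    Returns the per-persona body digests and a verdict: cloaking is suspected
    when the same URL yields more than one distinct body."""
    digests = {
        name: hashlib.sha256(fetch(req).encode()).hexdigest()[:12]
        for name, req in personas.items()
    }
    return {"digests": digests, "cloaked": len(set(digests.values())) > 1}


if __name__ == "__main__":
    print(probe(cloak))
```

In practice `fetch` would perform a real HTTP request from the persona's vantage point (residential egress, matching geolocation, a browser-like user agent and a plausible referrer); the point is that a single fetch from a scanner IP will always see the decoy, so a cloaking check must compare at least one victim-like persona against a scanner-like one.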
Investment scams accounted for the largest share of activity observed across these domains, with a clear emphasis on AI-themed narratives as the primary lure.
Sites often promote automated trading platforms that use phrases like “Smart AI Trading Technology” or “Intelligent Trading Solutions”, often paired with claims of consistent and exceptionally high returns.
In several cases, deepfake images and fabricated media content are used to bolster credibility and create a sense of urgency.
Generative AI tools are also being used to produce large volumes of campaign material programmatically.
This includes headlines, copy and visual assets that can be deployed across multiple domains with minimal variation.
The result is a scalable content pipeline that supports rapid campaign expansion across languages and regions without requiring significant manual effort.
Despite domain reporting by researchers and account suspensions by the operators of the commercial tracking software, the activity shows little sign of slowing.
Operators continue to rotate domains and reuse the same infrastructure with minimal changes, enabling campaigns to bounce back quickly after disruption.
Thousands of active domains within a short window indicate sustained and ongoing activity rather than isolated events.
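Because generated landing pages are deployed across many domains with minimal variation, and because operators rotate domains while reusing the same material, near-duplicate detection is one practical way to tie rotated domains back to one campaign. The following is an added example (not tooling from the research or from any vendor) that groups domains whose page text shares most of its word bigrams. The domain names (`.invalid` placeholders) and page texts are constructed; the similarity threshold is an assumption to tune against real data.

```python
"""Constructed example: cluster domains by near-duplicate landing-page text.

Domains are placeholders and the page texts are invented to resemble
templated AI-trading lures; neither comes from the research.
"""
import re
from itertools import combinations

# Constructed landing-page text captured from five placeholder domains.
PAGES = {
    "alpha-trade.invalid": "Smart AI Trading Technology. Our intelligent trading solutions "
                           "deliver consistent high returns every month. Join today.",
    "beta-invest.invalid": "Smart AI Trading Technology. Our intelligent trading solutions "
                           "deliver consistent high returns every week. Join now.",
    "gamma-profit.invalid": "Intelligent Trading Solutions powered by Smart AI Trading "
                            "Technology deliver consistent high returns. Register today.",
    "recipes.invalid": "Ten easy weeknight dinners your family will love, with step by "
                       "step photos.",
    "delta-capital.invalid": "Smart AI Trading Technology. Our intelligent trading solutions "
                             "deliver consistent high returns every month. Join today.",
}


def shingles(text: str, k: int = 2) -> set:
    """Set of k-word shingles; k=2 tolerates the light rewording a generator produces."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {" ".join(words[i:i + k]) for i in range(len(words) - k + 1)}


def jaccard(a: set, b: set) -> float:
    return len(a & b) / len(a | b) if a | b else 0.0


def cluster(pages: dict, threshold: float = 0.3) -> list:
    """Union-find over domain pairs whose shingle similarity reaches threshold.

    Returns clusters as sorted lists of domains, largest cluster first."""
    parent = {d: d for d in pages}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    sh = {d: shingles(t) for d, t in pages.items()}
    for a, b in combinations(pages, 2):
        if jaccard(sh[a], sh[b]) >= threshold:
            parent[find(a)] = find(b)

    groups = {}
    for d in pages:
        groups.setdefault(find(d), set()).add(d)
    return sorted((sorted(g) for g in groups.values()), key=len, reverse=True)


if __name__ == "__main__":
    for group in cluster(PAGES):
        print(len(group), group)
```

The same grouping can be strengthened with infrastructure features the research highlights, such as a shared tracker hostname or identical redirect chains, but text similarity alone already links a freshly rotated domain to the campaign it belongs to.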
Endpoint protection systems often struggle to detect these campaigns because obfuscated content is only revealed when specific conditions are met.
Firewall controls provide limited coverage when traffic is routed through legitimate advertising and web channels.
Malware removal efforts remain reactive: by the time a victim has been routed through these delivery chains, the damage is usually already done.
Taken together, these limitations mean that standard defences alone cannot reliably stop these attacks, and the risk from cloaking and tracker abuse remains high.