Operation TrustTrap: Anatomy of a Large-Scale Deceptive Domain Spoofing Campaign

Khushal

Apr 4, 2024
Operation TrustTrap: 16,800 malicious domains embed .gov tokens in subdomains to spoof US 🇺🇸 state agencies, with APT36 🇵🇰 cluster targeting India 🇮🇳. Campaign exploits cognitive trust rather than technical vulnerabilities.

Key findings:
• Domains use subdomain injection (wa.gov-[id].bond) to bypass detection while appearing legitimate to users
• 70% registered via GNAME, hosted on Tencent/Alibaba Cloud 🇨🇳 APAC infrastructure
• Targets DMV, toll systems across all US states plus India 🇮🇳, Vietnam 🇻🇳, UK 🇬🇧 extensions
• APT36-linked cluster uses nia[.]gov[.]in[.]in3ymonaq[.]casa pattern for Indian government spoofing
• Active campaigns show double query string (?var1=xxxxx?var2=xxxxx) for victim tracking

Detection gaps:
• 62% had minimal VirusTotal detections due to structural vs string-based evasion
• Rapid 2-week operational windows before domain abandonment
• Path structures mirror real agencies: /dmv, /mvd, /dol, /dot for targeted impersonation
 
This is a credible and important example of social engineering through domain structure, not a browser or OS exploit.

What makes this campaign effective

  • The attacker is abusing visual trust, not a software vulnerability.
  • A domain like wa.gov-example.bond is not a Washington state government domain, but many users will only notice the "wa.gov" part.
  • This works because people often scan URLs from left to right and assume familiar government tokens mean legitimacy.

Why the detection gap matters

Low VirusTotal detections in cases like this are plausible because:

  • The main signal is the naming pattern and delivery logic, not always a known malware payload.
  • Short-lived domains can disappear before many vendors fully classify them.
  • If a page is mostly phishing content or redirects, traditional signature-based engines may lag behind.

That said, VirusTotal detection counts alone should not be treated as proof that a domain is safe or malicious. They are only one indicator.

Key technical takeaway

The most important rule is this:

  • The real registered domain is the part immediately before the public suffix/TLD.
  • In wa.gov-123.bond, the actual domain is gov-123.bond, not wa.gov.
  • In nia.gov.in.in3ymonaq.casa, the actual domain is in3ymonaq.casa, not gov.in.

So the spoof works by pushing trusted government terms into subdomains or longer labels where users may misread them.

Why this is hard for users and defenders

  • Users often rely on visual familiarity instead of parsing the effective top-level domain plus one.
  • Many filters still weigh obvious keywords heavily, which can be bypassed by moving those keywords into subdomains.
  • Short campaign lifetimes reduce the time available for blocklists and reputation systems to react.

Practical defensive measures

For users:

  • Do not trust a URL just because it contains ".gov" somewhere in the hostname.
  • Verify the base domain carefully before entering credentials or payment details.
  • Access agencies through bookmarks or manually typed official portals instead of ad links, SMS links, or email links.

For defenders:

  • Train users to identify the registrable domain, not just familiar tokens in the full hostname.
  • Flag hostnames that embed trusted brands or government strings to the left of an unrelated base domain.
  • Review newly registered domains and short-lived infrastructure patterns in phishing detection pipelines.
  • Correlate suspicious paths such as /dmv, /dol, /dot, /mvd, especially when paired with unrelated TLDs.

About the attribution point

The APT36 reference should be treated cautiously unless supported by strong public evidence. Infrastructure overlap or naming similarity can be useful leads, but attribution is often less certain than campaign behavior. The phishing methodology itself is the more actionable part for most defenders.

Bottom line

This campaign highlights how effective cognitive spoofing can be. The core defense is to validate the actual registrable domain, because trusted-looking subdomains can be completely attacker-controlled.
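As an added worked example (not from the original post or the report it summarises), the following Python ties together the registrable-domain rule from "Key technical takeaway" and the hostname, path and double-query flags from "For defenders". The public suffix set is a constructed subset sufficient for the hostnames quoted in the thread; the sample URLs are constructed to match the quoted patterns.

```python
import re
from urllib.parse import urlsplit

# Constructed subset of the Public Suffix List (publicsuffix.org), just enough
# for the hostnames quoted in this thread; a production check loads the full list.
PUBLIC_SUFFIXES = {"gov", "gov.in", "in", "gov.uk", "uk", "gov.vn", "vn",
                   "com", "bond", "casa"}
# Public suffixes in which a "gov" token is legitimately part of the namespace.
GOV_SUFFIXES = {"gov", "gov.in", "gov.uk", "gov.vn"}
# Agency-style first path segments named in the report.
AGENCY_PATHS = {"dmv", "mvd", "dol", "dot"}


def registrable_domain(host):
    """Return (registrable domain, public suffix) by longest-suffix match:
    the label immediately left of the public suffix, plus the suffix itself."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in PUBLIC_SUFFIXES:
            if i == 0:
                return None, suffix           # host is itself a public suffix
            return ".".join(labels[i - 1:]), suffix
    return ".".join(labels[-2:]), labels[-1]  # unknown TLD: best-effort fallback


def assess_url(url):
    """Flag the TrustTrap pattern: a 'gov' token somewhere in the hostname while
    the registrable domain sits under a non-government public suffix, plus the
    agency-path and doubled '?' markers described in the report."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    reg, suffix = registrable_domain(host)
    # Split on dots *and* hyphens so "gov-123" yields the token "gov".
    tokens = set(re.split(r"[.-]", host.lower()))
    first_path = parts.path.strip("/").split("/")[0].lower()
    return {
        "host": host,
        "registrable": reg,
        "gov_token_outside_gov_suffix": "gov" in tokens and suffix not in GOV_SUFFIXES,
        "agency_path": first_path in AGENCY_PATHS,
        "double_query": "?" in parts.query,   # ?var1=...?var2=... tracking marker
    }


if __name__ == "__main__":
    # Constructed sample URLs modelled on the patterns quoted in the thread.
    for u in ("https://dol.wa.gov/renew",
              "https://wa.gov-123.bond/dmv?id=abc123?src=sms",
              "https://nia.gov.in.in3ymonaq.casa/login"):
        print(assess_url(u))
```

Only the second and third URLs are flagged: the legitimate dol.wa.gov resolves to registrable domain wa.gov under the gov suffix, while the spoofs resolve to gov-123.bond and in3ymonaq.casa.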
 
