Researchers Gained Access to Hacker Domain Server Using Name Server Delegation

Sarah simpson
January 19, 2026

Recent findings from an investigation into a deceptive push-notification network reveal how a fundamental DNS misconfiguration can expose underlying criminal infrastructure.

The campaign abused browser notifications to flood Android users with fake security alerts, gambling lures, and adult offers. The operator relied on random-looking domains and hidden hosting to stay concealed while keeping the flow of clicks and ad money moving.

Trouble surfaced when one domain stopped resolving, even though notifications kept arriving. Instead of live landing pages, victims saw browser errors.

What looked like a routine outage was in fact a misconfigured name server setup, leaving the domain in a lame delegation state that no longer pointed to a valid backend.

Infoblox researchers identified this weakness and realized the threat actor had let DNS control slip while devices worldwide still called home.

By legitimately claiming the same domain at the DNS provider, the team redirected traffic to infrastructure they managed, without touching victim devices or the attacker’s servers.

From that point, every push message and tracking request sent by the hacker’s network also reached the researchers’ server, creating a live view into the operation.
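A lame delegation of the kind described above shows up when each name server listed for a zone is asked for the zone's SOA record with recursion disabled and the reply header is inspected. The sketch below is an added example, not code from Infoblox or the original article; the zone `push-alerts.example`, the name-server names and the sample replies are constructed, and `classify_reply`, `query_ns` and `audit_delegation` are hypothetical helpers.

```python
import socket
import struct

RCODES = {1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_soa_query(zone, txid=0x4C44):
    """Non-recursive (RD=0) SOA query for the zone apex."""
    labels = zone.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0) + qname + struct.pack("!HH", 6, 1)

def classify_reply(reply):
    """Map a raw DNS reply (None = timeout) to 'authoritative' or a lame reason."""
    if reply is None:
        return "lame: no response"
    if len(reply) < 12:
        return "lame: malformed reply"
    _, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", reply[:12])
    rcode = flags & 0x000F
    if rcode:
        return "lame: " + RCODES.get(rcode, f"RCODE {rcode}")
    if not flags & 0x0400:               # AA bit clear: referral or cached data
        return "lame: not authoritative"
    if ancount == 0:                     # authoritative for something, but no SOA here
        return "lame: no SOA at apex"
    return "authoritative"

def query_ns(ns_ip, zone, timeout=3.0):
    """Send the SOA query to one listed name server over UDP; None on timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_soa_query(zone), (ns_ip, 53))
            return s.recvfrom(4096)[0]
        except OSError:
            return None

def audit_delegation(replies):
    """replies: {ns_name: raw reply or None}. Returns (per-NS verdicts, fully_lame)."""
    verdicts = {ns: classify_reply(r) for ns, r in replies.items()}
    fully_lame = bool(verdicts) and all(v != "authoritative" for v in verdicts.values())
    return verdicts, fully_lame

def sample_header(flags, ancount):
    """Constructed 12-byte DNS reply header for the offline sample below."""
    return struct.pack("!HHHHHH", 0x4C44, flags, 1, ancount, 0, 0)

SAMPLE = {  # constructed replies for the hypothetical zone "push-alerts.example"
    "ns1.dns-provider.example": sample_header(0x8005, 0),  # REFUSED: zone not provisioned
    "ns2.dns-provider.example": sample_header(0x8000, 0),  # answers, but AA=0
    "ns3.dns-provider.example": None,                      # timeout
}
```

For a live audit of a zone you own, fill the dictionary with `query_ns(ip, zone)` results for every name server in the parent's NS set; a zone where `fully_lame` is true has no server actually answering for it.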

How push notifications work (Source – Infoblox)

Over the following days, thousands of infected browsers connected from across the globe. Each request carried rich JSON logs about the device, language, lure text, and click behavior.

In total, the team captured tens of millions of records, revealing aggressive use of brand impersonation and scare tactics to chase clicks.

An example of the false information included in notifications received from this commercial push network (Source – Infoblox)

Logs showed that a typical user might receive more than one hundred notifications per day, often for months.

Infection Mechanism: From One Click to Ongoing Control

The infection path began with a visit to a compromised or shady site. Users were shown a browser pop-up asking them to allow notifications, mixed in with cookie banners and captcha prompts.

Once permission was granted, the site installed a custom service worker in the browser, acting like a background agent that kept the subscription active.

That service worker regularly checked in with the attacker’s push server, fetched updated scripts, and pulled scam or ad templates. If the user closed the tab, the worker stayed active and continued to trigger notifications.

In this way, the attackers gained persistent reach without classic malware files, relying instead on web standards and weak DNS hygiene.

When lame name server delegation exposed their abandoned domain, defenders used the same plumbing to watch rather than spread the campaigns.
