Triad Nexus Phishing Group Uses 175+ Rotating CNAME Domains in Global Scam

Jennifer Sherman
April 15, 2026

Key Takeaways

  • The Triad Nexus cybercrime organization has relaunched its global fraud operations with significantly enhanced stealth and evasion tactics.
  • The group now leverages over 175 rotating CNAME domains and hijacked legitimate cloud infrastructure from providers like AWS, Google, and Microsoft.
  • Triad Nexus primarily conducts “pig butchering” scams, creating sophisticated fake investment and luxury brand portals, and has been linked to over $1 billion in victim losses.
  • Following U.S. sanctions, the group implemented “infrastructure laundering” and is now actively targeting victims in Spanish, Vietnamese, and Indonesian-speaking markets while blocking U.S. access to many fraudulent sites.

A sophisticated cybercriminal enterprise, identified as Triad Nexus and previously associated with the FUNNULL Content Delivery Network, has re-emerged with a significantly more advanced and elusive operational framework.

Following recent U.S. Treasury sanctions, Triad Nexus has meticulously rebuilt its extensive global fraud network. This revamped infrastructure now employs a dynamic pool of over 175 randomly generated CNAME domains to power numerous scam portals, targeting individuals across multiple international territories.

Triad Nexus is not a newcomer to the realm of cybercrime. The group possesses deep ties to organized criminal syndicates throughout Asia and has been actively involved in investment scams, money laundering, and illicit gambling operations since at least 2022.

In its earlier campaigns, the FUNNULL CDN served as the primary technological backbone, facilitating the rapid deployment of fraudulent websites meticulously designed to mimic trusted global brands.

The U.S. sanctions, imposed in May 2024, did not deter the group’s criminal ambitions but fundamentally altered its methods of concealment and operation.

Infrastructure Laundering and Cloud Hijacking

Subsequent to the federal sanctions, Triad Nexus quickly adopted what cybersecurity researchers have termed “infrastructure laundering.”

Instead of relying solely on low-reputation servers, the group began compromising legitimate enterprise cloud accounts hosted by major providers such as Amazon Web Services (AWS), Cloudflare, Google, and Microsoft.

By routing malicious traffic through these reputable platforms, Triad Nexus effectively created a facade of legitimacy, making its deceptive portals substantially more challenging to detect and block.

Analysts at Silent Push were instrumental in identifying this pivotal tactical shift. They observed that the group had abandoned static CNAME domains in favor of a rotating pool of over 175 randomly generated CNAME domains, each linking clusters of fraudulent websites to stolen or illicitly acquired IP addresses.

The financial impact of this fraud is substantial. Triad Nexus has been implicated in over one billion dollars in reported victim losses, with individual victims typically losing around $47,000.

The group predominantly executes “pig butchering” scams, a long-con scheme where victims are groomed over weeks or months into investing significant sums into fraudulent cryptocurrency platforms.

Their array of deceptive portals includes perfect replicas of luxury brands like Tiffany, Cartier, and Chanel, financial services such as Western Union and MoneyGram, and banking portals falsely associated with institutions like Wells Fargo, Goldman Sachs, and Bank of America.

To further evade law enforcement scrutiny following the sanctions, the group also established a series of “clean” front companies. These entities feature professional branding and fabricated operational histories, engineered to cultivate trust among unsuspecting users.

A notable instance is a fictitious CDN provider operating under the domain cdnbl.com, which falsely claims to have been in service since 2007. However, domain registration records unequivocally show its creation date as March 2024, revealing the inherent deception.

Geographic Evasion and the Rotating CNAME Infrastructure

A particularly concerning technical aspect of Triad Nexus’s re-engineered operation is its deliberate implementation of multi-layered CNAME chains to obscure the true destination of its traffic.

A CNAME (Canonical Name) record is a type of DNS entry that redirects one domain name to another. Standard security tools typically only resolve a single step in this redirection chain, often failing to identify the actual final endpoint.

Triad Nexus actively exploits this blind spot. Its infrastructure routes malicious traffic through multiple intermediate CNAME domains—sometimes three or four layers deep—before ultimately reaching a final IP address hosted on a reputable enterprise cloud platform.

This multi-layered redirection significantly impedes automated detection tools from tracing the traffic back to its genuine origin.

To further avoid scrutiny, the group has implemented a deliberate U.S. block across many of its portals, displaying an error message stating “The region has been denied” to American visitors. Concurrently, Triad Nexus has expanded its scam operations into Spanish, Vietnamese, and Indonesian markets, ensuring its fraudulent profits continue to flow.

What You Should Do

  • Implement advanced CNAME chain analysis capabilities to uncover hidden redirection layers.
  • Actively monitor for newly registered lookalike domains that mimic legitimate brands or services.
  • Enforce strict DNS resolution policies and scrutinize unexpected DNS queries.
  • Maintain deep visibility across all network layers to detect and disrupt sophisticated threats before they impact end-users.
  • Educate users about the dangers of “pig butchering” scams and the importance of verifying investment opportunities independently.
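The multi-layer CNAME chains described above, and the "CNAME chain analysis" recommended in the first action item, come down to one defensive check: follow every CNAME hop to the terminal address instead of stopping after the first, while guarding against loops and runaway depth. The following is an added illustration, not code from the article or from Silent Push; it runs against a constructed in-memory zone with hypothetical names so it works offline, and a real deployment would swap the lookup for live DNS queries.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for DNS data (hypothetical names, documentation IPs).
# shop.* chains through three CNAME layers before reaching an A record,
# the loop*.test pair points at each other, direct.test has no CNAME at all.
CONSTRUCTED_ZONE: Dict[str, List[Tuple[str, str]]] = {
    "shop.example-luxury.test": [("CNAME", "edge1.hop-a.test")],
    "edge1.hop-a.test": [("CNAME", "relay.hop-b.test")],
    "relay.hop-b.test": [("CNAME", "origin.hop-c.test")],
    "origin.hop-c.test": [("A", "203.0.113.10")],
    "loop1.test": [("CNAME", "loop2.test")],
    "loop2.test": [("CNAME", "loop1.test")],
    "direct.test": [("A", "198.51.100.5")],
}

@dataclass
class ChainResult:
    hops: List[str]            # every CNAME target followed, in order
    final_ip: Optional[str]    # terminal A record, if one was reached
    status: str                # resolved | loop | too_deep | nxdomain

def lookup(name: str, zone: Dict[str, List[Tuple[str, str]]]) -> List[Tuple[str, str]]:
    """Return the records for a name; normalises case and a trailing dot."""
    return zone.get(name.rstrip(".").lower(), [])

def follow_cname_chain(name: str, zone=CONSTRUCTED_ZONE, max_depth: int = 8) -> ChainResult:
    """Walk CNAME hops until an A record, a loop, a missing name or the depth cap."""
    hops: List[str] = []
    seen = set()
    current = name.rstrip(".").lower()
    while True:
        if current in seen:                     # A -> B -> A style CNAME loop
            return ChainResult(hops, None, "loop")
        seen.add(current)
        records = lookup(current, zone)
        if not records:
            return ChainResult(hops, None, "nxdomain")
        cnames = [t for rtype, t in records if rtype == "CNAME"]
        if cnames:                              # another redirection layer
            if len(hops) >= max_depth:
                return ChainResult(hops, None, "too_deep")
            hops.append(cnames[0])
            current = cnames[0].rstrip(".").lower()
            continue
        addrs = [t for rtype, t in records if rtype == "A"]
        return ChainResult(hops, addrs[0] if addrs else None, "resolved")

def flag_deep_chain(name: str, threshold: int = 2, zone=CONSTRUCTED_ZONE) -> bool:
    """True when more CNAME layers exist than a single-step resolver would reveal."""
    return len(follow_cname_chain(name, zone).hops) > threshold
```

The `hops` list is what a detection pipeline should log and pivot on: intermediate names shared across many scam portals are the rotating pool the article describes, even when the terminal IP sits on a reputable cloud provider.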
