Cyble Research and Intelligence Labs (CRIL) uncovered Operation TrustTrap, a coordinated phishing campaign involving over 16,800 malicious domains active since early 2026. The campaign exploits cognitive trust by embedding legitimate government domain tokens (e.g., 'mass.gov', 'wa.gov') as subdomains in fraudulent URLs, making them appear as official government portals. Three obfuscation techniques are used: subdomain trust injection, hyphen-based semantic manipulation, and combined strategies. Infrastructure is concentrated on Tencent Cloud and Alibaba Cloud APAC nodes, with Gname.com as the dominant registrar and .bond, .cc, and .cfd as preferred TLDs. Targeting is primarily US-focused (DMV, toll, and vehicle registration portals across all states) but extends to India, Vietnam, and the UK. A distinct cluster within the dataset shows TTPs consistent with APT36 (Transparent Tribe), targeting Indian government entities. Over 62% of domains had very few VirusTotal detections. Recommendations include eTLD+1-aware URL parsing, structural domain risk scoring, and revised security awareness training.
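The parsing recommendation above is the point worth making concrete: a classic prefix match on "mass.gov" passes a hostname like mass.gov.renewal-dmv.cc, whereas an eTLD+1-aware parser sees that the registrable domain is renewal-dmv.cc and that the government token sits to its left. The following Python script is an added illustration, not CRIL's tooling or any code from the report. It assumes an abbreviated stand-in for the Public Suffix List (a real deployment would load the full list), a constructed set of trust tokens, arbitrary scoring weights, and constructed sample URLs; the three techniques named in the summary (subdomain trust injection, hyphen-based semantic manipulation, and their combination) are each flagged separately.

```python
"""eTLD+1-aware URL parsing with a structural domain risk score.

Added example; not CRIL's code. The suffix table, trust tokens, weights
and sample URLs are all constructed for illustration.
"""
from urllib.parse import urlsplit

# Assumption: abbreviated stand-in for the Public Suffix List. A real
# deployment loads the full list so that eTLD+1 is computed correctly.
PUBLIC_SUFFIXES = {
    "com", "net", "org", "gov", "cc", "bond", "cfd",
    "co.uk", "gov.uk", "gov.in", "gov.vn",
}
# Suffixes under which a registrable domain is genuinely governmental.
GOV_SUFFIXES = {"gov", "gov.uk", "gov.in", "gov.vn"}
# TLDs the report names as favoured by the campaign.
CAMPAIGN_TLDS = {"bond", "cc", "cfd"}
# Constructed trust tokens and impersonation keywords (extend per organisation).
TRUST_TOKENS = {"mass.gov", "wa.gov"}
IMPERSONATION_WORDS = {"gov", "dmv", "rmv", "toll", "tolls"}


def split_host(host):
    """Return (subdomain_labels, registrable_domain, public_suffix).

    Longest-suffix match against PUBLIC_SUFFIXES; eTLD+1 is the label
    immediately left of the matched suffix plus the suffix itself.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in PUBLIC_SUFFIXES:
            if i == 0:
                return [], None, suffix          # host is itself a public suffix
            return labels[:i - 1], ".".join(labels[i - 1:]), suffix
    # Unknown suffix: fall back to treating the last label as the suffix.
    return labels[:-2], ".".join(labels[-2:]), labels[-1]


def assess_url(url):
    """Score a URL structurally; returns a dict with findings and verdict."""
    host = (urlsplit(url).hostname or "").lower()
    sub, reg, suffix = split_host(host)
    result = {"host": host, "registrable_domain": reg, "findings": [], "score": 0}
    if reg is None:
        result["findings"].append("host is a bare public suffix")
        result["verdict"] = "invalid"
        return result
    if suffix in GOV_SUFFIXES:
        # The registrable domain itself is governmental: nothing to flag.
        result["verdict"] = "authoritative"
        return result

    # Technique 1: subdomain trust injection. A government token appears
    # among the labels left of eTLD+1 while the eTLD+1 is not governmental.
    sub_text = ".".join(sub)
    if "gov" in sub or any(tok in sub_text for tok in TRUST_TOKENS):
        result["findings"].append(
            "subdomain trust injection: government token left of eTLD+1")
        result["score"] += 60

    # Technique 2: hyphen-based semantic manipulation. Hyphenated labels
    # (e.g. wa-gov, renewal-dmv) imitate dotted government names.
    for label in sub + [reg.split(".")[0]]:
        if "-" not in label:
            continue
        parts = set(label.split("-"))
        if "gov" in parts:
            result["findings"].append(
                f"hyphenated label '{label}' imitates a .gov name")
            result["score"] += 40
        elif parts & IMPERSONATION_WORDS:
            result["findings"].append(
                f"hyphenated label '{label}' carries an impersonation keyword")
            result["score"] += 15

    # Weak signal: registered under a TLD the campaign favours.
    if suffix in CAMPAIGN_TLDS:
        result["findings"].append(f"TLD .{suffix} is one favoured by the campaign")
        result["score"] += 10

    s = result["score"]
    result["verdict"] = "high" if s >= 60 else "medium" if s >= 30 else "low"
    return result


if __name__ == "__main__":
    # Constructed sample URLs: one real-looking state portal, then imitations.
    for u in ("https://dmv.mass.gov/renew",
              "https://mass.gov.renewal-dmv.cc/pay",
              "https://wa-gov.dmv-tolls.bond",
              "https://www.example.com/"):
        r = assess_url(u)
        print(f"{r['verdict']:>13}  {r['score']:3d}  {r['host']}  {r['findings']}")
```

Because the score is driven by where the token sits relative to the registrable domain, the same logic also exposes combined variants (a trust token in the subdomain plus a hyphenated impersonation label in the eTLD+1), which accumulate findings from both rules. Conversely, a genuine portal such as dmv.mass.gov is recognised as authoritative by its suffix and never scored, which is what keeps false positives down when the rule set is extended to every state.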
Table of contents
Executive Summary
Key Takeaways
Campaign overview
What Are These Domains Actually Used For?
Targeting Geography: Who Is Being Impersonated?
Top Targeted US Entities
Beyond the United States: International Footprint
Registrar Dominance
Operational Lifecycle
Deceptive Domain Spoofing: Core Technique Breakdown
APT36 Infrastructure Cluster: Attribution Signals
Conclusion
Recommendations
The need for a proactive cyberdefense stance
MITRE ATT&CK® Techniques
Indicators of Compromise (IOCs)