
163 Organizations Hit by Thai Gambling SEO Poisoning Campaign
Why It Matters
The abuse demonstrates how neglected DNS configurations can turn trusted brands into revenue‑generating fraud platforms, exposing users and damaging reputations without breaching internal networks.
Key Takeaways
- Attackers hijacked abandoned Azure DNS zones to host gambling pages
- 163 organizations in 30+ countries compromised; 161 still active
- Valid Let's Encrypt certificates make malicious sites appear legitimate
- Affiliate links monetize Thai traffic, betting as low as $0.03 per spin
- Remediation: audit DNS delegations, purge orphaned NS records, monitor CT logs
Pulse Analysis
The Thai gambling SEO-poisoning operation illustrates a growing trend in which threat actors weaponize forgotten cloud infrastructure rather than infiltrating corporate networks. By taking over orphaned Azure and DigitalOcean DNS delegations (NS records in a parent zone that still point at a cloud-hosted zone the owner has since deleted), the attackers gain authoritative control over subdomains that appear to belong to reputable entities such as government agencies, universities, and financial institutions. This method sidesteps traditional perimeter defenses: the malicious pages inherit the trust signals of established domains and rank highly in search engines, attracting unsuspecting users seeking gambling content.
Technically, the campaign serves its pages from Next.js deployments behind legitimate Let's Encrypt wildcard certificates, so browsers raise no certificate warnings and reputation-based tools see a validly issued certificate on a trusted domain. Over 1,000 subdomains were identified, each embedding affiliate tracking codes that redirect Thai users to gambling platforms where bets can start at just 1 Thai Baht (about $0.03 USD). The backend consists of a homogeneous fleet of 103 servers in Hong Kong sharing TLS fingerprints, MySQL configurations, and administrative tools, indicating a single, highly coordinated operation built to scale and to maximize affiliate commissions.
For enterprises, the incident underscores the need for rigorous DNS hygiene. Continuous monitoring of Certificate Transparency logs, regular audits of DNS delegations, and immediate removal of stale NS records are essential controls: a delegation whose target nameservers no longer host the zone is a takeover waiting to happen, and a newly issued certificate for a name under such a delegation is a strong signal that it already has. As cloud adoption expands, attackers will increasingly exploit misconfigurations like these to conduct SEO poisoning at scale, turning trusted domains into profit-driving channels without ever touching internal systems. Proactive governance of DNS assets is now a frontline defense against this subtle yet lucrative threat vector.
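The following script is an added example of the audit the article recommends, not code from the original report: it walks the NS delegations in a parent zone, checks whether the cloud nameservers still answer authoritatively for the child zone, and correlates the result with names seen in Certificate Transparency logs. The nameserver suffixes, the assumption that a provider nameserver answers REFUSED or SERVFAIL for a zone it no longer hosts, and all `example.edu` sample data are constructed for illustration.

```python
from typing import Callable

# Nameserver suffixes of the two cloud DNS providers named on this page.
CLOUD_NS_SUFFIXES = ("azure-dns.com", "azure-dns.net", "azure-dns.org",
                     "azure-dns.info", "digitalocean.com")
# Assumed: a provider nameserver that no longer hosts the delegated zone answers
# REFUSED (Azure DNS) or SERVFAIL instead of an authoritative SOA.
DANGLING_RCODES = {"REFUSED", "SERVFAIL"}

def is_cloud_ns(ns: str) -> bool:
    return ns.rstrip(".").lower().endswith(CLOUD_NS_SUFFIXES)

def in_zone(ct_subject: str, zone: str) -> bool:
    """True if a CT-log subject (wildcards allowed) lies under the delegated zone."""
    name = ct_subject.lower().removeprefix("*.")
    return name == zone or name.endswith("." + zone)

def audit_delegations(delegations: dict[str, list[str]],
                      soa_rcode: Callable[[str, str], str],
                      ct_subjects: list[str]) -> dict[str, tuple[str, list[str]]]:
    """Map each delegated child zone to (status, CT subjects under it).
    delegations: child zone -> NS targets from the parent zone file;
    soa_rcode(ns, zone): rcode of an SOA query to that NS (canned below)."""
    report = {}
    for zone, nss in delegations.items():
        cloud = [ns for ns in nss if is_cloud_ns(ns)]
        if not cloud:
            status = "not-cloud"          # in-house NS: out of scope here
        elif {soa_rcode(ns, zone) for ns in cloud} <= DANGLING_RCODES:
            status = "dangling"           # every provider NS disowns the zone
        else:
            status = "ok"
        report[zone] = (status, [s for s in ct_subjects if in_zone(s, zone)])
    return report

# Constructed sample: three delegations in a parent zone, canned SOA answers
# (the Azure-hosted zone was deleted), and subjects seen in CT logs.
SAMPLE_DELEGATIONS = {
    "legacy.example.edu": ["ns1-07.azure-dns.com.", "ns2-07.azure-dns.net."],
    "events.example.edu": ["ns1.digitalocean.com.", "ns2.digitalocean.com."],
    "mail.example.edu": ["dns1.example.edu.", "dns2.example.edu."],
}
SAMPLE_RCODES = {"legacy.example.edu": "REFUSED"}
SAMPLE_CT = ["*.legacy.example.edu", "events.example.edu", "www.example.edu"]

def run_sample_audit() -> dict[str, tuple[str, list[str]]]:
    return audit_delegations(SAMPLE_DELEGATIONS,
                             lambda ns, zone: SAMPLE_RCODES.get(zone, "NOERROR"),
                             SAMPLE_CT)
```

In a live deployment, `soa_rcode` would send a real SOA query to each delegated nameserver; a "dangling" zone with CT hits is the highest-priority finding, since a certificate has already been issued for a name the organization no longer controls.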