Operation TrustTrap Reveals 16,800 Fake Domains Exploiting User Trust

The Cyber Express
Apr 27, 2026

Why It Matters

By exploiting visual trust in URLs, the campaign bypasses traditional security controls, putting millions of citizens at risk of credential theft and financial fraud. Its scale and use of major cloud providers highlight a growing challenge for regulators and enterprises to police cross‑border cyber‑infrastructure.

Key Takeaways

  • Operation TrustTrap used 16,800 spoofed domains to harvest credentials.
  • Attackers mimicked U.S. DMV and state portals to trick users.
  • Subdomain trust injection places .gov in subdomains, bypassing filters.
  • Tencent Cloud and Alibaba Cloud host the majority of the malicious infrastructure.
  • Gname.com registrar accounts for over 70% of domain registrations.

Pulse Analysis

Domain‑spoofing has evolved from simple typo‑squatting to sophisticated visual deception. Operation TrustTrap demonstrates how threat actors manipulate URL structures, inserting trusted government tokens into subdomains to create the illusion of legitimacy. This subdomain trust injection sidesteps many security solutions that only scan the root domain for .gov or other trusted suffixes, allowing phishing sites to capture login credentials, driver‑license numbers, and credit‑card details with alarming efficiency.

The campaign’s reliance on Tencent Cloud and Alibaba Cloud APAC underscores a broader trend: cybercriminals are leveraging globally available, low‑cost cloud infrastructure to scale malicious operations. Hosting on these platforms provides rapid provisioning, geographic dispersion, and resilience against takedown requests, complicating attribution and mitigation. The dominance of Gname.com as a registrar—accounting for more than 70% of the malicious domains—highlights how certain registrars become preferred pipelines for threat actors, especially when they serve regions with lax oversight. The overlap of tactics with APT36 further suggests that state‑linked groups are adapting commercial phishing techniques to serve espionage and financial gain.

Defending against such campaigns requires a multi‑layered approach. Organizations should implement advanced URL‑analysis tools that inspect the full domain string, not just the top‑level domain, and educate users about the risks of subdomain manipulation. Threat‑intelligence feeds that flag newly registered suspicious domains, especially those using the .bond, .cc, and .cfd TLDs, can accelerate response times. Cloud providers and registrars must strengthen verification processes and cooperate with law enforcement to disrupt the hosting and registration pipelines that enable large‑scale spoofing operations.
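The two defensive points above, checking the full host string for injected trust tokens rather than only the TLD, and watching the TLDs the article names, can be combined in one URL check. The following is an added example, not code from the article or from any vendor it cites; the public-suffix subset, the trusted-token list and the sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed subset of public suffixes for this example; a real deployment
# would load the full Public Suffix List (publicsuffix.org) instead.
PUBLIC_SUFFIXES = {"com", "net", "org", "gov", "cc", "cfd", "bond", "co.uk"}

# Tokens users read as marks of legitimacy (constructed list for the example).
TRUSTED_TOKENS = {"gov", "dmv", "state", "official"}

# TLDs the article singles out as heavily used by the campaign.
WATCHLIST_TLDS = {"bond", "cc", "cfd"}


def split_host(host: str) -> tuple[str, str]:
    """Return (subdomain part, registrable domain) for a hostname.

    Matches the longest known public suffix from the right, so the label just
    left of it is the one the registrant actually controls:
    'dmv.ca.gov.login-portal.cfd' -> ('dmv.ca.gov', 'login-portal.cfd').
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[:i - 1]), ".".join(labels[i - 1:])
    return ".".join(labels[:-2]), ".".join(labels[-2:])  # unknown suffix


def assess_url(url: str) -> dict:
    """Flag subdomain trust injection and watchlisted TLDs for one URL.

    A trusted token counts as injected only when it sits in the subdomain
    part (registrant-controlled) while the registrable domain's own TLD is
    not .gov; a filter that inspects only the TLD never sees it.
    """
    host = urlsplit(url if "//" in url else "//" + url).hostname or ""
    sub, reg = split_host(host)
    tld = reg.rsplit(".", 1)[-1]
    # Split subdomain labels on '-' too, so 'ca-gov' still yields 'gov'.
    sub_tokens = {t for label in sub.split(".") for t in label.split("-") if t}
    injected = sorted(TRUSTED_TOKENS & sub_tokens) if tld != "gov" else []
    watchlist = tld in WATCHLIST_TLDS
    verdict = "suspicious" if injected else ("watch" if watchlist else "ok")
    return {"host": host, "registrable": reg, "tld": tld,
            "injected_tokens": injected, "watchlist_tld": watchlist,
            "verdict": verdict}


if __name__ == "__main__":
    # Constructed sample URLs; the spoofed ones are not real campaign IoCs.
    for u in ("https://dmv.ca.gov.login-portal.cfd/renew",
              "https://www.dmv.ca.gov/", "http://example.cc/"):
        print(assess_url(u))
```

A legitimate state portal such as a host under ca.gov keeps its verdict of "ok" even though "dmv" appears in its subdomain, because the suffix the registry controls is .gov.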
