Operation TrustTrap Exposes 16,800 Deceptive Domains Targeting User Trust
In an increasingly complex digital landscape, Cyble Research and Intelligence Labs (CRIL) has unveiled one of the most extensive deceptive domain spoofing campaigns to date. Named Operation TrustTrap, this operation has utilized over 16,800 malicious domains to exploit cognitive trust mechanisms, effectively harvesting sensitive user data from unsuspecting victims. The scale and sophistication of this campaign underscore a significant evolution in cybercriminal tactics aimed at circumventing traditional security measures.
Understanding Operation TrustTrap
Since early 2026, CRIL has been monitoring a meticulously coordinated infrastructure comprising a vast network of spoofed domains. These domains were crafted to imitate legitimate government portals, particularly those associated with transportation services in the United States, such as Department of Motor Vehicles (DMV) portals, toll payment systems, and vehicle registration services. The primary objective of this campaign is clear: to harvest credentials and payment card information by exploiting the trust users place in government-facing services.
The technical complexity of Operation TrustTrap does not stem from advanced hacking techniques. Instead, it leverages the way humans visually interpret URLs. By embedding government-like subdomains, attackers have created fraudulent domains that closely resemble legitimate government addresses, tricking individuals into visiting these sites and inadvertently providing sensitive information.
Hosting Infrastructure: Tencent Cloud and Alibaba Cloud APAC
The spoofed domains were predominantly hosted on Tencent Cloud and Alibaba Cloud APAC, both of which maintain significant data centers in the Asia-Pacific region. The concentrated use of these platforms complicates the attribution process, as they are often associated with legitimate operations. CRIL identified that the domains were primarily registered through Gname.com Pte. Ltd., a registrar known for its large Chinese customer base, along with other registrars like Dominet (HK) Limited and NameSilo LLC.
These domains frequently utilized .bond, .cc, and .cfd top-level domains (TLDs), which are often employed to evade detection and blacklisting efforts.
Key Technique: Subdomain Trust Injection
A notable method employed in Operation TrustTrap is subdomain trust injection. This technique involves embedding trusted government tokens, such as mass.gov or wa.gov, within subdomains rather than the root domain. In legitimate URLs, the .gov component typically appears at the end of the domain string. However, in these malicious domains, .gov is cleverly integrated as part of a subdomain.
For example, a URL like mass.gov-bzyc[.]cc may lead users to believe they are accessing an official Massachusetts government page, while in reality, they are on a fraudulent site designed to capture personal and financial data. This manipulation of the domain structure is visually convincing and effectively bypasses traditional security filters that only check the root domain for trusted indicators like .gov.
Another obfuscation technique employed is hyphen-based semantic manipulation, where hyphens are inserted into familiar government identifiers to create visually similar URLs. This tactic further complicates the detection of malicious domains.
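The two tricks described above, a trusted token such as gov placed in a subdomain and a hyphen glued onto it (gov-bzyc), both defeat a check that merely looks for the string "gov" somewhere in the hostname. The defender's fix is to determine the registrable domain (the public suffix plus one label) first and only then ask where the government token sits. The following Python is an added example, not code from the Cyble report or from any product; it uses a small, constructed subset of public suffixes (a real deployment would load the full Public Suffix List), treats the .bond, .cc and .cfd TLDs named in the report as a weak signal, and accepts defanged indicators such as mass.gov-bzyc[.]cc. The sample hostnames other than the report's own mass.gov-bzyc[.]cc are constructed for illustration.

```python
import re

# Constructed subset of public suffixes for this example only. Production code
# should load the complete Public Suffix List (publicsuffix.org) instead.
PUBLIC_SUFFIXES = {
    "com", "net", "org", "cc", "cfd", "bond", "gov", "uk", "in", "vn",
    "gov.in", "nic.in", "gov.uk", "co.uk", "gov.vn",
}

# Suffixes under which a registrable domain is genuinely governmental (constructed set).
GOV_SUFFIXES = {"gov", "gov.in", "gov.uk", "gov.vn"}

# TLDs the report associates with the campaign. Abuse-prone, not inherently malicious,
# so they only add weight and never flag a host on their own.
SUSPECT_TLDS = {"bond", "cc", "cfd"}

HOST_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$")


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as mass.gov-bzyc[.]cc back into a hostname."""
    host = indicator.strip().lower().replace("[.]", ".").replace("(.)", ".").rstrip(".")
    if not HOST_RE.match(host):
        raise ValueError(f"not a hostname: {indicator!r}")
    return host


def split_host(host: str):
    """Return (subdomain_labels, registrable_domain, public_suffix).

    The longest public suffix wins, so 'nia.gov.in' is matched under 'gov.in'
    rather than 'in'.
    """
    labels = host.split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in PUBLIC_SUFFIXES:
            if i == 0:
                # The host is itself a public suffix; nothing is registrable beneath it.
                return [], host, suffix
            return labels[: i - 1], ".".join(labels[i - 1:]), suffix
    # Unknown suffix: fall back to the last two labels.
    return labels[:-2], ".".join(labels[-2:]), labels[-1]


def analyze(indicator: str) -> dict:
    """Classify one hostname for subdomain trust injection and hyphen manipulation."""
    host = refang(indicator)
    sub_labels, reg, suffix = split_host(host)
    all_labels = host.split(".")

    # Legitimate government hosts have their registrable domain under a gov suffix.
    under_gov_suffix = suffix in GOV_SUFFIXES
    # Trust injection: 'gov' appears as a label to the left of the registrable domain,
    # e.g. www.in.gov.pay-fine.bond, where the registrable domain is pay-fine.bond.
    gov_in_subdomain = "gov" in sub_labels
    # Hyphen manipulation: 'gov' is a hyphen-delimited piece of a label, e.g. gov-bzyc.
    hyphenated_gov = any(lbl != "gov" and "gov" in lbl.split("-") for lbl in all_labels)
    suspect_tld = all_labels[-1] in SUSPECT_TLDS

    spoof = (not under_gov_suffix) and (gov_in_subdomain or hyphenated_gov)
    return {
        "host": host,
        "registrable_domain": reg,
        "public_suffix": suffix,
        "under_gov_suffix": under_gov_suffix,
        "gov_in_subdomain": gov_in_subdomain,
        "hyphenated_gov": hyphenated_gov,
        "suspect_tld": suspect_tld,
        "spoof": spoof,
    }


def flagged_hosts(indicators) -> list:
    """Return the subset of indicators that analyze() marks as spoofs, refanged."""
    return [r["host"] for r in map(analyze, indicators) if r["spoof"]]


if __name__ == "__main__":
    # Constructed sample set: one indicator from the report plus illustrative hosts.
    samples = [
        "mass.gov-bzyc[.]cc",        # from the report
        "www.in.gov.pay-fine.bond",  # constructed: gov token in a subdomain
        "wa.gov-tolls.cfd",          # constructed: hyphenated token
        "www.mass.gov",              # constructed legitimate host
        "portal.nia.gov.in",         # constructed legitimate .gov.in host
        "login.example.com",         # constructed unrelated host
    ]
    for r in map(analyze, samples):
        print(f"{r['host']:28} reg={r['registrable_domain']:16} spoof={r['spoof']}")
```

The key design choice is that the verdict never depends on "gov" being present anywhere in the string; it depends on whether the public suffix of the registrable domain is governmental. That is exactly the distinction the campaign relies on defenders not making, and it is why a plain substring or root-domain allowlist passes mass.gov-bzyc[.]cc while this check does not.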
Global Targeting and Regional Focus
While Operation TrustTrap primarily targets the United States—focusing on state portals in California, Washington, and Florida—it is not limited to one region. CRIL has identified similar spoofing efforts aimed at government portals in India, Vietnam, and the United Kingdom.
In India, attackers have specifically targeted portals that adhere to the .gov.in domain structure. By injecting subdomains like www.in.gov-bond, they have successfully replicated the appearance of legitimate government websites, particularly those related to the Indian Department of National Investigation (NIA) and other defense-related sites. This targeted approach indicates that the threat actors possess a deep understanding of government infrastructure and its operational dynamics.
APT36 and the Connection to Operation TrustTrap
The tactics, techniques, and procedures (TTPs) observed in Operation TrustTrap bear a striking resemblance to those employed by APT36, also known as Transparent Tribe. This Pakistan-based Advanced Persistent Threat (APT) group has a long history of targeting Indian government entities, defense personnel, and diplomatic infrastructure.
The infrastructure utilized in Operation TrustTrap shows similarities to APT36’s previous campaigns, particularly regarding domain registration patterns and the use of Tencent Cloud and Alibaba Cloud APAC infrastructure. Additionally, behaviors such as domain rotation and the use of disposable domains align closely with previous APT36 activities.
Registrar and Hosting Analysis
The dominance of Gname.com as the registrar for over 70% of the spoofed domains highlights a specific trend in the operational setup of this campaign. This Singapore-based registrar serves a large number of Chinese entities and is part of a broader infrastructure strategy that emphasizes low-cost hosting in the Asia-Pacific region.
Tencent Cloud and Alibaba Cloud APAC provide cloud services with global reach, facilitating the necessary infrastructure to scale such malicious operations. These services have been instrumental in supporting the rapid deployment of phishing sites across various government services, particularly those involving time-sensitive financial transactions.
For further insights into this operation, visit the original reporting source: thecyberexpress.com.