Skip to content
.ca
sign in
7 minhigh

Inside Keitaro Abuse: A Persistent Stream of AI-Driven Investment Scams

Threat actors are extensively abusing the legitimate Keitaro Tracker platform to conduct domain cloaking, facilitating large-scale, AI-driven investment and tech support scams. By combining traffic distribution systems with AI-generated deepfakes and localized lures, attackers effectively evade automated security scanners while maximizing victim engagement and conversion rates.

Conf:highAnalyzed:2026-03-19reports

Authors: Infoblox Threat Intel

ActorsTA2726SocGholishFaiKastWickedWallyFishSteaks
DeepfakeCloakingMalvertisingInvestment ScamKeitaro

Source:Infoblox

IOCs · 5
  • domain
    empowerementplan[.]comDomain used by the WickedWally threat actor for debt relief and affiliate marketing scams.
  • domain
    fin-zen-ai[.]comDomain used by an unnamed threat actor running investment scams featuring AI-powered trading platforms.
  • domain
    marrowcliff[.]orgDomain used by unnamed actors for Tech Support Scams (TSS) utilizing cloaking.
  • domain
    tryhappycards[.]ruDomain used by the FishSteaks threat actor for gamified giveaway scams.
  • domain
    wealthlift[.]clickDomain used by the FaiKast threat actor, which leverages AI-generated deepfake news broadcasts.

Key Takeaways

  • Threat actors are heavily abusing the legitimate Keitaro Tracker platform to conduct domain cloaking, facilitating large-scale fraud.
  • AI is being used as a force multiplier to generate deepfake news anchors, localized ad copy, and fake trading platforms to increase scam legitimacy.
  • Attackers utilize Registered Domain Generation Algorithms (RDGAs) to rapidly spin up and rotate infrastructure.
  • Client-side fingerprinting (IP, geolocation, user-agent) is actively used to route targets to malicious payloads while serving benign decoy pages to security scanners.

Affected Systems

  • Web Browsers
  • Windows
  • macOS
  • AdTech Platforms (e.g., Bigo Ads)

Attack Chain

Attackers initiate campaigns by serving malvertisements or social media ads featuring AI-generated deepfakes and localized lures. When a victim clicks the ad, they are directed to a cloaking infrastructure powered by Keitaro Tracker. The tracker performs client-side fingerprinting based on IP, geolocation, and user-agent to filter out security scanners and non-targets, redirecting them to benign decoy pages. Validated targets are routed via HTTP 302 redirects to malicious landing pages, such as fake AI trading platforms, tech support scams hosted on Azure Blob Storage, or credential harvesting sites.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

The article does not provide specific detection rules (YARA, Sigma, etc.) but offers a comprehensive list of IOCs and behavioral patterns for hunting.

Detection Engineering Assessment

EDR Visibility: Low — The attack primarily occurs within the browser via web traffic, redirects, and social engineering, meaning EDR has limited visibility until a secondary payload is downloaded or executed. Network Visibility: High — The reliance on DNS for RDGAs, HTTP 302 redirects, and connections to known cloaking infrastructure provides strong signals for network-based detection. Detection Difficulty: Hard — Cloaking systems actively fingerprint and evade automated scanners, and the use of RDGAs means infrastructure is constantly rotating, making static blocklists less effective.

Required Log Sources

  • DNS Logs
  • Web Proxy Logs
  • Network Flow Logs

Hunting Hypotheses

HypothesisTelemetryATT&CK StageFP Risk
High volumes of DNS requests to newly registered domains matching specific algorithmic patterns (e.g., att.com, lumitex.com) may indicate RDGA activity.DNS LogsDeliveryLow
Unexpected HTTP 302 redirects originating from ad networks leading to Azure Blob Storage (*.web.core.windows.net) subdomains may indicate Tech Support Scam (TSS) routing.Web Proxy LogsDeliveryMedium
Web traffic exhibiting client-side fingerprinting scripts that conditionally route users based on user-agent and geolocation mismatches may indicate cloaking infrastructure.Web Proxy LogsEvasionMedium

Control Gaps

  • Ad network content filtering
  • Automated web scanner evasion

Key Behavioral Indicators

  • Rapid rotation of subdomains tied to specific language codes (e.g., au., br., swe.)
  • Use of Keitaro Tracker in non-standard or suspicious affiliate marketing flows
  • HTTP 302 redirects from native display ads to newly registered domains

False Positive Assessment

  • Medium

Recommendations

Immediate Mitigation

  • Block known malicious RDGA patterns and specific IOCs at the DNS and web proxy levels.

Infrastructure Hardening

  • Implement strict web filtering policies for newly registered domains (NRDs).
  • Restrict access to unapproved cloud storage domains (e.g., Azure Blob Storage) if not required for business operations.

User Protection

  • Deploy ad-blocking extensions or DNS-level ad filtering to endpoints to reduce exposure to malvertising.

Security Awareness

  • Train users to recognize AI-generated deepfakes and verify investment opportunities through official financial regulatory bodies.
  • Educate employees on the signs of tech support scams, emphasizing that legitimate vendors do not use browser pop-ups to demand phone calls.

MITRE ATT&CK Mapping

  • T1583.001 - Acquire Infrastructure: Domains
  • T1583.008 - Acquire Infrastructure: Malvertising
  • T1566.002 - Phishing: Spearphishing Link
  • T1036 - Masquerading
  • T1430 - Location Tracking
  • T1562.001 - Impair Defenses: Disable or Modify Tools

Additional IOCs

  • Domains:
    • synatra-nexus[.]com - AI-powered trading platform investment scam domain
    • toonie-bot[.]com - AI-powered trading platform investment scam domain
    • veltimo-ai[.]com - AI-powered trading platform investment scam domain
    • argea-ai[.]org - Investment scam domain
    • el-camino-trader[.]com - Investment scam domain
    • mizuai[.]org - Investment scam domain
    • myhomequote[.]xyz - Investment scam domain
    • nuve-ai-invest[.]vip - Investment scam domain
    • nuvei-bot-neway[.]org - Investment scam domain
    • nuvei-bot-neway[.]vip - Investment scam domain
    • plumaclean[.]com - Investment scam domain
    • powerquizmaster[.]com - Investment scam domain
    • truenorth-yachts[.]com - Investment scam domain
    • cryptopassive-swiss-switzerland[.]org - Investment scam domain
    • nexiroka[.]net - Investment scam domain
    • samsosi[.]net - Investment scam domain
    • yieldup[.]ch - Investment scam domain
    • bitget-passive-income[.]com - Investment scam domain
    • cardanocrypto[.]ch - Investment scam domain
    • clarozenvix[.]com - Investment scam domain
    • crypto-nsw-app-au[.]com - Investment scam domain
    • gentlevector[.]com - Investment scam domain
    • kyvaronedge82[.]com - Investment scam domain
    • newton-passive-income[.]net - Investment scam domain
    • opulatrix[.]ch - Investment scam domain
    • owleblo[.]net - Investment scam domain
    • wirbeldappix[.]ch - Investment scam domain
    • au[.]lpa1[.]star-boostmedia[.]com - AI-themed fake news campaign domain (Localized)
    • pl[.]star-boostmedia[.]com - AI-themed fake news campaign domain (Localized)
    • pol[.]star-boostmedia[.]com - AI-themed fake news campaign domain (Localized)
    • lumitexchainai[.]com - AI-themed fake news campaign domain
    • lumitexaihub[.]com - RDGA pattern domain (lumitex + AI/X suffix)
    • lumitexaicloud[.]com - RDGA pattern domain (lumitex + AI/X suffix)
    • lumitexsyncai[.]com - RDGA pattern domain (lumitex + AI/X suffix)
    • lumitexstackai[.]com - RDGA pattern domain (lumitex + AI/X suffix)
    • lumitexinsightai[.]com - RDGA pattern domain (lumitex + AI/X suffix)
    • lumitexconnectx[.]com - RDGA pattern domain (lumitex + AI/X suffix)
    • lumitexlaunchx[.]com - RDGA pattern domain (lumitex + AI/X suffix)
    • lumitexgridx[.]com - RDGA pattern domain (lumitex + AI/X suffix)
    • lumitexbasex[.]com - RDGA pattern domain (lumitex + AI/X suffix)
    • lumitexflowx[.]com - RDGA pattern domain (lumitex + AI/X suffix)
    • echoatt[.]com - RDGA pattern domain (ATT prefix/suffix)
    • rocketatt[.]com - RDGA pattern domain (ATT prefix/suffix)
    • tradefyatt[.]com - RDGA pattern domain (ATT prefix/suffix)
    • profitlyatt[.]com - RDGA pattern domain (ATT prefix/suffix)
    • igniteatt[.]com - RDGA pattern domain (ATT prefix/suffix)
    • autopilotatt[.]com - RDGA pattern domain (ATT prefix/suffix)
    • wizardatt[.]com - RDGA pattern domain (ATT prefix/suffix)
    • quietbotatt[.]com - RDGA pattern domain (ATT prefix/suffix)
    • autotradeatt[.]com - RDGA pattern domain (ATT prefix/suffix)
    • attgenius[.]com - RDGA pattern domain (ATT prefix/suffix)
    • tradingideasai[.]com - RDGA domain leveraging subdomains for language targeting
    • tradingideasfromai[.]com - RDGA domain leveraging subdomains for language targeting
    • star-boostmedia[.]com - RDGA domain leveraging subdomains for language targeting
    • 5000-giftcardswb[.]ru - FishSteaks giveaway scam domain
    • yourluckycard[.]ru - FishSteaks giveaway scam domain
    • nestledawn[.]org - Tech Support Scam domain
    • financialmatcher[.]com - WickedWally debt relief scam domain
    • northernavenue[.]info - FaiKast Gen AI broadcast persona impersonator domain
    • fzclbsmartcbeaa[.]com - FaiKast Gen AI broadcast persona impersonator domain
    • mcdpwmachineylpdn[.]com - FaiKast Gen AI broadcast persona impersonator domain
    • funds-treasure[.]com - FaiKast Gen AI broadcast persona impersonator domain
    • vwyitsensorjieho[.]com - FaiKast Gen AI broadcast persona impersonator domain
    • funds-allowance[.]com - FaiKast Gen AI broadcast persona impersonator domain
    • cash-revenue[.]xyz - FaiKast Gen AI broadcast persona impersonator domain
    • cognithic[.]com - FaiKast Gen AI broadcast persona impersonator domain
    • thrygate[.]com - FaiKast Gen AI broadcast persona impersonator domain
    • logithrive[.]com - FaiKast Gen AI broadcast persona impersonator domain
    • yoxjsensordkzb[.]com - FaiKast Gen AI broadcast persona impersonator domain
    • ggkngpssanil[.]com - FaiKast Gen AI broadcast persona impersonator domain
    • zoizagricultureciva[.]com - FaiKast Gen AI broadcast persona impersonator domain
    • tmgmaiwwta[.]com - FaiKast Gen AI broadcast persona impersonator domain

Related