A large-scale cyber campaign has compromised 163 organisations across more than 30 countries by exploiting abandoned cloud DNS configurations to host Thai-language gambling content on legitimate enterprise domains, according to new research from Cyble Research & Intelligence Labs (CRIL).
The campaign targeted organisations spanning government agencies, healthcare providers, financial institutions, universities and critical infrastructure operators.
Researchers found that 161 of the affected organisations remained actively compromised at the time the report was published.
According to CRIL, the primary attack method involved abandoned Azure DNS delegations. When organisations decommission cloud infrastructure but fail to remove associated DNS records, threat actors can reclaim the orphaned DNS zones under new cloud subscriptions. This allows them to publish content under trusted corporate domains without breaching the organisations' networks.
The researchers identified four compromise methods, with Azure DNS zone takeovers accounting for more than 150 cases. Additional incidents involved abandoned DigitalOcean DNS zones, wildcard DNS misconfigurations and large-scale creation of individual DNS records.
Rather than distributing malware, the campaign focused on search engine optimisation (SEO) poisoning. Attackers deployed Thai-language gambling websites featuring valid TLS certificates, structured search metadata and affiliate links directing users to gambling platforms.
Server-side filtering ensured that only visitors from Thailand were redirected, helping the campaign remain less visible to security researchers.
CRIL also traced the operation to a dedicated backend infrastructure consisting of 103 servers hosted in Hong Kong. Researchers linked the servers through shared certificates, identical TLS fingerprints and common application configurations, suggesting they were operated by a single entity.
The report noted that conventional security tools are unlikely to detect this type of activity because the malicious content is served through trusted domains using legitimate certificates. Instead, CRIL recommends organisations regularly audit cloud DNS delegations, monitor Certificate Transparency logs and remove obsolete DNS records when cloud environments are retired to reduce the risk of similar attacks.
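The delegation audit CRIL recommends can be sketched as follows. This is an added example, not code from the CRIL report: it compares the NS delegations in a parent zone against an inventory of the cloud DNS zones the organisation still holds. The function names, the zone-file input format, the inventory layout and all sample records are constructed assumptions.

```python
import re
from collections import defaultdict

# Nameserver host patterns for the two cloud DNS providers named in the report.
PROVIDERS = {
    "azure-dns": re.compile(r"^ns\d-\d+\.azure-dns\.(com|net|org|info)$"),
    "digitalocean": re.compile(r"^ns\d\.digitalocean\.com$"),
}

def parse_ns_records(zone_text):
    """Return {owner: {nameserver, ...}} from 'owner TTL IN NS target' lines."""
    delegations = defaultdict(set)
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()  # drop zone-file comments
        if len(fields) >= 5 and fields[2].upper() == "IN" and fields[3].upper() == "NS":
            delegations[fields[0].rstrip(".").lower()].add(fields[4].rstrip(".").lower())
    return dict(delegations)

def provider_of(nameserver):
    """Name the tracked provider a nameserver belongs to, or None."""
    return next((n for n, p in PROVIDERS.items() if p.match(nameserver)), None)

def find_stale_delegations(zone_text, inventory):
    """inventory (assumed layout): {zone: nameservers assigned in our own accounts}."""
    findings = []
    for zone, nameservers in sorted(parse_ns_records(zone_text).items()):
        providers = {provider_of(ns) for ns in nameservers} - {None}
        if not providers:
            continue  # not delegated to a tracked cloud DNS provider
        label = "+".join(sorted(providers))
        if zone not in inventory:
            findings.append((zone, label, "orphaned"))  # delegated, but we hold no such zone
        elif not nameservers <= inventory[zone]:
            findings.append((zone, label, "ns-mismatch"))  # points at servers not assigned to us
    return findings

# Constructed sample data for example.org; not taken from the report.
SAMPLE_PARENT_ZONE = """
; constructed records
app.example.org.     3600 IN NS ns1-05.azure-dns.com.
app.example.org.     3600 IN NS ns2-05.azure-dns.net.
legacy.example.org.  3600 IN NS ns1-09.azure-dns.com.
promo.example.org.   3600 IN NS ns1.digitalocean.com.
shop.example.org.    3600 IN NS ns1-03.azure-dns.com.
corp.example.org.    3600 IN NS ns1.example.org.
"""
SAMPLE_INVENTORY = {
    "app.example.org": {"ns1-05.azure-dns.com", "ns2-05.azure-dns.net"},
    "shop.example.org": {"ns1-07.azure-dns.com"},
}

if __name__ == "__main__":
    for finding in find_stale_delegations(SAMPLE_PARENT_ZONE, SAMPLE_INVENTORY):
        print(*finding)
```

Each finding is a delegation to remove from the parent zone or to reconcile with the inventory before the associated cloud environment is retired.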
The findings come amid broader efforts to clamp down on illegal online gambling in Thailand, with authorities having blocked over 158,000 gambling-linked Facebook pages since October 2025 through an expanded partnership with Meta.
The campaign promoted Thai-language gambling sites using affiliate marketing infrastructure, with advertised minimum deposits as low as one Thai baht ($0.03).