A large-scale Thai gambling SEO poisoning operation has compromised 163 organizations across more than 30 countries by exploiting abandoned cloud DNS delegations, according to research from Cyble Research & Intelligence Labs (CRIL).
The ongoing SEO poisoning campaign has affected government agencies, healthcare organizations, financial institutions, universities, and critical infrastructure operators, allowing attackers to host Thai-language gambling content on trusted enterprise domains.
How the SEO Poisoning Campaign Works
Researchers found that the campaign primarily abuses abandoned Azure DNS zone delegations. When organizations retire cloud projects, DNS records that delegate subdomains to Azure are often left behind. Threat actors identify these orphaned delegations, recreate the abandoned DNS zones under new Azure subscriptions, and gain authority over the affected subdomains.
Using this method, the attackers deploy a Next.js-based Thai-language gambling kit protected by valid Let’s Encrypt wildcard certificates. As a result, users, browsers, and search engines see what appears to be legitimate content hosted under trusted corporate domains.
At the time of publication, 161 of the 163 affected organizations remained actively compromised.
Discovery Leads to Global Exposure
The investigation began when CRIL identified unusual DNS activity on a Verizon subdomain environment. Researchers discovered more than 1,000 individually named subdomains serving Thai-language gambling content. Each page contains affiliate links designed to drive user registrations and generate commissions.

Further analysis revealed the same infrastructure and content fingerprints across 162 additional organizations. More than 90 compromised enterprise subdomains shared the same Next.js build ID (QQOrXCFjoI6C9oF-4YVhl), favicon path (/img/ib99-hq.ico), and affiliate redirect destinations.
Four DNS Abuse Methods Identified
The Thai gambling SEO poisoning operation relied on four compromise mechanisms:
- Azure DNS zone takeover: More than 150 organizations were affected through abandoned Azure DNS delegations.
- DigitalOcean DNS zone takeover: Two organizations were compromised using a similar technique.
- Direct wildcard DNS misconfigurations: Two organizations had wildcard records pointing to attacker-controlled infrastructure.
- Mass A-record creation: Verizon’s environment contained over 1,000 individual DNS records directing traffic to gambling content.
Certificate Transparency records showed some abandoned zones had remained dormant for years. One pharmaceutical company’s subdomain had not seen a legitimate certificate since October 2019 before attackers obtained a new certificate on April 11, 2026. Another electronics firm’s platform showed a gap between February 2023 and April 10, 2026.
Monetization and Backend Infrastructure
The SEO poisoning campaign generated revenue through affiliate tracking codes such as “ibiza99vip1,” “bigwinv1,” “seven77vip1,” and “link99.” Researchers observed server-side filtering that verified visitors originated from Thailand before redirecting them to gambling platforms.
The campaign ultimately linked to four gambling destinations: ibiza99.autos, big888.store, seven77.click, and link99.nova555.rest. The gambling pages promoted deposits as low as 1 Thai Baht (approximately $0.03 USD) and included structured SEO content, FAQ schema, and mobile optimization features.
Behind the delivery infrastructure, researchers uncovered a dedicated backend fleet of 103 servers located in Hong Kong under AS398478 (PEG TECH INC). Evidence linking the servers included identical TLS fingerprints, shared certificates, matching HTTP hashes, uniform MySQL configurations, and common administration tools.
Detection and Mitigation
CRIL noted that traditional security tools are unlikely to detect this Thai gambling SEO poisoning activity because the attackers use valid certificates, reputable domains, and clean infrastructure. The researchers recommend continuous monitoring of Certificate Transparency logs, auditing all DNS delegations, and immediately removing abandoned NS records pointing to cloud providers.
According to the report, the campaign demonstrates how a single DNS hygiene failure can be systematically exploited at scale. Rather than breaching networks or applications, the attackers capitalized on forgotten cloud configurations, turning trusted domains into vehicles for a sophisticated SEO poisoning campaign targeting Thai search traffic.
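The delegation audit recommended above can be scripted. The following is an added example, not code from CRIL's report: it reads NS records exported from a parent zone, keeps those that delegate to Azure DNS or DigitalOcean nameservers, and flags any subdomain with no matching zone in the organization's own accounts. The zone data, the inventory, and all names in it are constructed for illustration.

```python
import re

# Nameserver suffixes of the two providers named in the report (Azure DNS, DigitalOcean DNS).
CLOUD_NS = re.compile(r"\.(azure-dns\.(com|net|org|info)|digitalocean\.com)$", re.I)

# Constructed sample: NS records exported from the parent zone example.com (BIND style).
PARENT_ZONE = """\
example.com.          3600 IN NS ns1.registrar-dns.example.
shop.example.com.     3600 IN NS ns1-05.azure-dns.com.
shop.example.com.     3600 IN NS ns2-05.azure-dns.net.
pilot.example.com.    3600 IN NS ns1-33.azure-dns.com.
pilot.example.com.    3600 IN NS ns2-33.azure-dns.net.
lab.example.com.      3600 IN NS ns1.digitalocean.com.
lab.example.com.      3600 IN NS ns2.digitalocean.com.
api.example.com.      3600 IN NS ns1-07.azure-dns.com.
api.example.com.      3600 IN NS ns2-07.azure-dns.net.
"""

# Constructed sample: zones that exist today in the organization's own cloud
# accounts, with the nameservers the provider assigned to each zone.
OWNED_ZONES = {
    "shop.example.com": {"ns1-05.azure-dns.com", "ns2-05.azure-dns.net"},
    "api.example.com": {"ns1-09.azure-dns.com", "ns2-09.azure-dns.net"},
}

def parse_delegations(zone_text):
    """Collect the NS set for every owner name in a BIND-style export."""
    delegations = {}
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) >= 5 and fields[-2].upper() == "NS":
            owner, target = (f.rstrip(".").lower() for f in (fields[0], fields[-1]))
            delegations.setdefault(owner, set()).add(target)
    return delegations

def audit(zone_text, owned_zones):
    """Return {subdomain: finding} for cloud delegations not backed by an owned zone."""
    findings = {}
    for name, ns_set in sorted(parse_delegations(zone_text).items()):
        if not any(CLOUD_NS.search(ns) for ns in ns_set):
            continue  # not delegated to one of the cloud DNS providers
        owned = owned_zones.get(name)
        if owned is None:
            findings[name] = "ORPHANED: no zone in our accounts; remove the NS records"
        elif owned != ns_set:
            findings[name] = "MISMATCH: parent delegates to nameservers our zone does not use"
    return findings

if __name__ == "__main__":
    for sub, why in audit(PARENT_ZONE, OWNED_ZONES).items():
        print(sub, "->", why)
```

In practice the parent-zone export and the owned-zone inventory would come from the DNS provider and the cloud accounts; a MISMATCH finding deserves the same urgency as an ORPHANED one, because the parent is still pointing at nameservers the organization's zone is not served from.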

