News Security

15,500 Malicious Domains: How Threat Actors Abuse a Popular Ad Tracker for Cloaked AI Investment Scams

Infoblox

Cybersecurity researchers have uncovered a sprawling global network of over 15,500 malicious domains abusing Keitaro, a widely used advertising performance tracker, to cloak large‑scale scams and malware campaigns many disguised as AI‑driven investment opportunities.

The findings come from a first‑of‑its‑kind joint study by Infoblox Threat Intel and Confiant, offering the most comprehensive look yet at how commercial marketing tools are being hijacked by threat actors.

According to the research, cybercriminals are exploiting Keitaro’s routing and traffic‑distribution capabilities to create a two‑layered web presence: benign, harmless content for security scanners and regulators, and highly targeted scam pages for real users. This tactic known as cloaking has rapidly become a cornerstone of modern cybercrime.

“We found Keitaro everywhere in malicious campaigns but the real story is the vast ecosystem enabling cybercriminals to scale attacks globally.”

Dr. Renée Burton, Vice President, Infoblox Threat Intel

Over a four‑month period beginning October 1, 2025, investigators identified thousands of Keitaro-powered infrastructures funnelling victims into AI-branded investment scams, deepfake‑enhanced landing pages, and information‑stealing malware. Much of this traffic originated from compromised websites, spam campaigns, social media promotions and deceptive online ads.

The study notes a sharp rise in scams promising “Smart AI Trading Technology” or “Intelligent Trading Solutions,” many of which used generative AI to automatically produce headlines, visuals, testimonials and lure copy at scale.

Researchers also discovered widespread use of stolen or pirated Keitaro licenses, allowing cybercriminals to deploy sophisticated cloaking and traffic-filtering environments without building custom infrastructure. While Keitaro no longer supports cloaker integrations, its legacy flexibility and ease of deployment continue to make it attractive to both legitimate marketers and malicious actors.

The collaboration between Infoblox and Confiant provided two complementary vantage points: DNS‑based threat visibility and advertising‑supply‑chain intelligence. Together, these revealed a far larger, interconnected ecosystem than previously documented.

Today’s publication marks Part 1 of a three‑part series exploring Keitaro-enabled cybercrime, covering AI‑scaled lures and routing abuse. Future instalments will analyse additional fraud schemes and detail how coordinated vendor action can disrupt this growing threat landscape.

Related posts

Nutanix Enterprise Cloud Index: AI Accelerates Container Adoption in Saudi Arabia as Data Sovereignty Becomes Top IT Priority

Enterprise IT World MEA

Infoblox Uncovers Lurking Lizard Campaign Behind Fake 7-Zip Downloads and Global Criminal Proxy Network

Enterprise IT World MEA

ASUS and Intel Launch AI Lab in Oman to Advance AI Education and Digital Innovation

Enterprise IT World MEA

Leave a Comment