The Cloak and the Dagger: How Google and Cloudflare Missed a Global Phishing Empire
The article reveals that platforms such as Google Cloud and Cloudflare have long failed to stop large-scale phishing and brand-impersonation campaigns, leading to the abuse of 48,000 virtual hosts. Because they did not act in time, these platforms are regarded as potential accomplices. Well-known companies such as Lockheed Martin became targets through lax monitoring. The research shows that this activity has continued for more than three years and involves illegal content and malware distribution. 2025-9-3 04:30:44 Author: reporter.deepspecter.com (view original) Views: 47

Deep Specter Research

Intro

First, we examine Google and Cloudflare as infrastructure providers with broad operational reach. Their services power a significant portion of the internet, and with that reach comes a correspondingly wide scope of responsibility. When these platforms enable long-term abuse, such as cloaked phishing sites or illegal operations (e.g. APT41 Group tactics), their role shifts from passive intermediary to potential enabler. This is especially true when threat intelligence sources have already flagged the relevant infrastructure identifiers (e.g., domains, IPs, certificates) as malicious and no action is taken. We are aware of Cloudflare’s policy and Google’s shared responsibility model, but since these organizations practically route most of the internet, we believe their inaction may be interpreted as willful blindness.

Second, we address a vendor like Lockheed Martin, a company with substantial national security relevance and public trust. As a defense contractor and prominent publicly traded entity, Lockheed Martin has both the visibility and technical capability to detect cloned or spoofed versions of its digital assets — as we ourselves have identified. From this standpoint, we believe Lockheed Martin and other similar companies should implement stronger monitoring and proactive detection mechanisms to prevent abuse like phishing, brand hijacking, or impersonation. In our view, this is not just a technical gap, but a responsibility tied to their status and trust profile.

Executive Summary

Deep Specter Research exposes a multi-year, industrial-scale phishing and brand impersonation scheme operating for over 3 years on Google Cloud (Nasdaq:GOOG) and Cloudflare (NYSE:NET) platforms. Despite repeated alerts, these tech giants failed to act, exposing public companies to millions in potential regulatory penalties. This failure constitutes industry-wide willful blindness. Key findings:

  • 48,000 hosts, >80 clusters abusing high-trust expired domains
  • Multiple impersonations of Fortune 500 companies incl. Lockheed Martin
  • Malware and gambling content served from brand-trusted resources
  • Cloaked sites receive traffic from Google, Meta, Android apps
  • Cloudflare & Google failed to respond despite >265 public detections
  • Potential GDPR, DMCA, and FTC exposure for involved companies

What happens when a forgotten domain resurfaces — not as a blank page, but as a perfect clone of a Fortune 500 defense contractor?

We uncovered a large-scale, cloud-hosted infrastructure that hijacks abandoned or expired domains, then pairs them with cloned websites of major global brands — including Lockheed Martin and many other US and non-US companies. These clones aren’t theoretical risks. They’ve been live, undetected, and interacting with users and malware for years.

But the real issue isn’t just technical. It’s business-critical:

Many of the cloned sites still load resources from the original brand’s cloud infrastructure — meaning the original brand may actively be serving content to a malicious impersonator

From a legal and regulatory standpoint, this creates significant liability. Not only is the impersonation possible, but it continues with the unintentional assistance of the original asset owner. This suggests a failure to monitor and raises serious questions about due diligence, data protection, and customer safety.

At Deep Specter Research, we don’t just surface security anomalies.

We translate technical findings into business vulnerabilities and regulatory exposure — assigning real-world accountability to organizations who fail to take reasonable steps to protect their digital assets.

We work closely with legal experts and privacy advocates to ensure the public is informed, regulators are aware, and enterprises are held responsible.

The Research

Several years ago, I was a fan of fighter jets. I collected their pictures and figures, constructed them from LEGO and, of course, read news about them. My favorite movie was “Top Gun”, and I watched both (the old and the new one) at least 5 times.

One of the sources constantly providing pictures and news was this Facebook page (100K subscribers):


military fighter jets facebook community

They also had a website, although it seems that in 2022–2023 most people viewed their Facebook page instead:

militaryfighterjet[.]com


military fighter jets site

All was good until 2024-09-14 18:00:32 (last September).

What happened is that their “DNS record expired” approximately 2 months before that. In other words, somebody “forgot to pay the bill”, causing them to lose ownership of the domain militaryfighterjet[.]com; the domain went “on sale” and was bought by somebody else.

This happens sometimes. Not too often, but it happens.

What followed, however, was highly unusual.

On 2024-09-16 14:49:50 this domain started to show this “168 Lottery Results” gambling page:


when accessed directly using desktop browsers…

But when you search for this domain in Google:


or when accessed from mobile devices, or just by adding “/index-2.html” to the domain address:


This is clearly a clone of Lockheed Martin’s site!

This means that whoever acquired militaryfighterjet[.]com is now showing there a clone of the Lockheed Martin website (including login pages for employees and partners) and a gambling website at the same time!

This is something called “Cloaking”.

It is a black-hat SEO (Search Engine Optimization) technique in which the content presented to search engine crawlers (like Googlebot) differs from the content presented to human users. The main goal is to manipulate search engine rankings or to hide illicit content from detection.

The software under the “cloak” checks the User-Agent header and other fingerprints to decide whether the visitor is a bot or a real user (sometimes even which country it comes from) and serves different content accordingly: sanitized content to crawlers and illicit content to real users.
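To make that check concrete, here is an added Python example (not from the original article): it fetches the same URL as a crawler, a desktop browser and a phone and compares the visible words each identity receives. The user-agent strings, the sample pages and the similarity threshold are constructed assumptions.

```python
import hashlib
import re
import urllib.request

# Client identities to compare; the UA strings are illustrative (constructed), not canonical.
PROFILES = {
    "googlebot": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
    "desktop": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0 Safari/537.36",
    "mobile": "Mozilla/5.0 (Linux; Android 13) AppleWebKit/537.36 Chrome/120.0 Mobile Safari/537.36",
}

def tokens(html: str) -> set:
    """Visible words of a page, lower-cased, with scripts, styles and tags stripped."""
    html = re.sub(r"(?is)<(script|style)\b.*?</\1>", " ", html)
    text = re.sub(r"(?s)<[^>]+>", " ", html).lower()
    return set(re.findall(r"[a-z0-9']+", text))

def similarity(a: set, b: set) -> float:
    """Jaccard overlap of two word sets: 1.0 means the same vocabulary, 0.0 nothing shared."""
    return len(a & b) / len(a | b) if (a | b) else 1.0

def assess(variants: dict, threshold: float = 0.5) -> dict:
    """Given {profile: html}, report each variant's title, content hash and word overlap
    with what the crawler saw. A human view that barely overlaps the crawler view is the
    cloaking signature; the threshold is a judgment call (A/B tests and localisation also
    lower overlap), so treat a hit as a lead to verify by hand, not a verdict."""
    words = {k: tokens(v) for k, v in variants.items()}
    crawler = words.get("googlebot", next(iter(words.values())))
    report, worst = {}, 1.0
    for k, html in variants.items():
        score = similarity(crawler, words[k])
        worst = min(worst, score)
        t = re.search(r"(?is)<title>(.*?)</title>", html)
        report[k] = {"title": t.group(1).strip() if t else "",
                     "sha256": hashlib.sha256(html.encode()).hexdigest()[:16],
                     "similarity_to_crawler": round(score, 2)}
    report["suspect_cloaking"] = worst < threshold
    return report

def fetch_variants(url: str, timeout: float = 10.0) -> dict:
    """Fetch the same URL once per profile (network access; not used by the self-check).
    Cloaks may also key on client IP, geography or Referer, so a clean result from one
    vantage point does not prove the site is honest."""
    out = {}
    for name, ua in PROFILES.items():
        req = urllib.request.Request(url, headers={"User-Agent": ua, "Accept": "text/html"})
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            out[name] = resp.read().decode("utf-8", "replace")
    return out

# Constructed sample reproducing the article's pattern: crawler and phone get the clone, desktop gets the lottery.
CLONE = ("<html><head><title>Defense Contractor - Home</title></head><body><h1>Aerospace and "
         "defense solutions</h1><p>Fighter aircraft, missiles, space systems and careers.</p></body></html>")
LOTTERY = ("<html><head><title>168 Lottery Results</title></head><body><script>track()</script>"
           "<p>Bet now! Today's winning numbers and jackpot odds.</p></body></html>")
SAMPLE = {"googlebot": CLONE, "desktop": LOTTERY, "mobile": CLONE}

if __name__ == "__main__":
    print(assess(SAMPLE))
```

Run `assess(fetch_variants("https://<suspect domain>/"))` to apply it to a live host; the “/index-2.html” path variation described above is a second URL to feed in the same way.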

This is a problematic and punishable practice:

  • Violation Of Search Engine Guidelines — Cloaking is a direct violation of Google’s Webmaster Guidelines and similar policies from other search engines. Sites caught cloaking can face severe penalties, including being de-indexed (removed entirely from search results).
  • Deceptive User Experience — It creates a misleading and frustrating experience for users who expect to see one type of content but are presented with something entirely different, often unwanted or harmful.
  • Security Risks — Copied sites used in cloaking can also pose security risks to visitors, potentially hosting malware or phishing attempts.

The Brand Reputation

There can be significant brand damage for the owner of the copied site, even if they are unaware of the cloaking taking place:

SEO Penalties and Loss of Visibility

  1. Duplicate Content Issues: Search engines like Google actively penalize duplicate content. If the “known brand’s” legitimate content is copied and hosted elsewhere, Google’s algorithms might see it as duplicate and struggle to determine the original source. This can lead to the original site being de-ranked, losing its hard-earned visibility in search results.
  2. “Spammy Association” — If the copied content is associated with a site that also hosts gambling (or other illicit) content, search engines might flag the entire domain as low-quality or spammy. This negative association can indirectly harm the reputation of the legitimate brand in the eyes of search engines, even if their site isn’t directly involved in the gambling.

Erosion of Trust and Reputation

  1. User Confusion — If users stumble upon the copied content on the gambling domain (even if it’s eventually redirected or hidden), it can create confusion. They might wonder why a reputable brand’s content is appearing on such a site, leading to a loss of trust in the original brand.
  2. Association with Illicit Activities: The most significant damage is the potential association with gambling or other undesirable activities. Even if the brand is completely innocent, the mere presence of their content on a site promoting illegal or unethical activities can tarnish their image and reputation. Consumers might mistakenly believe the brand is involved or endorses such content.
  3. Perception of Weak Security: If a brand’s content can be easily scraped and used for malicious purposes, it might suggest to customers (and even competitors) that the original brand’s website security is lax. This can erode confidence in the brand’s ability to protect its own assets and, by extension, customer data if they engage with the brand online.

Financial Losses

  1. We identify a clear risk that this systemic willful blindness may result in substantial exposure under GDPR and SEC disclosure requirements. By prioritizing continued revenue from these clients over the immediate termination of accounts engaged in malware and gambling campaigns, service providers could be seen as enabling persistent regulatory violations and consumer harm.
  2. Lost Traffic and Revenue — If the original site is de-ranked due to duplicate content, it loses organic search traffic, which can directly translate to lost leads, sales, and advertising revenue.
  3. Brand Dilution: When a brand’s unique content appears on multiple, unrelated sites, it dilutes the brand’s identity and makes it harder for consumers to associate that content solely with the legitimate brand.
  4. Legal Costs (if they pursue action) — While the original brand is the victim, they might incur significant legal costs if they decide to pursue a Digital Millennium Copyright Act (DMCA) takedown notice or other legal action to have the copied content removed.

Difficulty in Monitoring and Enforcement

  1. Hidden Cloaking — Cloaking makes it harder for the legitimate brand to even discover that their content is being used in this way, as the deceptive site might only show the “clean” version to them or their monitoring tools.
  2. Ongoing Battle — Even if they manage to get the content removed from one site, determined scrapers or black-hat SEOs might simply copy it to another, creating an ongoing “whack-a-mole” problem for the brand.

So, how big is this problem? Let’s see.

When we discovered this (only this year), we immediately looked at the source code and saw the “how” and “when”:


HTTrack Website Copier/3.x [XR&CO'2014], Mon, 16 Sep 2024 19:45:00 GM

HTTrack is one of the oldest website copying tools available. It is software that lets you copy an entire website, with all its images, scripts and so on.

Now that we know “how”, maybe we can find “where”?


A quick check reveals that this IP has 414 or more domains resolving to it (historically).

Let’s introduce another great service: Censys.io:


So we now know that this is a Google Cloud IP, which has hosted this clear violation of Lockheed Martin’s brand rights for almost a year, undetected. Perhaps they hadn’t noticed… Let’s tell them (and we did).


We continued investigating

We isolated properties which are unique to this “cloaking effort” and searched for them in Censys.io:

  • we found 86 physical IP addresses, all hosted on Google Cloud (Hong Kong, Taiwan)
  • the entire infrastructure contains 44K virtual IP addresses from Google Cloud and 4K from other hosting providers (new cloned sites now show up on CloudFlareNet)
  • virtual hosts are organized in 86 clusters; each physical host is the managing host of its cluster
  • 8 physical hosts are upper-tier management, managing the cluster managers
  • the other 78 physical hosts are “regular” clusters
  • they use cloned content of 200 known organizations
  • all industries are targeted (military, healthcare, manufacturing, even “cat pics forums” and “cat food shops”)

All of this is growing and changing dynamically, with cloned websites rolled between hosts.

This is big and costly infrastructure (table created using Censys.io):


It is clear that Google Cloud is the major platform. Others are used as a testing ground, for administration, or for specific targeting.

On some hosts, port 80 displays:


Note: This aaPanel reference will be relevant in future investigations. It is widely used by various malicious-services platforms.

Again, using ZoomEye.ai, we created a graph that shows the number of observations of one cluster. More observations mean a more active cluster.


By creating a profile for such activity and looking for it in historical data, we detected the following.

Some findings from 2021 (34 hosts, 56 observations):

www.style-files.com mirror hosted as m[.]fjwjygr[.]com on 2021-07-04 10:45:11
...
zenfolio.com mirror hosted as gkpot[.]com 2021-12-21 18:37:42

Some findings from 2022 (663 hosts, 6,444 observations):

icicilombard.com mirror hosted as 0598998[.]com 2022-01-06 04:55:46
...
colorbarcosmetics.com mirror hosted as busancvb[.]org on 2022-12-31 01:21:40

The last quarter of 2022 was a record-shattering period for phishing. The APWG (Anti-Phishing Working Group) observed over 1.35 million total phishing attacks in Q4 2022, a new quarterly high. The number of observations in November is 60 times higher than in October. The number of hosts involved increased 7.5 times.

Some findings from 2023 (3,012 hosts, 48,830 observations, 8 detected as malicious):

artannapola.com mirror hosted as artannapola[.]com on 2023-01-01 07:35:54
...
watchfinder.co.uk mirror hosted as letfreedomsingfestival[.]org on 2023-12-31 14:05:05

May 2023 (the month of the “MOVEit Transfer Zero-Day Exploitation”) shows a 244-fold increase in observations and a 22-fold increase in the number of hosts.

  • 2024: 1,217 hosts (14,809 observations, 8 identified as malicious). After the “ALPHV/BlackCat Ransomware Disruption” at the end of 2023, the infrastructure looks like it was kept on a “low flame”, without spikes of activity (a 2-fold drop in the number of hosts and a 7.2-fold drop in observations). Activity resumed in August (2 times more hosts, 3 times more observations) and in December (2 times more hosts, 5 times more observations).
  • 2025: 2,791 hosts (56,075 observations, 3 identified as malicious). March registered the all-years maximum: 33,890 observations, 1,997 hosts. Multiple breaches occurred in March, such as the “GitHub Actions Supply Chain Attack” and the “Oracle Cloud Breach”.


The trend in the graph: hosts as the main line, the other series overlaid and normalized (2021–2025)

Each domain they use to serve a cloned website is carefully picked from those available, selecting only ones with high reputation, live Facebook communities and so on. It also MATCHES the cloned website by content or industry (technically by keywords), hence:

militaryfighterjet[.]com ⇒ lockheedmartin.com

We collected a comprehensive list of organizations impacted, both those whose website was copied and those whose domain was taken over to host such a copy. Among them are private companies and publicly traded ones, government-related organizations, communities, and many others.

Some domains included in this “cloak” were simply “abandoned” by their owners and keep showing their original content, so for unsuspecting visitors nothing changed…

So, you’ve found cloaked websites?

We will answer:

  • the scale — 48K active virtual hosts/domains
  • the time — 4 years at least
  • the abuse of copied brands (many well-known and large brands are in the victim list)
  • the abuse of trustworthy hosting solutions like Google Cloud and CloudFlareNet, and their failure to detect this
  • a carefully picked tandem of cloned website and the domain that now serves it
  • a unified scripting infrastructure supporting all of this
  • gambling content that can be illegal in some countries, and under this cloak can be accessed freely
  • communication to and from this infrastructure by confirmed malware (Windows executables and Android applications)
  • the activity of these websites correlates with malware campaigns worldwide
  • the main core of this platform is evolving continuously, and we have already counted more than 7 generations of it
  • the biggest “cluster” of hosts showing the same cloned content of one organization contains almost 6,000 virtual hosts! This means that this organization’s name is being used in a super-massive phishing campaign right now. It may also be true that this is the Next Big Breach.
  • we assume that this is a very successful phishing-as-a-service platform.

We have a feeling that this “gambling” page is itself just another “cloak”, hiding something completely different beneath.

It looks like the gambling content is taken from here:


and any time you press “Bet Now” it leads you to one of the “dead end” domains like this:


What do you think? Please share your ideas with us!

All this makes this effort the work of an INDUSTRY-level player (Phishing as a Service).

Few actors have the resources to execute this at such scale (both time and size).

This infrastructure operated in plain sight — seen by everyone, noticed by no one, until we came.

Google, Cloudflare, Lockheed Martin and other big companies were helpless for almost 4 years, unable to detect the abuse of their own infrastructure.

You may ask, “Maybe this was so hard to detect that no one could? Maybe no one complained?”

There is a wonderful resource called urlquery.net, where people check potential phishing links. On this resource alone there were 39 checks of this infrastructure in 2023, 91 in 2024, and 135 this year already.

Additionally, in many cases HTTrack does not copy external resources. For example, when the copied website uses the victim organization’s logo image stored in an Amazon S3 bucket, or even Google Analytics, that resource is not copied; a link to it is left instead (just as on the original website). This allows victims whose website was cloned to identify the clones by examining the HTTP headers of incoming requests for such resources:

GET /<victim domain>/fonts/<some font specific to Victim>.woff2 HTTP/1.1
Host: s3.amazonaws.com
Accept: application/font-woff2;q=1.0,application/font-woff;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: identity
Origin: <cloaked domain>
DNT: 1
Connection: keep-alive
Referer: <cloaked domain>
Sec-Fetch-Dest: font
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache

If only organizations simply collected and analyzed the HTTP headers of requests for such external resources…
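As an added illustration (not part of the original article), this Python script performs exactly that analysis over a few constructed access-log lines, attributing every asset request to the site that embedded it via the Origin or Referer header and flagging sites the brand does not own. The brand host names, the log layout and the cloaked domain name are placeholders.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Hosts the brand itself serves pages from (constructed placeholder names).
OWN_HOSTS = {"www.example-brand.com", "example-brand.com", "careers.example-brand.com"}

# Combined log format with the request's Origin header appended as a final quoted field
# (constructed layout; adapt the regex to your CDN or bucket access-log format).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<origin>[^"]*)"$'
)

def host_of(url: str) -> str:
    """Host part of a Referer/Origin value; '' when the header was absent ('-') or malformed."""
    if not url or url == "-":
        return ""
    return (urlsplit(url).hostname or "").lower()

def find_clone_candidates(lines, own_hosts=OWN_HOSTS):
    """Group asset requests by the foreign site that embedded them. Origin is preferred because
    it is sent on CORS fetches such as fonts even when Referer is trimmed; a site we do not own
    that keeps hotlinking our fonts and logos is, in the pattern described above, a clone to
    investigate. Returns ({host: summary}, number_of_unparsed_lines)."""
    hits = defaultdict(lambda: {"count": 0, "paths": set(), "ips": set()})
    unparsed = 0
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            unparsed += 1          # count rather than crash; a real pipeline alerts on this
            continue
        src = host_of(m["origin"]) or host_of(m["referer"])
        if not src or src in own_hosts:
            continue               # no attribution, or our own pages: not interesting here
        hits[src]["count"] += 1
        hits[src]["paths"].add(m["path"])
        hits[src]["ips"].add(m["ip"])
    return {h: {"count": r["count"], "paths": sorted(r["paths"]), "ips": sorted(r["ips"])}
            for h, r in hits.items()}, unparsed

# Constructed sample: our own page, a cloaked copy on a hijacked domain (placeholder name),
# a request with no attribution, and one malformed line.
SAMPLE_LOG = [
    '203.0.113.5 - - [16/Sep/2024:19:45:00 +0000] "GET /fonts/brand-sans.woff2 HTTP/1.1" 200 41200 '
    '"https://www.example-brand.com/" "Mozilla/5.0" "https://www.example-brand.com"',
    '198.51.100.7 - - [16/Sep/2024:19:46:10 +0000] "GET /fonts/brand-sans.woff2 HTTP/1.1" 200 41200 '
    '"https://cloaked-domain.example/index-2.html" "Mozilla/5.0" "https://cloaked-domain.example"',
    '198.51.100.7 - - [16/Sep/2024:19:46:11 +0000] "GET /img/logo.svg HTTP/1.1" 200 9100 '
    '"https://cloaked-domain.example/index-2.html" "Mozilla/5.0" "-"',
    '198.51.100.9 - - [16/Sep/2024:19:50:02 +0000] "GET /img/logo.svg HTTP/1.1" 200 9100 '
    '"https://cloaked-domain.example/login.html" "Mozilla/5.0" "-"',
    '192.0.2.44 - - [16/Sep/2024:19:51:30 +0000] "GET /img/logo.svg HTTP/1.1" 200 9100 "-" "curl/8.4" "-"',
    'this line is garbage',
]

if __name__ == "__main__":
    report, bad = find_clone_candidates(SAMPLE_LOG)
    print(report, "unparsed lines:", bad)
```

A foreign host that shows up here with several IPs and a login-page Referer is worth a manual visit with the cloaking check, since a Referer can be forged but a cloned site that needs your fonts to render has little reason to do so.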

P.S. Interestingly, only 1,000 of the 48K hosts in this infrastructure use HTTPS. But those that do have these TLS fingerprints:

JARM: 3fd3fd0003fd3fd21c42d42d000000bdfc58c9a46434368cf60aa440385763
TLSv1.3:
ja3s: 15af977ce25de452b96affa2addb1036
ja4s: t130200_1302_a56c5b993250
TLSv1.2:
ja3s: 76d88c75d798a42d6ea08ab2b9006623
ja4s: t120300_cca8_eac207b63351
TLSv1.1:
ja3s: f43f6aaa857b937a9728a6760c1cb77e
ja4s: t110300_c013_eac207b63351

which look like a match for a Sliver malware C2 server.


Source: https://reporter.deepspecter.com/the-cloak-and-the-dagger-how-google-and-cloudflare-missed-a-global-phishing-empire-ed7176ebf82f