Operation TrustTrap: Anatomy of a Large-Scale Deceptive Domain Spoofing Campaign

Executive Summary Cyble Research and Intelligence Labs (CRIL) identified a campaign of over 16,800 malicious domains active since early 2026. It uses a potent technique — embedding government labels as subdomains to fake trust without DNS authority. We have dubbed this 'Operation TrustTrap'. Spoofed portals resolve to infrastructure concentrated across Tencent Cloud and Alibaba Cloud APAC nodes , impersonating citizen-facing government services across several US states, with targeting extending