We've written about Keitaro-based cloaking before, and the investment scam ecosystem abusing it remains as active as ever.
🚨 New campaigns continue to blend fake news/investment opportunity lures with global brand impersonation (SoftBank, Channel NewsAsia, CNN Brasil, etc.), paired with tightly controlled cloaking to target victims by region.
The campaign setup is all too familiar:
- Traffic cloaking with Keitaro: Operators use multiple Keitaro accounts to segment campaigns by geography and filter out non-targeted traffic
- Layered social engineering: Fake media narratives build credibility before directing users to investment or crypto registration forms
- Ad-driven distribution: Campaigns use Facebook and Twitter ads to drive victims to scam pages
- Reusable JavaScript kits: Pages deploy Russian-language scripts with fingerprinting and strict validation checks to vet victims
- TDS routing: TDS redirects funnel users who pass validation to fake or sketchy investment platforms or "advisor callback" pages
The consistency of this approach shows how effective and repeatable these techniques remain for driving victim engagement at scale.
Domain sample: justa-solvendaria-es[.]online, newstable[.]online, newsmini18[.]shop, news66[.]shop, news444[.]shop, news534[.]shop, smartrock24[.]shop, timeshe[.]shop
#dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #scam #keitaro #investmentscam #tds #cloaking
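A way to check resolver logs against the domain sample above, as an added example that is not part of the original post. The log format (timestamp, client, query name, query type) and every log line are constructed for illustration; only the defanged domains come from the post.

```python
# Defanged domain sample copied from the post above.
DOMAIN_SAMPLE = (
    "justa-solvendaria-es[.]online, newstable[.]online, newsmini18[.]shop, "
    "news66[.]shop, news444[.]shop, news534[.]shop, smartrock24[.]shop, "
    "timeshe[.]shop"
)

# Constructed resolver log lines (assumed format: timestamp client qname qtype).
SAMPLE_LOG = """\
2024-01-01T10:00:01Z 10.0.0.5 www.example.com. A
2024-01-01T10:00:02Z 10.0.0.7 news66.shop. A
2024-01-01T10:00:03Z 10.0.0.7 Track.NewsTable.online. AAAA
2024-01-01T10:00:04Z 10.0.0.9 mynews66.shop. A
2024-01-01T10:00:05Z 10.0.0.5 timeshe.shop.example.org. A
"""

def refang(text):
    """Turn a defanged, comma-separated indicator list into a set of domains."""
    return {d.strip().replace("[.]", ".").lower().rstrip(".")
            for d in text.split(",") if d.strip()}

def matched_indicator(qname, indicators):
    """Return the indicator that qname equals or is a subdomain of, else None."""
    labels = qname.lower().rstrip(".").split(".")
    # Walk parent domains label by label so "www.news66.shop" matches
    # "news66.shop", while "mynews66.shop" and "timeshe.shop.example.org"
    # (lookalike or embedded strings) do not.
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in indicators:
            return candidate
    return None

def scan(log_text, indicators):
    """Return (timestamp, client, qname, indicator) for each matching query."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed lines
        ts, client, qname = parts[0], parts[1], parts[2]
        hit = matched_indicator(qname, indicators)
        if hit:
            hits.append((ts, client, qname, hit))
    return hits

if __name__ == "__main__":
    for ts, client, qname, hit in scan(SAMPLE_LOG, refang(DOMAIN_SAMPLE)):
        print(f"{ts} {client} queried {qname} (matches {hit})")
```

Matching on whole labels rather than substrings keeps lookalike names and unrelated parent zones out of the results.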






