Operation TrustTrap represents a massive coordinated phishing infrastructure campaign comprising more than 16,800 malicious domains active since early 2026 that impersonates government services across the United States, India, Vietnam, and the United Kingdom. Operation TrustTrap targets government, defense, diplomatic, transportation, Department of Motor Vehicles (DMV), toll payment, and healthcare sectors through sophisticated domain spoofing techniques rather than relying on traditional technical exploits. The Operation TrustTrap campaign weaponizes the visual trust of the “.gov” string by embedding government labels as non-root subdomain components, combined with hyphen manipulation and benign-word insertion to defeat regex-based detection while remaining legible to human readers who believe they are visiting legitimate government websites.
Operation TrustTrap spoofed portals resolve to infrastructure concentrated in Tencent Cloud and Alibaba Cloud APAC ASNs (Autonomous System Numbers), indicating centralized hosting infrastructure supporting the massive phishing campaign. A distinct cluster within the Operation TrustTrap dataset, including domains impersonating the National Investigation Agency (NIA) of India, exhibits tactics, techniques, and procedures (TTPs) consistent with the Pakistan-nexus threat actor APT36 (also known as Transparent Tribe, ProjectM, TEMP.Lapis, Mythic Leopard, Copper Fieldstone, Earth Karkaddan, STEPPY-KAVACH, Green Havildar, APT-C-56, Storm-0156, and Opaque Draco).
The Operation TrustTrap campaign begins with bulk-registration of thousands of domains on cheap, disposable top-level domains (TLDs), holding many dormant as a pre-provisioned reserve until campaign waves are triggered. Operation TrustTrap lures are distributed through SMS, email, and adjacent social-engineering vectors, with each link engineered to look like an authentic government URL. Once Operation TrustTrap victims click a lure, they are redirected to spoofed portals hosted on Tencent Cloud and Alibaba Cloud infrastructure that replicate the visual identity of impersonated agencies, presenting fake DMV, toll, or citizen-services payment forms designed to harvest personally identifiable information, payment-card data, and credentials at scale.
Operation TrustTrap Infrastructure and Domain Registration
Operation TrustTrap is a coordinated phishing infrastructure of more than 16,800 malicious domains, active since early 2026, that impersonates government services across the United States, India, Vietnam, and the United Kingdom. The Operation TrustTrap campaign begins not with a technical exploit but with domain registration. Operation TrustTrap operators bulk-register thousands of domains on cheap, disposable TLDs, holding many of them dormant as a pre-provisioned reserve until a campaign wave is triggered.
Operation TrustTrap lures are then distributed through SMS, email, and adjacent social-engineering vectors, with each link engineered to look like an authentic government URL through sophisticated subdomain manipulation. The Operation TrustTrap campaign weaponizes how humans interpret URLs rather than how machines parse them, exploiting the visual trust associated with government identifiers embedded within domain names to bypass both automated detection systems and human scrutiny.
Operation TrustTrap Credential Harvesting Infrastructure
Once an Operation TrustTrap victim clicks a lure, they are redirected to a spoofed portal hosted on infrastructure concentrated within Tencent Cloud and Alibaba Cloud APAC ASN ranges. Active Operation TrustTrap phishing URLs across the infrastructure consistently use a double-query-string parameter pattern that serves as a session-tracking mechanism, assigning unique identifiers to individual victims and monitoring engagement throughout the phishing workflow.
The uniformity of this double-query-string pattern (format: ?var1=xxxxx?var2=xxxxx) across hundreds of Operation TrustTrap URLs confirms a kit-driven, centrally managed operation rather than ad hoc phishing activity. Operation TrustTrap cloned portals replicate the visual identity of the impersonated government agency, often presenting fake DMV, toll, or citizen-services payment forms designed to harvest personally identifiable information, payment-card data, and credentials from victims who believe they are interacting with legitimate government services.
APT36 Attribution and India-Targeted Cluster
The attribution-significant cluster within the Operation TrustTrap dataset narrows the focus to Indian government targets and aligns operationally with APT36, a Pakistan-nexus advanced persistent threat actor with a documented record of targeting Indian government entities, defense personnel, and diplomatic infrastructure. The Operation TrustTrap cluster includes APT36 impersonation domains, such as one masquerading as the National Investigation Agency (NIA) of India, demonstrating the campaign’s focus on high-value intelligence targets.
The random suffix characters in Operation TrustTrap domains mirror the automated domain-generation behavior documented in prior APT36 bulk-registration events, and the shared hosting IPs in Tencent Cloud and Alibaba APAC overlap with APT36 staging infrastructure observed in 2024 and 2025 campaigns. Attribution of the India-targeted Operation TrustTrap cluster to APT36 is assessed at moderate-to-high confidence based on the convergence of campaign overlap, infrastructure reuse, TLD and registrar patterns, India-specific trust-injection cues in the URL structure, and subdomain construction logic consistent with documented APT36 tradecraft.
Operation TrustTrap Operational Objectives
The operational endgame across the broader Operation TrustTrap dataset is credential and payment-data theft at scale, with secondary potential for follow-on intrusion against high-value targets in the APT36 sub-cluster. Because the Operation TrustTrap campaign relies on cognitive deception rather than payload execution, traditional binary-focused detection layers see little to act on during the initial compromise phase.
The Operation TrustTrap kit’s session-tracking parameters and shared cloud-hosting infrastructure are the most reliable pivots for threat hunting and takedown operations across the campaign cluster. The massive scale of Operation TrustTrap, with over 16,800 registered domains, demonstrates significant investment in infrastructure by the threat actors and suggests ongoing campaign operations targeting government service users across multiple countries.
Hunt by eTLD+1, Not by Substring
Reconfigure URL inspection to evaluate the registered eTLD+1 (effective top-level domain plus one level) of every link rather than substring-matching for “.gov” or “.gov.in” strings. Treat any URL where a government label appears as a subdomain of a non-government registered domain as high-risk by default. This fundamental shift in detection logic is necessary to identify Operation TrustTrap domains that embed government identifiers in subdomain positions rather than legitimate top-level domain positions.
Detect the Kit’s Session-Tracking Pattern
Author proxy and SIEM rules that flag URLs containing the characteristic double-query-string pattern ?var1=xxxxx?var2=xxxxx, which has been observed consistently across hundreds of Operation TrustTrap phishing URLs and provides a high-confidence campaign signature. This session-tracking mechanism is a distinctive technical indicator of Operation TrustTrap infrastructure that can be used to identify newly registered domains associated with the campaign.
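The double-query-string signature described in the credential-harvesting section above, and the proxy/SIEM rule this recommendation calls for, can be checked with a few lines of parsing. The following is an added example, not code from the report or from the Uni5Xposure platform; the log format and every hostname and parameter value in it are constructed for illustration and are not indicators from the campaign. The matcher keys on the shape of the query string (a second `?` separating two `key=value` pieces) rather than on the `var1`/`var2` names, because parameter names can be changed far more cheaply than the kit's URL-building logic.

```python
import re
from urllib.parse import urlsplit

# One key=value segment with no '&', '?' or '#' inside it.
SEGMENT_RE = re.compile(r"^[A-Za-z0-9_\-]+=[^&?#]*$")


def has_double_query(url: str) -> bool:
    """True when the query has the ?k=v?k=v shape the report attributes to the kit.

    urlsplit() cuts at the first '?', so a second '?' survives inside .query.
    Every '?'-separated piece must itself look like key=value; a stray '?'
    inside a single value (e.g. '?q=what?&page=2') does not match.
    """
    query = urlsplit(url).query
    if "?" not in query:
        return False
    pieces = query.split("?")
    return len(pieces) >= 2 and all(SEGMENT_RE.match(p) for p in pieces)


def scan_proxy_log(lines):
    """Return (client_ip, url) for each log line whose URL carries the signature.

    Log format is a constructed, space-separated one (assumption for this example):
    <timestamp> <client_ip> <method> <url> <status>
    """
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line: skip it rather than abort the hunt
        client, url = fields[1], fields[3]
        if has_double_query(url):
            hits.append((client, url))
    return hits


# Constructed sample log lines; hostnames and values are illustrative only.
SAMPLE_LOG = [
    "2026-03-04T10:15:22Z 10.0.0.12 GET https://secure-dmv.gov.pay-tolls.bond/pay?var1=a1b2c3?var2=x9y8z7 200",
    "2026-03-04T10:15:40Z 10.0.0.12 GET https://www.example.org/search?q=what?&page=2 200",
    "2026-03-04T10:16:03Z 10.0.0.31 GET https://renew.dmv-gov.online-services.cc/login?sid=7f3e?uid=91ac 200",
    "2026-03-04T10:16:10Z 10.0.0.31 GET https://www.example.org/account?k=v&k2=v2 200",
]

if __name__ == "__main__":
    for client, url in scan_proxy_log(SAMPLE_LOG):
        print(f"ALERT double-query signature client={client} url={url}")
```

Only the first and third sample lines fire: the second carries a literal `?` inside one value and the fourth uses the normal `&` separator, which is the distinction a substring match on `?` alone would miss.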
Strengthen Domain Takedown Workflows
Establish or expand relationships with abuse contacts at Gname.com Pte. Ltd., the .bond and .cc registry operators, and Tencent Cloud and Alibaba Cloud abuse desks to accelerate takedowns of newly identified Operation TrustTrap infrastructure as the campaign continues to evolve. The massive scale of Operation TrustTrap requires coordinated takedown efforts across multiple registrars and hosting providers to disrupt the phishing infrastructure.
Enforce Email and Messaging Authentication on Brand Properties
Government bodies and impersonated brands should enforce DMARC, SPF, and DKIM authentication on official communication channels and publish clear citizen-facing reference URLs to reduce the success rate of look-alike-domain lures used in Operation TrustTrap campaigns. Public awareness campaigns should educate citizens to verify government URLs by checking the registered domain portion of the URL rather than relying on the presence of government keywords anywhere in the hostname.
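A brand owner cannot act on this recommendation without first knowing which of its domains publish weak records, so the following added example (not code from the report or the platform) audits DMARC and SPF TXT records against the enforcing settings. The record strings are constructed samples; `example-agency.gov` is a placeholder, and the checks encode the RFC 7489 defaults (`sp` inherits `p`, `pct` defaults to 100). Fetching the records from DNS is left to the caller so the checks run offline.

```python
def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record ('v=DMARC1; p=...; ...') into a tag -> value dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> list:
    """Return findings for a DMARC record; an empty list means it enforces."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy != "reject":
        findings.append(f"p={policy or 'missing'} does not reject spoofed mail")
    # RFC 7489: sp defaults to the value of p when absent.
    sub_policy = tags.get("sp", policy).lower()
    if sub_policy != "reject":
        findings.append(f"sp={sub_policy or 'missing'} leaves subdomains unenforced")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct} applies the policy to only part of the mail stream")
    if "rua" not in tags:
        findings.append("no rua= address, so spoofing attempts are never reported")
    return findings


def assess_spf(record: str) -> list:
    """Return findings for an SPF record; only a terminal '-all' is fully enforcing."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    last = terms[-1].lower()
    if last == "-all":
        return []
    if last == "~all":
        return ["~all soft-fails unauthorised senders; -all is the enforcing setting"]
    return [f"terminal term '{last}' does not fail unauthorised senders"]


# Constructed sample records for an assumed brand domain.
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc-reports@example-agency.gov"
WEAK_SPF = "v=spf1 a mx +all"
STRONG_SPF = "v=spf1 include:_spf.example-agency.gov -all"

if __name__ == "__main__":
    for label, rec, fn in [("DMARC weak", WEAK_DMARC, assess_dmarc),
                           ("DMARC strong", STRONG_DMARC, assess_dmarc),
                           ("SPF weak", WEAK_SPF, assess_spf),
                           ("SPF strong", STRONG_SPF, assess_spf)]:
        print(label, "->", fn(rec) or "enforcing")
```

DKIM is deliberately not scored here: a DKIM selector record proves a key is published, but only the DMARC alignment result on received mail shows whether it is actually signing, so that check belongs in the DMARC aggregate-report pipeline rather than in a static audit.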
Deploy eTLD+1-Aware Detection Tooling
Replace legacy substring-based phishing filters with detection logic that operates on the public-suffix-list-resolved registered domain, ensuring that subdomain spoofing of government labels is treated as suspicious regardless of how the rest of the hostname is constructed. This technical control addresses the core evasion technique employed by Operation TrustTrap to bypass traditional URL filtering systems.
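The eTLD+1 rule from the "Hunt by eTLD+1" recommendation and the public-suffix-aware tooling described here are the same control, shown below as one added example that is not code from the report or the platform. It embeds a constructed subset of the Public Suffix List (production tooling must load the full, current list from publicsuffix.org), resolves each hostname to its public suffix and registered domain, and flags `gov` appearing anywhere left of a non-government suffix. It goes slightly beyond the text by splitting labels on hyphens as well as dots, so the hyphen-manipulation variants the report mentions are caught too; every sample URL is constructed and `example-state.gov` is a placeholder.

```python
from urllib.parse import urlsplit

# Constructed subset of the Public Suffix List, enough for the samples below.
PUBLIC_SUFFIXES = {
    "com", "net", "org", "cc", "bond", "in", "uk", "vn", "us", "gov",
    "co.uk", "gov.uk", "co.in", "gov.in", "gov.vn", "com.vn",
}
# Public suffixes under which only government bodies can register.
GOVERNMENT_SUFFIXES = {"gov", "gov.uk", "gov.in", "gov.vn"}


def split_host(host: str):
    """Return (subdomain, registered_domain, public_suffix) by longest-suffix match."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in PUBLIC_SUFFIXES:
            if i == 0:
                return "", "", candidate  # the host is itself a public suffix
            return ".".join(labels[: i - 1]), ".".join(labels[i - 1:]), candidate
    # Unknown TLD: fall back to the PSL '*' rule (last label is the suffix).
    return ".".join(labels[:-2]), ".".join(labels[-2:]), labels[-1]


def tokens(name: str) -> set:
    """Split a hostname fragment on both '.' and '-' to defeat hyphen tricks."""
    return {t for part in name.split(".") for t in part.split("-") if t}


def classify(url: str) -> dict:
    """Resolve the registered domain and rate the URL by the report's eTLD+1 rule."""
    host = urlsplit(url).hostname or ""
    sub, registered, suffix = split_host(host)
    is_gov = suffix in GOVERNMENT_SUFFIXES
    # 'gov' anywhere left of a non-government public suffix is the
    # trust-injection pattern the report describes.
    injected = (not is_gov) and ("gov" in tokens(sub) | tokens(registered))
    return {
        "host": host,
        "registered_domain": registered,
        "public_suffix": suffix,
        "is_government": is_gov,
        "risk": "high" if injected else "low",
    }


def naive_substring_check(url: str) -> bool:
    """The legacy heuristic the report warns against: '.gov' anywhere in the URL."""
    return ".gov" in url.lower()


def hunt(urls):
    """Return the registered domains of every high-risk URL, in input order, without duplicates."""
    seen, out = set(), []
    for url in urls:
        info = classify(url)
        if info["risk"] == "high" and info["registered_domain"] not in seen:
            seen.add(info["registered_domain"])
            out.append(info["registered_domain"])
    return out


# Constructed sample URLs; none are indicators from the report.
SAMPLE_URLS = [
    "https://secure-dmv.gov.pay-tolls.bond/pay",
    "https://dmv.example-state.gov/renew",
    "https://renew.dmv-gov.online-services.cc/login",
    "https://shop.example.co.uk/",
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        info = classify(url)
        print(f"{info['risk']:4} registered={info['registered_domain']:22} naive_thinks_gov={naive_substring_check(url)} {url}")
```

The first sample is the instructive one: the substring check reports it as a government link because `.gov` is present, while the eTLD+1 resolver sees that the registrable part is `pay-tolls.bond` and that `gov` is merely a label the registrant controls.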
MITRE ATT&CK tactics: Resource Development; Initial Access; Defense Evasion; Credential Access; Collection; Command and Control.
Representative Domain Samples (from 16,800+ total domains): Massachusetts State Government Impersonation; Arizona State Government Impersonation; North Carolina DOT Impersonation; Generic Government Impersonation. Additional indicator categories: Session-Tracking Pattern; Hosting Infrastructure.
Note: This represents a small sample of the 16,800+ domains identified in Operation TrustTrap. The complete IoC list is available on the Uni5Xposure platform.
https://cyble.com/blog/operation-trusttrap-domain-spoofing-campaign/