Infoblox Uncovers Keitaro Abuse in Cybercrime
News Desk

Infoblox has revealed new research showing how cybercriminals are abusing Keitaro, a widely used advertising performance tracker, to hide scams and malware behind normal web traffic. The study, conducted with Confiant, highlights how attackers cloak malicious activity and often pose as AI investment opportunities.

Moreover, cloaking has become a core element of modern cybercrime. It allows malicious websites to appear safe to users and security systems. The joint research offers the first longitudinal analysis of how a commercial tracker like Keitaro Tracker is exploited by threat actors.

Over a four-month period, starting October 1, 2025, researchers identified around 15,500 domains linked to malicious Keitaro instances. These domains used cloaking to redirect victims to scams and information-stealing malware. At the same time, they displayed harmless content to others. Traffic to these domains came from compromised websites, spam, social media, and online advertisements.

In addition, the findings show that many cybercriminals no longer build their own infrastructure. Instead, they rely on commercial tracking tools like Keitaro. Its self-hosted design, advanced features, and easy deployment make it attractive to both marketers and attackers. Although Keitaro no longer supports cloaker integrations, threat actors continue to misuse its capabilities.

Furthermore, the research confirms that domain cloaking, enabled through traffic distribution systems and cloaking kits, is now a key part of cybercriminal operations. It helps attackers bypass ad restrictions, target victims more effectively, and even hide activities from other threat actors.

Notably, AI-branded investment scams have emerged as the dominant threat category. Many scam pages promote “Smart AI Trading Technology” or “Intelligent Trading Solutions,” claiming automated trading and high returns. These campaigns often include deepfake images or videos to increase credibility. Researchers also observed the use of generative AI to create large volumes of scam content, including headlines, text, and visuals.

Meanwhile, the collaboration between Confiant and Infoblox provided a broader view of the threat landscape. Confiant offered visibility into the advertising ecosystem, while Infoblox analyzed threats at the DNS level, supported by spam and web content analysis. This combined approach revealed the scale and complexity of the ecosystem.

“For years, Keitaro has appeared in individual investigations, but no one assessed its overall impact,” said Dr. Renée Burton, Vice President of Infoblox Threat Intel. “We found it frequently in malicious campaigns. However, the issue extends beyond Keitaro to a wider ecosystem used by attackers globally.”

The research marks the first part of a three-part blog series. It focuses on AI-driven lures and Keitaro-based routing. Upcoming parts will examine additional fraud schemes and how coordinated vendor efforts can disrupt such abuse. Overall, the findings underscore the growing role of Infoblox in exposing large-scale cyber threats.