Infoblox Threat Intel and Confiant said cybercriminals are using the Keitaro advertising tracker to conceal scams and malware. Over four months, the researchers identified about 15,500 malicious domains linked to the activity.
The findings suggest growing misuse of commercial marketing software in online fraud, with investment scams framed as AI trading offers emerging as the largest category observed. The same infrastructure also supported information-stealing malware and other fraudulent schemes.
The study examined activity linked to Keitaro Tracker over four months and found thousands of malicious Keitaro instances using domain cloaking. The technique lets operators show harmless content to some visitors, including moderators or security analysts, while redirecting intended targets to scam pages or malware.
Traffic to those operations came from several sources, including compromised websites, spam, social media and online advertising. The two companies said their separate vantage points provided a broader view of how the infrastructure worked, with Confiant tracking activity across the advertising chain and Infoblox analysing DNS, spam and website content.
Commercial Tools
The research argues that many criminal groups no longer need to build dedicated cloaking systems from scratch. Instead, they can buy or pirate software already used by legitimate marketers to manage traffic, test campaigns and track performance.
Keitaro was highlighted because it is widely used as a self-hosted advertising tracker and is relatively easy to deploy. The researchers said threat actors have been able to repurpose some of its features for deceptive routing, even though Keitaro Tracker no longer supports cloaker integrations.
The use of commercial tools reflects a broader shift in cybercrime economics. Ready-made software can lower costs, reduce development time and help operators scale campaigns faster, while making the activity harder to distinguish from ordinary digital advertising traffic.
AI Lures
Among the scam categories identified, AI-branded investment schemes were the most common. Many pages promoted “Smart AI Trading Technology” or “Intelligent Trading Solutions” and claimed automated systems could generate unusually high returns.
Some of those campaigns also used deepfake imagery or video to add credibility. The researchers also saw signs that generative AI may be helping operators produce headlines, marketing copy and images at scale for lure pages and advertisements.
That combination of cloaking and AI-themed branding shows how fraud campaigns are adapting to public interest in new technologies. By wrapping traditional investment scams in the language of automation and machine intelligence, operators may be trying to improve click-through rates and reduce scepticism among potential victims.
Wider Ecosystem
The issue extends beyond one tracker. In the researchers’ view, Keitaro is part of a wider ecosystem of software, hosting, domains, ad distribution and spam delivery that can be assembled into criminal infrastructure.
Cloaking has become a core part of many cybercrime operations because it helps evade advertising and content restrictions, send different users to different destinations and limit visibility into campaigns. It can also prevent one criminal group from easily observing another’s activity.
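One defender-side way to surface the cloaking described above is a differential fetch: request the same entry URL as different client profiles and compare where each one lands and what it is shown. The block below is an added example, not code from Infoblox, Confiant or Keitaro; the profile names, hostnames and HTML bodies are constructed, and the fetching itself is assumed to have already happened (the code only compares the recorded observations).

```python
import difflib
from dataclasses import dataclass
from urllib.parse import urlsplit

@dataclass
class Observation:
    """One fetch of the same entry URL under one client profile (constructed data)."""
    profile: str     # who the fetch presented as, e.g. "security-scanner"
    final_url: str   # where the redirect chain ended for that profile
    body: str        # HTML returned at final_url

def body_similarity(a: str, b: str) -> float:
    """0.0..1.0 similarity of two HTML bodies (difflib ratio)."""
    return difflib.SequenceMatcher(None, a, b).ratio()

def detect_cloaking(observations, min_similarity=0.6):
    """Compare each profile's fetch with the first (reference) fetch.
    Returns (reference_profile, other_profile, reasons) for every profile that
    was sent to a different destination or shown materially different content.
    Query strings are ignored so tracking parameters alone do not trigger it."""
    ref = observations[0]
    ref_dest = urlsplit(ref.final_url)
    findings = []
    for obs in observations[1:]:
        reasons = []
        dest = urlsplit(obs.final_url)
        if (dest.netloc, dest.path) != (ref_dest.netloc, ref_dest.path):
            reasons.append(f"different final destination: {obs.final_url}")
        sim = body_similarity(ref.body, obs.body)
        if sim < min_similarity:
            reasons.append(f"body similarity {sim:.2f} below {min_similarity}")
        if reasons:
            findings.append((ref.profile, obs.profile, reasons))
    return findings

# Constructed observations: a scanner-style client is shown a harmless page while
# a residential-looking client is routed on to an "AI trading" lure.
CLOAKED = [
    Observation("security-scanner", "https://entry.example/go",
                "<html><body><h1>Healthy dinner ideas</h1><p>Ten quick recipes.</p></body></html>"),
    Observation("residential-mobile", "https://lure.example/ai-trading",
                "<html><body><h1>Smart AI Trading Technology</h1><p>Automated returns. Sign up.</p></body></html>"),
]
# Constructed control: both profiles land on the same page (only a timestamp differs).
CONSISTENT = [
    Observation("security-scanner", "https://entry.example/go",
                "<html><body><h1>Healthy dinner ideas</h1><p>Ten quick recipes. 10:01</p></body></html>"),
    Observation("residential-mobile", "https://entry.example/go?utm=1",
                "<html><body><h1>Healthy dinner ideas</h1><p>Ten quick recipes. 10:02</p></body></html>"),
]

if __name__ == "__main__":
    for name, obs in (("cloaked", CLOAKED), ("consistent", CONSISTENT)):
        print(name, detect_cloaking(obs) or "no divergence")
```

In practice the profiles would differ in User-Agent, referrer and source network, and a single divergent fetch is a signal to investigate rather than proof of cloaking, since legitimate geo-targeting and A/B testing also vary content.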
The work on Keitaro also included efforts to disrupt some of the activity and examine the use of stolen licences. That suggests at least part of the abuse relied on pirated or compromised access rather than only legitimate subscriptions.
For ad-tech firms, cybersecurity vendors and internet platforms, the findings add to concerns about how ordinary commercial products can be turned into tools for fraud. The pattern also highlights the growing overlap between ad-tech infrastructure and cybercrime, especially where redirection, audience targeting and performance tracking are involved.
Security researchers have long warned that malicious campaigns increasingly resemble mainstream digital marketing operations. The use of trackers, routing systems, ad creatives and conversion-style optimisation means scams can be tested and refined much like legitimate online advertising.
That can make enforcement harder. If a system is designed for legitimate traffic management, abuse may only become visible when investigators correlate DNS records, ad placements, spam flows and web content over time.
Infoblox and Confiant said their combined analysis provided a fuller picture of the activity than either could alone. By linking internet infrastructure data with visibility into advertising supply chains, they said they were able to trace a broader set of domains and campaigns than a single-source investigation would typically reveal.
“For years, Keitaro has popped up in individual investigations, but no one had stepped back to ask how big the problem really is,” said Dr. Renée Burton, Vice President of Infoblox Threat Intel. “We found that Keitaro frequently appeared in malicious campaigns – but the story really isn’t about Keitaro; they are just one player in an ecosystem that malicious actors are using to scale and target attacks around the globe.”