A Deep Dive into the Triad Nexus Pig Butchering and Money Laundering Network
This talk analyzes the infrastructure of the Triad Nexus, a large-scale criminal network utilizing 'infrastructure laundering' to host pig butchering and money laundering sites. The attacker uses CNAME mapping to rotate IP addresses across bulletproof hosts and major cloud providers like Amazon to evade detection. The research demonstrates how to identify these malicious networks by analyzing CNAME chains, favicons, and shared source code repositories. The speaker emphasizes the importance of cross-organizational threat intelligence sharing to disrupt these persistent criminal operations.
How Infrastructure Laundering Keeps Pig Butchering Networks Online
TLDR: Criminal networks are using CNAME mapping to rotate malicious content across bulletproof hosts and major cloud providers like Amazon to evade detection. By analyzing CNAME chains and shared infrastructure patterns, researchers can identify and map these sprawling networks. This technique, dubbed infrastructure laundering, allows attackers to maintain persistence even when individual IP addresses are blocked.
Security researchers often focus on the payload, but the real resilience of a modern criminal network lies in its infrastructure. The recent research presented at Security BSides 2025 on the Triad Nexus network exposes a sophisticated method for maintaining uptime for pig butchering and money laundering sites. Instead of relying on a single static host, these actors use a technique called infrastructure laundering. They map multiple CNAME records to a rotating pool of IP addresses, effectively creating a bulletproof hosting environment that spans both low-quality providers and major cloud platforms like Amazon Web Services.
The Mechanics of Infrastructure Laundering
At its core, this technique is about decoupling the domain name from the underlying server. When a user visits a site in the Triad Nexus, the DNS resolution process triggers a chain of CNAME lookups. The attacker controls these records, allowing them to point a single domain to different IP addresses at will. If a specific IP is flagged or blocked by a security vendor, the attacker simply updates the CNAME record to point to a fresh, clean IP address.
This is not just about simple redirection. The network uses this to distribute traffic across a global footprint, often leveraging Amazon IP space to gain legitimacy. Because the IP addresses change frequently, traditional IP-based reputation systems fail. A pentester or researcher looking at this traffic sees a legitimate cloud provider, not a malicious actor. The persistence is achieved because the attacker can spin up new infrastructure faster than defenders can blacklist it.
Identifying the Network
Mapping these networks requires looking beyond the IP address. The research highlights three primary indicators that, when combined, reveal the underlying infrastructure:
- CNAME Chains: By monitoring DNS resolution, you can identify the specific CNAME patterns used by the network. These chains often resolve through multiple hops before reaching the final, malicious host.
- Favicon Fingerprinting: Attackers often reuse the same web templates across hundreds of domains. By querying the favicon of a suspicious site, you can often find other domains using the exact same asset, allowing you to cluster them into a single campaign.
- Shared Source Code: Many of these sites are built from the same repository. Finding a GitHub link or a specific comment in the source code can lead you directly to the developer's other projects.
For a researcher, the goal is to find the "anchor" of the network. Once you identify one domain that is part of the Triad Nexus, you can use tools like Silent Push to perform a reverse lookup on the CNAME records. This often reveals thousands of other domains sharing the same infrastructure.
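The chain-walking and reverse-CNAME clustering described above, as an added example that is not from the talk or from Silent Push: it walks a constructed DNS snapshot (all names and addresses are placeholders), finds the CNAME targets shared by several domains, and separately clusters domains by favicon hash.

```python
import hashlib
from collections import defaultdict

# Constructed DNS snapshot for illustration (not real records): name -> (type, value)
RECORDS = {
    "invest-now.example": ("CNAME", "cdn-front.example-edge.net"),
    "crypto-gains.example": ("CNAME", "cdn-front.example-edge.net"),
    "luxury-shop.example": ("CNAME", "edge-pool-7.bp-host.example"),
    "cdn-front.example-edge.net": ("CNAME", "edge-pool-7.bp-host.example"),
    "edge-pool-7.bp-host.example": ("A", "203.0.113.10"),
    "legit-blog.example": ("A", "198.51.100.5"),
}

# Constructed favicon bytes: three sites reuse one template, one does not
FAVICONS = {
    "invest-now.example": b"ICO-template-A",
    "crypto-gains.example": b"ICO-template-A",
    "luxury-shop.example": b"ICO-template-A",
    "legit-blog.example": b"ICO-other",
}

def walk_chain(name, records=RECORDS, max_hops=8):
    """Follow CNAMEs from name to a terminal A record.
    Returns (chain, ip); ip is None on a dead end, a CNAME loop or the hop limit."""
    chain = [name]
    while len(chain) <= max_hops:
        rtype, value = records.get(chain[-1], (None, None))
        if rtype == "A":
            return chain, value
        if rtype != "CNAME" or value in chain:  # missing record or CNAME loop
            return chain, None
        chain.append(value)
    return chain, None  # exceeded max_hops

def cluster_by_cname(domains, records=RECORDS):
    """Reverse the chains: each CNAME target -> the domains that pass through it.
    Targets shared by two or more domains are candidate anchors for one campaign."""
    anchors = defaultdict(set)
    for d in domains:
        chain, _ = walk_chain(d, records)
        for target in chain[1:]:
            anchors[target].add(d)
    return {t: sorted(ds) for t, ds in anchors.items() if len(ds) > 1}

def cluster_by_favicon(favicons=FAVICONS):
    """Group domains by the SHA-256 of the favicon bytes they serve."""
    groups = defaultdict(set)
    for d, data in favicons.items():
        groups[hashlib.sha256(data).hexdigest()].add(d)
    return {h: sorted(ds) for h, ds in groups.items() if len(ds) > 1}
```

With real data, the RECORDS table would be filled from passive-DNS output and FAVICONS from fetched assets; the clustering logic stays the same.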
Practical Application for Pentesters
If you are conducting a red team engagement or a bug bounty hunt, you are likely to encounter these networks when investigating phishing or social engineering campaigns. When you see a site that looks like a generic investment platform or a fake retail store, do not just report the URL. Check the DNS history. If you see a domain that has been switching IP addresses every 24 to 72 hours, you are likely looking at an infrastructure laundering setup.
During an engagement, you can use dig or nslookup to inspect the CNAME chain:
dig +short CNAME example-malicious-site.com
If the result points to a domain that then resolves to a cloud provider IP, you have found the laundering mechanism. The impact of this is significant. It means that even if you take down one site, the attacker has already moved the infrastructure to a new location. The only way to effectively disrupt these operations is to identify the entire cluster and work with the hosting providers to take down the infrastructure at the source.
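The 24-to-72-hour rotation check from the previous paragraph, as an added example (not from the talk): it runs over a constructed passive-DNS history and flags domains whose resolved IP changes repeatedly with a median gap inside the rotation window; the thresholds are assumptions a team would tune.

```python
from datetime import datetime

# Constructed passive-DNS history (not real observations): (domain, first_seen, resolved IP)
HISTORY = [
    ("invest-now.example", "2025-03-01T00:00:00", "203.0.113.10"),
    ("invest-now.example", "2025-03-02T12:00:00", "198.51.100.20"),
    ("invest-now.example", "2025-03-04T08:00:00", "203.0.113.77"),
    ("invest-now.example", "2025-03-06T20:00:00", "192.0.2.9"),
    ("legit-blog.example", "2025-01-01T00:00:00", "198.51.100.5"),
    ("legit-blog.example", "2025-03-01T00:00:00", "198.51.100.6"),
]

def rotation_stats(history, domain):
    """Return (number of IP changes, median hours between changes) for one domain.
    Median is None when the IP never changed."""
    rows = sorted((datetime.fromisoformat(t), ip) for d, t, ip in history if d == domain)
    gaps = []
    for (t0, ip0), (t1, ip1) in zip(rows, rows[1:]):
        if ip0 != ip1:  # only a real address change counts as a rotation
            gaps.append((t1 - t0).total_seconds() / 3600)
    if not gaps:
        return 0, None
    gaps.sort()
    mid = len(gaps) // 2
    median = gaps[mid] if len(gaps) % 2 else (gaps[mid - 1] + gaps[mid]) / 2
    return len(gaps), median

def flag_laundering(history, min_changes=3, max_hours=72.0):
    """Flag domains that rotate IPs at least min_changes times with a median gap
    of max_hours or less (thresholds are assumed defaults, not from the talk)."""
    flagged = {}
    for domain in {d for d, _, _ in history}:
        changes, median = rotation_stats(history, domain)
        if changes >= min_changes and median is not None and median <= max_hours:
            flagged[domain] = (changes, median)
    return flagged
```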
Defensive Considerations
Defenders need to shift from static IP blocking to behavioral DNS analysis. If your organization is seeing traffic to domains that frequently change their CNAME records or resolve to high-risk IP ranges, that traffic should be blocked by default. Furthermore, implementing OWASP best practices for monitoring and logging can help identify when an internal asset is being used to host or interact with these malicious networks.
Collaboration is the only way to win this game. No single security team has the visibility to map the entire Triad Nexus. By sharing threat intelligence about CNAME patterns and infrastructure fingerprints, the security community can force these attackers to constantly rebuild their networks, significantly increasing their operational costs.
The next time you encounter a suspicious domain, look at the DNS chain. You might find that you are not just looking at a single phishing site, but a small, visible piece of a much larger, global criminal operation. Investigating the infrastructure is often more rewarding than analyzing the payload itself.