
A clone of Lockheed Martin’s site
The research group Deep Specter Research has uncovered a multilayered scheme of phishing and brand impersonation that quietly operated for years on Google Cloud and Cloudflare infrastructure. According to their findings, attackers systematically acquired abandoned or expired domains, populated them with replicas of major corporate websites, and concealed illicit content behind “clean” versions of the pages shown only to search engine crawlers. The researchers stress that both hosting platforms received signals of suspicious activity yet failed to intervene — a lapse that could be interpreted as “willful neglect,” carrying regulatory consequences under GDPR, DMCA, and the FTC.
Among the named targets was Lockheed Martin. The report notes that the domain militaryfighterjet.com lost its owner in September 2024 and, by September 16, was serving a “168 Lottery Results” page to desktop visitors, while simultaneously delivering a convincing replica of Lockheed Martin’s corporate site to mobile users, complete with sections for employees and partners. This technique — known as cloaking — uses scripts to swap content based on the User-Agent and other signals, deceiving bots and real users alike. Within the source code, researchers identified traces of HTTrack with a timestamp of Mon, 16 Sep 2024 19:45:00 GMT. The serving IP, belonging to Google Cloud, hosted hundreds of domains. Both the vendor and the brand holder were notified.
Mapping the infrastructure, the analysts counted 86 physical nodes on Google Cloud (primarily in Hong Kong and Taiwan), around which were deployed roughly 44,000 virtual IPs on GCP and another 4,000 on third-party hosts. Eight nodes served as the upper management layer, while seventy-eight functioned as working clusters. The impersonation campaign targeted at least 200 organizations across industries — from defense and healthcare to niche online forums. Domains were chosen to match the victim’s profile; for instance, militaryfighterjet.com was “attached” to lockheedmartin.com. Some clones continued to pull fonts, logos, or analytics from the legitimate owner’s cloud, creating the paradox of the brand inadvertently serving its own impersonator — and potentially detecting the clone only through anomalous request headers.
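The detection idea in the last sentence above, sketched as an added example (not code from the Deep Specter Research report): scan the brand's own asset-server access log for fonts, logos or analytics scripts requested with a Referer that is not one of the brand's sites. The Combined Log Format input, the `brand.example` and `clone-site.example` hostnames, the asset extensions and the sample lines are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Assumption: registrable domains the brand serves its own pages from (placeholder).
OWN_DOMAINS = ("brand.example",)
# Assumption: asset types a cloned page tends to keep loading from the origin.
ASSET_RE = re.compile(r"\.(?:woff2?|ttf|png|svg|ico|js|css)(?:\?|$)", re.I)
# Combined Log Format: ip - - [ts] "METHOD path proto" status bytes "referer" "ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

def is_own(host):
    return any(host == d or host.endswith("." + d) for d in OWN_DOMAINS)

def foreign_referers(lines):
    """Map each non-brand Referer host to the brand assets its pages loaded."""
    hits = defaultdict(lambda: {"requests": 0, "assets": set(), "clients": set()})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or not ASSET_RE.search(m["path"]):
            continue  # unparsable line, or not a static asset
        host = (urlsplit(m["referer"]).hostname or "").lower()
        if not host or is_own(host):
            continue  # no Referer sent ("-"), or one of the brand's own pages
        entry = hits[host]
        entry["requests"] += 1
        entry["assets"].add(m["path"].split("?", 1)[0])
        entry["clients"].add(m["ip"])
    return dict(hits)

# Constructed sample lines (documentation IP ranges, placeholder hostnames).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2025:10:00:01 +0000] "GET /assets/fonts/brand.woff2 HTTP/1.1" 200 48211 "https://www.brand.example/" "Mozilla/5.0"',
    '203.0.113.21 - - [01/Jan/2025:10:00:04 +0000] "GET /assets/img/logo.svg HTTP/1.1" 200 5120 "http://clone-site.example/employees" "Mozilla/5.0 (iPhone)"',
    '203.0.113.21 - - [01/Jan/2025:10:00:04 +0000] "GET /assets/fonts/brand.woff2 HTTP/1.1" 200 48211 "http://clone-site.example/employees" "Mozilla/5.0 (iPhone)"',
    '203.0.113.88 - - [01/Jan/2025:10:02:30 +0000] "GET /assets/js/analytics.js?v=3 HTTP/1.1" 200 9120 "http://clone-site.example/partners" "Mozilla/5.0 (Android 14)"',
    '198.51.100.9 - - [01/Jan/2025:10:03:00 +0000] "GET /assets/img/logo.svg HTTP/1.1" 200 5120 "-" "curl/8.5.0"',
    '198.51.100.9 - - [01/Jan/2025:10:03:10 +0000] "GET /careers HTTP/1.1" 200 20111 "https://search.example/?q=brand" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for host, e in sorted(foreign_referers(SAMPLE_LOG).items()):
        print(host, e["requests"], sorted(e["assets"]), sorted(e["clients"]))
```

Translation proxies, web archives and page caches also send foreign Referers, so the hosts this returns are leads to triage rather than confirmed clones.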
The activity has been traced back to at least 2021, occurring in waves: phishing reached a record high in late 2022; May 2023 saw a surge linked to MOVEit-related campaigns; and March 2025 marked another peak amid ecosystem-wide incidents. The study connects such operations to traffic originating from Google, Meta, and Android applications, noting correlations with wider malicious campaigns. The largest cluster of clones impersonating a single organization reportedly involved nearly 6,000 virtual hosts. Despite the scale, only about one thousand of the 48,000 nodes employed HTTPS. Some bore TLS fingerprints consistent with command-and-control servers of the Sliver malware framework.
In total, Deep Specter Research documents more than 48,000 hosts, 80+ clusters, tens of thousands of observations spanning 2021–2025, and hundreds of public indicators that, they argue, went unanswered. The researchers describe this as an industrial-scale phishing service built on a unified stack of management tools and cloaking techniques. In their view, infrastructure providers — who carry much of the world’s internet traffic — must enforce stricter monitoring to curb abuse, while major brands such as Lockheed Martin must establish continuous surveillance of impersonations and develop rapid legal and technical countermeasures to disrupt content substitution, illicit crowding, and the hijacking of user trust.