Savvy Seahorse, a DNS threat actor, employs sophisticated techniques to lure victims into fake investment platforms through Facebook ads. They use DNS CNAME records to create a traffic distribution system, enabling dynamic IP address updates and evasion of detection. The campaigns target multiple languages and involve fake ChatGPT and WhatsApp bots. Victims are convinced to create accounts, make deposits, and unknowingly transfer funds to Russian banks. The actor has been operating since August 2021, using dedicated hosting and frequently changing IP addresses. Their infrastructure includes approximately 4,200 base domains with CNAME records linked to subdomains of b36cname[.]site. The campaigns are short-lived, typically lasting 5-10 days per subdomain.