Recorded Future: Strengthen Your Defenses with Threat Intelligence
- Trimble Cityworks: CVE-2025-0994 (February 19, 2025 at 12:00 am)
Learn about CVE-2025-0994 affecting Trimble Cityworks products. Patch now to prevent remote code execution.
- From Geopolitics to AI, 6 Key Threat Intelligence Trends for CISOs in 2025 (February 13, 2025 at 12:00 am)
Discover the latest threat intelligence outlooks for 2025, including AI-enabled phishing, SaaS attacks, and executive-targeted cyber threats. Learn key strategies to protect your organization from evolving digital risks.
- Inside the Scam: North Korea’s IT Worker Threat (February 13, 2025 at 12:00 am)
Learn how North Korea’s IT workers infiltrate global companies, posing cybersecurity threats, committing fraud, and supporting the regime. Discover key findings and mitigation strategies to safeguard your business.
- RedMike (Salt Typhoon) Exploits Vulnerable Cisco Devices of Global Telecommunications Providers (February 13, 2025 at 12:00 am)
Discover how Chinese state-sponsored group RedMike exploited unpatched Cisco devices, targeting telecommunications providers globally. Learn about vulnerabilities CVE-2023-20198 and CVE-2023-20273, and how organizations can protect critical infrastructure.
- Stimmen aus Moskau: Russian Influence Operations Target German Elections (February 13, 2025 at 12:00 am)
Discover how Russia-linked influence operations, including Doppelgänger and Operation Overload, are attempting to undermine Germany’s 2025 elections. Learn about their tactics, impacts, and how to mitigate the risks to media integrity and public trust.
- Munich Security Conference (February 13, 2025 at 12:00 am)
Explore intelligence reports from Recorded Future’s Insikt Group at the 2025 Munich Security Conference. Key topics include Taiwan invasion risk, Russian influence in German elections, RedMike exploiting Cisco devices, and North Korea’s IT worker scam.
- The Risk of a Taiwan Invasion Is Rising Fast (February 12, 2025 at 12:00 am)
Prepare your business for potential geopolitical disruptions from a Taiwan invasion. Assess evolving risks, global economic impacts, and strategic measures to safeguard supply chains and critical operations in Asia.
- The convergence of space and cyber: An evolving threat landscape (February 5, 2025 at 12:00 am)
Explore the critical role of cyberattacks in shaping the modern space race. Learn how nation-states and organizations must adapt their cybersecurity measures to protect global economies, military operations, and the future of space exploration.
- Working in Singapore at the World’s Largest Intelligence Company (January 30, 2025 at 12:00 am)
Discover the vibrant culture at Recorded Future’s Singapore office. Learn about our growth, team dynamics, and exciting work environment.
- TAG-124’s Multi-Layered TDS Infrastructure and Extensive User Base (January 30, 2025 at 12:00 am)
Analysis cut-off date: January 7, 2025

Executive Summary

Insikt Group has identified multi-layered infrastructure linked to a traffic distribution system (TDS) tracked by Recorded Future as TAG-124, which overlaps with threat activity clusters known as LandUpdate808, 404TDS, KongTuke, and Chaya_002. TAG-124 comprises a network of compromised WordPress sites, actor-controlled payload servers, a central server, a suspected management server, an additional panel, and other components. The threat actors behind TAG-124 demonstrate high levels of activity, including regularly updating URLs embedded in the compromised WordPress sites, adding servers, refining TDS logic to evade detection, and adapting infection tactics, as demonstrated by their recent implementation of the ClickFix technique. Insikt Group identified multiple threat actors using TAG-124 within their initial infection chains, including operators of Rhysida ransomware, Interlock ransomware, TA866/Asylum Ambuscade, SocGholish, D3F@CK Loader, TA582, and others. Notably, the shared use of TAG-124 reinforces the connection between Rhysida and Interlock ransomware, which are already linked through similarities in tactics, tools, encryption behaviors, ransom note themes, code overlaps, and data exfiltration techniques. Insikt Group expects that TAG-124 will continue its operations within the increasingly sophisticated and specialized cybercriminal ecosystem, enhance its effectiveness, and attract additional users and partners.

Key Findings

- Insikt Group identified multi-layered infrastructure linked to a TDS tracked as TAG-124. This infrastructure includes a network of compromised WordPress sites, likely actor-controlled payload servers, a central server, a suspected management server, and an additional panel, among other components.
- The threat actor(s) associated with TAG-124 appear highly active, regularly updating URLs on compromised WordPress sites to evade detection, adding new servers to their infrastructure, and improving TDS-linked conditional logic and infection tactics.
- Multiple threat actors are assessed to incorporate TAG-124’s service into their initial infection chains, including operators of Rhysida ransomware, Interlock ransomware, TA866/Asylum Ambuscade, SocGholish, D3F@CK Loader, TA582, and others.
- While Rhysida and Interlock ransomware have already been associated with each other due to similarities in tactics, tools, encryption behaviors, ransom note themes, overlaps in code, and data exfiltration techniques, the shared use of TAG-124 reinforces this connection.

Background

TAG-124, which overlaps with LandUpdate808, 404TDS, KongTuke, and Chaya_002, is a TDS used to distribute malware on behalf of various threat actors, including operators of Rhysida ransomware, Interlock ransomware, TA866/Asylum Ambuscade, SocGholish, D3F@CK Loader, and TA582, among others (1, 2, 3). A TDS typically refers to a system used to analyze and redirect web traffic based on parameters like geolocation or device type, funneling only specific visitors to malicious destinations such as phishing sites, malware, or exploit kits, while evading detection and optimizing cybercriminal campaigns. More specifically, TAG-124 operates by injecting malicious JavaScript code into compromised WordPress websites. When visitors access an infected website, they unknowingly load attacker-controlled resources designed to manipulate them into completing actions that result in the download and execution of malware. TAG-124 often deceives victims by presenting the malware as a required Google Chrome browser update.
In more recent variations, TAG-124 has been observed using the ClickFix technique. This approach displays a dialog instructing visitors to execute a command pre-copied to their clipboard. Once a visitor runs the command, it initiates a multi-stage process that downloads and executes the malware payload.

Threat Analysis

TAG-124

Insikt Group identified multi-layered infrastructure associated with the TDS TAG-124. This infrastructure comprises a network of compromised WordPress sites, likely actor-controlled payload servers, a central server whose exact purpose remains unclear at the time of analysis, a suspected management server, and an additional management panel. If visitors fulfill specific criteria, the compromised WordPress websites display fake Google Chrome update landing pages, which ultimately lead to malware infections as discussed in the Users of TAG-124 section of this report (see Figure 1).

Figure 1: TAG-124’s high-level infrastructure setup (Source: Recorded Future)

Compromised WordPress Websites

TAG-124’s infrastructure consists of an extensive network of WordPress websites (see Appendix A). These websites appear to lack a consistent theme regarding industry, topic, or geography, suggesting they were likely compromised opportunistically through exploits or by acquiring credentials, such as those obtained via infostealers.
First-Stage WordPress Websites in Initial Delivery

The compromised websites of the first stage in the initial delivery phase typically include a script tag with an async attribute at an arbitrary location in the document object model (DOM), enabling the loading of an external JavaScript file in parallel with the page to avoid rendering delays (see Figure 2).

Figure 2: Script tag in DOM used to load external JavaScript file (Source: URLScan)

The JavaScript filename has changed frequently over time, with earlier names following recognizable patterns (such as metrics.js) and more recent ones appearing to be randomly formatted (such as hpms1989.js). Example filenames include:

- 3561.js
- 365h.js
- e365r.js
- hpms1989.js
- metrics.js
- nazvanie.js
- web-analyzer.js
- web-metrics.js
- web.js
- wp-config.js
- wp.js

Notably, the threat actors appear to be regularly updating the URLs on the compromised websites. For instance, the website associated with www[.]ecowas[.]int has consistently changed the URL used to fetch the JavaScript file. This behavior indicates that the threat actors maintain ongoing access to these WordPress sites and frequently alter the URLs, including the domain and JavaScript filename, likely to evade detection.

Although many of the compromised WordPress websites appear to be associated with lesser-known organizations, Insikt Group identified notable cases, including a subdomain linked to the Polish Centre for Testing and Certification, www[.]pcbc[.]gov[.]pl, and the domain of the Economic Community of West African States (ECOWAS) (www[.]ecowas[.]int). Both have been compromised and used in TAG-124 campaigns.

Final Stage WordPress Websites in Initial Delivery

If visitors meet specific criteria, which could not be fully determined, the compromised WordPress domains typically present fake Google Chrome update landing pages. These pages prompt users to click a download button, triggering the download of the actual payload from designated endpoints on a secondary set of compromised WordPress websites, including but likely not limited to:

- /wp-admin/images/wfgth.php
- /wp-includes/pomo/update.php
- /wp-content/upgrade/update.php
- /wp-admin/images/rsggj.php

Fake Google Chrome Update Landing Pages

Insikt Group discovered two variants of fake Google Chrome update landing pages associated with TAG-124 (see Figure 3). According to URLScan submission data, Variant 1 has been active longer, with its earliest submission recorded on April 24, 2024.

Figure 3: Fake Google Chrome update variant 1 (left) and 2 (right) (Source: URLScan, URLScan)

Only victims meeting a specific set of still unknown conditions are directed to the fake Google Chrome update landing page, resulting in the observation of only a limited number of domains (see Table 1). These domains can be attributed to TAG-124 based on the URLs embedded in the DOM, public reporting, or other indicators. Notably, the threat actors consistently misspell the word referer as refferer in the query parameter, a typographical error observed in earlier reports.

| Domain | Notes | Variant |
| --- | --- | --- |
| www[.]reloadinternet[.]com | Linked to www[.]netzwerkreklame[.]de | 1 |
| selectmotors[.]net | Linked to www[.]netzwerkreklame[.]de | 1 |
| mgssoft[.]com | Linked to www[.]netzwerkreklame[.]de | 1 |
| www[.]lovebscott[.]com | Linked to sustaincharlotte[.]org | 1 |
| evolverangesolutions[.]com | Linked to sustaincharlotte[.]org | 1 |
| www[.]ecowas[.]int | Linked to www[.]pawrestling[.]net | 1 |
| ns1[.]webasatir[.]ir | Linked to true-blood[.]net, which has been previously associated with TAG-124 | 2 |
| avayehazar[.]ir | Linked to true-blood[.]net | 2 |
| cvqrcode[.]lpmglobalrelations[.]com | Linked to true-blood[.]net | 2 |
| mktgads[.]com | Linked to true-blood[.]net | 2 |
| incalzireivar[.]ro | Linked to true-blood[.]net | 2 |
| gmdva[.]org | Linked to true-blood[.]net | 2 |
| www[.]de[.]digitaalkantoor[.]online | Linked to true-blood[.]net | 2 |
| elamoto[.]com | Linked to TAG-124 and has the typographical error in the query parameter; it was redirected from winworld[.]es, a domain associated with Spain-based WinWorld, a company specializing in computer support and services | 2 |

Table 1: Likely compromised websites hosting fake Google Chrome update pages (Source: Recorded Future)

Likely Threat Actor-Owned Domain

While the domains listed in Table 1 are likely compromised, Insikt Group analyzed URLs present on websites hosted on two additional domains (see Table 2). Our analysis suggests these domains are highly likely connected to TAG-124.

| Domain | Notes | Variant |
| --- | --- | --- |
| update-chronne[.]com | Contained link to true-blood[.]net | 1 |
| sollishealth[.]com | Contained links to edveha[.]com and espumadesign[.]com; both were previously associated with TAG-124 | 2 |

Table 2: Additional domains found via visual similarity search (Source: Recorded Future)

The domain update-chronne[.]com, hosted behind Cloudflare, appears to be owned by the threat actors as it directly impersonates Google Chrome (see Figure 4).
At the time of analysis, the domain was still active, indexed by Google Search, and hosted the file Release.zip, which was identified as REMCOS RAT.

Figure 4: Google Chrome fake update landing page on update-chronne[.]com (Source: Recorded Future)

Notably, when a victim clicks the Update Chrome button, the website redirects to downloading[.]bplnetempresas[.]com, which shows the IP address 146.70.41[.]191 combined with three different ports (see Figure 5). This IP address has previously been associated with REMCOS RAT.

Figure 5: Suspected REMCOS RAT command-and-control (C2) server shown on downloading[.]bplnetempresas[.]com (Source: Recorded Future)

Additionally, the domain hosted a file named moc.txt, containing a PowerShell script designed to download and execute the contents of Release.zip (see Figure 6). The URL was redirected via the shortened URL https://wl[.]gl/25dW64.

Figure 6: PowerShell script hosted on https://update-chronne[.]com/moc.txt as of September 12, 2024 (Source: URLScan)

Suspected Shell Website

Both update-chronne[.]com and downloading[.]bplnetempresas[.]com hosted a website seemingly associated with “YSOFEL”, which appears to be a Brazilian organization (see Figure 7). However, no information about this organization could be found online, indicating that it is likely a fictitious entity.

Figure 7: Suspected shell website linked to a fake Brazilian organization (Source: URLScan)

Insikt Group identified several other domains, some of which are noted in the Compromised WordPress Websites section (such as mktgads[.]com), while others appear to impersonate Google (such as check-googlle[.]com) (see Table 3). This suggests that the website may function as a “shell website”, potentially used to age domains or to display content only when visitors meet specific criteria.

| Domain | IP Address | First Seen | Last Seen | Notes |
| --- | --- | --- | --- | --- |
| challinksch[.]com | Cloudflare | 2024-09-05 | 2025-01-05 | Hosted PowerShell script to download PuTTY and linked to AsyncRAT |
| chalnlizt[.]org | Cloudflare | 2024-08-21 | 2025-01-07 | Hosted PowerShell script |
| check-googlle[.]com | Cloudflare | 2024-09-09 | 2025-01-07 | N/A |
| cihainlst[.]org | Cloudflare | 2024-08-21 | 2025-01-07 | N/A |
| io-suite-web[.]com | Cloudflare | 2024-08-14 | 2025-01-07 | N/A |
| miner-tolken[.]com | Cloudflare | 2024-09-06 | 2025-01-07 | N/A |
| ronnin-v2[.]com | Cloudflare | 2024-05-27 | 2025-01-07 | N/A |
| symdilatic[.]com | Cloudflare | 2024-08-20 | 2025-01-07 | N/A |
| symbieitc[.]com | Cloudflare | 2024-08-21 | 2025-01-04 | N/A |
| symdlotic[.]com | Cloudflare | 2024-08-21 | 2025-01-07 | N/A |
| synbioltic[.]com | Cloudflare | 2024-08-21 | 2025-01-07 | N/A |
| symbliatc[.]com | Cloudflare | 2024-08-20 | 2024-12-30 | N/A |
| symbietic[.]com | Cloudflare | 2024-08-19 | 2025-01-07 | N/A |
| comteste[.]com | Cloudflare | 2024-08-19 | 2025-01-07 | N/A |
| symdilotic[.]com | Cloudflare | 2024-08-20 | 2024-12-30 | N/A |
| v2-rubby[.]com | Cloudflare | 2024-05-22 | 2025-01-07 | N/A |

Table 3: Domains linked to the same suspected shell website linked to the fake Brazilian organization referenced above (Source: Recorded Future)

It remains uncertain whether all the domains in Table 3 are malicious or connected to the same activity. However, their shared hosting of the same website, impersonation of other brands (such as ChainList), and partial verification of links to infections make them, at the very least, suspicious.

TAG-124 Delivery Servers

TAG-124 leverages compromised WordPress websites for various components of its infection chains. The servers embedded in the DOMs of these compromised first-stage WordPress sites, as detailed in the First-Stage WordPress Websites in Initial Delivery section, are likely owned by the threat actors.
Insikt Group identified a significant network of servers connected to and likely controlled by the TAG-124 threat actors (see Table 4).

| Domain | IP Address | First Seen | Last Seen | Notes |
| --- | --- | --- | --- | --- |
| ambiwa[.]com | 45[.]61[.]136[.]9 | 2024-12-28 | 2025-01-07 | |
| gcafin[.]com | 45[.]61[.]136[.]9 | 2024-12-29 | 2025-01-06 | |
| discoves[.]com | 45[.]61[.]136[.]9 | 2024-12-26 | 2025-01-06 | |
| xaides[.]com | 45[.]61[.]136[.]40 | 2025-01-02 | 2025-01-07 | |
| usbkits[.]com | 45[.]61[.]136[.]40 | 2025-01-02 | 2025-01-07 | |
| mirugby[.]com | 45[.]61[.]136[.]40 | 2025-01-02 | 2025-01-07 | |
| ecrut[.]com | 45[.]61[.]136[.]41 | 2025-01-06 | 2025-01-07 | |
| pursyst[.]com | 45[.]61[.]136[.]41 | 2025-01-06 | 2025-01-07 | |
| pushcg[.]com | 45[.]61[.]136[.]67 | 2024-09-18 | 2025-01-07 | |
| piedsmontlaw[.]com | 45[.]61[.]136[.]67 | 2022-12-22 | 2025-01-06 | |
| pemalite[.]com | 45[.]61[.]136[.]67 | 2022-12-22 | 2025-01-07 | |
| howmanychairs[.]com | 45[.]61[.]136[.]67 | 2024-03-14 | 2025-01-06 | |
| calbbs[.]com | 45[.]61[.]136[.]89 | 2024-12-18 | 2025-01-07 | |
| habfan[.]com | 45[.]61[.]136[.]132 | 2024-12-07 | 2025-01-07 | |
| iognews[.]com | 45[.]61[.]136[.]132 | 2024-12-06 | 2025-01-07 | |
| safigdata[.]com | 45[.]61[.]136[.]196 | 2024-11-19 | 2025-01-07 | |
| z-v2-071924[.]kailib[.]com | 45[.]61[.]136[.]196 | 2024-11-13 | 2024-11-29 | |
| z-v2-071810[.]kailib[.]com | 45[.]61[.]136[.]196 | 2024-11-10 | 2024-11-13 | |
| nyciot[.]com | 45[.]61[.]136[.]196 | 2024-11-20 | 2025-01-07 | |
| pweobmxdlboi[.]com | 64[.]7[.]198[.]66 | 2024-08-27 | 2025-01-07 | |
| boneyn[.]com | 64[.]94[.]85[.]98 | 2024-12-22 | 2025-01-07 | |
| satpr[.]com | 64[.]94[.]85[.]98 | 2024-12-22 | 2025-01-07 | |
| coeshor[.]com | 64[.]94[.]85[.]248 | 2024-12-06 | 2025-01-07 | |
| mtclibraries[.]com | 64[.]94[.]85[.]248 | 2024-12-11 | 2025-01-07 | |
| z-v2-072122[.]kailib[.]com | 64[.]94[.]85[.]248 | 2024-11-18 | 2024-11-29 | |
| sdrce[.]com | 64[.]95[.]11[.]65 | 2024-12-13 | 2025-01-07 | |
| theinb[.]com | 64[.]95[.]11[.]65 | 2024-12-13 | 2025-01-07 | |
| elizgallery[.]com | 64[.]95[.]11[.]184 | 2024-11-20 | 2025-01-07 | |
| enethost[.]com | 64[.]95[.]12[.]38 | 2024-12-26 | 2025-01-07 | |
| dhusch[.]com | 64[.]95[.]12[.]38 | 2024-12-24 | 2025-01-07 | |
| fastard[.]com | 64[.]95[.]12[.]38 | 2024-12-25 | 2025-01-07 | |
| franklinida[.]com | 64[.]95[.]12[.]98 | 2024-10-18 | 2025-01-07 | |
| nastictac[.]com | 64[.]190[.]113[.]41 | 2024-11-25 | 2025-01-07 | |
| dncoding[.]com | 64[.]190[.]113[.]41 | 2024-11-26 | 2025-01-07 | |
| djnito[.]com | 64[.]190[.]113[.]111 | 2024-12-11 | 2025-01-07 | |
| opgears[.]com | 64[.]190[.]113[.]111 | 2024-12-11 | 2025-01-07 | |
| tickerwell[.]com | 162[.]33[.]177[.]36 | 2024-11-19 | 2025-01-07 | |
| selmanc[.]com | 162[.]33[.]177[.]82 | 2024-12-16 | 2025-01-07 | |
| tibetin[.]com | 162[.]33[.]177[.]82 | 2024-12-16 | 2025-01-07 | |
| mercro[.]com | 162[.]33[.]178[.]59 | 2024-10-31 | 2025-01-07 | |
| esaleerugs[.]com | 162[.]33[.]178[.]63 | 2024-11-22 | 2025-01-07 | |
| tayakay[.]com | 162[.]33[.]178[.]75 | 2024-11-15 | 2024-11-15 | |
| ilsotto[.]com | 162[.]33[.]178[.]113 | 2024-11-23 | 2025-01-07 | |
| chewels[.]com | 193[.]149[.]176[.]179 | 2024-12-05 | 2025-01-07 | |
| sokrpro[.]com | 193[.]149[.]176[.]223 | 2024-12-20 | 2025-01-07 | |
| hdtele[.]com | 193[.]149[.]176[.]223 | 2024-12-20 | 2025-01-07 | |
| chhimi[.]com | 193[.]149[.]176[.]248 | 2024-08-15 | 2025-01-07 | |
| dechromo[.]com | 216[.]245[.]184[.]179 | 2024-12-09 | 2025-01-07 | |
| enerjjoy[.]com | 216[.]245[.]184[.]179 | 2024-12-09 | 2025-01-07 | |
| dsassoc[.]com | 216[.]245[.]184[.]179 | 2024-12-18 | 2025-01-07 | |
| gwcomics[.]com | 216[.]245[.]184[.]210 | 2024-12-19 | 2025-01-07 | |
| genhil[.]com | 216[.]245[.]184[.]225 | 2024-11-18 | 2025-01-07 | |
| vicrin[.]com | 216[.]245[.]184[.]225 | 2024-11-05 | 2025-01-07 | |
| eliztalks[.]com | 216[.]245[.]184[.]225 | 2024-11-16 | 2025-01-07 | |
| rshank[.]com | 216[.]245[.]184[.]225 | 2024-11-13 | 2025-01-06 | |

Table 4: Likely threat actor-controlled TAG-124 delivery servers (Source: Recorded Future)

Most of the domains began resolving in November 2024, suggesting that TAG-124 gained momentum during this period, with the majority of the domains still active at the time of analysis. Of note, two domains hosted on 45[.]61[.]136[.]67, namely piedsmontlaw[.]com and pemalite[.]com, were already resolving to this IP address in 2022, indicating that the server may have already been under the control of the threat actor during that time.

Suspected Higher-Tier Infrastructure

The majority of the suspected threat actor-controlled TAG-124 delivery servers, as listed in the TAG-124 Delivery Servers section, have been seen communicating with a server over TCP port 443 (see Figure 1).
The configurations of this server are similar to those of the delivery servers and host a domain that returns only a generic HTML page when accessed. At the time of analysis, Insikt Group could not determine the exact purpose of this server but suspects it plays a central role in the operation. One possibility is that it contains the core logic of the TDS.

Additionally, Insikt Group identified a suspected management server linked to TAG-124. This server has been observed communicating with the delivery servers via TCP ports 80 and 443. It has also interacted with another panel linked to TAG-124, referred to as the “Ads Panel”, whose purpose includes serving the latest delivery server through a specified endpoint, among others (see Figure 1).

Appendix A: Indicators of Compromise

Likely Compromised WordPress Domains Used by TAG-124:
Likely Compromised Websites Showing Fake Google Chrome Update Pages:

TAG-124 Domains:

TAG-124 IP Addresses:

Additional Domains Observed in TAG-124 Activity:
- winworld[.]es
- true-blood[.]net

Matomo Instance:
- dating2go[.]store

Domains Likely Linked to apple-online[.]shop:

REMCOS RAT C2 IP Address:
- 146.70.41[.]191

Domains Likely Linked to TA582 and MintsLoader Cluster:

PyInstaller Hashes:

CleanUpLoader Loader Hashes:

MintsLoader Hashes:

Appendix B: MITRE ATT&CK Techniques

| Tactic | Technique | ATT&CK Code |
| --- | --- | --- |
| Resource Development | Acquire Infrastructure: Domains | T1583.001 |
| Resource Development | Acquire Infrastructure: Virtual Private Server | T1583.003 |
| Resource Development | Acquire Infrastructure: Server | T1583.004 |
| Resource Development | Compromise Infrastructure: Domains | T1584.001 |
| Resource Development | Develop Capabilities: Malware | T1587.001 |
| Initial Access | Stage Capabilities: Drive-by Target | T1608.004 |
| Defense Evasion | Impersonation | T1656 |
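Two of the traits the report describes are cheap to check for on the defender's side: the async script tag injected into a first-stage WordPress page that loads an off-site JavaScript file (the filenames listed in the First-Stage section), and the misspelled refferer query parameter on the fake-update landing pages. The scanner below is an added example, not code from the Insikt Group report; every hostname and log line in it is constructed, and the filename set is copied from the report's list.

```python
"""Scan HTML for TAG-124-style async script injections and access logs for the
misspelled 'refferer' query parameter. Added example; hostnames and log lines
are constructed for illustration and are not indicators from the report."""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# JavaScript filenames the report lists as observed on compromised first-stage sites.
TAG124_SCRIPT_NAMES = {
    "3561.js", "365h.js", "e365r.js", "hpms1989.js", "metrics.js", "nazvanie.js",
    "web-analyzer.js", "web-metrics.js", "web.js", "wp-config.js", "wp.js",
}


class _ScriptTagCollector(HTMLParser):
    """Collect the attributes of every <script> start tag in document order."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            # A bare boolean attribute such as `async` arrives as ("async", None).
            self.scripts.append(dict(attrs))


def find_suspicious_scripts(html, site_host):
    """Return findings for external <script> tags that resemble TAG-124 injections.

    site_host is the hostname the page was fetched from. A script is reported when
    it carries the async attribute and loads from a different host, or when its
    filename matches the report's list; each finding records which reasons fired.
    """
    parser = _ScriptTagCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.scripts:
        src = attrs.get("src")
        if not src:
            continue  # inline script, no external load to assess
        # Absolute and protocol-relative ("//host/x.js") URLs yield a hostname;
        # a path-only src yields none and is treated as same-site.
        parts = urlsplit(src)
        host = (parts.hostname or "").lower()
        filename = parts.path.rsplit("/", 1)[-1].lower()
        reasons = []
        if host and host != site_host.lower() and "async" in attrs:
            reasons.append("async script loaded from off-site host")
        if filename in TAG124_SCRIPT_NAMES:
            reasons.append("filename matches a TAG-124 script name from the report")
        if reasons:
            findings.append({"src": src, "host": host, "filename": filename,
                             "reasons": reasons})
    return findings


# Request-line extractor for a combined-format web server or proxy log.
_REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')


def find_refferer_requests(log_lines):
    """Return (line_number, url) for each request whose query string carries the
    misspelled 'refferer' parameter; the correctly spelled 'referer' is ignored."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = _REQUEST_RE.search(line)
        if not match:
            continue
        url = match.group(1)
        params = parse_qs(urlsplit(url).query, keep_blank_values=True)
        if any(key.lower() == "refferer" for key in params):
            hits.append((number, url))
    return hits


# Constructed WordPress page: one same-site script, one async off-site script with
# a filename from the report, one async off-site script with an unrelated filename.
SAMPLE_HTML = """<html><head><title>Constructed blog</title>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
</head><body><p>Post body</p>
<script async src="https://static.constructed-example.invalid/hpms1989.js"></script>
<script async src="//cdn.constructed-example.invalid/widget.js"></script>
<script>console.log("inline");</script>
</body></html>"""

# Constructed access-log lines in combined format; only the second carries 'refferer'.
SAMPLE_LOG = """\
192.0.2.10 - - [06/Jan/2025:10:00:01 +0000] "GET /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.11 - - [06/Jan/2025:10:00:07 +0000] "GET /update.php?refferer=https%3A%2F%2Fwww.blog-example.invalid%2F HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
192.0.2.12 - - [06/Jan/2025:10:00:09 +0000] "GET /news/?referer=https%3A%2F%2Fexample.invalid HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for finding in find_suspicious_scripts(SAMPLE_HTML, "www.blog-example.invalid"):
        print(f"[script] {finding['src']} -> {'; '.join(finding['reasons'])}")
    for number, url in find_refferer_requests(SAMPLE_LOG.splitlines()):
        print(f"[log] line {number}: {url}")
```

An off-site async script on its own is only a triage signal, since analytics tags load the same way; the filename match and the refferer typo are the narrower checks.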
- 2024 Annual Report (January 28, 2025 at 12:00 am)
Discover key insights from Recorded Future’s 2024 report on cyber threats, criminal networks, SaaS identity risks, and strategies for 2025 cybersecurity.
- “Crazy Evil” Cryptoscam Gang: Unmasking a Global Threat in 2024 (January 21, 2025 at 12:00 am)
Explore how the “Crazy Evil” cryptoscam gang operates, infecting thousands worldwide with infostealer malware. Learn how its tactics pose a threat to the Web3 ecosystem and digital asset security.
- Annual Payment Fraud Intelligence Report: 2024 (January 21, 2025 at 12:00 am)
Explore 2024 payment fraud trends with Recorded Future: e-skimming, scam e-commerce, dark web insights, and 2025 predictions.
- Cleo MFT: CVE-2024-50623 (January 21, 2025 at 12:00 am)
Learn about CVE-2024-50623 affecting Cleo MFT products. Patch now to prevent RCE attacks and secure your systems.
- Chinese State-Sponsored RedDelta Targeted Taiwan, Mongolia, and Southeast Asia with Adapted PlugX Infection Chain (January 9, 2025 at 12:00 am)
Between July 2023 and December 2024, RedDelta, a Chinese state-sponsored group, targeted Mongolia, Taiwan, and Southeast Asia using advanced spearphishing campaigns with evolving infection chains and the PlugX backdoor.
- Hispanic Heritage Month: Path to Collective Power – Part Two (January 7, 2025 at 12:00 am)
Discover our 2024 Hispanic Heritage Month series: overcoming adversity, fostering community, and empowering growth through inclusion.
- Tracking Deployment of Russian Surveillance Technologies in Central Asia and Latin America (January 7, 2025 at 12:00 am)
A new report by Recorded Future’s Insikt Group finds that countries across Central Asia and Latin America are increasingly basing their digital surveillance practices on Russia’s System for Operative Investigative Activities (SORM). Learn more about the privacy and security risks, as well as risks to corporate organizations operating in these regions.
- Fraud Funding Terrorism? The Cost of Missing Sanctioned Connections in a Globalized Fraud Ecosystem (December 18, 2024 at 12:00 am)
Editor’s note: The following blog post originally appeared on Levi Gundert’s Substack page.

Introduction

A past conversation with an undercover federal agent who specializes in money laundering revealed staggering amounts of currency moving across geographic boundaries, skirting traditional Anti-Money Laundering (AML) processes. From local and transnational crime syndicates to presidential spouses and those looking to evade sanctions or tax regimes, the need to wash and move illicit funds into reputable banking channels has never been greater. The FT’s recent AML coverage highlights the scale of the problem and provides timely background reading on money laundering networks, suspects, and indictments. One story is particularly relevant as it centers around proof-of-address compliance failures. Coincidentally, address verification is precisely the problem highlighted by a recent Recorded Future Payment Fraud Intelligence (PFI) report.

Big Fraud and a Hong Kong Address

The address in question is:

12th Floor, San Toi Building, 137-139 Connaught Road Central, Hong Kong

The San Toi Building (and 12th-floor visual estimate) provided by Google Maps

The address is linked to two scam website (fraud) clusters, designated “Misspelled” and “Brand as a Cover”, which share merchant accounts and payment processing logic. The three merchant accounts include CAMHUBSTORE, AQAPAY*xmvmxft, SMARTTECHHK, and gracefashionhub. Hundreds, if not thousands, of scam websites are connected to these merchants.

A scam website snapshot. A victim articulates why Camhubstore is a scam site.

These merchant accounts that process payments for fraudulent, non-existent goods are tied to the 12th floor of the San Toi Building as the registered business address. The address is even placed directly on some of the sites as a contact address. Here’s where it gets interesting. The address is listed on the U.S. Treasury OFAC list for ties to an Iranian terrorism group.

The 12th floor is presumably large enough to house multiple businesses and likely sufficiently small such that businesses transit through reasonably often. Of course, it would be difficult to draw a direct connection between these merchant accounts and terrorism based on a shared space address. Still, other questions remain, namely: how are these scam merchants acquiring the ability to process payment cards when their physical address is on the OFAC list?

Remedying AML / KYC Compliance Failures

Knowing your customer (KYC) might be difficult when bad actors go to great lengths to obscure their identity and purpose, but this is an egregious case of acquiring banks and payment processors missing obviously problematic contact details.

Geoff White’s book, The Lazarus Heist, documented that even routine checks can lead to better outcomes. In it, White details North Korean hackers’ inability to transfer a more significant amount (hundreds of millions of dollars) from Bangladesh Bank to a bank branch in Manila because the branch is located on Jupiter Street, and “Jupiter is also the name of a sanctioned Iranian shipping vessel.” Addresses matter.

Suppose the US pursues a more friendly regulatory environment for cryptocurrencies under President Trump, and exchanges find it easier to acquire bank accounts. In that case, the potential for money laundering may explode without rigorous AML / KYC / KYT efforts. The SEC may have fewer teeth, but banks and processors are still gambling if anyone can obtain a merchant account with little to no compliance checks. Indeed, the business incentives are aligned to offer maximum merchant accounts to generate more processing fees, and historically, compliance costs have eroded profitability. However, this may be an emerging opportunity for GenAI.
Semi-autonomous agents trained to flag basic AML violations (for example, website contact details listed on OFAC, perhaps) and elastic agents that deploy on demand when a new merchant application is submitted would assist AML compliance efforts and help the financial services industry grappling with a tsunami of fraudulent merchant transactions.
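The onboarding check the post calls for, screening a merchant application's contact address against a sanctions address list, is shown below as an added example; it is not code from the original post or from Recorded Future. The San Toi Building address comes from the post; every other sanctions entry, the merchant records, the abbreviation table and the 0.8 review threshold are constructed assumptions for this example. The point it demonstrates is that an exact string comparison would have missed "12/F San Toi Bldg" against the spelled-out OFAC form, so the screener normalizes first and then uses a token-overlap score to catch partial addresses (for instance the building and street with the floor omitted) for analyst review.

```python
"""Added example, not from the original post or Recorded Future: a minimal
address-screening check of the kind the post suggests an AML agent could run
at merchant onboarding. Sanctions entries other than the San Toi Building
address, the merchant records, the abbreviation table and the 0.8 review
threshold are constructed for this example."""
import re

# Abbreviations expanded during normalization so that "12/F San Toi Bldg,
# 137-139 Connaught Rd Central, HK" and the spelled-out form compare equal.
# Assumed table; a production screener would use a fuller gazetteer.
_ABBREV = {
    "bldg": "building",
    "rd": "road",
    "ave": "avenue",
    "fl": "floor",
    "hk": "hong kong",
}

SANCTIONED_ADDRESSES = [
    # The address from the post, which it states is on the OFAC list.
    "12th Floor, San Toi Building, 137-139 Connaught Road Central, Hong Kong",
    # Constructed placeholder entry so the list has more than one item.
    "Unit 7, Example Tower, 1 Placeholder Street, Example City",
]

# Constructed onboarding records; names are placeholders, not real merchants.
MERCHANT_APPLICATIONS = [
    {"merchant": "EXAMPLE-SHOP-1",
     "address": "12/F San Toi Bldg, 137-139 Connaught Rd Central, HK"},
    {"merchant": "EXAMPLE-SHOP-2",
     "address": "San Toi Building, 137-139 Connaught Road Central, Hong Kong"},
    {"merchant": "EXAMPLE-SHOP-3",
     "address": "Flat 3, 88 Unrelated Avenue, Kowloon, Hong Kong"},
]


def normalize_address(addr: str) -> str:
    """Lower-case, expand floor/abbreviation variants, strip ordinals and
    punctuation, so the same premises written differently compare equal."""
    s = addr.lower()
    s = re.sub(r"(\d+)\s*/\s*f\b", r"\1 floor", s)     # "12/F" -> "12 floor"
    s = re.sub(r"\b(\d+)(st|nd|rd|th)\b", r"\1", s)    # "12th" -> "12"
    s = re.sub(r"(\d)([a-z])", r"\1 \2", s)            # "139connaught" -> "139 connaught"
    s = re.sub(r"[^a-z0-9]+", " ", s)                  # punctuation -> single space
    return " ".join(_ABBREV.get(tok, tok) for tok in s.split())


def screen_address(address, sanctioned=SANCTIONED_ADDRESSES, review_threshold=0.8):
    """Return (verdict, score, matched_entry).

    MATCH  : normalized address equals a listed address exactly.
    REVIEW : token-set Jaccard similarity >= threshold (e.g. the floor is
             omitted but building and street agree); route to an analyst.
    CLEAR  : nothing close enough on the list.
    """
    norm = normalize_address(address)
    tokens = set(norm.split())
    best = ("CLEAR", 0.0, None)
    for entry in sanctioned:
        entry_norm = normalize_address(entry)
        if norm == entry_norm:
            return ("MATCH", 1.0, entry)
        entry_tokens = set(entry_norm.split())
        score = len(tokens & entry_tokens) / len(tokens | entry_tokens)
        if score >= review_threshold and score > best[1]:
            best = ("REVIEW", score, entry)
    return best


def screen_applications(applications):
    """Screen each onboarding record; anything not CLEAR should hold
    activation of the merchant account until compliance signs off."""
    results = []
    for app in applications:
        verdict, score, hit = screen_address(app["address"])
        results.append({"merchant": app["merchant"], "verdict": verdict,
                        "score": round(score, 2), "matched": hit})
    return results


if __name__ == "__main__":
    for row in screen_applications(MERCHANT_APPLICATIONS):
        print(f'{row["merchant"]:16} {row["verdict"]:7} {row["score"]:.2f}  {row["matched"] or ""}')
```

Run as-is, the first constructed merchant is an exact match after normalization, the second (floor omitted) lands in REVIEW with a score of 0.83, and the unrelated Kowloon address is CLEAR. The same normalize-then-compare step is what the post's "elastic agent" would apply to the contact address scraped from a merchant's storefront, since in the case described the address was printed on the sites themselves.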
- Breaking the Circle: Chinese Communist Party Propaganda Infrastructure Rapidly Expands on December 10, 2024 at 12:00 am
China’s ICCs reshape global propaganda via targeted messaging, social media, and influence networks to amplify the Communist Party’s voice globally.
- Operational Disruption, Legal Risk, and Churn From Lost Consumer Trust Drive The Business Impact of Data Breaches on December 10, 2024 at 12:00 am
Discover the rising costs of data breaches, including disruption, legal risks, and lost trust. Learn proactive steps to protect your business from escalating threats.