April 29, 2025
Severity
High
Analysis Summary
Cybercriminals are increasingly using TAG-124, a malicious traffic distribution system (TDS), to deliver malware to high-value targets. Similar to advertising TDSs, TAG-124 collects browser data, geolocation, and user behavior to route victims to malware such as ransomware, remote access tools, and loaders like SocGholish and D3F@ck.
Threat actors tied to TAG-124 include ransomware groups Rhysida and Interlock, both known for major attacks on healthcare and academic institutions. These groups use shared infrastructure to optimize attacks and evade detection using techniques like SEO poisoning and compromised legitimate websites.
State-sponsored actors, such as TA866 (Asylum Ambuscade), also leverage TAG-124 to carry out espionage, particularly targeting European and Central Asian institutions. The system’s ability to evade sandboxes and its role early in the attack chain make it hard to detect, increasing the chances of high-impact breaches.
Researchers highlight the need for early identification, as seen in the Sunflower Medical breach, where delays in detection led to legal and operational consequences. Effective defense requires a combination of advanced detection tooling and user awareness.
Impact
- Data Theft
- Financial Loss
- Unauthorized Access
Indicators of Compromise
Remediation
- Use threat intelligence feeds to monitor indicators related to TAG-124.
- Implement YARA-based custom scanning rules to detect early-stage payloads.
- Deploy advanced EDR solutions that monitor browser and user behavior anomalies.
- Block access to known malicious TDS domains and IP addresses.
- Apply DNS filtering to prevent redirection from compromised sites.
- Train users to avoid suspicious downloads and pop-ups triggered by SEO poisoning.
- Keep browsers and plugins updated to prevent exploitation via web vectors.
- Restrict web traffic from untrusted sources using firewall and proxy rules.
- Use pop-up blockers and safe browsing features on all endpoints.
- Conduct regular website audits if you manage public-facing web infrastructure.