
TAG-124: The Emerging Threat Behind Targeted Malware Campaigns – Active IOCs

Severity

High

Analysis Summary

Cybercriminals are increasingly using TAG-124, a malicious traffic distribution system (TDS), to deliver malware to high-value targets. Similar to advertising TDSs, TAG-124 collects browser data, geolocation, and user behavior to route victims to malware such as ransomware, remote access tools, and loaders like SocGholish and D3F@ck.

Threat actors tied to TAG-124 include ransomware groups Rhysida and Interlock, both known for major attacks on healthcare and academic institutions. These groups use shared infrastructure to optimize attacks and evade detection using techniques like SEO poisoning and compromised legitimate websites.

State-sponsored actors, such as TA866 (Asylum Ambuscade), also leverage TAG-124 to carry out espionage, particularly targeting European and Central Asian institutions. The system’s ability to evade sandboxes and its role early in the attack chain make it hard to detect, increasing the chances of high-impact breaches.

Researchers highlight the need for early identification, as seen in the Sunflower Medical breach, where detection delays led to legal and operational consequences. Effective defense requires a combination of advanced detection tools and user awareness.

Impact

  • Data Theft
  • Financial Loss
  • Unauthorized Access

Indicators of Compromise

IP

  • 45.61.136.9
  • 45.61.136.40
  • 45.61.136.41
  • 45.61.136.67
  • 45.61.136.89

MD5

  • f29598ff2ac18f80e821f30d9a982c01
  • e24c88a450c8908eb4be0d4eceb7e2e6

SHA-256

  • 7683d38c024d0f203b374a87b7d43cc38590d63adb8e5f24dff7526f5955b15a
  • 950f1f8d94010b636cb98be774970116d98908cd4c45fbb773e533560a4beea7

SHA1

  • 36fcae593b2f603822241d71c249568fe927c8d2
  • 1e88a4a28889b23bbb94aada6d1c136e9a691d63

Remediation

  • Use threat intelligence feeds to monitor indicators related to TAG-124.
  • Implement YARA-based custom scanning rules to detect early-stage payloads.
  • Deploy advanced EDR solutions that monitor browser and user behavior anomalies.
  • Block access to known malicious TDS domains and IP addresses.
  • Apply DNS filtering to prevent redirection from compromised sites.
  • Train users to avoid suspicious downloads and pop-ups triggered by SEO poisoning.
  • Keep browsers and plugins updated to prevent exploitation via web vectors.
  • Restrict web traffic from untrusted sources using firewall and proxy rules.
  • Use pop-up blockers and safe browsing features on all endpoints.
  • Conduct regular website audits if you manage public-facing web infrastructure.
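One way to act on the "monitor indicators" and "block known TDS domains and IP addresses" items above, as an added example that is not part of the Rewterz advisory: a small Python sweep over proxy-log lines that flags clients which touched a TAG-124 indicator, handling subdomains, case and trailing dots. The IPs are the five listed under Indicators of Compromise; the log layout and the placeholder domain are assumptions.

```python
import re

# Added example, not from the advisory. The IPs are the five listed above under
# "Indicators of Compromise"; the domain is a constructed placeholder for its TDS domains.
TAG124_IPS = {"45.61.136.9", "45.61.136.40", "45.61.136.41",
              "45.61.136.67", "45.61.136.89"}
TAG124_DOMAINS = {"tds-placeholder.example"}

# Constructed proxy-log layout: "<ts> <client> <host> <dst_ip> <method> <path>"
LOG_RE = re.compile(r"^\S+\s+(?P<client>\S+)\s+(?P<host>\S+)\s+(?P<dst>\S+)\s+\S+\s+\S+$")

def normalize_host(host):
    # Lower-case and drop a trailing dot: "CDN.Example.COM." -> "cdn.example.com"
    return host.strip().lower().rstrip(".")

def domain_matches(host, blocked):
    # Exact match or subdomain of an indicator. The "." prefix is what keeps
    # a look-alike such as "nottds-placeholder.example" from matching.
    h = normalize_host(host)
    for d in blocked:
        d = normalize_host(d)
        if h == d or h.endswith("." + d):
            return d
    return None

def scan_proxy_log(lines):
    # Return (client, indicator, kind) for each line that touched an indicator.
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the sweep
        client, host, dst = m.group("client", "host", "dst")
        d = domain_matches(host, TAG124_DOMAINS)
        if d:
            hits.append((client, d, "domain"))
        if dst in TAG124_IPS:
            hits.append((client, dst, "ip"))
    return hits

# Constructed sample: benign, subdomain+IP hit, IP-only hit, look-alike, malformed.
SAMPLE_LOG = [
    "2025-04-29T10:00:01Z 10.0.0.5 www.example.org 93.184.216.34 GET /",
    "2025-04-29T10:00:02Z 10.0.0.5 CDN.tds-placeholder.example. 45.61.136.40 GET /upd.js",
    "2025-04-29T10:00:03Z 10.0.0.7 unknownhost.example 45.61.136.9 GET /a",
    "2025-04-29T10:00:04Z 10.0.0.8 nottds-placeholder.example 198.51.100.1 GET /",
    "garbage line",
]

print(scan_proxy_log(SAMPLE_LOG))
```

Feed the real indicator feed into the two sets and the real log reader into `scan_proxy_log`; the IP-only hit shows why destination IPs are checked even when the hostname looks unfamiliar.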