{
	"id": "e9bb7019-8031-4e69-84b0-c82f7e6a6cb8",
	"created_at": "2026-04-06T00:22:11.409953Z",
	"updated_at": "2026-04-10T03:34:42.77603Z",
	"deleted_at": null,
	"sha1_hash": "4b8b58965e1cb6851afba22922345357a948aba8",
	"title": "Multi-Layered TDS Infrastructure Linked to Major Cyber Threats",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 62191,
	"plain_text": "Multi-Layered TDS Infrastructure Linked to Major Cyber Threats\r\nBy Insikt Group®\r\nArchived: 2026-04-05 13:24:22 UTC\r\nNOTE: This report was updated on May 12, 2025, after it was discovered that TAG-124 is unrelated to 404TDS.\r\nAll references to 404TDS as an alias belonging to TAG-124 have been removed.\r\nExecutive Summary\r\nInsikt Group has identified multi-layered infrastructure linked to a traffic distribution system (TDS) tracked by\r\nRecorded Future as TAG-124, which overlaps with threat activity clusters known as LandUpdate808, KongTuke,\r\nand Chaya_002. TAG-124 comprises a network of compromised WordPress sites, actor-controlled payload\r\nservers, a central server, a suspected management server, an additional panel, and other components. The threat\r\nactors behind TAG-124 demonstrate high levels of activity, including regularly updating URLs embedded in the\r\ncompromised WordPress sites, adding servers, refining TDS logic to evade detection, and adapting infection\r\ntactics, as demonstrated by their recent implementation of the ClickFix technique.\r\nInsikt Group identified multiple threat actors using TAG-124 within their initial infection chains, including\r\noperators of Rhysida ransomware, Interlock ransomware, TA866/Asylum Ambuscade, SocGholish, D3F@CK\r\nLoader, TA582, and others. Notably, the shared use of TAG-124 reinforces the connection between Rhysida and\r\nInterlock ransomware, which are already linked through similarities in tactics, tools, encryption behaviors, ransom\r\nnote themes, code overlaps, and data exfiltration techniques. Insikt Group expects that TAG-124 will continue its\r\noperations within the increasingly sophisticated and specialized cybercriminal ecosystem, enhance its\r\neffectiveness, and attract additional users and partners.\r\nKey Findings\r\nInsikt Group identified multi-layered infrastructure linked to a TDS tracked as TAG-124. 
This\r\ninfrastructure includes a network of compromised WordPress sites, likely actor-controlled payload servers,\r\na central server, a suspected management server, and an additional panel, among other components.\r\nThe threat actor(s) associated with TAG-124 appear highly active, regularly updating URLs on\r\ncompromised WordPress sites to evade detection, adding new servers to their infrastructure, and improving\r\nTDS-linked conditional logic and infection tactics.\r\nMultiple threat actors are assessed to incorporate TAG-124’s service into their initial infection chains,\r\nincluding operators of Rhysida ransomware, Interlock ransomware, TA866/Asylum Ambuscade,\r\nSocGholish, D3F@CK Loader, TA582, and others.\r\nWhile Rhysida and Interlock ransomware have been associated with each other due to similarities in\r\ntactics, tools, encryption behaviors, ransom note themes, overlaps in code, and data exfiltration techniques,\r\nthe shared use of TAG-124 reinforces this connection.\r\nhttps://www.recordedfuture.com/research/tag-124-multi-layered-tds-infrastructure-extensive-user-base\r\nPage 1 of 4\n\nBackground\r\nTAG-124, which overlaps with LandUpdate808, KongTuke, and Chaya_002, is a TDS used to distribute malware\r\non behalf of various threat actors, including operators of Rhysida ransomware, Interlock ransomware,\r\nTA866/Asylum Ambuscade, SocGholish, D3F@CK Loader, and TA582, among others (1, 2, 3). A TDS typically\r\nrefers to a system used to analyze and redirect web traffic based on parameters like geolocation or device type,\r\nfunneling only specific visitors to malicious destinations such as phishing sites, malware, or exploit kits, while\r\nevading detection and optimizing cybercriminal campaigns.\r\nMore specifically, TAG-124 operates by injecting malicious JavaScript code into compromised WordPress\r\nwebsites. 
When visitors access an infected website, they unknowingly load attacker-controlled resources designed\r\nto manipulate them into completing actions that result in the download and execution of malware. TAG-124 often\r\ndeceives victims by presenting the malware as a required Google Chrome browser update.\r\nIn more recent variations, TAG-124 has been observed using the ClickFix technique. This approach displays a\r\ndialog instructing visitors to execute a command pre-copied to their clipboard. Once a visitor runs the command, it\r\ninitiates a multi-stage process that downloads and executes the malware payload.\r\nThreat Analysis\r\nTAG-124\r\nInsikt Group identified multi-layered infrastructure associated with the TDS TAG-124. This infrastructure\r\ncomprises a network of compromised WordPress sites, likely actor-controlled payload servers, a central server\r\nwhose exact purpose remains unclear at the time of analysis, a suspected management server, and an additional\r\nmanagement panel. If visitors fulfill specific criteria, the compromised WordPress websites display fake Google\r\nChrome update landing pages, which ultimately lead to malware infections as discussed in the Users of TAG-124\r\nsection of this report (see Figure 1).\r\nCompromised WordPress Websites\r\nTAG-124’s infrastructure consists of an extensive network of WordPress websites (see Appendix A). 
These\r\nwebsites appear to lack a consistent theme regarding industry, topic, or geography, suggesting they were likely\r\ncompromised opportunistically through exploits or by acquiring credentials, such as those obtained via\r\ninfostealers.\r\nFirst-Stage WordPress Websites in Initial Delivery\r\nThe compromised websites of the first stage in the initial delivery phase typically include a script tag with an\r\nasync attribute at an arbitrary location in the document object model (DOM), enabling the loading of an external\r\nJavaScript file in parallel with the page to avoid rendering delays (see Figure 2).\r\nThe JavaScript filename has changed frequently over time, with earlier names following recognizable patterns\r\n(such as metrics.js) and more recent ones appearing to be randomly formatted (such as hpms1989.js). Example\r\nfilenames include:\r\n3561.js\r\n365h.js\r\ne365r.js\r\nhpms1989.js\r\nmetrics.js\r\nnazvanie.js\r\nweb-analyzer.js\r\nweb-metrics.js\r\nweb.js\r\nwp-config.js\r\nwp.js\r\nNotably, the threat actors appear to be regularly updating the URLs on the compromised websites. For instance,\r\nthe website associated with www[.]ecowas[.]int has consistently changed the URL used to fetch the JavaScript\r\nfile. This behavior indicates that the threat actors maintain ongoing access to these WordPress sites and frequently\r\nalter the URLs, including the domain and JavaScript filename, likely to evade detection.\r\nAlthough many of the compromised WordPress websites appear to be associated with lesser-known organizations,\r\nInsikt Group identified notable cases, including a subdomain linked to the Polish Centre for Testing and\r\nCertification, www[.]pcbc[.]gov[.]pl, and the domain of the Economic Community of West African States\r\n(ECOWAS) (www[.]ecowas[.]int). 
Both have been compromised and used in TAG-124 campaigns.\r\nFinal Stage WordPress Websites in Initial Delivery\r\nIf visitors meet specific criteria, which could not be fully determined, the compromised WordPress domains\r\ntypically present fake Google Chrome update landing pages. These pages prompt users to click a download\r\nbutton, triggering the download of the actual payload from designated endpoints on a secondary set of\r\ncompromised WordPress websites, including but likely not limited to:\r\n/wp-admin/images/wfgth.php\r\n/wp-includes/pomo/update.php\r\n/wp-content/upgrade/update.php\r\n/wp-admin/images/rsggj.php\r\nFake Google Chrome Update Landing Pages\r\nInsikt Group discovered two variants of fake Google Chrome update landing pages associated with TAG-124 (see\r\nFigure 3). According to URLScan submission data, Variant 1 has been active longer, with its earliest submission\r\nrecorded on April 24, 2024.\r\nOnly victims meeting a specific set of still unknown conditions are directed to the fake Google Chrome update\r\nlanding page, resulting in the observation of only a limited number of domains (see Table 1). These domains can\r\nbe attributed to TAG-124 based on the URLs embedded in the DOM, public reporting, or other indicators.\r\nNotably, the threat actors consistently misspell the word “referer” as “refferer” in the query parameter, a\r\ntypographical error observed in earlier reports.",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"references": [
		"https://www.recordedfuture.com/research/tag-124-multi-layered-tds-infrastructure-extensive-user-base"
	],
	"report_names": [
		"tag-124-multi-layered-tds-infrastructure-extensive-user-base"
	],
	"threat_actors": [
		{
			"id": "4390d8ec-605d-493a-81ee-d5ef80c07046",
			"created_at": "2025-05-29T02:00:03.223467Z",
			"updated_at": "2026-04-10T02:00:03.873701Z",
			"deleted_at": null,
			"main_name": "TAG-124",
			"aliases": [
				"LandUpdate808"
			],
			"source_name": "MISPGALAXY:TAG-124",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "59d91b6f-bccf-4ae4-a14c-028b198848b6",
			"created_at": "2023-03-10T02:01:52.119563Z",
			"updated_at": "2026-04-10T02:00:03.36177Z",
			"deleted_at": null,
			"main_name": "TA866",
			"aliases": [],
			"source_name": "MISPGALAXY:TA866",
			"tools": [
				"Screenshotter",
				"AHK Bot",
				"WasabiSeed"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434931,
	"ts_updated_at": 1775792082,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4b8b58965e1cb6851afba22922345357a948aba8.pdf",
		"text": "https://archive.orkl.eu/4b8b58965e1cb6851afba22922345357a948aba8.txt",
		"img": "https://archive.orkl.eu/4b8b58965e1cb6851afba22922345357a948aba8.jpg"
	}
}