A detailed analysis by the Insikt Group has uncovered a sophisticated cyber threat known as TAG-124, characterized by a multi-layered Traffic Distribution System (TDS) infrastructure.
This system, employed by a diverse set of cybercriminals, is responsible for injecting malicious payloads through an extensive network of compromised WordPress sites and dedicated servers.
The research indicates that TAG-124’s infrastructure can evade detection while supporting high-profile ransomware groups and other malware operators.
TAG-124 and Its Complex Ecosystem
Recorded Future’s analysis, cut off as of January 7, 2025, links TAG-124 to several known threat activity clusters, including LandUpdate808, 404TDS, and KongTuke.
The TDS utilizes a network of compromised websites, payload delivery servers, suspected management servers, and auxiliary panels.
TAG-124 employs obfuscation tactics such as regularly changing URLs and JavaScript filenames within compromised sites to avoid detection.
The group’s ability to adjust its infection logic demonstrates a level of operational agility rarely seen among low-tier cybercriminal actors.
Victims unknowingly encounter TAG-124 when they visit WordPress sites compromised by malicious JavaScript injections.
These scripts redirect visitors to fake landing pages, often masquerading as legitimate software updates like Google Chrome.
One newly observed tactic, dubbed “ClickFix,” involves social engineering techniques where visitors are prompted to execute commands copied to their clipboard.
This multi-stage infection process eventually delivers malicious payloads, such as ransomware or remote access tools.
Key Associations
TAG-124’s infrastructure is leveraged by multiple cybercriminal groups for their initial infection chains.
Notably, operators of Rhysida and Interlock ransomware, already linked through shared tactics and encryption methods, further solidify their connection via the utilization of TAG-124.
Additional actors exploiting TAG-124 include SocGholish, TA866/Asylum Ambuscade, and operators of the D3F@CK loader.
The infrastructure’s versatility and adaptability make it an attractive tool within the evolving cybercrime ecosystem.
Analysis of TAG-124’s operations also reveals high-profile compromises, including WordPress websites linked to government and regional organizations like the Economic Community of West African States (ECOWAS).
Such breaches demonstrate the indiscriminate nature of TAG-124’s victim selection, exploiting organizations of varied sizes and sectors.
As TAG-124 garners more attention within the threat actor community, its infrastructure is expected to evolve, enhancing its capabilities and broadening its appeal.
The TDS serves not only as a platform for malware delivery but also as a connective thread linking disparate cybercriminal entities.
Analysts caution that the continued growth of these interconnected ecosystems could foster the rise of even more sophisticated cyber threats in 2025 and beyond.
The Insikt Group’s investigation underscores the critical importance of proactive threat intelligence in mitigating risks posed by such dynamic threats.
Organizations are advised to fortify their defenses by monitoring for indicators of compromise tied to TAG-124 and adopting robust detection mechanisms to thwart its infection strategies.
