
Threat Actors Exploit TAG-124 Infrastructure for Malicious Payload Delivery


In a troubling development within the realm of cybersecurity, a multitude of threat actors, including ransomware groups and state-sponsored entities, have been utilizing a malevolent traffic distribution system (TDS) called TAG-124 to streamline the dissemination of malware payloads to high-profile targets.

Recent findings from the Insikt Group at Recorded Future have shed light on the operational mechanics of TAG-124, which functions in a manner akin to legitimate TDSs employed in online advertising. By capitalizing on user browser data, geolocation information, and behavioral patterns, TAG-124 is able to swiftly determine the routing of traffic.

However, rather than guiding users towards targeted advertisements, TAG-124 steers susceptible individuals towards malicious content, such as ransomware and remote access tools, all while employing anti-analysis measures to evade detection by security researchers and sandboxes.
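The conditional routing described above has a defender-side corollary: a TDS that sends one client profile to a payload and another to a decoy reveals itself when the same seed URL is fetched under several profiles and the landing hosts diverge. The following Python is an added example, not from the Recorded Future report or this article; the probe profiles, hostnames and redirect chains are constructed placeholders rather than real indicators.

```python
"""Flag TDS-style cloaking from redirect chains observed under different client profiles."""
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass(frozen=True)
class Probe:
    profile: str   # label for the simulated client (browser, geo, automation hints)
    chain: tuple   # redirect chain as observed, first element is the seeded URL


def host_of(url):
    return urlparse(url).netloc.lower()


def shared_intermediates(probes):
    """Hosts present in every chain between seed and landing page: candidate TDS gates."""
    middles = [{host_of(u) for u in p.chain[1:-1]} for p in probes]
    return set.intersection(*middles) if middles else set()


def cloaking_report(probes):
    """Group probes by landing host; more than one landing host for one seed is the cloaking signal."""
    landings = {}
    for p in probes:
        landings.setdefault(host_of(p.chain[-1]), []).append(p.profile)
    return {
        "cloaked": len(landings) > 1,
        "landings": landings,
        "gates": sorted(shared_intermediates(probes)),
    }


# Constructed sample: two browser-like profiles reach a payload, two analysis-like profiles
# are bounced back to the harmless seed page through the same intermediate gate.
SAMPLE = [
    Probe("win-chrome-us", ("http://seed.example/", "http://gate.example/?k=1", "http://payload.example/update.exe")),
    Probe("win-chrome-de", ("http://seed.example/", "http://gate.example/?k=1", "http://payload.example/update.exe")),
    Probe("linux-curl", ("http://seed.example/", "http://gate.example/?k=1", "http://seed.example/")),
    Probe("headless-sandbox", ("http://seed.example/", "http://gate.example/?k=1", "http://seed.example/")),
]

if __name__ == "__main__":
    report = cloaking_report(SAMPLE)
    print("cloaked:", report["cloaked"], "gates:", report["gates"])
    for host, profiles in report["landings"].items():
        print(f"  {host}: {', '.join(profiles)}")
```

Any host in `gates` that recurs across unrelated seed URLs is the shared-infrastructure indicator worth blocking at the proxy.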

This infrastructure has emerged as a crucial weapon for cybercriminals engaged in what is known as “big game hunting,” a tactic in which they prioritize organizations that are more likely to acquiesce to significant extortion demands, particularly those operating in the healthcare sector and other critical industries.

Notably, ransomware operators such as Rhysida and Interlock have been linked to the utilization of TAG-124. Rhysida, a ransomware-as-a-service group that gained infamy in 2023 for a brazen attack on Prospect Medical Holdings, managed to pilfer over 500,000 Social Security numbers and disrupt operations across a multitude of hospitals and clinics.

Similarly, Interlock made headlines in December 2024 for launching an attack on Texas Tech University Health Sciences Center, during which they exfiltrated a staggering 2.6 TB of sensitive data. The parallels in tactics and encryption behaviors between these two groups suggest a potential collaboration, though the exact nature of their relationship remains shrouded in mystery.

Beyond ransomware, TAG-124 has also been associated with TA866 (Asylum Ambuscade), a cybercrime group believed to be operating under the auspices of the Russian government. This group primarily targets financial institutions and engages in espionage against government entities in Europe and Central Asia.

Additionally, certain malware strains like SocGholish and D3F@ck loader, utilized for remote access and the delivery of additional payloads, have been tied to this TDS, thereby expanding its reach through methods like search engine optimization (SEO) poisoning and compromising legitimate websites.

The utilization of shared infrastructure like TAG-124 serves to bolster the operational efficiency of cybercriminals, setting in motion a dangerous cycle where successful attacks result in further investments in specialized tools and services. This heightening level of sophistication poses an increased risk of high-impact ransomware attacks and espionage-driven data breaches for businesses on a global scale.

According to a report by Recorded Future, the early involvement of TAG-124 in the attack chain poses a significant challenge in terms of detection. Failure to promptly identify such intrusions can have severe repercussions, as evidenced by a recent class action lawsuit against Sunflower Medical following a breach attributed to Rhysida, which went undetected for a staggering three weeks.

In order to combat the threat posed by TAG-124 and similar TDSs like VexTrio and BlackTDS, defenders must embrace advanced threat detection strategies, including custom file scanning with YARA and log-based rules available through platforms like Recorded Future’s Intelligence Cloud. Educating users about the perils of SEO poisoning and enforcing secure browser settings, such as automatic updates and pop-up blockers, can further diminish exposure to malicious prompts often associated with TAG-124’s infrastructure.

As cybercriminals persist in leveraging legitimate content delivery techniques for illicit purposes, being able to identify and obstruct TDS-related indicators stands as a crucial step in disrupting the operations of multiple threat actors early on in their attack cycles.
