Funnull Resurfaces: Exposing RingH23 Arsenal and MacCMS Supply Chain Attacks
Essential information
- Published
- 02/03/2026 17:39
- Modified
- 03/03/2026 17:15
- Tags
- 2026-03-02 badhide2s badnginx2s badredis2s cdn poisoning cryptocurrency theft maccms ringh23 supply chain attack traffic hijacking v2deck
- Related entities
- 40 observables, 1 intrusion sets (apt), 14 techniques (mitre), 5 malware, 60 others
Description
The report details the resurgence of the Funnull cybercriminal group, now utilizing a new arsenal called RingH23. It exposes their tactics, including compromising GoEdge CDN nodes, poisoning the MacCMS supply chain, and deploying sophisticated malware components like Badredis2s, Badnginx2s, and Badhide2s. The group has expanded its operations to inject malicious JavaScript, hijack cryptocurrency transactions, and redirect traffic to fraudulent sites. The campaign's impact is estimated to affect millions of users daily. The report also highlights Funnull's use of a suspicious new CDN infrastructure, CDN1.AI, likely created to evade detection.