216.73.217.80

Funnull Resurfaces: Exposing RingH23 Arsenal and MacCMS Supply Chain Attacks

· Published 02/03/2026 17:39 · Modified 03/03/2026 17:15

Export JSON

Essential information

Published
02/03/2026 17:39
Modified
03/03/2026 17:15
Tags
2026-03-02 badhide2s badnginx2s badredis2s cdn poisoning cryptocurrency theft maccms ringh23 supply chain attack traffic hijacking v2deck
Related entities
40 observables, 1 intrusion sets (apt), 14 techniques (mitre), 5 malware, 60 others

Description

The report details the resurgence of the Funnull cybercriminal group, now utilizing a new arsenal called . It exposes their tactics, including compromising GoEdge CDN nodes, poisoning the supply chain, and deploying sophisticated malware components like , , and . The group has expanded its operations to inject malicious JavaScript, hijack cryptocurrency transactions, and redirect traffic to fraudulent sites. The campaign's impact is estimated to affect millions of users daily. The report also highlights Funnull's use of a suspicious new CDN infrastructure, CDN1.AI, likely created to evade detection.

External references