{
  "name": "Funnull Resurfaces: Exposing RingH23 Arsenal and MacCMS Supply Chain Attacks",
  "slug": "funnull-resurfaces-exposing-ringh23-arsenal-and-maccms-supply-chain-attacks",
  "description": "The report details the resurgence of the Funnull cybercriminal group, now utilizing a new arsenal called RingH23. It exposes their tactics, including compromising GoEdge CDN nodes, poisoning the MacCMS supply chain, and deploying sophisticated malware components like Badredis2s, Badnginx2s, and Badhide2s. The group has expanded its operations to inject malicious JavaScript, hijack cryptocurrency transactions, and redirect traffic to fraudulent sites. The campaign's impact is estimated to affect millions of users daily. The report also highlights Funnull's use of a suspicious new CDN infrastructure, CDN1.AI, likely created to evade detection.",
  "published": "2026-03-02T16:39:22+00:00",
  "created_at": "2026-03-02T16:39:22+00:00",
  "modified_at": "2026-03-03T16:15:51+00:00",
  "created_at_opencti": "2026-03-02T16:39:22+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2026-03-02",
    "badhide2s",
    "badnginx2s",
    "badredis2s",
    "cdn poisoning",
    "cryptocurrency theft",
    "maccms",
    "ringh23",
    "supply chain attack",
    "traffic hijacking",
    "v2deck"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "8.139.6.156"
      },
      {
        "id": "",
        "name": "https://bucket.service.generate.110.nz/udev.sh"
      },
      {
        "id": "",
        "name": "https://cdnjs.jsdclivr.com/npm/bootstrap@5.3.0/dist/css/bootstrap.min.css?v=3.7.8.2"
      },
      {
        "id": "",
        "name": "https://az-blob.110.nz/update/init"
      },
      {
        "id": "",
        "name": "https://3snzh72om4.apifox.cn"
      },
      {
        "id": "",
        "name": "http://union.macoms.la/jquery.min-4.0.2.js"
      },
      {
        "id": "",
        "name": "https://az-blob.110.nz/update/s2"
      },
      {
        "id": "",
        "name": "https://cdnjs.clondflare.com/jquery.min-3.7.8.1.js"
      },
      {
        "id": "",
        "name": "https://az-blob.110.nz/update/s1"
      },
      {
        "id": "",
        "name": "https://dowoxox.gfewr.com/B9.apk"
      },
      {
        "id": "",
        "name": "https://bucket.service.generate.110.nz/2025-12-19/7d1d49a8d8c1fa7b4b743ed551fa338c112268e1/udev.rules"
      },
      {
        "id": "",
        "name": "https://bucket.service.generate.110.nz/2025-12-19/7d1d49a8d8c1fa7b4b743ed551fa338c112268e1/kernel.so"
      },
      {
        "id": "",
        "name": "http://cdn.jsdelivr.vip/jquery.min-3.7.0.js"
      },
      {
        "id": "",
        "name": "http://cdnjs.jsdclivr.com/npm/bootstrap@5.3.0/dist/css/bootstrap.min.css?v=3.7.8.2"
      },
      {
        "id": "",
        "name": "https://az-blob.110.nz/update/s9"
      },
      {
        "id": "",
        "name": "https://az-blob.110.nz/update/s7"
      },
      {
        "id": "",
        "name": "http://static.bytedauce.com/ajax/libs/bootstrap/5.3.3/css/bootstrap-grid.min.css"
      },
      {
        "id": "",
        "name": "https://download.joymeet.top/app/2PG/00056321.mobileconfig"
      },
      {
        "id": "",
        "name": "http://code.jquecy.com/jquery.min-3.6.8.js"
      },
      {
        "id": "",
        "name": "https://bucket.service.generate.110.nz/2025-12-19/7d1d49a8d8c1fa7b4b743ed551fa338c112268e1/module.so"
      },
      {
        "id": "",
        "name": "http://api.bdustatic.com/jquery.min-4.0.12.js"
      },
      {
        "id": "",
        "name": "https://plist.ztyfv.com/d/4F48MCiqtsjDCS7QOWs3KU.plist"
      },
      {
        "id": "",
        "name": "https://az-blob.110.nz/update/s4"
      },
      {
        "id": "",
        "name": "https://az-blob.110.nz/update/s3"
      },
      {
        "id": "",
        "name": "30340b0a9b7ee100909cb7fc8a0d65bdc249cecea5c078f464a17b3022104e62"
      },
      {
        "id": "",
        "name": "75e1366c54d9803e97c69234f31d7d1d0a0a1165fef9bd72f9fe8aa13955c11c"
      },
      {
        "id": "",
        "name": "a95b17ba5a419451b66e13e93baa1f7281d127cd8039ff20143df681dfb9cb0c"
      },
      {
        "id": "",
        "name": "27cb410b59e83b3f5274a6d80e0a572d0ef85a7a5d3606815ed71c1271be1123"
      },
      {
        "id": "",
        "name": "44810a9c726690e38abeca7edc62325317ce4e7b8c8fff3401a3180d184d8767"
      },
      {
        "id": "",
        "name": "568e137a510520acf7c84e151ded90803f83fe5561e29348caa8ae7c8514e96d"
      },
      {
        "id": "",
        "name": "43427b5742bfcc51c9382e6fe64b74a0148188010ef80de36359951e49d172a6"
      },
      {
        "id": "",
        "name": "bda1f5ceff6c4ec9ab2a9fd661f0c5e0113e418cab9a4358bd3e9926de13737a"
      },
      {
        "id": "",
        "name": "a324e95450eaa5e23fcdb66c056a4ef7c80a521da75751a0fb4c3cc542de0d4d"
      },
      {
        "id": "",
        "name": "a61ab901f3644db457fa87852a9f69890f42b0bfa263415ddecde04b8c569617"
      },
      {
        "id": "",
        "name": "077d6aed18d71c5fc08cbd2a52f963178189cdcedae21a2cf812560e3355c40a"
      },
      {
        "id": "",
        "name": "e829040cac2fbccdffe23024b9f8c64af77037f941b010d4727c2c292bbc3665"
      },
      {
        "id": "",
        "name": "4d71e92ca46e3f3fa74ebee8f4cab5d0ef214d63d1df880d5a17db94ac101dfb"
      },
      {
        "id": "",
        "name": "6da988eddf7e7be66c42e54bf781b554bbb81bf16767c47b617f634c48442aa4"
      },
      {
        "id": "",
        "name": "b49e03c9c759bbe8b45fe8bfa6b953fc381f5c8aa1dc56de1ae006815c0831a8"
      },
      {
        "id": "",
        "name": "09b0503f6eee217e5b9c41773b8b22a90e640f2f7c5a44adc48c5b70b50a4137"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:9fa7b238f6b2511c",
        "name": "V2deck",
        "slug": "v2deck"
      },
      {
        "id": "legacy:malware:2d69bec4022c2ca2",
        "name": "Badhide2s",
        "slug": "badhide2s"
      },
      {
        "id": "legacy:malware:de14b009823f7c96",
        "name": "RingH23",
        "slug": "ringh23"
      },
      {
        "id": "legacy:malware:8d063b6ccd4a191c",
        "name": "Badnginx2s",
        "slug": "badnginx2s"
      },
      {
        "id": "legacy:malware:c94edd1f807e8b99",
        "name": "Badredis2s",
        "slug": "badredis2s"
      }
    ],
    "intrusion_sets": [
      {
        "id": "d6d24ee6-9662-49ba-9e6a-e1ba09664313",
        "name": "Funnull",
        "slug": "funnull"
      }
    ],
    "attack_patterns": [
      {
        "id": "9f11a241-9abc-4c57-95dd-33955ab08826",
        "name": "T1078"
      },
      {
        "id": "7d7ac733-6442-416f-8669-c302dd0843b9",
        "name": "T1036"
      },
      {
        "id": "c3af9fd7-d307-4df4-9220-cc627938fb85",
        "name": "T1055"
      },
      {
        "id": "16e26db7-7376-40c1-b8a9-23d56c44f7ee",
        "name": "T1571"
      },
      {
        "id": "30f6a233-a437-4146-987a-3e42ae12889a",
        "name": "T1608.004"
      },
      {
        "id": "53b3b18c-d0d0-4bf6-bc6b-2c0ab9180deb",
        "name": "T1070"
      },
      {
        "id": "09124a92-c11f-4571-b35b-ab0bce6dd081",
        "name": "T1112"
      },
      {
        "id": "beaa4978-0309-438b-a45e-ec566b643811",
        "name": "T1505.003"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "6c8f8a40-2746-4a37-86bd-81e82afa6e62",
        "name": "T1190"
      },
      {
        "id": "b9eab970-53dd-4977-9a26-c4fe566e422d",
        "name": "T1133"
      },
      {
        "id": "de38dd3a-41d7-4621-8a00-a32d7f0ff420",
        "name": "T1102.002"
      },
      {
        "id": "358e04b8-6f65-48b2-a24b-f101bfc6671a",
        "name": "T1195"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "China"
      },
      {
        "id": "",
        "name": "Telecommunications"
      },
      {
        "id": "",
        "name": "Technology"
      },
      {
        "id": "",
        "name": "nsj6.linuxdistro.net"
      },
      {
        "id": "",
        "name": "tutupytua.com"
      },
      {
        "id": "",
        "name": "js.mirrors163.com"
      },
      {
        "id": "",
        "name": "download.joymeet.top"
      },
      {
        "id": "",
        "name": "zybbzlast.com"
      },
      {
        "id": "",
        "name": "j6.linuxdistro.net"
      },
      {
        "id": "",
        "name": "js2.ntporg.com"
      },
      {
        "id": "",
        "name": "service.client.110.nz"
      },
      {
        "id": "",
        "name": "h2.debianhacks.net"
      },
      {
        "id": "",
        "name": "realfake909.net"
      },
      {
        "id": "",
        "name": "mobileconfig.aqyaqua.com"
      },
      {
        "id": "",
        "name": "gadlkd1.com"
      },
      {
        "id": "",
        "name": "lucycally.me"
      },
      {
        "id": "",
        "name": "api.bdustatic.com"
      },
      {
        "id": "",
        "name": "aqyaqua.com"
      },
      {
        "id": "",
        "name": "update.maccms.la"
      },
      {
        "id": "",
        "name": "dowoxox.gfewr.com"
      },
      {
        "id": "",
        "name": "flysky55.me"
      },
      {
        "id": "",
        "name": "jsdelivr.vip"
      },
      {
        "id": "",
        "name": "update.ntporg.com"
      },
      {
        "id": "",
        "name": "ailyunoss.com"
      },
      {
        "id": "",
        "name": "b.plusedns.com"
      },
      {
        "id": "",
        "name": "apk.aqyaqua.com"
      },
      {
        "id": "",
        "name": "cdn.jsdclivr.com"
      },
      {
        "id": "",
        "name": "linuxdistro.net"
      },
      {
        "id": "",
        "name": "bytedauce.com"
      },
      {
        "id": "",
        "name": "ailyun-oss.com"
      },
      {
        "id": "",
        "name": "3snzh72om4.apifox.cn"
      },
      {
        "id": "",
        "name": "cdnjs.clondflare.com"
      },
      {
        "id": "",
        "name": "js.ntporg.com"
      },
      {
        "id": "",
        "name": "debianhacks.net"
      },
      {
        "id": "",
        "name": "s.aqyaqua.com"
      },
      {
        "id": "",
        "name": "client.110.nz"
      },
      {
        "id": "",
        "name": "cdnjs.jsdclivr.com"
      },
      {
        "id": "",
        "name": "js.sbindns.com"
      },
      {
        "id": "",
        "name": "9688hopeeasy.cc"
      },
      {
        "id": "",
        "name": "moxymodiy.cc"
      },
      {
        "id": "",
        "name": "goyppg06.com"
      },
      {
        "id": "",
        "name": "firelategg.net"
      },
      {
        "id": "",
        "name": "fedoraforums.net"
      },
      {
        "id": "",
        "name": "static.bytedauce.com"
      },
      {
        "id": "",
        "name": "s11.ntporg.com"
      },
      {
        "id": "",
        "name": "cn.js.mirrors163.com"
      },
      {
        "id": "",
        "name": "maccmsp.la"
      },
      {
        "id": "",
        "name": "s10.ntporg.com"
      },
      {
        "id": "",
        "name": "jsdclivr.com"
      },
      {
        "id": "",
        "name": "a.plusedns.com"
      },
      {
        "id": "",
        "name": "plist.ztyfv.com"
      },
      {
        "id": "",
        "name": "bucket.service.generate.110.nz"
      },
      {
        "id": "",
        "name": "az-blob.110.nz"
      },
      {
        "id": "",
        "name": "cdn.jsdelivr.vip"
      },
      {
        "id": "",
        "name": "clondflare.com"
      },
      {
        "id": "",
        "name": "code.jquecy.com"
      },
      {
        "id": "",
        "name": "js.ntp.asia"
      },
      {
        "id": "",
        "name": "ubuntucommands.com"
      },
      {
        "id": "",
        "name": "union.macoms.la"
      },
      {
        "id": "",
        "name": "bdustatic.com"
      }
    ]
  },
  "external_refs": [
    "https://blog.xlab.qianxin.com/funnull-resurfaces-exposing-ringh23-arsenal-and-maccms-supply-chain-attacks/",
    "https://otx.alienvault.com/pulse/69a5cb4a6a4e3817035f5326"
  ]
}