Triad Nexus: FUNNULL CDN hosting DGA domains for suspect Chinese sites
Essential information
- Published: 23/10/2024 13:19
- Modified: 23/10/2024 13:51
- Tags: 2024-10-23, cdn, dga, funnull, gambling, phishing, suncity group, supply chain attack, triad nexus
- Related entities: 70 observables, 9 techniques (MITRE), 4 others
Description
Silent Push has uncovered a large-scale malicious infrastructure, dubbed 'Triad Nexus', hosted on the FUNNULL content delivery network. The investigation revealed over 200,000 unique hostnames, 95% of which were generated using Domain Generation Algorithms (DGAs). FUNNULL is linked to hosting suspect gambling websites, investment scams, and a retail phishing campaign targeting major brands. Connections were found to the Suncity Group, previously implicated in money laundering for the Lazarus crime group. A supply chain attack involving the polyfill.io JavaScript library affected over 110,000 websites. The research exposes FUNNULL's role in facilitating various criminal activities and raises concerns about its practices as a CDN provider.