TAG-124’s Multi-Layered TDS Infrastructure and Extensive User Base

Jan. 31, 2025, 10:39 a.m.

Description

Insikt Group has identified the multi-layered infrastructure behind TAG-124, a traffic distribution system (TDS) that overlaps with several threat activity clusters and comprises compromised WordPress sites together with a range of actor-controlled servers. Multiple threat actors, including the operators of Rhysida and Interlock ransomware, use TAG-124; the shared infrastructure, along with overlapping tactics and tooling, reinforces the connection between those actors. Insikt Group anticipates that TAG-124 will continue to evolve and attract more users within the cybercriminal ecosystem.

Date

  • Created: Jan. 31, 2025, 10:09 a.m.
  • Published: Jan. 31, 2025, 10:09 a.m.
  • Modified: Jan. 31, 2025, 10:39 a.m.

Indicators

  • d738eef8756a03a516b02bbab0f1b06ea240efc151f00c05ec962d392cfddb93
  • 97105ed172e5202bc219d99980ebbd01c3dfd7cd5f5ac29ca96c5a09caa8af67
  • 9d508074a830473bf1dee096b02a25310fa7929510b880a5875d3c316617dd50
  • ccdf82b45b2ee9173c27981c51958e44dee43131edfbce983b6a5c146479ac33
  • 95b9c9bf8fa3874ad9e6204f408ce162cd4ae7a8253e69c3c493188cb9d1f4da
  • 950f1f8d94010b636cb98be774970116d98908cd4c45fbb773e533560a4beea7
  • 941fa9119eb1413fdd4f05333e285c49935280cc85f167fb31627012ef71a6b3
  • 92d2488e401d24a4bfc1598d813bc53af5c225769efedf0c7e5e4083623f4486
  • 8d911ef72bdb4ec5b99b7548c0c89ffc8639068834a5e2b684c9d78504550927
  • 7f8e9d7c986cc45a78c0ad2f11f28d61a4b2dc948c62b10747991cb33ce0e241
  • 7b8d4b1ab46f9ad4ef2fd97d526e936186503ecde745f5a9ab9f88397678bc96
  • 7ea83cca00623a8fdb6c2d6268fa0d5c4e50dbb67ab190d188b8033d884e4b75
  • 77dc705cecbc29089c8e9eea3335ba83de57a17ed99b0286b3d9301953a84eca
  • 77bd80e2a7c56eb37a33c2a0518a27deb709068fdc66bd1e00b5d958a25c7ad8
  • 7683d38c024d0f203b374a87b7d43cc38590d63adb8e5f24dff7526f5955b15a
  • 700f1afeb67c105760a9086b0345cb477737ab62616fd83add3f7adf9016c5e5
  • 67b5b54c85e7590d81a404d6c7ea7dd90d4bc773785c83b85bcce82cead60c37
  • 57e9e1e3ebd78d4878d7bb69e9a2b0d0673245a87eb56cf861c7c548c4e7b457
  • 6464cdbfddd98f3bf6301f2bf525ad3642fb18b434310ec731de08c79e933b3e
  • 4fa213970fdef39d2506a1bd4f05a7ceee191d916b44b574022a768356951a23
  • 43f4ca1c7474c0476a42d937dc4af01c8ccfc20331baa0465ac0f3408f52b2e2
  • 46aac6bf94551c259b4963157e75073cb211310e2afab7a1c0eded8a175d0a28
  • 42c1550b035353ae529e98304f89bf6065647833e582d08f0228185b493d0022
  • 430fd4d18d22d0704db1c4a1037d8e1664bfc003c244650cb7538dbe7c3be63e
  • 42d7135378ed8484a6a86a322ea427765f2e4ad37ee6449691b39314b5925a27
  • 342b889d1d8c81b1ba27fe84dec2ca375ed04889a876850c48d2b3579fbac206
  • 2da62d1841a6763f279c481e420047a108da21cd5e16eae31661e6fd5d1b25d7
  • 28c49af7c95ab41989409d2c7f98e8f8053e5ca5f7a02b2a11ad4374085ec6ff
  • 22dc96b3b8ee42096c66ab08e255adce45e5e09a284cbe40d64e83e812d1b910
  • 183c57d9af82964bfbb06fbb0690140d3f367d46d870e290e2583659609b19f2
  • 64.95.12.98
  • 64.95.12.38
  • 64.95.11.184
  • 64.94.85.98
  • 64.94.85.248
  • 64.190.113.41
  • 64.7.198.66
  • 64.190.113.111
  • 193.149.176.223
  • 216.245.184.210
  • 162.33.178.63
  • 162.33.178.113
  • 162.33.178.59
  • 162.33.177.82
  • 146.70.41.191
  • 162.33.177.36
  • 64.95.11.65
  • 193.149.176.179
  • 216.245.184.225
  • 162.33.178.75
  • winworld.es
  • true-blood.net
  • saighbuzu32uvv.top
  • robnzuwubz.top
  • riuzvi4tc.top
  • rifiziec.top
  • pretoria24.top
  • mysamsung7.shop
  • nvidias.shop
  • mobileyas.shop
  • micronsoftwares.com
  • mgjabikgjhhambm.top
  • melmejkjaakiakn.top
  • mcajijknegnbbga.top
  • kjalcimbfaaddff.top
  • khcjgjmfjgdleag.top
  • kffgkjmjangegkg.top
  • imfiejalbhhgijl.top
  • ikjfjkkagafbdke.top
  • ikhgijabfnkajem.top
  • iadkainhkafngnk.top
  • gubyzywey6b.top
  • gnmdjjckbgddaie.top
  • getazurecommand.icu
  • get-iwrreq.top
  • get-azurecommand.icu
  • gbkffjcglabkmne.top
  • gdihcicdghmcldd.top
  • futnbuzj3nh.top
  • fpziviec.top
  • faybzuy3byz2v.top
  • expressbuycomputers.shop
  • ejlhaidjmhcmami.top
  • ehnediemcaffbij.top
  • eebchjechginddk.top
  • dating2go.store
  • cryptotap.site
  • cryptoslate.cc
  • cmcuauec.top
  • cmcebigeiajbfcb.top
  • cljhkcjfimibhci.top
  • ckebfjgimhmjgmb.top
  • cignjjgmdnbchhc.top
  • bkkeiekjfcdaaen.top
  • azuregetrequest.icu
  • azurearc-cdn.top
  • azure-getrequest.icu
  • anjmhjidinfmlci.top
  • adednihknaalilg.top
  • amdradeon.shop
  • abhbdiiaehdejgh.top
  • 527newagain.top
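The indicators above are a mix of SHA-256 file hashes, IPv4 addresses and domains, delivered as one flat list. The following script is an added example for this page, not Insikt Group or Recorded Future tooling: it classifies each indicator by type, undoes common defanging, and sweeps log lines for exact hash and IP matches and whole-label domain or subdomain matches. The indicators embedded in it are a subset copied from the list above; the proxy, DNS, firewall and EDR log lines are constructed for the demonstration and are not real telemetry.

```python
"""Triage helper for the indicator list above.

Added example for this page, not Insikt Group / Recorded Future tooling.
Indicators are a subset of those published above; the log lines are
constructed for the demonstration and are not real telemetry.
"""
import ipaddress
import re
from collections import defaultdict

# Subset of the published indicators (one hash, two IPs, four domains).
INDICATORS = [
    "d738eef8756a03a516b02bbab0f1b06ea240efc151f00c05ec962d392cfddb93",
    "64.95.12.98",
    "162.33.178.63",
    "azurearc-cdn.top",
    "get-azurecommand.icu",
    "micronsoftwares.com",
    "winworld.es",
]

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
HEX64_RE = re.compile(r"\b[0-9a-f]{64}\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Hostname: dotted labels of [a-z0-9-] ending in an alphabetic TLD, so a
# dotted-quad IP address never matches here.
DOMAIN_RE = re.compile(
    r"\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}\b"
)


def refang(value):
    """Lower-case and undo common defanging: hxxp, [.], (.) and a trailing dot."""
    v = value.strip().lower()
    v = v.replace("hxxp", "http").replace("[.]", ".").replace("(.)", ".")
    return v.rstrip(".")


def classify(indicator):
    """Return 'sha256', 'ipv4', 'domain' or 'unknown' for one indicator."""
    v = refang(indicator)
    if SHA256_RE.match(v):
        return "sha256"
    try:
        ipaddress.IPv4Address(v)
        return "ipv4"
    except ValueError:
        pass
    if DOMAIN_RE.fullmatch(v):
        return "domain"
    return "unknown"  # URLs, CIDRs, e-mail addresses etc. need their own handling


def build_index(indicators):
    """Bucket refanged indicators by type into sets for constant-time lookups."""
    index = defaultdict(set)
    for raw in indicators:
        index[classify(raw)].add(refang(raw))
    return index


def domain_hit(host, domains):
    """Return the listed domain that `host` equals or is a subdomain of, else None.

    Whole labels are compared (cdn.azurearc-cdn.top -> azurearc-cdn.top), never
    substrings, so a lookalike such as nvidias.shop cannot match nvidia.com.
    """
    labels = host.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def scan(lines, index):
    """Return (line_number, indicator, type) for every indicator found in `lines`."""
    hits = []
    for n, raw in enumerate(lines, 1):
        line = refang(raw)
        for h in HEX64_RE.findall(line):
            if h in index["sha256"]:
                hits.append((n, h, "sha256"))
        for ip in IPV4_RE.findall(line):
            if ip in index["ipv4"]:
                hits.append((n, ip, "ipv4"))
        for host in DOMAIN_RE.findall(line):
            matched = domain_hit(host, index["domain"])
            if matched:
                hits.append((n, matched, "domain"))
    return hits


# Constructed log lines (proxy, DNS, firewall, EDR); the last one is benign.
SAMPLE_LOGS = [
    "2025-01-31T10:12:03Z proxy user=jdoe GET hxxp://cdn.azurearc-cdn[.]top/update.js 200",
    "2025-01-31T10:12:04Z dns query=WWW.MICRONSOFTWARES.COM type=A rcode=NOERROR",
    "2025-01-31T10:13:10Z fw src=10.0.4.17 dst=64.95.12.98 dport=443 action=allow",
    "2025-01-31T10:13:12Z edr file=C:\\Users\\Public\\update.exe "
    "sha256=D738EEF8756A03A516B02BBAB0F1B06EA240EFC151F00C05EC962D392CFDDB93",
    "2025-01-31T10:14:00Z proxy user=asmith GET https://www.example.com/ 200",
]

if __name__ == "__main__":
    idx = build_index(INDICATORS)
    for hit in scan(SAMPLE_LOGS, idx):
        print("line %d: %s (%s)" % hit)
```

Run against the constructed lines, the first four each produce one hit and the benign line produces none. The domain matcher compares whole hostnames and their parent domains rather than substrings; that matters for a list like this one, where several entries imitate legitimate brands (nvidias.shop, amdradeon.shop, micronsoftwares.com, the azure*.icu set), and a substring match would risk flagging the brands being imitated.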

Attack Patterns

  • MintsLoader
  • CleanUpLoader
  • PyInstaller
  • Remcos - S0332
  • TAG-124
  • T1608.004 - Stage Capabilities: Drive-by Target
  • T1584.001 - Compromise Infrastructure: Domains
  • T1583.001 - Acquire Infrastructure: Domains
  • T1587.001 - Develop Capabilities: Malware
  • T1583.004 - Acquire Infrastructure: Server
  • T1583.003 - Acquire Infrastructure: Virtual Private Server