TAG-124 Hacked 1000+ WordPress Sites To Embed Payloads


A sophisticated cyber campaign orchestrated by the threat group TAG-124 has compromised over 1,000 WordPress websites to deploy malicious payloads.

The operation leverages a multi-layered Traffic Distribution System (TDS) to infect users with malware, demonstrating advanced evasion tactics and infrastructure management.

TAG-124’s infrastructure consists of compromised WordPress sites injected with malicious JavaScript to redirect visitors to attacker-controlled payload servers.
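As an added example (not from the article or Recorded Future), a small defensive scanner for the injection pattern described above: it parses a WordPress page, flags `<script src>` hosts that are neither the site's own host nor on a constructed allowlist, matches the landing-page domain the article names (update-chronne[.]com, refanged here), and flags inline scripts that force a redirect. The sample HTML, the hostname `example-blog.test` and the allowlist are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: one legitimate script, one injected external script,
# and one inline redirect. Only update-chronne.com comes from the article.
SAMPLE_HTML = """<html><head>
<script src="https://example-blog.test/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://update-chronne.com/update.js"></script>
</head><body>
<script>window.location.replace("https://update-chronne.com/chrome");</script>
</body></html>"""

SITE_HOST = "example-blog.test"  # assumption: the scanned site's own hostname
ALLOWED_HOSTS = {SITE_HOST, "fonts.googleapis.com", "s.w.org"}  # constructed allowlist
KNOWN_BAD_HOSTS = {"update-chronne.com"}  # defanged in the article, refanged for matching
REDIRECT_RE = re.compile(r"(location\.(?:href|replace|assign)|window\.open)\s*[(=]", re.I)

class ScriptCollector(HTMLParser):
    """Collects external script sources and inline script bodies from a page."""
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._in_script = [], [], False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._in_script = True
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script:  # HTMLParser hands script bodies to handle_data
            self.inline.append(data)

def scan_page(html):
    """Return (finding_type, detail) tuples for suspicious scripts in the page."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.external:
        host = urlparse(src).hostname or ""
        if host in KNOWN_BAD_HOSTS:
            findings.append(("known_bad_host", host))
        elif host not in ALLOWED_HOSTS:
            findings.append(("unlisted_script_host", host))
    for body in parser.inline:
        if REDIRECT_RE.search(body):
            findings.append(("inline_redirect", body.strip()[:60]))
    return findings
```

Run it over saved copies of your site's rendered pages; an unlisted script host is not proof of compromise, but it is the first thing to compare against a clean copy of the theme and plugins.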


TAG-124’s high-level infrastructure setup (Source – Recorded Future)

These servers host malware disguised as legitimate software updates, such as fake Google Chrome updates.

Fake Google Chrome update variant 1 (left) and 2 (right) (Source – Recorded Future)

A central management panel allows attackers to control and update URLs, logic, and infection tactics, enabling dynamic and adaptive attack strategies.

Google Chrome fake update landing page on update-chronne[.]com (Source – Recorded Future)

Researchers at Insikt Group, Recorded Future’s threat research division, noted that the attack begins when users visit compromised WordPress sites embedded with malicious scripts like the following: