Threat Actors Leverage TAG-124 Infrastructure to Deliver Malicious Payloads
In a concerning trend for cybersecurity, multiple threat actors, including ransomware groups and state-sponsored entities, are utilizing a malicious traffic distribution system (TDS) known as TAG-124 to optimize the delivery of malware payloads to high-value targets.
According to research by Insikt Group from Recorded Future, TAG-124 operates similarly to legitimate TDSs used in online advertising, leveraging user browser data, geolocation, and behavioral patterns to make rapid decisions on traffic routing.
However, instead of directing users to targeted ads, TAG-124 funnels vulnerable individuals to malicious content, such as ransomware and remote access tools, while employing defensive mechanisms to evade detection by researchers and sandboxes.
This infrastructure has become a critical tool for cybercriminals engaged in “big game hunting,” where they prioritize organizations likely to pay substantial extortion demands, such as those in healthcare and other critical sectors.
Notable ransomware operators like Rhysida and Interlock have been tied to TAG-124.
Rhysida, a ransomware-as-a-service group, gained notoriety in 2023 for an attack on Prospect Medical Holdings, stealing over 500,000 social security numbers and disrupting operations across numerous hospitals and clinics.
Similarly, Interlock claimed responsibility for a December 2024 attack on Texas Tech University Health Sciences Center, exfiltrating 2.6 TB of sensitive data.
Both groups exhibit overlapping tactics and encryption behaviors, suggesting potential collaboration, though their exact relationship remains unclear.
Beyond ransomware, TAG-124 is also linked to TA866 (Asylum Ambuscade), a cybercrime group likely operating on behalf of the Russian government, which targets financial institutions and conducts espionage against government entities in Europe and Central Asia.

Additionally, malware such as SocGholish and the D3F@ck loader, used for remote access and further payload delivery, has been associated with this TDS, amplifying its reach through techniques like search engine optimization (SEO) poisoning and the compromise of legitimate websites.
Rising Risks and Defensive Challenges
The use of shared infrastructure like TAG-124 enhances the efficiency of cybercriminals, creating a dangerous cycle where successful attacks fund further investment in specialized tools and services.
This escalating sophistication increases the risk of high-impact ransomware and espionage-driven data theft for businesses worldwide.
According to the report, the early role of TAG-124 in the attack kill chain makes it difficult to detect, yet failing to identify such intrusions can lead to severe consequences, as seen in a recent class action lawsuit against Sunflower Medical following a breach attributed to Rhysida.
The intrusion went undetected for three weeks, highlighting the critical need for early threat identification to mitigate legal and operational fallout.
To counter TAG-124 and similar TDSs like VexTrio and BlackTDS, defenders must adopt advanced threat detection strategies, such as custom file scanning with YARA and log-based rules available through platforms like Recorded Future’s Intelligence Cloud.
Educating users about the dangers of SEO poisoning and enforcing secure browser settings, including automatic updates and pop-up blockers, can further reduce exposure to malicious prompts often tied to TAG-124 infrastructure.
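As an added illustration (not code from the article or the Insikt Group report), the following Python sketch shows what a log-based rule for the SEO-poisoning funnel described above might look like: a client arrives from a search-engine referer, is bounced to a different domain within a short window, and that domain hands out a file download instead of a page. The proxy log format, field names, thresholds and .test domains are all constructed for the example.

```python
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Heuristic constants (assumed, tune to the environment).
SEARCH_ENGINES = {"www.google.com", "www.bing.com", "duckduckgo.com"}
DOWNLOAD_TYPES = {"application/octet-stream", "application/x-msdownload",
                  "application/zip", "application/javascript"}
WINDOW = timedelta(seconds=30)   # max gap between landing page and download

def parse(line):
    """Constructed proxy format: ts|client|method|url|status|referer|content_type."""
    ts, client, _method, url, status, referer, ctype = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "client": client, "url": url,
            "host": urlparse(url).hostname, "status": int(status),
            "referer": urlparse(referer).hostname if referer != "-" else None,
            "ctype": ctype}

def find_funnels(lines):
    """Return (client, landing_host, payload_url) for each suspicious chain."""
    events = sorted((parse(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    hits = []
    for i, land in enumerate(events):
        if land["referer"] not in SEARCH_ENGINES:
            continue  # stage 1: the user arrived from a search result
        for nxt in events[i + 1:]:
            if nxt["ts"] - land["ts"] > WINDOW:
                break
            if nxt["client"] != land["client"] or nxt["host"] == land["host"]:
                continue  # same client, but only hops to another domain count
            # stage 2: the off-site hop hands out a file rather than a page
            if nxt["status"] == 200 and nxt["ctype"] in DOWNLOAD_TYPES:
                hits.append((land["client"], land["host"], nxt["url"]))
                break
    return hits

# Constructed sample log (the .test domains are placeholders, not indicators).
SAMPLE_LOG = """\
2025-01-10T09:00:00|10.0.0.5|GET|https://www.google.com/search?q=invoice+template|200|-|text/html
2025-01-10T09:00:04|10.0.0.5|GET|https://blog.example-hobby.test/templates|200|https://www.google.com/search?q=invoice+template|text/html
2025-01-10T09:00:05|10.0.0.5|GET|https://cdn-update.example-tds.test/gate|302|https://blog.example-hobby.test/templates|text/html
2025-01-10T09:00:06|10.0.0.5|GET|https://files.example-tds.test/Update.exe|200|-|application/x-msdownload
2025-01-10T09:05:00|10.0.0.7|GET|https://docs.example-vendor.test/guide|200|https://www.bing.com/search?q=guide|text/html
2025-01-10T09:05:02|10.0.0.7|GET|https://docs.example-vendor.test/guide.pdf|200|https://docs.example-vendor.test/guide|application/pdf
"""

if __name__ == "__main__":
    for hit in find_funnels(SAMPLE_LOG.splitlines()):
        print("suspicious funnel:", hit)
```

The second client downloads a PDF from the same site it landed on, so it is not flagged; only the cross-domain hop ending in an executable download is.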
As cybercriminals continue to adopt legitimate content delivery techniques for illicit purposes, understanding and blocking TDS-related indicators remains a vital step in disrupting multiple threat actors early in their attack cycles.