Introduction
TAG-124 is a threat actor that employs a traffic distribution system to distribute malware, primarily using MintsLoader and targeting various sectors through phishing emails and compromised websites. The actor injects malicious JavaScript into WordPress sites, leading victims to fake Google Chrome update landing pages that facilitate malware downloads, often masquerading as legitimate updates. TAG-124 has been linked to multiple ransomware groups, including Rhysida and Interlock, and demonstrates high activity levels by regularly updating its infrastructure and refining its infection tactics, such as the ClickFix technique. Notable compromised sites include those associated with the Polish Centre for Testing and Certification and the Economic Community of West African States (ECOWAS).
Activities and Tactics
Information pending cataloguing.
Notable Campaigns
Information pending cataloguing.
Tactics, Techniques, and Procedures (TTPs)
Information pending cataloguing.
Notable Indicators of Compromise (IOCs)
No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.
Malware and Tools
- Chrome Remote Desktop
Attribution and Evidence
Information pending cataloguing.
References
References pending cataloguing.