TAG-124

Also known as: LandUpdate808 · TAG-124

Profile

TAG-124 is a threat actor that employs a traffic distribution system to distribute malware, primarily using MintsLoader and targeting various sectors through phishing emails and compromised websites. The actor injects malicious JavaScript into WordPress sites, leading victims to fake Google Chrome update landing pages that facilitate malware downloads, often masquerading as legitimate updates. TAG-124 has been linked to multiple ransomware groups, including Rhysida and Interlock, and demonstrates high activity levels by regularly updating its infrastructure and refining its infection tactics, such as the ClickFix technique. Notable compromised sites include those associated with the Polish Centre for Testing and Certification and the Economic Community of West African States (ECOWAS).

Aliases · 2

LandUpdate808 · TAG-124

References

  1. https://www.recordedfuture.com/research/uncovering-mintsloader-with-recorded-future-malware-intelligence-hunting
  2. https://www.recordedfuture.com/research/tag-124-multi-layered-tds-infrastructure-extensive-user-base

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

Actor: TAG-112
Actor: TAG-140
Actor: Team46
Actor: Larva-208
Actor: TAG-56
Actor: Phlox Tempest

Sourced from MISP-Galaxy Threat Actor cluster. Curated by Adam Lundqvist, Founder at SQUR.