{ "type": "Domain", "indicator": "deerfield.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/deerfield.com", "alexa": "http://www.alexa.com/siteinfo/deerfield.com", "indicator": "deerfield.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4032084174, "indicator": "deerfield.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 3, "pulses": [ { "id": "69f47e886aac3dce3a958d27", "name": "2011: Malware Analysis Report", "description": "", "modified": "2026-05-31T10:27:23.455000", "created": "2026-05-01T10:20:56.666000", "tags": [], "references": [ "2011-03-11 - Trojan.Koredos Comes with an Unwelcomed Surprise.pdf", "2011-01-20 - Beschreibung des Virus Backdoor.Win32. Buterat.afj.pdf", "2011-03-08 - Worm-Win32-Yimfoca.A.pdf", "2011-03-02 - TDL4 and Glupteba- Piggyback PiggyBugs.pdf", "2011-04-26 - SpyEye Targets Opera, Google Chrome Users.pdf", "2011-03-28 - Microsoft Hunting Rustock Controllers.pdf", "2011-01-09 - Jan 6 CVE-2010-3333 DOC with info theft trojan from the American Chamber of Commerce.pdf", "2011-04-19 - TDSS part 1- The x64 Dollar Question.pdf", "2011-04-16 - Troj-Sasfis-O.pdf", "2011-05-19 - Win32-Expiro.pdf", "2011-06-22 - Criminals gain control over Mac with BackDoor.Olyx.pdf", "2011-04-30 - BKA-Trojaner (Ransomware).pdf", "2011-06-29 - Inside a Back Door Attack.pdf", "2011-07-26 - SpyEye Trojan defeating online banking defenses.pdf", "2011-04-28 - Un observateur d\u2019\u00e9v\u00e9nements aveugle\u2026.pdf", "2011-07-08 - Trojan.Mayachok.2- ?????? ??????? ?????????? VBR-???????.pdf", "2011-07-14 - Cycbot- Ready to Ride.pdf", "2011-07-06 - Cybercriminals switch from MBR to NTFS.pdf", "2011-07-28 - Trojan Tricks Victims Into Transferring Funds.pdf", "2011-08-27 - Morto.A.pdf", "2011-01-30 - GpCode Ransomware 2010 Simple Analysis.pdf", "2011-08-03 - HTran and the Advanced Persistent Threat.pdf", "2011-08-28 - Windows Remote Desktop Worm -Morto- Spreading.pdf", "2011-09-09 - BIOS Threat is Showing up Again!.pdf", "2011-09-02 - ZeuS Gets Another Update.pdf", "2011-08-24 - Ice IX, the first crimeware based on the leaked ZeuS sources.pdf", "2011-09-13 - Mebromi- the first BIOS rootkit in the wild.pdf", "2011-08-04 - Analysis of ngrBot.pdf", "2011-09-14 - Ice IX- not cool at all.pdf", "2011-09-14 - Malware burrows deep into computer BIOS to escape AV.pdf", "2011-09-19 - Mebromi BIOS rootkit affecting Award BIOS (aka -BMW- virus).pdf", "2011-08-28 - Windows Remote Desktop Worm -Morto- Spreading22.pdf", "2011-09-21 - Sept 21 Greedy Shylock - financial malware.pdf", "2011-09-09 - Stuxnet Malware Analysis Paper.pdf", "2011-09-27 - Debugging Injected Code with IDA Pro.pdf", "2011-10-07 - Rustock samples and analysis links. Rustock.C, E, I, J and other variants.pdf", "2011-10-14 - A Detailed Analysis of an Advanced Persistent Threat Malware.pdf", "2011-10-06 - ZeuS-in-the-Mobile \u2013 Facts and Theories.pdf", "2011-10-08 - Possible Governmental Backdoor Found (-Case R2D2-).pdf", "2011-10-17 - W32-Yunsip!tr.pws.pdf", "2011-10-06 - Sep 28 CVE-2010-3333 Manuscript with Taidoor (Trojan.Matryoshka by CyberESI).pdf", "2011-10-13 - A Detailed Analysis of an Advanced Persistent Threat Malware.pdf", "2011-10-31 - The Significance of the -Nitro- Attacks.pdf", "2011-10-26 - Tsunami Backdoor Can Be Used for Denial of Service Attacks.pdf", "2011-12-20 - Analyzing CVE-2011-4369 \u2013 Part One.pdf", "2011-12-08 - The Sykipot Attacks.pdf", "2011-12-11 - Intro. To Reversing - W32Pinkslipbot.pdf", "Duqu Trojan Questions and Answers.pdf", "Palebot trojan.pdf", "HTran.pdf", "Ghost RAT- Many faces.pdf", "Operation Shady Rat.pdf", "Alleged APT Intrusion Set 1.php Group.pdf", "Stuxnet , Duqu - The Evolution of Drivers.pdf", "The RSA Hack.pdf", "The Nitro Attacks - Stealing secrets from the Chemical Industry.pdf", "Global_Energy_Cyberattacks_-_Night_Dragon_.pdf", "The LURID Downloader.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "kikinumpav", "id": "385742", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1031, "domain": 435, "CVE": 13, "FileHash-MD5": 155, "FileHash-SHA1": 8, "FileHash-SHA256": 234, "email": 9, "hostname": 1031 }, "indicator_count": 2916, "is_author": false, "is_subscribing": null, "subscriber_count": 12, "modified_text": "12 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67a1f245f3709030a9f0ccb7", "name": "TAG-124\u2019s Multi-Layered TDS Infrastructure and Extensive User Base", "description": "A report by Insikt Group, based on an analysis of compromised WordPress sites, outlines the threat posed by a network of cybercriminal servers known as TAG-124, which is used to distribute malware.", "modified": "2025-03-06T10:04:51.026000", "created": "2025-02-04T10:56:05.010000", "tags": [ "tag124", "cloudflare", "wordpress", "insikt group", "figure", "google chrome", "future", "urls", "ta582", "fake google", "rhysida", "powershell", "april", "insikt", "remcos", "interlock" ], "references": [ "https://www.recordedfuture.com/research/tag-124-multi-layered-tds-infrastructure-extensive-user-base" ], "public": 1, "adversary": "Insikt", "targeted_countries": [], "malware_families": [ { "id": "Insikt", "display_name": "Insikt", "target": null }, { "id": "Rhysida", "display_name": "Rhysida", "target": null }, { "id": "REMCOS", "display_name": "REMCOS", "target": null }, { "id": "Interlock", "display_name": "Interlock", "target": null } ], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 30, "FileHash-SHA1": 30, "FileHash-SHA256": 30, "URL": 2, "domain": 254, "hostname": 112 }, "indicator_count": 458, "is_author": false, "is_subscribing": null, "subscriber_count": 863, "modified_text": "451 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "679ba047fa5e47a0f6e2c071", "name": "TAG-124\u2019s Multi-Layered TDS Infrastructure and Extensive User Base", "description": "https://www.recordedfuture.com/research/tag-124-multi-layered-tds-infrastructure-extensive-user-base\n\nInsikt Group has identified multi-layered infrastructure linked to a traffic distribution system (TDS) tracked by Recorded Future as TAG-124, which overlaps with threat activity clusters known as LandUpdate808, 404TDS, KongTuke, and Chaya_002. TAG-124 comprises a network of compromised WordPress sites, actor-controlled payload servers, a central server, a suspected management server, an additional panel, and other components. The threat actors behind TAG-124 demonstrate high levels of activity, including regularly updating URLs embedded in the compromised WordPress sites, adding servers, refining TDS logic to evade detection, and adapting infection tactics, as demonstrated by their recent implementation of the ClickFix technique.", "modified": "2025-03-01T15:01:42.461000", "created": "2025-01-30T15:52:39.738000", "tags": [ "fake google", "chrome update", "matomo instance", "remcos rat", "c2 ip", "address", "ta582", "hashes" ], "references": [], "public": 1, "adversary": "TAG-124", "targeted_countries": [], "malware_families": [ { "id": "Rhysida", "display_name": "Rhysida", "target": null }, { "id": "Interlock", "display_name": "Interlock", "target": null }, { "id": "SocGholish", "display_name": "SocGholish", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "InformationTechnogyISAC", "id": "141282", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 7, "FileHash-SHA1": 7, "FileHash-SHA256": 30, "domain": 234, "hostname": 105 }, "indicator_count": 383, "is_author": false, "is_subscribing": null, "subscriber_count": 43, "modified_text": "456 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "2011-08-27 - Morto.A.pdf", "2011-12-08 - The Sykipot Attacks.pdf", "2011-09-02 - ZeuS Gets Another Update.pdf", "https://www.recordedfuture.com/research/tag-124-multi-layered-tds-infrastructure-extensive-user-base", "2011-09-21 - Sept 21 Greedy Shylock - financial malware.pdf", "2011-07-14 - Cycbot- Ready to Ride.pdf", "2011-10-17 - W32-Yunsip!tr.pws.pdf", "2011-04-28 - Un observateur d\u2019\u00e9v\u00e9nements aveugle\u2026.pdf", "HTran.pdf", "Alleged APT Intrusion Set 1.php Group.pdf", "2011-10-13 - A Detailed Analysis of an Advanced Persistent Threat Malware.pdf", "2011-08-24 - Ice IX, the first crimeware based on the leaked ZeuS sources.pdf", "2011-05-19 - Win32-Expiro.pdf", "2011-07-08 - Trojan.Mayachok.2- ?????? ??????? ?????????? VBR-???????.pdf", "2011-09-09 - Stuxnet Malware Analysis Paper.pdf", "2011-10-31 - The Significance of the -Nitro- Attacks.pdf", "2011-04-19 - TDSS part 1- The x64 Dollar Question.pdf", "2011-08-03 - HTran and the Advanced Persistent Threat.pdf", "The Nitro Attacks - Stealing secrets from the Chemical Industry.pdf", "2011-09-27 - Debugging Injected Code with IDA Pro.pdf", "2011-10-06 - Sep 28 CVE-2010-3333 Manuscript with Taidoor (Trojan.Matryoshka by CyberESI).pdf", "2011-04-26 - SpyEye Targets Opera, Google Chrome Users.pdf", "2011-12-20 - Analyzing CVE-2011-4369 \u2013 Part One.pdf", "2011-09-09 - BIOS Threat is Showing up Again!.pdf", "2011-09-14 - Malware burrows deep into computer BIOS to escape AV.pdf", "2011-06-22 - Criminals gain control over Mac with BackDoor.Olyx.pdf", "2011-08-28 - Windows Remote Desktop Worm -Morto- Spreading.pdf", "2011-07-28 - Trojan Tricks Victims Into Transferring Funds.pdf", "2011-09-14 - Ice IX- not cool at all.pdf", "The RSA Hack.pdf", "2011-10-06 - ZeuS-in-the-Mobile \u2013 Facts and Theories.pdf", "2011-09-13 - Mebromi- the first BIOS rootkit in the wild.pdf", "2011-04-30 - BKA-Trojaner (Ransomware).pdf", "2011-10-14 - A Detailed Analysis of an Advanced Persistent Threat Malware.pdf", "2011-04-16 - Troj-Sasfis-O.pdf", "2011-10-26 - Tsunami Backdoor Can Be Used for Denial of Service Attacks.pdf", "Palebot trojan.pdf", "2011-10-07 - Rustock samples and analysis links. Rustock.C, E, I, J and other variants.pdf", "2011-01-20 - Beschreibung des Virus Backdoor.Win32. Buterat.afj.pdf", "2011-08-28 - Windows Remote Desktop Worm -Morto- Spreading22.pdf", "Duqu Trojan Questions and Answers.pdf", "Operation Shady Rat.pdf", "The LURID Downloader.pdf", "2011-07-26 - SpyEye Trojan defeating online banking defenses.pdf", "Stuxnet , Duqu - The Evolution of Drivers.pdf", "2011-03-28 - Microsoft Hunting Rustock Controllers.pdf", "2011-07-06 - Cybercriminals switch from MBR to NTFS.pdf", "2011-03-02 - TDL4 and Glupteba- Piggyback PiggyBugs.pdf", "2011-12-11 - Intro. To Reversing - W32Pinkslipbot.pdf", "2011-01-09 - Jan 6 CVE-2010-3333 DOC with info theft trojan from the American Chamber of Commerce.pdf", "2011-06-29 - Inside a Back Door Attack.pdf", "2011-08-04 - Analysis of ngrBot.pdf", "2011-03-08 - Worm-Win32-Yimfoca.A.pdf", "Ghost RAT- Many faces.pdf", "2011-01-30 - GpCode Ransomware 2010 Simple Analysis.pdf", "2011-10-08 - Possible Governmental Backdoor Found (-Case R2D2-).pdf", "Global_Energy_Cyberattacks_-_Night_Dragon_.pdf", "2011-03-11 - Trojan.Koredos Comes with an Unwelcomed Surprise.pdf", "2011-09-19 - Mebromi BIOS rootkit affecting Award BIOS (aka -BMW- virus).pdf" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "Insikt", "TAG-124" ], "malware_families": [ "Insikt", "Remcos", "Socgholish", "Rhysida", "Interlock" ], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 3, "pulses": [ { "id": "69f47e886aac3dce3a958d27", "name": "2011: Malware Analysis Report", "description": "", "modified": "2026-05-31T10:27:23.455000", "created": "2026-05-01T10:20:56.666000", "tags": [], "references": [ "2011-03-11 - Trojan.Koredos Comes with an Unwelcomed Surprise.pdf", "2011-01-20 - Beschreibung des Virus Backdoor.Win32. Buterat.afj.pdf", "2011-03-08 - Worm-Win32-Yimfoca.A.pdf", "2011-03-02 - TDL4 and Glupteba- Piggyback PiggyBugs.pdf", "2011-04-26 - SpyEye Targets Opera, Google Chrome Users.pdf", "2011-03-28 - Microsoft Hunting Rustock Controllers.pdf", "2011-01-09 - Jan 6 CVE-2010-3333 DOC with info theft trojan from the American Chamber of Commerce.pdf", "2011-04-19 - TDSS part 1- The x64 Dollar Question.pdf", "2011-04-16 - Troj-Sasfis-O.pdf", "2011-05-19 - Win32-Expiro.pdf", "2011-06-22 - Criminals gain control over Mac with BackDoor.Olyx.pdf", "2011-04-30 - BKA-Trojaner (Ransomware).pdf", "2011-06-29 - Inside a Back Door Attack.pdf", "2011-07-26 - SpyEye Trojan defeating online banking defenses.pdf", "2011-04-28 - Un observateur d\u2019\u00e9v\u00e9nements aveugle\u2026.pdf", "2011-07-08 - Trojan.Mayachok.2- ?????? ??????? ?????????? VBR-???????.pdf", "2011-07-14 - Cycbot- Ready to Ride.pdf", "2011-07-06 - Cybercriminals switch from MBR to NTFS.pdf", "2011-07-28 - Trojan Tricks Victims Into Transferring Funds.pdf", "2011-08-27 - Morto.A.pdf", "2011-01-30 - GpCode Ransomware 2010 Simple Analysis.pdf", "2011-08-03 - HTran and the Advanced Persistent Threat.pdf", "2011-08-28 - Windows Remote Desktop Worm -Morto- Spreading.pdf", "2011-09-09 - BIOS Threat is Showing up Again!.pdf", "2011-09-02 - ZeuS Gets Another Update.pdf", "2011-08-24 - Ice IX, the first crimeware based on the leaked ZeuS sources.pdf", "2011-09-13 - Mebromi- the first BIOS rootkit in the wild.pdf", "2011-08-04 - Analysis of ngrBot.pdf", "2011-09-14 - Ice IX- not cool at all.pdf", "2011-09-14 - Malware burrows deep into computer BIOS to escape AV.pdf", "2011-09-19 - Mebromi BIOS rootkit affecting Award BIOS (aka -BMW- virus).pdf", "2011-08-28 - Windows Remote Desktop Worm -Morto- Spreading22.pdf", "2011-09-21 - Sept 21 Greedy Shylock - financial malware.pdf", "2011-09-09 - Stuxnet Malware Analysis Paper.pdf", "2011-09-27 - Debugging Injected Code with IDA Pro.pdf", "2011-10-07 - Rustock samples and analysis links. Rustock.C, E, I, J and other variants.pdf", "2011-10-14 - A Detailed Analysis of an Advanced Persistent Threat Malware.pdf", "2011-10-06 - ZeuS-in-the-Mobile \u2013 Facts and Theories.pdf", "2011-10-08 - Possible Governmental Backdoor Found (-Case R2D2-).pdf", "2011-10-17 - W32-Yunsip!tr.pws.pdf", "2011-10-06 - Sep 28 CVE-2010-3333 Manuscript with Taidoor (Trojan.Matryoshka by CyberESI).pdf", "2011-10-13 - A Detailed Analysis of an Advanced Persistent Threat Malware.pdf", "2011-10-31 - The Significance of the -Nitro- Attacks.pdf", "2011-10-26 - Tsunami Backdoor Can Be Used for Denial of Service Attacks.pdf", "2011-12-20 - Analyzing CVE-2011-4369 \u2013 Part One.pdf", "2011-12-08 - The Sykipot Attacks.pdf", "2011-12-11 - Intro. To Reversing - W32Pinkslipbot.pdf", "Duqu Trojan Questions and Answers.pdf", "Palebot trojan.pdf", "HTran.pdf", "Ghost RAT- Many faces.pdf", "Operation Shady Rat.pdf", "Alleged APT Intrusion Set 1.php Group.pdf", "Stuxnet , Duqu - The Evolution of Drivers.pdf", "The RSA Hack.pdf", "The Nitro Attacks - Stealing secrets from the Chemical Industry.pdf", "Global_Energy_Cyberattacks_-_Night_Dragon_.pdf", "The LURID Downloader.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "kikinumpav", "id": "385742", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1031, "domain": 435, "CVE": 13, "FileHash-MD5": 155, "FileHash-SHA1": 8, "FileHash-SHA256": 234, "email": 9, "hostname": 1031 }, "indicator_count": 2916, "is_author": false, "is_subscribing": null, "subscriber_count": 12, "modified_text": "12 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67a1f245f3709030a9f0ccb7", "name": "TAG-124\u2019s Multi-Layered TDS Infrastructure and Extensive User Base", "description": "A report by Insikt Group, based on an analysis of compromised WordPress sites, outlines the threat posed by a network of cybercriminal servers known as TAG-124, which is used to distribute malware.", "modified": "2025-03-06T10:04:51.026000", "created": "2025-02-04T10:56:05.010000", "tags": [ "tag124", "cloudflare", "wordpress", "insikt group", "figure", "google chrome", "future", "urls", "ta582", "fake google", "rhysida", "powershell", "april", "insikt", "remcos", "interlock" ], "references": [ "https://www.recordedfuture.com/research/tag-124-multi-layered-tds-infrastructure-extensive-user-base" ], "public": 1, "adversary": "Insikt", "targeted_countries": [], "malware_families": [ { "id": "Insikt", "display_name": "Insikt", "target": null }, { "id": "Rhysida", "display_name": "Rhysida", "target": null }, { "id": "REMCOS", "display_name": "REMCOS", "target": null }, { "id": "Interlock", "display_name": "Interlock", "target": null } ], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 30, "FileHash-SHA1": 30, "FileHash-SHA256": 30, "URL": 2, "domain": 254, "hostname": 112 }, "indicator_count": 458, "is_author": false, "is_subscribing": null, "subscriber_count": 863, "modified_text": "451 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "679ba047fa5e47a0f6e2c071", "name": "TAG-124\u2019s Multi-Layered TDS Infrastructure and Extensive User Base", "description": "https://www.recordedfuture.com/research/tag-124-multi-layered-tds-infrastructure-extensive-user-base\n\nInsikt Group has identified multi-layered infrastructure linked to a traffic distribution system (TDS) tracked by Recorded Future as TAG-124, which overlaps with threat activity clusters known as LandUpdate808, 404TDS, KongTuke, and Chaya_002. TAG-124 comprises a network of compromised WordPress sites, actor-controlled payload servers, a central server, a suspected management server, an additional panel, and other components. The threat actors behind TAG-124 demonstrate high levels of activity, including regularly updating URLs embedded in the compromised WordPress sites, adding servers, refining TDS logic to evade detection, and adapting infection tactics, as demonstrated by their recent implementation of the ClickFix technique.", "modified": "2025-03-01T15:01:42.461000", "created": "2025-01-30T15:52:39.738000", "tags": [ "fake google", "chrome update", "matomo instance", "remcos rat", "c2 ip", "address", "ta582", "hashes" ], "references": [], "public": 1, "adversary": "TAG-124", "targeted_countries": [], "malware_families": [ { "id": "Rhysida", "display_name": "Rhysida", "target": null }, { "id": "Interlock", "display_name": "Interlock", "target": null }, { "id": "SocGholish", "display_name": "SocGholish", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "InformationTechnogyISAC", "id": "141282", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 7, "FileHash-SHA1": 7, "FileHash-SHA256": 30, "domain": 234, "hostname": 105 }, "indicator_count": 383, "is_author": false, "is_subscribing": null, "subscriber_count": 43, "modified_text": "456 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "deerfield.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "deerfield.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780269672.26712 }