Man
Professional
The FUNNULL network has created an army of immortal ghost domains.
Silent Push specialists have uncovered the long-standing activities of the Chinese Content Delivery Network (CDN) called FUNNULL, which supports large-scale criminal campaigns. For more than 2 years, experts have been tracking FUNNULL, identifying a link to investment fraud, fake trading apps, and suspicious gambling networks.
According to the study, the FUNNULL infrastructure is used to proxy more than 200,000 unique domains, 95% of which are created with domain generation algorithms (DGAs). This makes tracking and blocking harder, because DGA domains are machine-generated strings of random-looking letters and digits that can be rotated automatically once a name is blocked.
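To make the blocking problem concrete from the defender's side, here is an added example (not code from the Silent Push report) that scans constructed DNS query log lines and flags registrable labels that look algorithmically generated. It uses simple lexical heuristics (label entropy, vowel ratio, digit ratio, longest run without vowels) with a majority vote; the thresholds, the log format and the domain names are all assumptions made for the illustration.

```python
import math
import re
from collections import Counter

# Constructed sample DNS query log lines (hypothetical format and domains,
# not taken from the report).
SAMPLE_LOG = """\
2024-10-01T12:00:01Z client=10.0.0.5 query=www.example.com type=A
2024-10-01T12:00:02Z client=10.0.0.5 query=cdn.example-static.net type=A
2024-10-01T12:00:03Z client=10.0.0.9 query=x7k2m9q4z1b8.info type=A
2024-10-01T12:00:04Z client=10.0.0.9 query=9h3j7f1k2l0p.top type=A
2024-10-01T12:00:05Z client=10.0.0.7 query=d1a2b3c4.cloudfront.net type=A
2024-10-01T12:00:06Z client=10.0.0.7 query=mail.google.com type=A
"""

QUERY_RE = re.compile(r"query=([A-Za-z0-9.-]+)")
NON_VOWEL_RUN_RE = re.compile(r"[bcdfghjklmnpqrstvwxyz0-9]+")


def shannon_entropy(s):
    """Bits of entropy per character in s (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def registrable_label(domain):
    """Label immediately left of the TLD. Assumes a single-label public
    suffix; a real deployment would consult the Public Suffix List."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def dga_features(domain):
    """Lexical features of the registrable label that DGA output tends to skew."""
    label = registrable_label(domain)
    length = len(label) or 1
    return {
        "label": label,
        "length": len(label),
        "entropy": shannon_entropy(label),
        "digit_ratio": sum(ch.isdigit() for ch in label) / length,
        "vowel_ratio": sum(ch in "aeiou" for ch in label) / length,
        "longest_non_vowel_run": max(
            (len(run) for run in NON_VOWEL_RUN_RE.findall(label)), default=0
        ),
    }


def is_dga_like(domain, min_len=8, min_entropy=3.5,
                max_vowel_ratio=0.2, min_run=5, min_digit_ratio=0.3):
    """Majority vote over four heuristics; short labels are never flagged.
    Thresholds are assumptions for this example, not values from the report."""
    f = dga_features(domain)
    if f["length"] < min_len:
        return False
    votes = sum([
        f["entropy"] >= min_entropy,
        f["vowel_ratio"] <= max_vowel_ratio,
        f["longest_non_vowel_run"] >= min_run,
        f["digit_ratio"] >= min_digit_ratio,
    ])
    return votes >= 2


def scan_log(log_text):
    """Return the queried domains in log_text that look DGA-generated."""
    flagged = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and is_dga_like(m.group(1)):
            flagged.append(m.group(1))
    return flagged


if __name__ == "__main__":
    for d in scan_log(SAMPLE_LOG):
        print("DGA-like:", d, dga_features(d))
```

Lexical scoring like this catches the obviously random labels and passes names such as `example-static` and `cloudfront`, but it is only a triage signal: wordlist-based DGAs look like ordinary domains, and some legitimate hosting labels look random. In practice the score is combined with other evidence, such as domain age, resolution history and shared hosting infrastructure, before anything is blocked.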
Silent Push has designated the cluster of malicious domains with the term "Triad Nexus," highlighting FUNNULL's association with organized crime. The researchers also found thousands of gambling sites that use the brands of the Suncity Group, an organization closely associated with the Lazarus group.
A 2024 UN report states that Suncity Group was involved in laundering large sums of money related to North Korea. Suncity Group previously operated VIP casino rooms in Macau, but after the arrests and lawsuits, the group's activities moved to the Internet, where numerous gambling sites operate under the Suncity brand.
The study also linked FUNNULL to a supply chain attack through the Polyfill library, in which mobile users were redirected to Asian gaming sites. The attack on the supply chain affected the largest commercial and government websites around the world.
In addition to gambling scams, phishing campaigns targeting major brands such as Chanel, Cartier, Tiffany & Co., eBay, and others are being distributed through FUNNULL's infrastructure. The phishing sites presented login pages disguised as official company websites in order to steal users' personal data.
The FUNNULL CDN works on the principle of "Bulletproof Hosting" — servers that ignore requests to remove malicious content. This allows the criminal infrastructure to remain active longer than usual. On its website, FUNNULL does not provide a clear procedure for handling requests to remove material, which creates additional problems for law enforcement agencies and companies fighting cybercrime.
Silent Push plans to investigate further and release additional reports revealing new details of the FUNNULL framework.
Source