Friday 26 September 12:00 - 12:30, Red room
Julian-Ferdinand Vögele (Recorded Future)
Traffic Distribution Systems (TDS) have become a cornerstone of modern cybercriminal operations, reflecting the increasing professionalization and scale of the underground economy. Among these, TAG-124 – an activity cluster intersecting with LandUpdate808, 404TDS, KongTuke and Chaya_002 – has emerged as one of the most prolific and technically sophisticated. A novel and previously undocumented finding is TAG-124's suspected connections to a distinct network of backlinking farms to amplify the visibility, reach, and apparent legitimacy of its infrastructure – marking a rare convergence of SEO abuse and malware delivery at this scale.
This talk provides a detailed technical analysis of TAG-124's infrastructure and operations. We begin by embedding TAG-124 within the broader cybercriminal ecosystem, highlighting its role in complex infection chains and its use by multiple threat actors, including those distributing Interlock ransomware, TA866/Asylum Ambuscade, SocGholish, D3F@CK Loader, and TA582. We then break down TAG-124's multi-tiered infrastructure, which includes large numbers of compromised WordPress sites, actor-controlled payload delivery servers, suspected management servers, various control panels, and other upstream servers. We explore hypotheses around the techniques TAG-124 may use to initially compromise and persist within WordPress environments – an essential pillar of its infection chain. In this context, we also track the campaign's evolution, showcasing how it has adapted to evade detection through tactics such as URL rotation, infrastructure scaling, and increasingly modular TDS logic. Finally, we discuss TAG-124's suspected connections to a distinct network of backlinking farms, providing new insights into how TAG-124 appears to integrate with a broader SEO manipulation ecosystem to increase its operational resilience. We conclude with an outlook on the future of TDS-based threats and discuss practical implications for defenders seeking to detect and disrupt these evolving infrastructures.
Julian-Ferdinand Vögele is a threat researcher at Recorded Future's Insikt Group with expertise in malware research, threat hunting, and intelligence. Julian-Ferdinand focuses on malware analysis and malicious infrastructure detection. Before joining Recorded Future, Julian-Ferdinand worked in IT security at Security Research Labs, where he conducted security research and engaged in red team exercises. He completed his Master's degree in computer science at UCL in London and is a scholar of the German Academic Scholarship Foundation.
Back to VB2025 conference page