Funnull, a cybercriminal infrastructure provider sanctioned by the U.S. Treasury in May 2025, has resurfaced with a new toolkit named RingH23. The toolkit is being used to compromise Content Delivery Network (CDN) nodes wholesale and to inject malicious code into the popular MacCMS content management system, redirecting well over a million users a day to illicit websites. It marks a significant step up in Funnull's capabilities: rather than hijacking other providers' services, the group now operates its own server-side attack infrastructure.
Funnull, also known as Fangneng CDN, is registered in the Philippines and publicly advertises CDN services. Investigations have shown, however, that it has long served as a core infrastructure provider for cybercriminal operations in Southeast Asia, hosting large-scale "pig-butchering" scams and fraudulent investment platforms whose victims have reportedly lost more than $200 million. The U.S. Treasury's Office of Foreign Assets Control (OFAC) formally sanctioned the group on May 29, 2025, disrupting its business at the time, but criminal supply chains are resilient and Funnull quietly rebuilt under a new identity.
Analysts at XLab identified Funnull's resurgence on July 9, 2025, when their Cyber Threat Insight and Analysis System (CTIA) detected a previously unknown ELF binary being distributed from download.zhw[.]sh. The file had zero detections on VirusTotal at the time. The domain embedded in it, client.110[.]nz, showed 1.6 billion resolutions in XLab's passive DNS data, a strong sign that the researchers were looking at a widespread campaign rather than an isolated infection. That finding started a threat-hunting investigation that ultimately exposed one of the most advanced criminal CDN operations documented in recent years.
Funnull used two distinct infection vectors. The first started from a compromised GoEdge CDN management node: an infection module issued SSH commands that made every connected edge node download and execute the RingH23 toolkit. The second poisoned the official update channel of maccms.la, a widely used open-source video CMS with a large following on GitHub, to deliver a malicious PHP backdoor. The backdoor was silently fetched and activated on the administrator's first login after installation, and the download link for the payload stayed live for only three minutes before expiring automatically, which hinders forensic reconstruction of the infection.
The impact is considerable. XLab's telemetry identified 10,748 infected IP addresses, predominantly serving streaming and movie-related websites. One domain, cdnjs.clondflare[.]com, a typosquat of Cloudflare's cdnjs service, peaked at roughly 340,000 unique client visits on August 30, 2025. Since XLab's monitoring covers only about 5% of the domestic market, the researchers conservatively estimate that more than one million users a day were exposed to malicious JavaScript that redirected them to gambling and adult content websites.
Inside the RingH23 Arsenal: Modular Design Built for Total Control
RingH23 is a deliberately engineered, multi-component framework. Each component plays a distinct role in the attack chain, a level of professionalism more typical of black-market development than of opportunistic hacking.
The initial entry point is an executable named infect_init, written in Go and packed with UPX. It requires root privileges and validates a session token and group key against the command and control (C2) server before doing anything else. Once authenticated, it reads the GoEdge management database to extract the edge nodes' credentials and pushes the next stage, download_init, to every connected server over SSH.
download_init is the staging engine. It inspects the compromised host's Nginx configuration, registers with the C2 server and retrieves download URLs for the remaining payloads: the backdoor, the rootkit, a malicious Nginx module and udev rules for persistence.
The most technically advanced component is the Badredis2s backdoor, shipped as ring04h_office_bin. It communicates over WebSocket tunnels encrypted with AES-128-CBC and fetches its C2 addresses dynamically from Microsoft Azure Blob Storage. If the primary channel fails, it falls back to DNS tunnelling through the open-source iodine tool, which keeps C2 access alive through restrictive egress firewalls as long as the host can still resolve external DNS names.
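The fallback channel above is worth hunting for in resolver logs. What follows is an added example, not code from XLab or from the Funnull toolkit, that applies two cheap iodine-style tunnelling heuristics to a constructed sample of BIND-format query log lines: a label that is far longer than any normal hostname label, and a NULL/TXT/PRIVATE query whose full name is unusually long. The hostnames, thresholds and log format are assumptions.

```sh
#!/bin/sh
# Added example, not XLab's or Funnull's code: two cheap heuristics for
# iodine-style DNS tunnelling applied to resolver query logs.  iodine packs
# the tunnelled bytes into long encoded subdomain labels and prefers record
# types such as NULL and TXT, so both traits show up in a plain query log.
# The log format is BIND's query log; thresholds and hostnames are assumed.

# Constructed sample (not real telemetry); tun-example.invalid is fictitious.
SAMPLE_QUERIES='client 10.0.0.5#51234: query: www.example.com IN A
client 10.0.0.5#51235: query: ruj7tmaqr6cz2lxr4ojofrviqwpqmcg6jzhagpbkhxk3v4hpzxd3elbkd.t.tun-example.invalid IN NULL
client 10.0.0.5#51236: query: mail.example.com IN MX
client 10.0.0.5#51237: query: pb7zfyw4xr3yewqnhg7xxzvdf.2a9cv3brxjvg5l2ytczwq4m7n.h.tun-example.invalid IN TXT
client 10.0.0.5#51238: query: cdn.example.net IN AAAA
client 10.0.0.5#51239: query: _sip._udp.example.org IN SRV'

MAX_LABEL=${MAX_LABEL:-40}   # longest label a normal hostname is expected to have
MAX_NAME=${MAX_NAME:-60}     # longest full name for a NULL/TXT/PRIVATE query

# flag_dns_tunnels: read query-log lines on stdin and print one line per
# suspicious query as "<rule>\t<qname>\t<qtype>".
#   longlabel  - some label exceeds MAX_LABEL characters
#   rare_qtype - NULL/TXT/PRIVATE query whose full name exceeds MAX_NAME
flag_dns_tunnels() {
    awk -v maxlabel="$MAX_LABEL" -v maxname="$MAX_NAME" '
        /query: / {
            qname = ""; qtype = ""
            for (i = 1; i < NF; i++) {
                if ($i == "query:") qname = $(i + 1)
                if ($i == "IN")     qtype = $(i + 1)
            }
            n = split(qname, labels, ".")
            longest = 0
            for (i = 1; i <= n; i++)
                if (length(labels[i]) > longest) longest = length(labels[i])
            if (longest > maxlabel) {
                printf "longlabel\t%s\t%s\n", qname, qtype
                next
            }
            if ((qtype == "NULL" || qtype == "TXT" || qtype == "PRIVATE") && length(qname) > maxname)
                printf "rare_qtype\t%s\t%s\n", qname, qtype
        }'
}

# count_flagged: number of suspicious queries in the constructed sample.
count_flagged() {
    printf '%s\n' "$SAMPLE_QUERIES" | flag_dns_tunnels | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_QUERIES" | flag_dns_tunnels
```

Feed a real log with `flag_dns_tunnels < query.log` and tune the two thresholds to the environment. Treat hits as triage leads rather than verdicts: legitimate DKIM and SPF lookups produce long TXT names, so a per-domain query volume count is the natural next filter.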
The Badnginx2s Nginx module, in turn, intercepts the responses the node serves. It injects malicious JavaScript, silently swaps Ethereum and TRON wallet addresses in page content for attacker-controlled ones, and splices short five-second video segments into HLS streaming playlists. Complementing these components is the Badhide2s userland rootkit, which registers itself in /etc/ld.so.preload so that it is loaded into every dynamically linked process and can hide the malicious files, processes and network connections from common tools such as ps, ls and netstat. The rootkit carries a kill switch: running the same tools with the environment variable RING04H set to the expected hash value (RING04H={hash}) disables it and reveals every hidden component.
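The two persistence points just described, the ld.so.preload entry and the Nginx module, are both cheap to audit from the host, and a userland readdir() hook can be side-stepped by probing /proc by PID number. The script below is an added example, not XLab's tooling, that does those three checks. Its paths are parameters so it can also run over files copied off a suspect machine; the assumption that relative Nginx paths resolve against the configuration directory is noted in the code.

```sh
#!/bin/sh
# Added example, not XLab's tooling: a host triage pass for the RingH23
# persistence points described above.  It checks
#   1. /etc/ld.so.preload, where Badhide2s registers itself: every listed
#      library must exist and should belong to an installed package;
#   2. load_module directives in the Nginx configuration, where a module such
#      as Badnginx2s has to be declared to be loaded;
#   3. PIDs reachable through /proc that a hooked ps does not report.
# Paths are parameters so the checks also run on files copied from a suspect
# host; the defaults are the live locations.

# owned_by_package PATH: 0 if dpkg or rpm owns the file, 1 if neither does,
# 2 if no package manager is available to ask.
owned_by_package() {
    if command -v dpkg >/dev/null 2>&1; then dpkg -S "$1" >/dev/null 2>&1; return $?; fi
    if command -v rpm  >/dev/null 2>&1; then rpm -qf "$1" >/dev/null 2>&1; return $?; fi
    return 2
}

# audit_preload [FILE]: one report line per entry.  Returns 1 if any listed
# library is missing (a dangling entry is abnormal in itself) or unowned.
audit_preload() {
    file=${1:-/etc/ld.so.preload}
    [ -f "$file" ] || { echo "preload: $file absent"; return 0; }
    # Rootkits commonly set the immutable attribute so the file survives rm.
    command -v lsattr >/dev/null 2>&1 && lsattr "$file" 2>/dev/null
    rc=0
    while IFS= read -r lib || [ -n "$lib" ]; do
        [ -n "$lib" ] || continue
        if [ ! -e "$lib" ]; then
            echo "preload: missing $lib"; rc=1
        elif owned_by_package "$lib"; then
            echo "preload: packaged $lib"
        elif [ $? -eq 2 ]; then
            echo "preload: unverified $lib"
        else
            echo "preload: UNOWNED $lib"; rc=1
        fi
    done < "$file"
    return $rc
}

# audit_nginx_modules [CONF] [PREFIX]: collect load_module paths from CONF and
# from the files it includes, then verify each module file.  nginx resolves
# relative include and module paths against its --prefix; PREFIX defaults to
# CONF's directory here, which is an assumption.  Returns 1 on any missing or
# unowned module.
audit_nginx_modules() {
    conf=${1:-/etc/nginx/nginx.conf}
    [ -f "$conf" ] || { echo "nginx: $conf absent"; return 0; }
    prefix=${2:-$(dirname "$conf")}
    mods=$( { cat "$conf"
              sed -n 's/^[[:space:]]*include[[:space:]][[:space:]]*\([^;]*\);.*/\1/p' "$conf" |
                while read -r inc; do
                    case $inc in /*) ;; *) inc="$prefix/$inc" ;; esac
                    cat $inc 2>/dev/null   # unquoted on purpose: expand globs like nginx does
                done
            } | sed -n 's/^[[:space:]]*load_module[[:space:]][[:space:]]*"\{0,1\}\([^";]*\)"\{0,1\}[[:space:]]*;.*/\1/p' )
    [ -n "$mods" ] || { echo "nginx: no load_module directives"; return 0; }
    rc=0
    for mod in $mods; do
        case $mod in /*) ;; *) mod="$prefix/$mod" ;; esac
        if [ ! -e "$mod" ]; then
            echo "nginx: missing $mod"; rc=1
        elif owned_by_package "$mod"; then
            echo "nginx: packaged $mod"
        elif [ $? -eq 2 ]; then
            echo "nginx: unverified $mod"
        else
            echo "nginx: UNOWNED $mod"; rc=1
        fi
    done
    return $rc
}

# hidden_pids [MAXPID]: PIDs present in /proc but absent from ps.  A preload
# rootkit hooks readdir(), which ps and shell globs rely on, whereas probing
# /proc/<pid> by number uses stat(); a rootkit that also hooks stat(), or a
# kernel rootkit, evades this.  Short-lived processes can cause one-off false
# positives, so rerun before acting on a hit.
hidden_pids() {
    command -v ps >/dev/null 2>&1 || { echo "hidden: ps unavailable"; return 0; }
    max=$(cat /proc/sys/kernel/pid_max 2>/dev/null || echo 32768)
    [ "$max" -gt 65536 ] && max=65536          # keep the shell loop short
    max=${1:-$max}
    visible=" $(ps -e -o pid= | tr -s ' \n' ' ') "
    p=1
    while [ "$p" -le "$max" ]; do
        if [ -d "/proc/$p" ]; then
            case $visible in *" $p "*) ;; *) echo "hidden: pid $p" ;; esac
        fi
        p=$((p + 1))
    done
}

audit_preload
audit_nginx_modules
hidden_pids
```

A packaged module or library is not proof of innocence (a package can be replaced in place), so follow an "UNOWNED" or "missing" line with a hash comparison against the distribution's package, and a "hidden: pid" line with a look at /proc/<pid>/exe and /proc/<pid>/maps before the process is killed.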
XLab strongly advises website operators to stop using maccms.la immediately. It recommends auditing server files with `grep xxSJRox` and `grep gzuncompress` to find template injection and hidden PHP payloads, and removing `active.php` from the application directory to break the reinfection cycle. Because gzuncompress also appears in legitimate PHP code, hits on that string need manual review before anything is deleted.
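The two grep commands and the active.php check above are easy to run as one pass over a webroot. The script below is an added example built on that advice, not XLab's own script: it restricts the searches to web-servable file types, separates gzuncompress hits that feed an execution sink on the same line (an added heuristic, with an assumed sink list) from ordinary uses that only need review, and lists rather than deletes active.php so the file can be preserved for analysis. The webroot is a parameter.

```sh
#!/bin/sh
# Added example built on XLab's advice above (not XLab's script): scan a
# MacCMS webroot for the indicators named there, xxSJRox (template injection)
# and gzuncompress (used to unpack the hidden PHP payload), and locate
# active.php, the reinfection hook.  Findings are printed, never deleted.
# The webroot is a parameter; the sink list below is an added heuristic.

# find_template_injection WEBROOT: files that contain the xxSJRox marker.
find_template_injection() {
    find "$1" -type f \( -name '*.php' -o -name '*.html' -o -name '*.js' \) \
        -exec grep -lF 'xxSJRox' {} + 2>/dev/null | sed 's/^/IOC xxSJRox /'
}

# find_packed_payloads WEBROOT: every gzuncompress use in PHP.  Legitimate code
# uses the function too, so a hit is tagged IOC only when the same line feeds
# an execution sink (assumed list); everything else is tagged "review".
find_packed_payloads() {
    find "$1" -type f -name '*.php' -exec grep -nH 'gzuncompress' {} + 2>/dev/null |
    awk -F: '{
        code = $0; sub(/^[^:]*:[^:]*:/, "", code)   # strip "path:line:"
        tag = (code ~ /eval|assert|include|require|create_function|preg_replace/) ? "IOC" : "review"
        printf "%s gzuncompress %s:%s\n", tag, $1, $2
    }'
}

# find_reinfection_hook WEBROOT: any active.php under the tree.
find_reinfection_hook() {
    find "$1" -type f -name 'active.php' 2>/dev/null | sed 's/^/IOC active.php /'
}

# scan_maccms WEBROOT: run all three checks; ioc_count WEBROOT: number of IOC lines.
scan_maccms() {
    find_template_injection "$1"
    find_packed_payloads "$1"
    find_reinfection_hook "$1"
}
ioc_count() { scan_maccms "$1" | grep -c '^IOC '; }

if [ $# -gt 0 ]; then scan_maccms "$1"; else echo "usage: $0 WEBROOT" >&2; fi
```

Move a flagged active.php out of the webroot into a quarantine directory rather than deleting it, and re-run the scan after the admin's next login, since the text above notes the payload is re-fetched on first login.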

