Cybercriminal Group Funnull Deploys Advanced RingH23 Toolkit to Hijack MacCMS and CDN Infrastructure
A notorious cybercriminal organization, Funnull—previously sanctioned by the U.S. Treasury—has resurfaced with a sophisticated new toolkit named RingH23. This advanced arsenal has been instrumental in compromising Content Delivery Network (CDN) nodes and infiltrating the MacCMS content management system, leading to the redirection of millions of users to illicit websites.
Background on Funnull
Operating under the alias Fangneng CDN, Funnull is a Philippines-registered entity that publicly offers CDN services. However, it has long been a pivotal infrastructure provider for Southeast Asia’s cybercriminal ecosystem. The group has been implicated in extensive pig-butchering scams and fraudulent investment platforms, resulting in victim losses exceeding $200 million. On May 29, 2025, the U.S. Treasury’s Office of Foreign Assets Control (OFAC) imposed sanctions on Funnull, temporarily disrupting its operations. Demonstrating resilience, Funnull rebranded and resumed its activities under a new identity.
Discovery of the RingH23 Campaign
On July 9, 2025, analysts at XLab’s Cyber Threat Insight and Analysis System (CTIA) detected a suspicious ELF binary being distributed from the domain download.zhw[.]sh. Notably, this file registered zero detections on VirusTotal. Further investigation revealed that the embedded domain client.110[.]nz had an astonishing 1.6 billion DNS resolutions in XLab’s Passive DNS system, indicating a large-scale operation. This discovery initiated an in-depth threat-hunting investigation, uncovering one of the most sophisticated criminal CDN operations in recent years.
Infection Vectors Employed by Funnull
Funnull utilized two primary infection routes to deploy the RingH23 toolkit:
1. Compromising GoEdge CDN Management Nodes: Attackers infiltrated a GoEdge CDN management node and employed an infection module to issue SSH remote commands. This forced all connected edge nodes to download and execute the RingH23 toolkit, effectively spreading the malware across the CDN infrastructure.
2. Poisoning MacCMS Update Channels: The group targeted the official update channel of maccms.la, a widely adopted open-source video CMS with over 2,700 GitHub stars. The channel delivered a malicious PHP backdoor that was silently fetched and activated on the administrator's first login after installation. To evade detection, the download link stayed valid for only three minutes before expiring, which hampered later recovery of the payload for forensic analysis.
Scale and Impact of the Attack
The magnitude of this campaign is staggering. XLab's telemetry identified 10,748 infected IP addresses, predominantly associated with streaming and movie-related websites. A typosquatted domain impersonating Cloudflare, cdnjs.clondflare[.]com, recorded 340,000 unique client visits in a single day at its peak on August 30, 2025. Given that XLab's monitoring covers only about 5% of the domestic market, researchers conservatively estimate that over one million users per day were exposed to malicious JavaScript redirecting them to gambling and adult websites.
Anatomy of the RingH23 Toolkit
The RingH23 toolkit is a meticulously engineered, multi-component framework with distinct responsibilities across each stage of the attack chain—a hallmark of professional black-market development.
– Infect_init: Serving as the entry point, infect_init is a Golang-based infector packed with UPX that requires root privileges. It validates session tokens and group keys against a Command and Control (C2) server before proceeding.
– Download_init: Once authenticated, infect_init queries the GoEdge management database to harvest edge-node credentials and pushes download_init to every connected server over SSH. Download_init then acts as the staging engine: it probes the compromised system's Nginx configuration, registers with the C2 server, and retrieves download URLs for all remaining payloads, including the backdoor, rootkit, malicious Nginx module, and udev persistence rules.
– Badredis2s Backdoor: This component communicates over AES-128-CBC encrypted WebSocket tunnels, with C2 addresses dynamically fetched from Microsoft Azure Blob Storage. If the primary connection is blocked, it automatically falls back to DNS tunneling using the open-source iodine tool, ensuring persistent C2 access regardless of firewall restrictions.
– Badnginx2s Nginx Module: Loaded into the compromised Nginx, this module tampers with the HTTP responses the server delivers to inject malicious JavaScript, silently rewrite Ethereum and TRON wallet addresses in page content to attacker-controlled ones, and splice 5-second video segments into HLS streaming playlists.
– Badhide2s Userland Rootkit: Completing the toolkit, this rootkit registers itself in /etc/ld.so.preload so that it is loaded into every dynamically linked process, where it conceals the toolkit's files, processes, and network connections from common tools such as ps, ls, and netstat. It carries a kill switch: any command run with the environment variable RING04H={hash} set bypasses the hiding, so defenders can use it to reveal the hidden components immediately.
Recommendations for Mitigation
To counteract the threats posed by the RingH23 toolkit, XLab strongly recommends the following actions for website operators:
– Discontinue Use of maccms.la: Cease utilizing the maccms.la platform to prevent exposure to the malicious update channels exploited by Funnull.
– Audit Server Files: Conduct thorough audits of server files, for example with recursive searches such as `grep -r xxSJRox` and `grep -r gzuncompress` over the web root, to detect template injections and packed or hidden PHP payloads.
– Remove active.php: Eliminate the active.php file from the application directory to disrupt the persistent reinfection cycle employed by the attackers.
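The following audit script is an added example, not XLab's tooling and not taken from the RingH23 samples; it turns the recommendations above and the rootkit indicator (/etc/ld.so.preload) into repeatable checks. The only values it takes from the article are the two grep markers, the active.php file name, /etc/ld.so.preload, and the fact that an Nginx module must be wired in through a load_module directive. The sample tree built by make_sample, including the library and module file names in it, is constructed for the demo and is not captured data.

```shell
#!/bin/sh
# Added audit helper for the indicators named in the article. It is not XLab's
# tooling; the sample tree and the file names inside it are constructed.

# String markers XLab recommends searching for (template injection, packed PHP).
MARKERS='xxSJRox|gzuncompress'

# Print every PHP/HTML file under a web root that contains one of the markers.
audit_webroot() {
    find "$1" -type f \( -name '*.php' -o -name '*.html' -o -name '*.htm' \) \
        -exec grep -lE "$MARKERS" {} + 2>/dev/null || true
}

# Print every active.php under the tree (the dropper the article says to remove).
find_active_php() {
    find "$1" -type f -name 'active.php' 2>/dev/null || true
}

# Return 1 and print the contents if a preload file exists and is non-empty.
# Defaults to the real /etc/ld.so.preload; the path argument is for testing.
check_preload() {
    f="${1:-/etc/ld.so.preload}"
    if [ -s "$f" ]; then
        printf 'PRELOAD %s: %s\n' "$f" "$(tr '\n' ' ' < "$f")"
        return 1
    fi
    return 0
}

# Print load_module directives in an nginx config tree; a dropped module such
# as badnginx2s has to be loaded through one of these.
list_nginx_modules() {
    find "$1" -type f -name '*.conf' \
        -exec grep -HE '^[[:space:]]*load_module[[:space:]]' {} + 2>/dev/null || true
}

# Build a constructed sample tree so the checks run offline. Nothing here is
# captured data; the .so and module names are hypothetical.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/www/template/default" "$d/www/application" "$d/nginx/conf.d"
    printf '<?php echo "clean"; ?>\n' > "$d/www/index.php"
    printf '<script>var xxSJRox = 1;</script>\n' > "$d/www/template/default/foot.html"
    printf '<?php eval(gzuncompress(base64_decode("AAAA")));\n' > "$d/www/application/cache.php"
    printf '<?php // dropper stub\n' > "$d/www/application/active.php"
    printf '/usr/lib/libbadhide2s.so\n' > "$d/ld.so.preload"
    printf 'load_module modules/ngx_http_badnginx2s_module.so;\n' > "$d/nginx/conf.d/00-mod.conf"
    printf 'worker_processes 1;\n' > "$d/nginx/nginx.conf"
    echo "$d"
}

# Run all checks against one tree. Pass a real web root, nginx config
# directory and preload path to audit a live host instead of the sample.
run_audit() {
    www="$1"; ngx="$2"; preload="$3"
    echo "== marker hits =="; audit_webroot "$www"
    echo "== active.php =="; find_active_php "$www"
    echo "== ld.so.preload =="
    if check_preload "$preload"; then echo "clean"; fi
    echo "== nginx load_module =="; list_nginx_modules "$ngx"
}

main() {
    sample=$(make_sample)
    run_audit "$sample/www" "$sample/nginx" "$sample/ld.so.preload"
    rm -rf "$sample"
}

main
```

On a live host, call run_audit with the real web root, the Nginx configuration directory, and /etc/ld.so.preload. Because an ld.so.preload rootkit hooks the libc calls that find, grep and cat rely on, run the checks from a statically linked shell (a static busybox, for instance) or with the RING04H={hash} kill switch the article describes set in the environment; otherwise the hidden files, including the preload entry itself, may not appear in the output.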
By implementing these measures, website operators can significantly reduce the risk of compromise and protect their users from being redirected to malicious content.