Triad Nexus: Silent Push Uncovers FUNNULL CDN Hosting DGA Domains Linked to Chinese Gambling Sites, Investment Scams, Retail Phishing Campaigns, and a Polyfill.io Supply Chain Attack Affecting Over 110,000 Sites

Silent Push’s Triad Nexus investigation maps FUNNULL, a Chinese CDN, to a global criminal infrastructure hosting investment scams, fake trading apps, gambling networks, and a large-scale supply-chain attack via polyfill.io. The research links DGAs to hundreds of thousands of hostnames, identifies ties to the Suncity Group and Lazarus, and documents widespread retail phishing campaigns, highlighting an ecosystem designed to evade detection and monetize illicit activity. #FUNNULL #TriadNexus

Key Points

  • FUNNULL CDN has been tracked for over two years as a hub for persistent criminal campaigns.
  • Researchers dubbed FUNNULL’s malicious domain cluster “Triad Nexus.”
  • About 200,000 unique hostnames are proxied through FUNNULL, with more than 95% generated by DGAs.
  • Thousands of suspect gambling sites on FUNNULL feature branding tied to the Suncity Group, linked to Lazarus.
  • A polyfill.io supply-chain campaign redirected users and impacted over 110,000 websites.
  • FUNNULL-hosted retail phishing campaigns were discovered targeting major brands.

MITRE Techniques

  • [T1566] Phishing – Phishing login pages impersonating major retail brands. Quote: ‘Phishing login pages targeting major retail brands.’
  • [T1195] Supply Chain Compromise – Acquisition of a JavaScript library (polyfill.io) leading to malicious redirects. Quote: ‘Acquisition of polyfill.io leading to malicious redirects.’
  • [T1071.001] Domain Generation Algorithm – Large-scale domain creation via DGAs to evade detection. Quote: ‘Creation of numerous domains using DGAs to evade detection.’

Indicators of Compromise

  • [Domain] FUNNULL CDN infrastructure domains – funnull.vip, funnull01.vip
  • [IP] FUNNULL CDN IP address – 137.220.202.236
  • [Domain] Polyfill-related domains – polyfill.io, bootcdn.net
  • [Domain] Corporate/brand-related domains – acb.bet
  • [Domain] Gambling infrastructure domains – hiflyk47344.top
  • [Domain] Suncity-linked domains – 6289.com, threevip.cc
  • [URL] Telegram channels used for money-moving networks – t.me/TX_6688, t.me/TX_8988
  • [Email] Contact email found in public repositories – [email protected]
  • [GitHub] Developer templates related to Suncity sites – github.com/xianludh

Read more: https://www.silentpush.com/blog/triad-nexus-funnull/