Cybersecurity researchers at XLab have issued a major report detailing the re-emergence of Funnull (also known as Fangneng CDN), a notorious Philippines-registered group designated by the U.S. government as a primary enabler of Southeast Asian “pig-butchering” scams. After a brief period of dormancy following OFAC sanctions in May 2025, the group has returned with a “fully self-owned, server-side attack framework” dubbed RingH23.
The new campaign marks a significant shift in sophistication. While the group previously “parasitized existing public CDN services,” they now deploy a professional-grade, modular toolkit to compromise CDN nodes directly. The RingH23 arsenal includes:
- Badredis2s (ring04h_office_bin): A backdoor maintaining long-term persistence with C2 hosted on Azure Blob Storage.
- Badnginx2s (module.so): A malicious Nginx module used for traffic hijacking, cryptocurrency wallet replacement, and malicious JavaScript injection.
- Badhide2s (libutilkeybd.so): A userland rootkit that leverages the LD_PRELOAD mechanism to conceal malicious activity from system administrators.
- UDEV Persistence: A rare technique using udev.rules to ensure the malware automatically executes every time the system reboots.
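A defender-side audit for two of the techniques listed above, the LD_PRELOAD rootkit and udev-rule persistence, written here as an added example that is not part of XLab's report. The trusted-directory list is an assumption to tune per distribution, and the sample preload entries and udev rules are constructed, including the path given for libutilkeybd.so.

```python
"""Audit helpers for two RingH23 tricks named in the report: an LD_PRELOAD
userland rootkit and udev-rule persistence. Inputs here are constructed; on a
live host read /etc/ld.so.preload and *.rules under /etc/udev/rules.d."""
import re
import shlex

# Where packaged libraries and helpers normally live (assumption; tune per distro).
TRUSTED_PREFIXES = ("/usr/lib/", "/usr/lib64/", "/lib/", "/lib64/",
                    "/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/")

def audit_ld_preload(content: str) -> list:
    """List every library in an ld.so.preload file; a clean host normally has no
    such file, so any entry deserves review, and untrusted paths are marked."""
    return [{"library": p, "outside_trusted_dirs": not p.startswith(TRUSTED_PREFIXES)}
            for p in content.split()]  # glibc reads whitespace-separated paths

# Matches RUN+="...", RUN{program}+="..." and RUN{builtin}+="..."; key is captured.
RUN_RE = re.compile(r'RUN(?:\{(\w+)\})?\s*\+?=\s*"([^"]*)"')

def audit_udev_rules(content: str) -> list:
    """Return RUN programs launched from outside TRUSTED_PREFIXES or wrapping an
    inline shell command, together with their line number in the rules file."""
    findings = []
    for lineno, line in enumerate(content.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        for key, cmd in RUN_RE.findall(line):
            if key == "builtin":  # udev-internal builtin, not an external program
                continue
            argv = shlex.split(cmd) or [""]
            prog = argv[0]
            if not prog.startswith("/"):
                continue  # relative names resolve inside udev's own helper directory
            shell_wrapper = prog.rsplit("/", 1)[-1] in ("sh", "bash", "dash") and "-c" in argv
            if shell_wrapper or not prog.startswith(TRUSTED_PREFIXES):
                findings.append({"line": lineno, "program": prog, "command": cmd})
    return findings

# Constructed samples: benign entries beside ones mimicking the reported behaviour.
SAMPLE_LD_PRELOAD = ("/usr/lib/x86_64-linux-gnu/libc_malloc_debug.so.0\n"
                     "/dev/shm/.hidden/libutilkeybd.so\n")
SAMPLE_UDEV_RULES = """\
# constructed sample rules, not taken from any real host
ACTION=="add", SUBSYSTEM=="net", RUN+="/usr/bin/systemctl start net-online.target"
ACTION=="add", SUBSYSTEM=="usb", RUN{builtin}+="hwdb --subsystem=usb"
ACTION=="add", SUBSYSTEM=="block", RUN+="/bin/sh -c '/var/tmp/.x/loader'"
KERNEL=="sda", RUN+="/tmp/.cache/ring_loader"
"""
```

Run against the constructed samples, the preload check marks only the /dev/shm library and the udev check flags rules 4 and 5 while leaving the systemctl rule and the builtin alone.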
XLab identified two independent vectors used by Funnull to spread their infection:
- Path One: CDN Node Takeover. The attackers first compromised GoEdge management nodes to implant an infection module. This module then issued SSH remote commands to all connected edge nodes, forcing them to download the RingH23 downloader.
- Path Two: Software Supply Chain Poisoning. The group has also targeted AppleCMS (maccms.la edition), a video site management system popular in China. Evidence shows the official update channel was used to distribute malicious PHP backdoors. This poisoning is “highly deceptive,” as the “payload triggers only upon the administrator’s first login after installation” and the download link remains valid for just three minutes to hinder forensic analysis.
The ultimate goal of the campaign is traffic hijacking for profit. Malicious JavaScript injected into web pages redirects visitors to gambling and pornographic sites. The scale of this operation is industrialized; XLab estimates that one typosquatted domain, clondflare.com, was accessed by 6.8 million users in a single day.
Even more concerning is the group’s “behavioral profiling” strategy. The redirection probability is dynamically adjusted based on the time of day and the type of content the user is browsing. For instance, “between 4:00-7:00 AM, the redirection probability reaches as high as 80%, exploiting users’ late-night fatigue and lowered self-control”.
To evade tracking, Funnull has recently migrated its hosting to a suspicious new infrastructure layer called CDN1.AI. Although it claims to be a legitimate global CDN, XLab notes its “operational hygiene is notably poor,” including an expired SSL certificate on its official site. Researchers assess with high confidence that “CDN1.AI is not an independent third-party CDN, but rather a newly established front infrastructure controlled by Funnull”.
The return of Funnull proves that cybercriminal supply chains are “highly resilient”. Organizations using GoEdge or AppleCMS are urged to conduct deep forensic audits and monitor for outbound traffic to CDN1.AI-linked domains.