Julian-Ferdinand Vögele
julianferdinand.bsky.social
Threat Research @ Recorded Future. Previously @ Security Research Labs. He/Him. 🏳️‍🌈
I'm excited to speak at #VB2025 later this week! I'll be diving into TAG-124, a group whose services are leveraged by a wide range of actors, from cybercriminals to state-sponsored groups. Hit me up if you are in town!

www.virusbulletin.com/conference/v...
September 22, 2025 at 8:23 AM
Really excited to present at #LABScon25 on ChamelGang’s most recent campaign targeting the Taliban, a collaborative research project with @milenkowski.bsky.social (SentinelLABS) and @azaka.fun (TeamT5)! www.labscon.io/speakers/jul...
September 16, 2025 at 1:50 PM
5/ Both variants remain in active development; for example, in late August 2025 we observed C2 dead drops on Steam Community pages, marking a new infrastructure tactic.
September 4, 2025 at 3:05 PM
2/ TAG-150 is Insikt Group’s designation for the actor likely behind the malware families #CastleLoader, #CastleBot, and most recently #CastleRAT, a RAT documented here for the first time.
September 4, 2025 at 3:05 PM
10/ Using Recorded Future Network Intelligence, we observed a large number of victims, most of them within the Colombian government, though some were in other industries; all were located in Colombia.
August 26, 2025 at 2:15 PM
9/ The JavaScript mixed benign and obfuscated code, pulled additional payloads from Paste.ee, and eventually launched a PowerShell script that retrieved a JPG from Archive.org, extracted a hidden .NET assembly via steganography, and executed it in memory.
August 26, 2025 at 2:15 PM
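The JPG-with-hidden-assembly step above is worth a concrete check. The following is an added illustration, not Insikt Group or Recorded Future tooling and not derived from the actual TAG-144 samples: it walks a JPEG's marker structure to find the End-Of-Image marker and flags anything appended after it, raw or base64-encoded, that carries an MZ/PE header. All inputs are constructed inline. The caveat is that this only catches the "payload glued behind a valid image" form; genuine pixel-level (e.g. LSB) hiding would pass through undetected and needs image-statistics or behavioural detection instead.

```python
"""Flag JPEG files that carry a payload appended after the End-Of-Image marker.

Added illustration (not Insikt Group / Recorded Future tooling). It covers the
simplest "steganography" seen in loaders: a PE, raw or base64-encoded, glued
behind a valid image. LSB or other true pixel-level hiding is NOT detected.
"""
import base64
import re
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
# Markers that carry no length field: TEM, SOI, EOI and the restart markers RST0-RST7.
STANDALONE = {0x01, SOI, EOI} | set(range(0xD0, 0xD8))
B64_RE = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")


def jpeg_trailer(data: bytes) -> bytes:
    """Walk the marker/segment structure and return the bytes after EOI (b'' if none).

    Raises ValueError when the input is not a structurally valid JPEG.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:          # 0xFF fill byte between markers
            pos += 1
            continue
        pos += 2
        if marker == EOI:
            return data[pos:]
        if marker in STANDALONE:
            continue
        if pos + 2 > len(data):
            raise ValueError("truncated segment header")
        pos += struct.unpack_from(">H", data, pos)[0]   # length includes its own 2 bytes
        if marker == SOS:
            # Entropy-coded scan data follows the SOS header. It ends at the first
            # 0xFF that is neither a stuffed 0xFF00 nor a restart marker.
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
                    break
                pos += 1
    raise ValueError("no EOI marker found")


def looks_like_pe(blob: bytes) -> bool:
    """MZ header whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def scan_jpeg(data: bytes) -> dict:
    """Return a verdict dict: trailer size, and whether it is a raw or base64 PE."""
    trailer = jpeg_trailer(data)
    verdict = {"trailer_bytes": len(trailer), "pe": False, "base64_pe": False}
    if looks_like_pe(trailer):
        verdict["pe"] = True
        return verdict
    for m in B64_RE.finditer(trailer):
        try:
            decoded = base64.b64decode(m.group(0), validate=True)
        except ValueError:      # binascii.Error is a ValueError subclass
            continue
        if looks_like_pe(decoded):
            verdict["base64_pe"] = True
            break
    return verdict


def build_fake_pe(size: int = 0x100) -> bytes:
    """Constructed stand-in for a dropped assembly: a DOS stub pointing at a PE header."""
    buf = bytearray(size)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)
    buf[0x80:0x84] = b"PE\0\0"
    return bytes(buf)


def build_sample_jpeg(trailer: bytes = b"") -> bytes:
    """Constructed minimal JPEG (SOI, APP0, SOS with stuffed 0xFF00, EOI) plus trailer."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56"   # entropy data containing a byte-stuffed 0xFF
    return b"\xff\xd8" + app0 + sos + scan + b"\xff\xd9" + trailer


def demo_samples() -> dict:
    """Constructed inputs for a self-check: clean image, appended PE, appended base64 PE."""
    pe = build_fake_pe()
    return {
        "clean": build_sample_jpeg(),
        "appended_pe": build_sample_jpeg(pe),
        "appended_b64_pe": build_sample_jpeg(base64.b64encode(pe)),
    }


if __name__ == "__main__":
    for name, blob in demo_samples().items():
        print(f"{name:16s} {scan_jpeg(blob)}")
```

Walking the segments rather than searching for the last `FF D9` matters: an appended PE or base64 blob can itself contain `FF D9`, and a naive "find the last EOI" would then report an empty trailer. For files retrieved from a download proxy or mail gateway, any non-zero `trailer_bytes` on an image is worth a look even when the PE heuristics stay false, since the appended data may be encrypted or otherwise encoded.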
8/ Notably, TAG-144 is increasingly using compromised Colombian government email accounts (e.g., alcaldia[@]simacota-santander[.]gov[.]co) to deliver phishing emails disguised as legal notices, often with malicious SVG attachments that link to staged JavaScript payloads hosted on Discord’s CDN.
August 26, 2025 at 2:15 PM
6/ Cluster 4, running from May 2024 to February 2025, stood out because it was not only linked to malware infrastructure but also to phishing activity, with campaigns leveraging compromised Colombian government domains.
August 26, 2025 at 2:15 PM
2/ These clusters share core techniques like using cracked remote access trojans, dynamic domain providers, and legitimate internet services for staging, but they differ in their infrastructure, malware deployment, and overall operational methods.
August 26, 2025 at 2:15 PM
8/ Finally, we linked several Lumma affiliates to distinct personas on underground forums as well as to real-world individuals, all of whom appear to be deeply entrenched in the cybercrime ecosystem. Many were active on carding marketplaces such as BriansClub and on forums like Exploit and XSS.
August 20, 2025 at 2:08 PM
7/ In other instances, we observed affiliates deploying multiple infostealers simultaneously, such as Vidar, Stealc, Meduza, and CraxsRAT. The rationale is clear: to maintain operational agility, increase success rates, and ensure resilience against law enforcement takedowns.
August 20, 2025 at 2:08 PM
6/ Notably, our findings indicate that affiliates often operate multiple scams simultaneously. For instance, one affiliate, known by the alias blackowl23, was linked to rental scams, likely using stolen low-value accounts on platforms such as WG-Gesucht to trick victims into booking fake viewings.
August 20, 2025 at 2:08 PM
5/ Additionally, our investigation revealed previously undocumented tools, including a modified credential validator and a phishing page generator called “DONUSSEF,” which leverages AI to create phishing pages (e.g., targeting PayPal).
August 20, 2025 at 2:08 PM
4/ These tools aren’t just used by affiliates; Lumma actively partners with them. E.g., its channel promoted GhostSocks, a proxy plugin turning infected bots into SOCKS5 nodes. We also observed cross-service promotion, such as kleenscan[.]com advertising hector[.]su’s exploit services, and others.
August 20, 2025 at 2:08 PM
3/ A notable service category highly common across affiliates involves the use of a specific group of offshore, privacy-focused hosting providers, such as hostcay[.]com and anonrdp[.]com, alongside other well-known providers.
August 20, 2025 at 2:08 PM
9/ The use of multiple companies and frequent name changes has been a core tactic of Candiru since its founding in 2014, and it’s a well-documented pattern across the spyware industry, as reported by the @atlanticcouncil.bsky.social, @citizenlab.ca, and Recorded Future, among others.
August 5, 2025 at 2:18 PM
6/ Overall, we identified 8 unique operational clusters: 5 appear active, including ones linked to Hungary & Saudi Arabia; 1 tied to Indonesia was active until Nov 2024; 2 linked to Azerbaijan remain uncertain as no recent victim-facing infrastructure was observed.
August 5, 2025 at 2:18 PM
5/ We also traced portions of the higher-tier infrastructure back to Candiru’s own corporate network. While the precise role of the interaction is unclear, we suspect it could be involved in licensing checks or pushing software updates.
August 5, 2025 at 2:18 PM
I'm thrilled to be speaking at #VB2025 this September in Berlin! My talk will focus on TAG-124, a widespread traffic distribution system, and its role in the cybercriminal ecosystem, with a particular emphasis on its link to ransomware operations! 👉 tinyurl.com/3hurr52m
June 16, 2025 at 7:15 AM
6/ All three vectors deployed by GrayAlpha were used in parallel during observed campaigns. However, as of this report, only the fake 7-Zip sites appear active, with new domains identified as recently as April 2025.
June 13, 2025 at 2:35 PM
4/ GrayAlpha's infection chain is built around three vectors: fake browser update pages, fake 7-Zip download sites, and the TDS TAG-124 network; notably, this is the first public documentation of TAG-124 being used by GrayAlpha.
June 13, 2025 at 2:35 PM
7/ In addition, we have tied parts of Predator’s infrastructure to a Czech entity, FoxITech s.r.o, previously connected to the Intellexa Consortium, as reported by Czech investigative journalists at investigace.cz.
June 12, 2025 at 2:23 PM
4/ Over the past year, we detected Predator activity in several countries. Notably, Insikt Group is the first to report suspected Predator usage in Mozambique.
June 12, 2025 at 2:23 PM
3/ While some infrastructure overlaps with earlier reports, Predator’s operators have evolved their tactics, employing new methods to evade detection (e.g., through 404 websites).
June 12, 2025 at 2:23 PM
2/ The newly identified infrastructure includes victim-facing Tier 1 servers and higher-tier (Tier 2 to 5) components likely linked to Predator operators in multiple countries.
June 12, 2025 at 2:23 PM