Funnull

Funnull, also referred to as Funnull Technology Inc., FUNNULL Technology Inc., and Fangneng CDN (方能CDN/方能科技), is described in the provided content as a Philippines-registered company and cybercriminal group that publicly claims to provide CDN services but has been linked to large-scale criminal infrastructure. The content states it has served as a core infrastructure provider for Southeast Asia’s cybercriminal ecosystem, particularly supporting romance baiting / “pig-butchering” and virtual-currency investment scams, gambling, money laundering, and related fraud operations. The U.S. Treasury Department’s Office of Foreign Assets Control sanctioned Funnull on May 29, 2025; the content also states Treasury sanctioned its administrator, Liu Lizhi, a Chinese national. Supporting reporting cited in the content links Funnull infrastructure to over 332,000 domains, and other reporting describes it as linked to over 1.4 million scam-hosting sites and to more than $200 million in U.S. victim losses. The content also links Funnull to supply-chain and traffic-redirection activity. It is described as having carried out a supply-chain attack on the Polyfill.io JavaScript library, and FUNNULL-operated infrastructure is referenced in malicious redirect chains observed in trojanized OphimCMS theme packages on Packagist. In that reporting, a FUNNULL-linked second-stage payload used heavily gated mobile-only redirection logic, anti-bot and anti-debugging checks, referrer requirements, time-of-day restrictions, second-visit cookies, and administrator-cookie exclusions before redirecting users to gambling or adult-content destinations. The domain union[.]macoms[.]la is specifically described as a documented Funnull IOC. The content further describes Funnull’s re-emergence with a server-side attack framework called RingH23. RingH23 is reported to compromise CDN infrastructure, including GoEdge management nodes and downstream edge nodes, and to poison the MacCMS (maccms.la) update channel to deploy malicious PHP backdoors. Reported components include an SSH-based propagation stage, a Golang infector, a downloader, an encrypted WebSocket backdoor that retrieves C2 information from Azure Blob Storage, DNS-tunneling fallback via iodine, a malicious Nginx module for JavaScript injection and cryptocurrency wallet-address swapping, and a userland rootkit using /etc/ld.so.preload for stealth. The campaign is described as enabling large-scale malicious JavaScript injection and redirection of users to gambling and pornographic sites, with many affected systems associated with streaming and movie-related websites. Based on the provided content, Funnull is a financially motivated cybercriminal actor and infrastructure provider, not described here as a state actor, although some commentary notes the broader difficulty of acting against cybercrime in jurisdictions where operators may have tacit government tolerance. No direct state attribution for Funnull is established in the provided material.