RingH23

RingH23 is a modular, server-side attack toolkit attributed in reporting to the cybercriminal group Funnull (aka Fangneng CDN), which was sanctioned by the U.S. Treasury (OFAC) on May 29, 2025. The toolkit is described as being used to silently compromise CDN infrastructure (including GoEdge management nodes and downstream edge nodes) and to poison the MacCMS (maccms.la) update channel to deploy malicious PHP backdoors, enabling large-scale malicious JavaScript injection and traffic redirection (notably to gambling/porn sites) with telemetry citing 10,748 infected IPs and an estimate of >1 million users/day exposed to redirects.

Infection routes described:

• GoEdge/CDN route: attackers compromise a GoEdge CDN management node, then use SSH remote commands to force connected edge nodes to download and execute RingH23 components. The entry component infect_init (Golang, UPX-packed, root required) validates a session token and group key with C2, queries the GoEdge management database to harvest edge-node credentials, and deploys download_init via SSH. download_init probes Nginx configuration, registers with C2, and retrieves additional payload URLs.
• MacCMS route: attackers poison the official update channel of maccms.la to deliver a malicious PHP backdoor that is fetched/activated on the administrator’s first login after installation; the download link is described as expiring after ~3 minutes to hinder retrieval.

Modules/capabilities described:

• Backdoor (Badredis2s; ring04h_office_bin/office_bin): AES-128-CBC encrypted WebSocket (WSS) tunnels; dynamically fetches C2 addresses from Microsoft Azure Blob Storage; fallback to DNS tunneling using iodine if primary connectivity is blocked; plugin-based.
• Malicious Nginx module (Badnginx2s; module.so): injects malicious JavaScript, swaps Ethereum and TRON wallet addresses to attacker-controlled ones, and inserts 5-second video segments into HLS playlists.
• Userland rootkit (Badhide2s; libutilkeybd.so): uses /etc/ld.so.preload to hide malicious files, processes, and network connections from tools such as ps, ls, and netstat.
• Persistence: udev.sh and udev.rules are referenced as persistence mechanisms via udev rules.

Attribution/naming notes in the content:

• The name “RingH23” is stated to derive from recurring “RING04H” strings and XOR key 0x23 used to decrypt configuration files.

Indicators explicitly mentioned in the content include:

• Distribution/infrastructure: download.zhw[.]sh; embedded domain client.110[.]nz.
• Typosquatted JS-hosting domains: code.jquecy[.]com, cdn.jsdclivr[.]com, cdnjs.clondflare[.]com, static.bytedauce[.]com.
• MacCMS malicious PHP payloads: active.php (MD5 b06b9f13505eb49d6b3f4bddd64b12ce) and addons.php (MD5 eb03db7ac9f10af66a1e2b16185fcadc).
• Backdoor/C2 domains listed: linuxdistro[.]net, debianhacks[.]net, fedoraforums[.]net, ubuntucommands[.]com, ntp[.]asia, ntporg[.]com, sbindns[.]com, plusedns[.]com.