{"id":12127,"date":"2026-04-15T10:03:42","date_gmt":"2026-04-15T10:03:42","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/04\/15\/funnull-linked-triad-nexus-resurfaces-with-175-rotating-cname-domains-and-global-scam-portals\/"},"modified":"2026-04-15T10:03:42","modified_gmt":"2026-04-15T10:03:42","slug":"funnull-linked-triad-nexus-resurfaces-with-175-rotating-cname-domains-and-global-scam-portals","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/04\/15\/funnull-linked-triad-nexus-resurfaces-with-175-rotating-cname-domains-and-global-scam-portals\/","title":{"rendered":"FUNNULL-Linked Triad Nexus Resurfaces With 175+ Rotating CNAME Domains and Global Scam Portals"},"content":{"rendered":"<div>\n<p>A cybercriminal group tied to the FUNNULL Content Delivery Network has made a calculated return with a far more sophisticated and evasive infrastructure. <\/p>\n<p>Known as Triad Nexus, the group has rebuilt its global fraud operation following U.S. Treasury sanctions, deploying over 175 randomly rotating CNAME domains to power a sprawling network of scam portals that target victims across multiple countries.<\/p>\n<p>Triad Nexus is not a new player in the threat landscape. The group is deeply rooted in organized criminal networks across Asia and has been actively running investment scams, money laundering operations, and illegal gambling platforms since at least 2022. <\/p>\n<p>Its earlier campaigns relied heavily on the FUNNULL CDN as the primary backbone, enabling fast delivery of fraudulent websites designed to look exactly like trusted global brands. <\/p>\n<p>What changed after the U.S. 
sanctions was not the group\u2019s criminal intent \u2014 it was their method of concealment.<\/p>\n<p>Following the May 2024 federal sanctions, the group rapidly pivoted to what researchers describe as \u201cinfrastructure laundering.\u201d <\/p>\n<p>Rather than relying solely on low-reputation servers, Triad Nexus began hijacking legitimate enterprise cloud accounts at major providers including Amazon Web Services, Cloudflare, Google, and Microsoft. <\/p>\n<p>By routing malicious traffic through these trusted platforms, the group created an appearance of legitimacy that made its fake portals far harder to detect or block. <\/p>\n<p><a href=\"https:\/\/www.silentpush.com\/blog\/triad-nexus-funnull-2026\/\" id=\"https:\/\/www.silentpush.com\/blog\/triad-nexus-funnull-2026\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Silent Push analysts and researchers identified this tactical shift<\/a> as a major evolution, noting that the group had abandoned stable CNAME domains in favor of a rotating pool of over 175 randomly generated CNAME domains \u2014 each one connecting clusters of fraudulent websites to stolen or illicitly acquired IP addresses.<\/p>\n<p>The scale of the fraud is staggering. Triad Nexus has been linked to over one billion dollars in reported victim losses, with individual losses averaging around $47,000. <\/p>\n<p>The group primarily runs \u201cpig butchering\u201d scams, where victims are manipulated over weeks or months into investing large sums into fake <a href=\"https:\/\/cybersecuritynews.com\/6-trends-shaping-cryptocurrency-and-blockchain-in-2025\/\" id=\"88651\" target=\"_blank\" rel=\"noreferrer noopener\">cryptocurrency platforms<\/a>. 
<\/p>\n<p>Their catalog of fraudulent portals includes pixel-perfect clones of luxury brands like Tiffany, Cartier, and Chanel, financial platforms like Western Union and MoneyGram, and banking portals falsely tied to Wells Fargo, Goldman Sachs, and Bank of America.<\/p>\n<p>To avoid law enforcement attention after the sanctions, the group also launched a series of \u201cclean\u201d front companies \u2014 entities with professional branding and fabricated operating histories designed to manufacture trust among unsuspecting users. <\/p>\n<p>One particularly revealing example is a fake CDN provider operating as cdnbl.com, which falsely claims to have served clients since 2007. Domain registration records confirm it was only created in March 2024, exposing the deception at its core.<\/p>\n<h2 class=\"wp-block-heading\" id=\"geographic-evasion-and-the-rotating-cname-infrastr\"><strong>Geographic Evasion and the Rotating CNAME Infrastructure<\/strong><\/h2>\n<p>One technically alarming aspect of Triad Nexus\u2019s rebuilt operation is its deliberate use of multi-layered CNAME chains to hide the true destination of its traffic. <\/p>\n<p>A CNAME, or Canonical Name record, is a DNS entry that redirects one domain to another. Standard security tools typically only follow a single step in this chain, meaning the real final endpoint often goes completely undetected.<\/p>\n<p>Triad Nexus actively exploits this blind spot. 
Its infrastructure routes traffic through multiple intermediate CNAME domains \u2014 sometimes three or four layers deep \u2014 before landing on a final IP address hosted on a reputable enterprise cloud platform.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiavJjPWJFOfjGg-AY-gm5RCGzN6bm_Wsi5E0p5BpGjtASIAOAkb1PgHleNw2CQbi_xTPHWeAJEi0WkRnFlsa49qYgr2nJr9SgvUWtkUY6gdo6dBcmJoR4j7QT7Ph9rWUgZO7qo_j7XuqW52eVMzga6OR_Byf0GKLRLC5Pf2F2F2uF4X0PHkr54fgs2dMs\/s16000\/CNAME%2520chain%2520between%2520an%2520IP%2520and%2520a%2520client%2520domain%2520cluster%2520%28Source%2520-%2520Silent%2520Push%29.webp?ssl=1\" alt=\"CNAME chain between an IP and a client domain cluster (Source - Silent Push)\"><figcaption class=\"wp-element-caption\">CNAME chain between an IP and a client domain cluster (Source \u2013 Silent Push)<\/figcaption><\/figure>\n<\/div>\n<p>This multi-layered redirection makes it extremely difficult for automated <a href=\"https:\/\/cybersecuritynews.com\/best-fraud-detection-tools\/\" id=\"13681\" target=\"_blank\" rel=\"noreferrer noopener\">detection tools<\/a> to trace traffic back to its true origin. <\/p>\n<p>To further avoid oversight, the group has placed a deliberate U.S. block across many of its portals, displaying an error that reads \u201cThe region has been denied\u201d to American visitors, while simultaneously expanding its scam operations into Spanish, Vietnamese, and Indonesian markets to keep its fraud profits flowing.<\/p>\n<p>Organizations are strongly advised to move beyond reactive security measures. 
<a href=\"https:\/\/cybersecuritynews.com\/security-teams-shrink-as-automation-rises\/\" id=\"100650\" target=\"_blank\" rel=\"noreferrer noopener\">Security teams<\/a> should adopt CNAME chain analysis capabilities, monitor for newly registered lookalike domains, enforce strict DNS resolution policies, and maintain deep visibility across all network layers to detect and disrupt threats of this nature before they reach end users.<\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/funnull-linked-triad-nexus-resurfaces\/\">FUNNULL-Linked Triad Nexus Resurfaces With 175+ Rotating CNAME Domains and Global Scam Portals<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p>Tushar Subhra Dutta<\/p>\n","protected":false},"excerpt":{"rendered":"<p>FUNNULL-Linked Triad 
Nexus Resurfaces With 175+ Rotating CNAME Domains and Global Scam Portals A cybercriminal group tied to the FUNNULL Content Delivery Network has made a calculated return with a far more sophisticated and evasive infrastructure. Known as Triad Nexus, the group has rebuilt its global fraud operation following U.S. Treasury sanctions, deploying over 175 [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,649],"tags":[130],"class_list":["post-12127","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-threats","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/12127"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=12127"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/12127\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=12127"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=12127"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=12127"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}