Archive for Silent Push

Triad Nexus Operations Infrastructure Reborn as Threat Actor Distances Activity from FUNNULL CDN

Posted in Commentary with tags on April 14, 2026 by itnerd

Silent Push has released new research revealing that following US Treasury sanctions in 2025, Triad Nexus has matured its operational security, employing geographic fencing to blind US investigators while simultaneously laundering its infrastructure through account muling and a rotating network of “clean” front companies. 

Triad Nexus is responsible for $200M+ in reported losses, driven largely by sophisticated “pig-butchering” and virtual currency scams. Individual victim losses average $150K, highlighting how much each successful victim yields for the operation. Despite federal sanctions in 2025, the group has rebuilt its global fraud engine, shifting its focus toward emerging markets while maintaining a persistent threat to Western enterprise assets. 

Triad Nexus continues to pose a direct risk to corporate brand integrity and customer trust. The group manages an industrialized catalog of impersonation assets targeting: 

Banking and Fintech: Payment portals for more than 25 global institutions (including Wells Fargo and Bank of America) used for large-scale credential harvesting and “pig-butchering” scams. 

Luxury Retail: High-fidelity clones of brands such as Tiffany and Cartier to intercept high-value consumer transactions. 

Global Logistics: Exploitation of services, including the Vietnam Post, to facilitate regional personally identifiable information (PII) theft. 

You can read the research here: https://www.silentpush.com/blog/triad-nexus-funnull-2026

New SystemBC Botnet Malware Research Finds Novel Variant & 10K Unique Infected IPs Part of Family

Posted in Commentary with tags on February 4, 2026 by itnerd

Silent Push has revealed that its analysts have identified more than 10,000 unique infected IP addresses belonging to the SystemBC botnet, a malware family used in ransomware attacks and as a SOCKS5 proxy network. 

Silent Push’s analysis shows SystemBC infections are globally distributed at scale, with the highest concentration of infected IP addresses observed in the US, followed by Germany, France, Singapore, and India.

Silent Push identified SystemBC infections within sensitive infrastructure, including compromised IP addresses hosting government websites in Burkina Faso and Vietnam. 

The research uncovers a previously undocumented SystemBC variant written in Perl, indicating continued development activity and ongoing evolution of the malware family.

You can read the analysis here: https://www.silentpush.com/blog/systembc

New Magecart Network Disrupts Online Shoppers: Campaign Targets AmEx, Mastercard, Capital One Subsidiary

Posted in Commentary with tags on January 13, 2026 by itnerd

Silent Push has uncovered an extensive network of domains associated with a long-term, ongoing web-skimmer campaign known under the umbrella name “Magecart.” 

This campaign utilizes scripts targeting at least six major payment network providers: American Express, Diners Club, Discover (a subsidiary of Capital One), JCB Co., Ltd., Mastercard, and UnionPay. 

The most likely victims of this web-skimming campaign are online shoppers and enterprise organizations that are clients of the various payment providers. 

Current findings suggest this campaign has been active for several years, dating back to the beginning of 2022. 

You can read the details here: https://www.silentpush.com/blog/magecart

Adaptix Ties to Russian Criminal Underworld, Threat Actors Harness Open-Source Tool for Malicious Payload

Posted in Commentary with tags on October 30, 2025 by itnerd

Silent Push has published new research in which its threat analysts uncover threat actors using Adaptix, a free and open source tool commonly used by penetration testers, to deliver malicious payloads. Silent Push has observed heavy ties linking Adaptix to Russia and the Russian criminal underworld. 

Abuse of Adaptix was first discovered during Silent Push’s research on the new malware CountLoader, which it reported on previously. Soon after signatures were added to Silent Push’s detection methods, several public reports highlighted a surge in threat actors using Adaptix in global ransomware campaigns. 

Silent Push has identified a potential threat actor with significant ties to Russia who goes by the handle “RalfHacker,” appears to be a developer behind Adaptix, and manages a Russian language sales Telegram channel for the tool. 

The research can be found here: https://www.silentpush.com/blog/adaptix-c2.

Fake Browser Update Campaign Driving Attacks Worldwide

Posted in Commentary with tags on August 6, 2025 by itnerd

Today Silent Push released an in-depth analysis of SocGholish (operated by TA569), which functions as a sophisticated Malware-as-a-Service operation selling access to compromised systems to various financially motivated cybercriminal clients. The malware acts as an initial access broker (IAB), enabling other notorious groups, and even the Russian GRU’s Unit 29155, to conduct follow-on attacks, including ransomware deployments.

The research dives into how SocGholish uses fake browser updates to lure victims and lead them to drive-by malware downloads. The group also leverages traffic distribution systems (including Parrot and Keitaro TDS) to filter and redirect victims to malicious content.

Additionally, the group uses domain shadowing and rotates its domains frequently to evade detection, which keeps it one step ahead of defenders and makes proactive threat intelligence crucial for defense. 

You can read more here: https://www.silentpush.com/blog/socgholish

Silent Push Expands Cyber Defense Capabilities with VPN, Proxy, and Sinkhole Tagging on all Public IP Addresses 

Posted in Commentary with tags on August 5, 2025 by itnerd

Silent Push today announced the release of IP Context, a new detection method that identifies all uses of an IP address in one place, including use as a VPN, proxy, sinkhole, or benign scanner, across the company’s global dataset.

IP Context allows defenders to minimize fraud and abuse by identifying adversary infrastructure more effectively, giving immediate context on the function and risk level of any given IP address. Tagged IPs are presented in a single view alongside everything else Silent Push knows about an indicator, including its relationship with the rest of the Internet, DNS history, hosting relationships, campaign associations, and proprietary categories not available anywhere else. VPNs and proxies are tagged and filtered per commercial service provider. Proxies are further categorized as ‘residential’, ‘open’, ‘http’, or ‘socks4/5’, and by whether authentication is required.

With currently over 50 million IPs categorized daily as a VPN, proxy, or sinkhole, Silent Push brings full-spectrum tagging and enrichment to any IP it scans – whether it’s in an existing threat feed or discovered during an investigation.

Enterprise use cases for IP Context include:

  • Credential Stuffing & Account Takeover Detection: Flag login attempts from residential proxy IPs commonly used in automated attacks, helping SOC teams act before escalation.
  • Infrastructure Discovery: Reveal contextual information about unknown IP addresses, allowing differentiation between normal users, residential proxies, and VPNs.
  • Threat Actor Clustering: Identify shared proxy or VPN services across campaigns, enabling faster attribution and proactive blocking of related assets.
  • Incident Response & Malware Triage: Instantly recognize sinkhole-tagged IPs to avoid false alarms and focus efforts on containment and root cause analysis.
  • Advertising Fraud and Abuse Discovery: IP Context provides new opportunities to track ad fraud operators and coordinated inauthentic traffic schemes.

IP Context is available as an add-on for Enterprise customers. Tags are accessible through Silent Push’s Total View screen, or as a daily bulk data download, allowing teams to integrate tag intelligence into existing workflows and filter based on their unique operational needs.
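The credential-stuffing and incident-response use cases above come down to joining your own telemetry against a per-IP function tag. The following is an added example written for this page, not Silent Push code, and it does not use Silent Push’s real feed layout or API: the CSV column names, the provider names, every IP address (all from RFC 5737 documentation ranges) and the login log lines are constructed. It tags login events from VPN/proxy sources by severity, raises a credential-stuffing alert when one residential-proxy IP is seen across several accounts, and separates sinkhole-tagged beacon destinations from ones that still need containment.

```python
"""Added example: enrich login events and beacon destinations with
hypothetical VPN/proxy/sinkhole/scanner tags. Feed layout, IPs, providers
and log lines are all constructed for illustration."""
import csv
import io
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed tag feed (hypothetical layout: ip, tag, provider, subtype).
TAG_FEED = """ip,tag,provider,subtype
203.0.113.10,proxy,ExampleProxyCo,residential
203.0.113.11,proxy,ExampleProxyCo,open
198.51.100.5,vpn,ExampleVPN,
192.0.2.200,sinkhole,ResearchSinkhole,
192.0.2.201,scanner,BenignScanner,
"""

# Constructed web-app authentication log.
AUTH_LOG = """\
2025-08-05T10:00:01Z login user=alice src=203.0.113.10 result=fail
2025-08-05T10:00:02Z login user=bob src=203.0.113.10 result=fail
2025-08-05T10:00:03Z login user=carol src=203.0.113.10 result=success
2025-08-05T10:00:04Z login user=dave src=198.51.100.5 result=success
2025-08-05T10:00:05Z login user=erin src=203.0.113.77 result=success
2025-08-05T10:00:06Z login user=frank src=not-an-ip result=fail
"""


@dataclass(frozen=True)
class IPTag:
    tag: str       # "vpn", "proxy", "sinkhole" or "scanner"
    provider: str  # commercial service the address is attributed to
    subtype: str   # proxies only: "residential", "open", "http", "socks4/5", "auth"


def normalise(src: str) -> Optional[str]:
    """Canonical IP string, or None if the field is not an address."""
    try:
        return str(ipaddress.ip_address(src.strip()))
    except ValueError:
        return None


def load_tags(feed: str) -> Dict[str, IPTag]:
    """Parse the feed into {ip: IPTag}; rows with a bad IP are skipped, not fatal."""
    tags: Dict[str, IPTag] = {}
    for row in csv.DictReader(io.StringIO(feed)):
        ip = normalise(row["ip"])
        if ip is not None:
            tags[ip] = IPTag(row["tag"].strip(), row["provider"].strip(), row["subtype"].strip())
    return tags


def classify_source(src: str, tags: Dict[str, IPTag]) -> str:
    """Coarse verdict for a source address, used to pick alert severity."""
    ip = normalise(src)
    if ip is None:
        return "invalid"
    t = tags.get(ip)
    if t is None:
        return "untagged"
    if t.tag == "proxy":
        return "residential_proxy" if t.subtype == "residential" else "open_proxy"
    return t.tag  # "vpn", "sinkhole", "scanner"


LOGIN_RE = re.compile(r"user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)")
SEVERITY = {"residential_proxy": "high", "open_proxy": "medium", "vpn": "low"}
STUFFING_THRESHOLD = 3  # distinct accounts seen from one residential-proxy IP


def flag_logins(log: str, tags: Dict[str, IPTag]) -> List[dict]:
    """One alert per login from a tagged VPN/proxy, plus a credential-stuffing
    alert when a residential proxy IP is shared by STUFFING_THRESHOLD+ accounts."""
    alerts: List[dict] = []
    accounts_per_proxy: Dict[str, set] = defaultdict(set)
    for line in log.splitlines():
        m = LOGIN_RE.search(line)
        ip = normalise(m["src"]) if m else None
        if ip is None:
            continue  # unparseable line or bad IP: skip, never crash the pipeline
        verdict = classify_source(ip, tags)
        if verdict in SEVERITY:
            alerts.append({"kind": "tagged_login", "verdict": verdict, "severity": SEVERITY[verdict],
                           "user": m["user"], "src": ip, "provider": tags[ip].provider})
        if verdict == "residential_proxy":
            accounts_per_proxy[ip].add(m["user"])
    for ip, users in accounts_per_proxy.items():
        if len(users) >= STUFFING_THRESHOLD:
            alerts.append({"kind": "credential_stuffing", "severity": "critical",
                           "src": ip, "accounts": len(users)})
    return alerts


def triage_beacons(dest_ips: List[str], tags: Dict[str, IPTag]) -> Dict[str, List[str]]:
    """Sinkhole-tagged C2 destinations are already neutralised (lower priority);
    everything else still needs containment."""
    out: Dict[str, List[str]] = {"sinkholed": [], "contain": []}
    for dest in dest_ips:
        ip = normalise(dest) or dest
        t = tags.get(ip)
        out["sinkholed" if t and t.tag == "sinkhole" else "contain"].append(ip)
    return out


if __name__ == "__main__":
    tags = load_tags(TAG_FEED)
    for alert in flag_logins(AUTH_LOG, tags):
        print(alert)
    print(triage_beacons(["192.0.2.200", "203.0.113.50"], tags))
```

The residential-proxy threshold is deliberately low for the sample data; in production it belongs in a time window (accounts per IP per hour) because residential proxy exit nodes are also shared by legitimate users of the same ISP.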

New Chinese Fake Marketplace e-Commerce Phishing Campaign Using Thousands of Websites to Spoof Retail Brands

Posted in Commentary with tags on July 2, 2025 by itnerd

Silent Push has uncovered a new Chinese fake marketplace e-commerce phishing scam campaign using thousands of websites to spoof retail brands.

Silent Push followed a tip from Mexican journalist Ignacio Gómez Villaseñor about a threat actor targeting “Hot Sale 2025,” an annual sales event similar to “Black Friday” in the U.S.

The Silent Push team pivoted from that Mexico-centric campaign into thousands of websites that broadly targeted a more global audience with abundant waves of fake marketplace scams.

Silent Push has observed this threat actor group building multiple phishing websites with pages spoofing well-known retailers, including Apple, Harbor Freight Tools, Michael Kors, REI, Wayfair, and Wrangler Jeans.

The threat actor has also been caught abusing online payment services such as MasterCard, PayPal, and Visa, as well as Google Pay payment security features, across this campaign’s network of scam websites.

You can read the research here.

North Korean APT Group Created 3 Front Companies to Spread Malware to Crypto Job Applicants

Posted in Commentary with tags on April 24, 2025 by itnerd

Today, Silent Push reported that its threat analysts have uncovered three cryptocurrency companies that are actually fronts for the North Korean APT group Contagious Interview: BlockNovas LLC, Angeloper Agency, and SoftGlide LLC.

Silent Push’s malware analysts confirmed that three malware strains, BeaverTail, InvisibleFerret, and OtterCookie, are being delivered via “interview malware lures” to unsuspecting cryptocurrency job applicants.

The threat actor heavily uses AI-generated images to create profiles of “employees” for the three front crypto companies. As part of the crypto attacks, the threat actors also make heavy use of GitHub, job listing, and freelancer websites.

This is now live at https://www.silentpush.com/blog/contagious-interview-front-companies/

New Research Exposes FUNNULL CDN Renting IPs from Big Tech Like AWS & MSFT for Laundering

Posted in Commentary with tags on January 30, 2025 by itnerd

Today, Silent Push announced that its threat analysts have discovered threat actors enabled by mainstream cloud providers, including Amazon Web Services (AWS) and Microsoft Azure. 

New details uncovered in the course of this reporting indicate that FUNNULL is likely using fraudulent or stolen accounts to acquire these IPs and map them to its CNAMEs, and providers Silent Push has spoken to say this wasn’t caught in real time because of visibility gaps stemming from the technical complexity of their DNS architecture.

Additional key findings include:

  • FUNNULL has rented over 1,200 IPs from Amazon and nearly 200 from Microsoft. Although most IPs have been taken down, new ones are acquired every few weeks.
  • There are indications of FUNNULL illicitly acquiring the IPs using stolen or fraudulent accounts. However, external visibility into this process is limited.
  • Money laundering services hosted on shell websites, retail phishing schemes, and pig-butchering scams are all being kept online via this infrastructure laundering.

This is now live at https://www.silentpush.com/blog/infrastructure-laundering/
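The pattern described above, CDN CNAMEs mapped onto short-lived IPs rented from mainstream clouds, is something a defender can look for in passive DNS: follow each watched hostname’s CNAME chain, note whether it passes through the CDN’s namespace, and check whether the terminal A record sits in a hyperscaler prefix. The following is an added example written for this page, not Silent Push’s tooling: the passive-DNS snapshot, the CDN domain `cdn-front.test`, and the “cloud” prefixes (RFC 5737 documentation ranges standing in for the real AWS `ip-ranges.json` and Azure Service Tag feeds, which are not fetched here) are all constructed. It also handles the two things that break naive chain-walkers, CNAME loops and dangling CNAMEs whose target was never observed.

```python
"""Added example: walk CNAME chains from a constructed passive-DNS snapshot
and report names that are fronted by a given CDN and terminate at an IP
inside a (hypothetical) cloud-provider prefix."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Hypothetical provider prefixes; stand-ins for the published AWS/Azure ranges.
CLOUD_PREFIXES = {
    "aws-example": [ipaddress.ip_network("203.0.113.0/25")],
    "azure-example": [ipaddress.ip_network("198.51.100.0/25")],
}

# Constructed passive-DNS snapshot: name -> (rrtype, rdata). One record per
# name keeps the example small; real pDNS has many, each with a time range.
PDNS: Dict[str, Tuple[str, str]] = {
    "pay.example-bank-login.test": ("CNAME", "edge.cdn-front.test"),
    "edge.cdn-front.test": ("CNAME", "node7.cdn-front.test"),
    "node7.cdn-front.test": ("A", "203.0.113.55"),
    "shop.example-retail.test": ("CNAME", "node9.cdn-front.test"),
    "node9.cdn-front.test": ("A", "198.51.100.9"),
    "old.example.test": ("CNAME", "node3.cdn-front.test"),
    "node3.cdn-front.test": ("A", "192.0.2.3"),        # same CDN, non-cloud IP
    "static.other.test": ("CNAME", "cdn.other.test"),  # different CDN, cloud IP
    "cdn.other.test": ("A", "203.0.113.90"),
    "loop-a.test": ("CNAME", "loop-b.test"),
    "loop-b.test": ("CNAME", "loop-a.test"),
    "dangling.test": ("CNAME", "gone.cdn-front.test"),
}


def resolve_chain(name: str, pdns: Dict[str, Tuple[str, str]],
                  max_hops: int = 8) -> Tuple[List[str], Optional[str]]:
    """Follow CNAMEs from `name` until an A record.
    Returns (hostnames visited in order, terminal IP or None).
    None means a dangling CNAME, a CNAME loop, or more than max_hops hops."""
    chain, seen, cur = [name], {name}, name
    for _ in range(max_hops):
        rec = pdns.get(cur)
        if rec is None:
            return chain, None  # dangling: target never observed in the snapshot
        rrtype, rdata = rec
        if rrtype == "A":
            return chain, rdata
        if rdata in seen:
            return chain, None  # CNAME loop
        seen.add(rdata)
        chain.append(rdata)
        cur = rdata
    return chain, None


def cloud_owner(ip: str) -> Optional[str]:
    """Name of the prefix set containing `ip`, or None if it is not cloud-hosted."""
    addr = ipaddress.ip_address(ip)
    for owner, nets in CLOUD_PREFIXES.items():
        if any(addr in net for net in nets):
            return owner
    return None


def find_cdn_fronted_cloud(pdns: Dict[str, Tuple[str, str]], cdn_suffix: str) -> List[dict]:
    """Customer names (not themselves inside the CDN namespace) whose chain
    passes through the CDN and ends at a cloud-owned address."""
    hits: List[dict] = []
    for name in pdns:
        if name.endswith(cdn_suffix):
            continue  # CDN's own nodes are not customers
        chain, ip = resolve_chain(name, pdns)
        if ip is None:
            continue
        via_cdn = any(host.endswith(cdn_suffix) for host in chain[1:])
        owner = cloud_owner(ip)
        if via_cdn and owner:
            hits.append({"name": name, "cdn_node": chain[-1], "ip": ip, "cloud": owner})
    return sorted(hits, key=lambda h: h["name"])


if __name__ == "__main__":
    for hit in find_cdn_fronted_cloud(PDNS, ".cdn-front.test"):
        print(hit)
```

Run against two snapshots a few weeks apart, the set of terminal IPs per CDN node is what changes when the provider takes addresses down and the operator rents new ones; diffing those terminal IPs is the simplest way to watch the churn the research describes.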