Infostealer logs from 2024 allegedly expose Funnull backend access and a separate Gate.us compliance infiltration.
Polyfill.io, Funnull, Lumma Stealer, supply chain compromise, DPRK IT workers, cloud account takeover
Affected vendor / product: Websites embedding Polyfill.io (and related CDN domains); cloud and SaaS admin surfaces used to manage those domains
Primary issue: Web supply-chain compromise plus alleged insider-style access via synthetic identities
Exploitation status: Polyfill.io compromise observed in the wild (June 2024); domain-level mitigations followed, but residual exposure persists via embedded references and related infrastructure
Confidence level: Polyfill.io compromise (High); Funnull linkage (High); DPRK attribution in the Hudson Rock report (Moderate)
Severity: High (mass exposure + privileged account implications)
Publication context: New reporting based on retrospective 2024 infostealer artefacts
Executive Summary
Hudson Rock claims it has identified a North Korea-linked operator behind the 2024 Polyfill.io web supply-chain attack after the operator’s own Windows workstation was infected with Lumma Stealer (LummaC2), leaking credentials, browser history, and translation telemetry. (InfoStealers)
The Polyfill.io incident was a high-impact supply-chain compromise affecting at least 100,000 websites, with other estimates running substantially higher depending on measurement method (websites vs hosts embedding the script). (Sansec)
Beyond Polyfill.io, Hudson Rock further alleges the same operator infiltrated Gate.us under a synthetic identity and gained visibility into AML/KYC implementation details via vendor interactions and internal documentation. This portion of the claim has not been publicly confirmed by Gate.us or the named vendors and should be treated as unverified external reporting. (InfoStealers)
Context
In June 2024, Sansec and others reported that Polyfill.io had been weaponised to serve malicious JavaScript, enabling traffic redirection and payload delivery to visitors of sites that embedded the library. (Sansec)
Cloudflare responded with automatic rewriting of Polyfill.io references to a safe mirror for sites on its platform, and public guidance to remove Polyfill.io dependencies entirely. (The Cloudflare Blog)
The broader ecosystem impact was significant. c/side reported hundreds of thousands of websites “targeted” (a different metric to Sansec’s impacted-site count), while Censys-based reporting indicated hundreds of thousands of hosts continued to embed Polyfill references after initial disclosure. (cside)
Separately, the U.S. Treasury sanctioned Funnull Technology Inc. in May 2025, stating Funnull purchased a web-developer code repository and maliciously altered it to redirect visitors from legitimate websites to scam and gambling properties. (U.S. Department of the Treasury)
Technical Analysis
How the Hudson Rock attribution is supposed to work
Hudson Rock’s core assertion is that a Lumma Stealer infection on the operator’s machine in August 2024 exfiltrated:
- Credentials for a Funnull DNS management portal (developer/admin access)
- Credentials for the Polyfill Cloudflare tenant (admin access to the weaponised domain)
- Browser history and Google Translate telemetry showing discussions and operational activity around Polyfill-related domain and DNS changes (InfoStealers)
Hudson Rock further states that external threat intelligence corroborated infrastructure overlap between the Funnull DNS portal domains and Funnull-hosted infrastructure via reverse PTR relationships, citing confirmation from an Infoblox researcher. This corroboration supports infrastructure linkage, but does not independently prove operator identity or tasking. (InfoStealers)
Why LummaC2 matters here
Lumma Stealer (LummaC2) is a widely used malware-as-a-service infostealer known for harvesting browser-stored credentials and other sensitive data. Microsoft describes it as an infostealer MaaS and tracks its developer/maintainer as Storm-2477. (microsoft.com)
The FBI and CISA note LummaC2 has been active across multiple U.S. critical infrastructure sectors, is commonly delivered via phishing and fake software, and exfiltrates credentials, financial data, crypto wallets, browser extensions and MFA details.
MITRE ATT&CK tracks Lumma Stealer as S1213 and documents its credential theft from web browsers among other behaviours. (MITRE ATT&CK)
The Gate.us infiltration claim (unverified externally)
Hudson Rock alleges the operator held a privileged role at Gate.us using a synthetic persona, accessed compliance tooling, and used translated internal communications and documentation to understand AML/KYC implementation details. This activity, if accurate, fits a pattern of DPRK “IT worker” operations that blend revenue generation, access brokerage, and targeted intelligence collection. (InfoStealers)
Impact Assessment
Web supply-chain exposure: The Polyfill.io compromise demonstrated how third-party script dependencies can create cross-site blast radius when a shared library is modified server-side. Even after takedowns and rewrites, long-lived embedded references and “set-and-forget” dependencies sustain risk in the long tail of the internet. (Sansec)
Privileged account risk: Hudson Rock’s reporting underscores that cloud admin credentials (for DNS/CDN control planes) are high-leverage targets. Compromise at this layer enables domain routing changes, script injection, and traffic steering at scale, often without touching the victim organisations directly. (InfoStealers)
Insider-style access via synthetic identities: If the Gate.us claims are accurate, they highlight a strategic risk: adversaries embedding into compliance and engineering workflows to learn detection thresholds and operational processes, not just steal credentials. Unit 42 has separately documented the increasing sophistication of DPRK synthetic identity operations, including deepfake-enabled interviewing. (Unit 42)
Threat Intelligence Context
| Tactic | Technique ID | Technique name | Observed behaviour |
|---|---|---|---|
| Initial Access | T1195.002 (MITRE ATT&CK) | Compromise Software Supply Chain | Polyfill.io CDN/library weaponised to deliver malicious script to downstream websites (Sansec) |
| Credential Access | T1555.003 (MITRE ATT&CK) | Credentials from Web Browsers | LummaC2 theft of browser-stored secrets (basis for Hudson Rock’s recovered portal credentials) |
| Defence Evasion | T1036 (MITRE ATT&CK) | Masquerading | LummaC2 delivery via “fake popular software” is explicitly noted by FBI/CISA |
| Initial Access / Persistence | T1078 (MITRE ATT&CK) | Valid Accounts | Hudson Rock alleges abuse of valid cloud/SaaS accounts for DNS/CDN administration (InfoStealers) |
Indicators of Compromise
The following are drawn from named sources and include historical domains that may no longer resolve. Vet before blocking to avoid unintended impact.
| Type | Value | Context / Notes | Source | Confidence |
|---|---|---|---|---|
| Domain | cdn.polyfill.io | Known compromised Polyfill script delivery domain (June 2024) | Sansec research (Sansec) | Confirmed (historical) |
| Domain | polyfill.io | Recommended for removal; Cloudflare implemented rewriting to a safe mirror | Cloudflare guidance (The Cloudflare Blog) | Confirmed (historical) |
| Domain | bootcdn.net | Reported by Sansec as related domain used by the same actor | Sansec research (Sansec) | Likely |
| Domain | bootcss.com | Reported by Sansec as related domain used by the same actor | Sansec research (Sansec) | Likely |
| Domain | staticfile.net | Reported by Sansec as related domain used by the same actor | Sansec research (Sansec) | Likely |
| Domain | staticfile.org | Reported by Sansec as related domain used by the same actor | Sansec research (Sansec) | Likely |
| Domain | unionadjs.com | Reported by Sansec as related domain used by the same actor | Sansec research (Sansec) | Likely |
| Domain | xhsbpza.com | Reported by Sansec as related domain used by the same actor | Sansec research (Sansec) | Likely |
| Domain | union.macoms.la | Reported by Sansec as related domain used by the same actor | Sansec research (Sansec) | Likely |
| Domain | newcrbpc.com | Reported by Sansec as related domain used by the same actor | Sansec research (Sansec) | Likely |
| Domain | kk5yuzmev2qbgulz.com | Hudson Rock reports this as the base for a FunnullDNS management portal used by the operator | Hudson Rock reporting (republished) (InfoStealers) | Unconfirmed externally |
| Domain | funnullcdn.com | Root domain used in Funnull-related CNAME infrastructure (fraud ecosystem) | FBI FLASH | Confirmed (as infrastructure indicator) |
| Domain | funnull01.vip | Root domain used in Funnull-related CNAME infrastructure (fraud ecosystem) | FBI FLASH | Confirmed (as infrastructure indicator) |
Incident Response Guidance
If you operate web properties:
- Inventory and remove Polyfill.io references across templates, tag managers, plugins, and third-party JavaScript includes. Cloudflare recommends replacement with a trusted mirror where removal is not immediately possible. (The Cloudflare Blog)
- Validate third-party script integrity using Subresource Integrity (SRI) and enforce a strict Content Security Policy (CSP) to reduce the impact of unexpected script changes, where compatible with business requirements. SRI and CSP are general best practice; the Polyfill-specific mitigations are in the Cloudflare and Sansec reporting. (The Cloudflare Blog)
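As an added example (not code from the original reporting or from any cited vendor), the scan below does the inventory step for one template: it flags script references to the domains listed in the IoC table above and any other cross-origin script that carries no SRI `integrity` attribute. The sample template and the hostnames example.com and example-cdn.test are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains from the IoC table above (Polyfill.io plus the Sansec-reported related domains);
# subdomains such as cdn.polyfill.io match as well.
FLAGGED_DOMAINS = {
    "polyfill.io", "bootcdn.net", "bootcss.com", "staticfile.net", "staticfile.org",
    "unionadjs.com", "xhsbpza.com", "union.macoms.la", "newcrbpc.com",
}

def is_flagged(host):
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in FLAGGED_DOMAINS)

class ScriptAuditor(HTMLParser):
    """Collects <script src> / <link href> references and classifies the cross-origin ones."""
    def __init__(self, page_host):
        super().__init__()
        self.page_host, self.findings = page_host.lower(), []  # findings: (url, reason)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        url = a.get("src") if tag == "script" else a.get("href") if tag == "link" else None
        # urlparse copes with protocol-relative "//host/path" (common in old templates);
        # a same-origin path such as /static/app.js has no hostname and is skipped.
        host = urlparse(url).hostname if url else None
        if not host or host == self.page_host:
            return
        if is_flagged(host):
            self.findings.append((url, "flagged-domain"))
        elif tag == "script" and "integrity" not in a:
            # Cross-origin script with no SRI hash: a server-side change reaches visitors unchecked.
            self.findings.append((url, "missing-sri"))

def audit_html(html, page_host):
    """Return [(url, reason), ...] for a template served from page_host."""
    auditor = ScriptAuditor(page_host)
    auditor.feed(html)
    auditor.close()
    return auditor.findings

# Constructed sample template, not a real site.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js"></script>
<script src="//cdn.bootcss.com/jquery/3.6.0/jquery.min.js"></script>
<script src="https://cdn.example-cdn.test/lib.js"></script>
<script src="https://cdn.example-cdn.test/pinned.js" integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="/static/app.js"></script>
</head></html>"""
```

A "missing-sri" finding on a service that tailors its response per user agent, as Polyfill.io did, cannot be fixed by adding a hash, since no single hash matches every response; that is why removal or a pinned copy comes first.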
If you operate cloud admin surfaces (DNS/CDN/SaaS):
- Treat infostealer exposure as a credential-compromise event: rotate secrets, invalidate sessions, and review audit logs for administrative actions (DNS changes, worker/script deployments, access-token creation).
- Enforce phishing-resistant MFA for admin accounts and restrict admin access by device posture and conditional access. FBI/CISA guidance on LummaC2 focuses on reducing likelihood and impact via layered controls and continuous testing against mapped ATT&CK behaviours.
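The audit-log review from the first bullet, as an added example that is not part of the original guidance: it pulls the action classes the bullet names (DNS changes, script deployments, access-token creation) out of a control-plane audit log, limited to the window after the suspected exposure. The action names, accounts and log lines are constructed for this example and do not follow any vendor's real schema.

```python
import json
from datetime import datetime

# Hypothetical audit action names (constructed for this example, not any vendor's real
# schema), mapped to why each matters once DNS/CDN admin credentials may sit in an infostealer log.
WATCHLIST = {
    "dns.record.create": "domain routing change",
    "dns.record.update": "domain routing change",
    "worker.script.deploy": "edge script deployment (reaches every visitor)",
    "api_token.create": "new long-lived access path that survives a password reset",
    "account.member.add": "new administrative principal",
}

def parse_ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def triage_audit_log(lines, exposure_ts, exposed_accounts):
    """Return watchlisted admin actions at or after exposure_ts, oldest first.

    Every watchlisted action after exposure is returned, not only those by the exposed
    accounts: a new member or token created with stolen credentials acts under its own identity.
    """
    exposure = parse_ts(exposure_ts)
    hits = []
    for line in lines:
        e = json.loads(line)
        why = WATCHLIST.get(e["action"])
        if why is None or parse_ts(e["ts"]) < exposure:
            continue
        hits.append({"ts": e["ts"], "actor": e["actor"], "action": e["action"],
                     "resource": e["resource"], "why": why,
                     "by_exposed_account": e["actor"] in exposed_accounts})
    hits.sort(key=lambda h: parse_ts(h["ts"]))  # logs are not always delivered in order
    return hits

# Constructed sample audit log (JSON lines), not real telemetry. The exposure date
# mirrors the August 2024 infection window described in the report.
SAMPLE_LOG = [
    '{"ts":"2024-08-10T09:00:00Z","actor":"admin@example.test","action":"dns.record.update","resource":"www A"}',
    '{"ts":"2024-08-20T07:30:00Z","actor":"admin@example.test","action":"user.login","resource":"console"}',
    '{"ts":"2024-08-21T02:14:00Z","actor":"admin@example.test","action":"api_token.create","resource":"token/dns-edit"}',
    '{"ts":"2024-08-21T02:12:00Z","actor":"admin@example.test","action":"dns.record.update","resource":"cdn CNAME"}',
    '{"ts":"2024-08-22T11:00:00Z","actor":"svc-deploy@example.test","action":"worker.script.deploy","resource":"worker/site-router"}',
]

if __name__ == "__main__":
    for h in triage_audit_log(SAMPLE_LOG, "2024-08-15T00:00:00Z", {"admin@example.test"}):
        print(h["ts"], h["actor"], h["action"], "->", h["why"])
```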
If you suspect DPRK IT worker-style infiltration:
- Strengthen hiring and onboarding verification, including liveness checks and identity validation, and implement continuous access evaluation for contractors and remote workers. Unit 42 provides practical detection strategies for synthetic-identity tactics. (Unit 42)
Mitigation Recommendations
- Prioritise removal of Polyfill.io and related domains from web estates and dependencies, even if the immediate domain threat appears reduced, because embedded references persist and can reintroduce risk if control changes again. (Sansec)
- Reduce infostealer blast radius by discouraging browser password storage on corporate endpoints, tightening execution controls for “installer” files from untrusted sources, and monitoring for credential-store access patterns consistent with infostealers.
- Monitor for Funnull-linked infrastructure patterns (notably CNAME root domains highlighted by the FBI) if you run abuse, brand-protection, or fraud operations, and coordinate with hosting/CDN providers for takedown where appropriate.
Further Reading
- Hudson Rock reporting (republished): Lumma Stealer telemetry linking Polyfill.io and Gate.us claims (InfoStealers)
- Independent coverage: SecurityWeek summary of Hudson Rock’s findings (SecurityWeek)
- Primary incident research: Sansec investigation into the Polyfill.io supply-chain compromise (Sansec)
- Mitigation action: Cloudflare’s Polyfill.io rewrite and removal guidance (The Cloudflare Blog)
- LummaC2 defensive guidance: FBI and CISA joint advisory (AA25-141B)
- Funnull ecosystem context: U.S. Treasury OFAC sanctions statement and FBI FLASH infrastructure indicators (U.S. Department of the Treasury)
- DPRK synthetic identity tradecraft: Unit 42 reporting on deepfake-enabled infiltration (Unit 42)
