A suspected cyber espionage exercise cluster that was beforehand discovered concentrating on international authorities and personal sector organizations spanning Africa, Asia, North America, South America, and Oceania has been assessed to be a Chinese language state-sponsored menace actor.
Recorded Future, which was monitoring the exercise beneath the moniker TAG-100, has now graduated it to a hacking group dubbed RedNovember. It is also tracked by Microsoft as Storm-2077.
“Between June 2024 and July 2025, RedNovember (which overlaps with Storm-2077) focused perimeter home equipment of high-profile organizations globally and used the Go-based backdoor Pantegana and Cobalt Strike as a part of its intrusions,” the Mastercard-owned firm mentioned in a report shared with The Hacker Information.
“The group has expanded its concentrating on remit throughout authorities and personal sector organizations, together with protection and aerospace organizations, area organizations, and regulation corporations.”
Among the possible new victims of the menace actor embrace a ministry of overseas affairs in central Asia, a state safety group in Africa, a European authorities directorate, and a Southeast Asian authorities. The group can also be believed to have breached two no less than two United States (US) protection contractors, a European engine producer, and a trade-focused intergovernmental cooperation physique in Southeast Asia.
RedNovember was first documented by Recorded Future over a yr in the past, detailing its use of the Pantegana post-exploitation framework and Spark RAT following the weaponization of identified safety flaws in a number of internet-facing perimeter home equipment from Verify Level (CVE-2024-24919), Cisco, Citrix, F5, Fortinet, Ivanti, Palo Alto Networks (CVE-2024-3400), and SonicWall for preliminary entry.
The give attention to concentrating on safety options comparable to VPNs, firewalls, load balancers, virtualization infrastructure, and e-mail servers mirrors a development that has been more and more adopted by different Chinese language state-sponsored hacking teams to interrupt into networks of curiosity and preserve persistence for prolonged durations of time.
A noteworthy side of the menace actor’s tradecraft is using Pantegana and Spark RAT, each of that are open-source instruments. The adoption is probably going an try to repurpose present applications to their benefit and confuse attribution efforts, a trademark of espionage actors.
The assaults additionally contain using a variant of the publicly out there Go-based loader LESLIELOADER to launch Spark RAT or Cobalt Strike Beacons on compromised gadgets.
RedNovember is alleged to utilize VPN providers like ExpressVPN and Warp VPN to manage and join to 2 units of servers which might be used for exploitation of internet-facing gadgets and talk with Pantegana, Spark RAT, and Cobalt Strike, one other authentic program that has been broadly abused by dangerous actors.
Between June 2024 and Could 2025, a lot of the hacking group’s concentrating on efforts have been centered on Panama, the U.S., Taiwan, and South Korea. As lately as April 2025, it has been discovered to focus on Ivanti Join Safe home equipment related to a newspaper and an engineering and army contractor, each based mostly within the U.S.
Recorded Future mentioned it additionally recognized the adversary possible concentrating on the Microsoft Outlook Internet Entry (OWA) portals belonging to a South American nation earlier than that nation’s state go to to China.
“RedNovember has traditionally focused a various vary of nations and sectors, suggesting broad and altering intelligence necessities,” the corporate famous. “RedNovember’s exercise up to now has primarily centered on a number of key geographies, together with the US, Southeast Asia, the Pacific area, and South America.”
Elevate your perspective with NextTech Information, the place innovation meets perception.
Uncover the most recent breakthroughs, get unique updates, and join with a world community of future-focused thinkers.
Unlock tomorrow’s developments right now: learn extra, subscribe to our publication, and grow to be a part of the NextTech neighborhood at NextTech-news.com
