Chinese state-sponsored hacker group RedDelta targeting organizations within Europe, Southeast Asia


Cybersecurity firm Recorded Future’s Insikt Group continues to track activity attributed to the likely Chinese state-sponsored threat activity group RedDelta targeting organizations within Europe and Southeast Asia using a customized variant of the PlugX backdoor. The activity was identified through a combination of large-scale automated network traffic analytics and expert analysis. 

“Since at least 2019, RedDelta has been consistently active within Southeast Asia, particularly in Myanmar and Vietnam, but has also routinely adapted its targeting in response to global geopolitical events,” Recorded Future wrote in a post on Friday. “This is historically evident through the group’s targeting of the Vatican and other Catholic organizations in the lead-up to 2021 talks between Chinese Communist Party (CCP) and Vatican officials, as well as throughout 2022 through the group’s shift towards increased targeting of European government and diplomatic entities following Russia’s invasion of Ukraine,” it added.

The post added that RedDelta closely overlaps with public industry reporting under the aliases BRONZE PRESIDENT, Mustang Panda, TA416, Red Lich, and HoneyMyte.

The Recorded Future post said that RedDelta has consistently conducted long-term cyber-espionage campaigns in line with the strategic interests of the Chinese government, including historical targeting of government and public sector organizations across Asia and Europe as well as overseas organizations associated with minority groups within mainland China such as Tibetan and Catholic Church-related entities.

Recorded Future additionally identified probable victim entities within Myanmar and Vietnam regularly communicating with RedDelta C2 infrastructure.

Despite the volume of public reporting on the group’s activity, RedDelta employs a high operational tempo relative to other state-sponsored actors, according to the post. “The group also maintains a rapid pace of development for its flagship backdoor (remote access trojan [RAT]), a variant of the long-running backdoor PlugX that is heavily customized for anti-analysis for detection evasion,” it added.

In November this year, RedDelta hackers shifted from using archive files to using malicious optical disc image (ISO) files containing a simplified shortcut (LNK) file for delivery of an updated PlugX payload.

Recorded Future said that during the three-month period from September through November this year, RedDelta regularly used an infection chain employing malicious shortcut (LNK) files, which trigger a dynamic-link library (DLL) search-order-hijacking execution chain to load consistently updated PlugX versions. “Throughout this period, the group repeatedly employed decoy documents specific to government and migration policy within Europe.”
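The ISO-plus-LNK delivery described above ends in a DLL search-order hijack: a shortcut launches an executable from the mounted image, and that executable picks up a DLL sitting beside it instead of the one it expected. The following detection sketch is an added example written for this article, not code from Recorded Future or from any PlugX sample. It correlates process-creation and image-load events and flags a process that loads a DLL from its own directory outside trusted install paths, with extra weight when the volume is optical or removable media, the parent is explorer.exe (a double-clicked shortcut), or a signed host loads an unsigned DLL. The key=value line format, the field names (modelled loosely on Sysmon Event IDs 1 and 7), the "Volume" field and the sample events are all constructed for this example.

```python
"""Flag a process-create / image-load sequence consistent with DLL
search-order hijacking launched from a mounted ISO via a shortcut (LNK).

Example code added to this article; not Recorded Future's tooling. The
key=value log format, the Sysmon-like field names and the "Volume" field are
assumptions of this example, and SAMPLE_EVENTS below are constructed."""

import ntpath
import re

# Directories where an executable loading a DLL from its own folder is normal.
TRUSTED_DIR_PREFIXES = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# A mounted ISO appears as an optical drive; removable media is treated alike.
SUSPICIOUS_VOLUMES = {"cdrom", "removable"}

KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line):
    """Parse one constructed key="value" log line into a dict."""
    return dict(KV_RE.findall(line))


def is_trusted_dir(path):
    return path.lower().startswith(TRUSTED_DIR_PREFIXES)


def detect_sideload_chain(lines):
    """Return findings as (pid, exe, dll, reasons) for suspicious sibling-DLL loads."""
    procs = {}      # pid -> its process-create event (EventId 1)
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventId") == "1":
            procs[ev["ProcessId"]] = ev
            continue
        if ev.get("EventId") != "7":
            continue
        proc = procs.get(ev["ProcessId"])
        if proc is None:
            continue
        exe, dll = proc["Image"], ev["ImageLoaded"]
        same_dir = ntpath.dirname(exe).lower() == ntpath.dirname(dll).lower()
        # Only a sibling DLL loaded by a program outside trusted paths is interesting.
        if not same_dir or is_trusted_dir(exe):
            continue
        reasons = ["DLL loaded from the executable's own directory outside trusted paths"]
        if proc.get("Volume", "").lower() in SUSPICIOUS_VOLUMES:
            reasons.append(f"executable runs from a {proc['Volume']} volume (mounted ISO or removable media)")
        if proc.get("ParentImage", "").lower().endswith("\\explorer.exe"):
            reasons.append("launched by explorer.exe, consistent with a double-clicked LNK")
        if proc.get("Signed", "").lower() == "true" and ev.get("Signed", "").lower() == "false":
            reasons.append("signed host executable loaded an unsigned DLL")
        findings.append((proc["ProcessId"], exe, dll, reasons))
    return findings


# Constructed sample events: pid 4120 is the suspicious chain, pid 5010 is benign.
SAMPLE_EVENTS = [
    'EventId="1" ProcessId="4120" Image="D:\\Document\\viewer.exe" ParentImage="C:\\Windows\\explorer.exe" Volume="cdrom" Signed="true"',
    'EventId="7" ProcessId="4120" ImageLoaded="D:\\Document\\helper.dll" Signed="false"',
    'EventId="1" ProcessId="5010" Image="C:\\Program Files\\Vendor\\app.exe" ParentImage="C:\\Windows\\explorer.exe" Volume="fixed" Signed="true"',
    'EventId="7" ProcessId="5010" ImageLoaded="C:\\Program Files\\Vendor\\plugin.dll" Signed="true"',
    'EventId="7" ProcessId="4120" ImageLoaded="C:\\Windows\\System32\\kernel32.dll" Signed="true"',
]

if __name__ == "__main__":
    for pid, exe, dll, reasons in detect_sideload_chain(SAMPLE_EVENTS):
        print(f"[ALERT] pid={pid} {exe} loaded {dll}")
        for r in reasons:
            print("   -", r)
```

The rule deliberately ignores sibling-DLL loads under Program Files and Windows, where they are routine, so the noise comes mostly from portable software run from user-writable or mounted locations; in practice the optical-volume and signed-host/unsigned-DLL conditions are what push a hit from "review" to "alert".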

The post also identified a European government department focused on trade communicating with RedDelta command-and-control (C2) infrastructure in early August 2022. “This activity commenced on the same day that a RedDelta PlugX sample using this C2 infrastructure and featuring an EU trade-themed decoy document surfaced on public malware repositories.”

Earlier this month, Recorded Future detailed threat activity group TAG-53’s credential harvesting infrastructure used for Russia-aligned espionage operations. The group’s activity was identified through a combination of network intelligence and analysis derived from open-source reporting.
