Newly Discovered Chinese Espionage Hacking Group Exposed

Cyberwarfare / Nation-State Attacks,
Fraud Management & Cybercrime,
Network Firewalls, Network Access Control

‘RedNovember’ Targets Organizations Across the US, Asia, and Europe

New Chinese Espionage Hacking Group Uncovered
Image: Shutterstock/ISMG

A recently identified hacking group linked to widespread compromises of internet-facing edge devices has been assessed as likely state-sponsored by China, according to cybersecurity firm Recorded Future. The group, initially tracked as TAG-100, was first observed during a wave of cyber espionage activity beginning in July 2024 and is now tracked as RedNovember.

Recorded Future’s analysis categorizes RedNovember as a group likely sponsored by the Chinese government, noting that its operations align with Beijing’s strategic goals of increasing geopolitical leverage and military preparedness. According to Alexander Leslie, the national security and intelligence lead at Recorded Future’s Insikt Group, RedNovember exemplifies China’s use of cyber capabilities as a tool for expanding its influence.

The group targeted some 30 organizations in Panama during a high-profile visit by U.S. Defense Secretary Pete Hegseth, and ran operations that coincided with major military exercises around Taiwan in December 2024. The timing points to a deliberate effort to collect intelligence when it is most valuable, during critical geopolitical events.

RedNovember has shown a strong preference for compromising edge devices, and its malware and infrastructure overlap with those of another Chinese threat actor, UNC5266. This reflects a broader trend in which Chinese state-aligned groups systematically exploit vulnerable network appliances to gain a foothold in corporate environments. Other tracked groups, such as UNC3886 and UNC4841, share the same focus on edge device exploitation.

Since last year the group has compromised numerous edge devices, including Cisco Adaptive Security Appliances and Fortinet devices, as well as internet-facing applications such as the 3CX communications platform and Outlook Web Access. This focus has let it reach into both government and private sector networks, including defense, aerospace, and technology firms across the U.S., Panama, Asia, and Europe.

By going through internet-facing devices, RedNovember sidesteps conventional perimeter defenses and establishes long-term access to sensitive networks. Mapped to the MITRE ATT&CK framework, the activity centers on the Initial Access tactic (exploitation of public-facing applications) followed by Persistence, a combination that lets the group remain on compromised appliances while moving into the networks behind them.
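One practical check for the pattern described above is to watch the appliances themselves: a firewall or VPN concentrator normally terminates inbound sessions and only reaches out to a short list of vendor update and licensing hosts, so an appliance that opens its own outbound sessions to arbitrary external hosts, especially on a fixed cadence, is a strong sign it has been turned into a foothold. The script below is an added example and is not code from the article or from Recorded Future; the appliance inventory, allow-list, and flow records are constructed for illustration, and the beaconing threshold is an assumption.

```python
"""Flag edge appliances that originate outbound sessions to unexpected hosts.

Added example, not part of the original article. All addresses, hostnames
and flow records are constructed; the allow-list and jitter threshold are
assumptions a defender would replace with their own data.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from statistics import pstdev

# Constructed inventory: egress addresses of the organization's edge appliances.
APPLIANCES = {
    "203.0.113.10": "fw-edge-01 (hypothetical Cisco ASA)",
    "203.0.113.11": "vpn-edge-01 (hypothetical FortiGate)",
}

# Constructed allow-list: the only external hosts an appliance should contact.
ALLOWED_DESTINATIONS = {
    "198.51.100.5",   # hypothetical vendor update service
    "198.51.100.6",   # hypothetical vendor licensing service
}

# Address space treated as internal (constructed).
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16"),
            ip_network("203.0.113.0/24")]

# Constructed flow records: "epoch_seconds src dst dport".
SAMPLE_FLOWS = """
# ts         src            dst            dport
1700000000 203.0.113.10 198.51.100.5 443
1700000300 203.0.113.10 192.0.2.77 443
1700000600 203.0.113.10 192.0.2.77 443
1700000900 203.0.113.10 192.0.2.77 443
1700001200 203.0.113.10 192.0.2.77 443
1700000100 203.0.113.11 198.51.100.6 443
1700000400 10.0.5.20 192.0.2.88 443
1700000700 203.0.113.11 192.0.2.99 8443
"""


@dataclass
class Flow:
    ts: int
    src: str
    dst: str
    dport: int


def parse_flows(lines):
    """Parse whitespace-separated flow records, skipping blanks and comments."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport = line.split()
        flows.append(Flow(int(ts), src, dst, int(dport)))
    return flows


def is_internal(addr):
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL)


def appliance_egress(flows):
    """Flows sourced from an appliance to an external, non-allow-listed host."""
    return [f for f in flows
            if f.src in APPLIANCES
            and not is_internal(f.dst)
            and f.dst not in ALLOWED_DESTINATIONS]


def beacon_candidates(flows, min_count=4, max_jitter=0.2):
    """Among suspicious appliance egress, find (src, dst, dport) tuples whose
    inter-arrival times are nearly constant. Returns {tuple: period_seconds}.
    The coefficient-of-variation threshold is an assumed tuning value."""
    groups = defaultdict(list)
    for f in appliance_egress(flows):
        groups[(f.src, f.dst, f.dport)].append(f.ts)
    found = {}
    for key, times in groups.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = sum(gaps) / len(gaps)
        if mean > 0 and pstdev(gaps) / mean <= max_jitter:
            found[key] = round(mean)
    return found


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS.splitlines())
    for f in appliance_egress(flows):
        print(f"unexpected egress: {APPLIANCES[f.src]} -> {f.dst}:{f.dport}")
    for (src, dst, dport), period in beacon_candidates(flows).items():
        print(f"beacon-like: {APPLIANCES[src]} -> {dst}:{dport} every {period}s")
```

On the constructed data, the ASA's single session to the update host is ignored, its four sessions to 192.0.2.77 on port 443 at a steady 300-second interval are reported as beacon-like, and the FortiGate's one-off session to 192.0.2.99 is reported as unexpected egress but not as a beacon. In production the same logic runs over NetFlow or firewall logs with the real appliance inventory and vendor allow-list.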

For initial access the group weaponizes publicly available proof-of-concept exploits, and once inside it deploys Pantegana, an open-source command-and-control and post-exploitation framework. It also uses a Go-based loader tracked as LESLIELOADER, which downloads the SparkRAT backdoor. Both Pantegana and SparkRAT run on multiple operating systems, which gives the group considerable operational flexibility.

Leslie points out that the group’s reliance on open-source tooling reflects a calculated approach in which low-cost, scalable methods are leveraged for significant espionage gains. RedNovember’s operations are a reminder that organizations need to harden and monitor their internet-facing devices against exactly this kind of campaign.