Cyber Web Spider Blog – News
Chinese Cyberspies Hacked US Defense Contractors

Posted on September 25, 2025 By CWS

A Chinese cyberespionage group has compromised at least two US defense contractors and various other organizations in the Americas, Europe, Asia, and Africa, cybersecurity firm Recorded Future reports.

Between July 2024 and July 2025, the threat actor, tracked as RedNovember, was seen targeting high-profile organizations globally, across government, defense, aerospace, and other industries.

For initial access, the cyberspies compromised edge devices from Cisco, F5, Fortinet, Ivanti, Palo Alto Networks, SonicWall, and Sophos, as well as Outlook Web Access (OWA) instances.

As part of the attacks, RedNovember deployed a Go-based backdoor dubbed Pantegana, offensive security tools such as Cobalt Strike and SparkRAT, and open source tools for initial access, reconnaissance, and follow-up activities.

The threat actor, Recorded Future notes, is known for using Pantegana as its command-and-control (C&C) framework, along with Cobalt Strike, and continues to rely on ExpressVPN for server administration, while also likely adopting Warp VPN for remote access to its infrastructure.

The cybersecurity firm observed the cyberespionage group targeting the OWA portals of a South American country prior to a state visit to China, and those of ministries of foreign affairs in Southeast Asia and South America.

Over the past year, the group has targeted government and diplomatic organizations in multiple countries across Africa, Asia, Europe, and South America, and is believed to have maintained long-term access to an intergovernmental organization based in Southeast Asia.

RedNovember was seen targeting prominent US aerospace and defense organizations and defense industrial base entities, as well as other global defense organizations, including a European space-focused research center.

In April 2025, the group targeted a US engineering and military contractor. While communication between the threat actor’s infrastructure and two internet-accessible ICS VPN endpoints within the organization was observed, Recorded Future did not find sufficient evidence to conclude successful compromise.

“Also in April 2025, RedNovember conducted extensive reconnaissance against an IP address range associated with a higher education institution associated with the US Navy,” the cybersecurity firm notes.

The cyberespionage group was also observed targeting private organizations, including European manufacturing companies, a global law firm, a Taiwanese IT company, two American oil and gas companies, several Fijian financial institutions, government entities, media organizations, and transportation authorities.

Other targets include an American newspaper, a US engineering and military contractor, and two South Korean scientific research and nuclear regulation institutions.

According to Recorded Future, RedNovember’s attack campaigns primarily focus on reconnaissance and the exploitation of newly disclosed vulnerabilities in edge devices, including Palo Alto Networks GlobalProtect firewalls, Ivanti Connect Secure instances, Check Point VPN gateways, Sophos UTM login portals, SonicWall SonicOS and SonicWall SSL-VPN instances, and F5 BIG-IP devices.

The cybersecurity firm believes that “RedNovember, along with other Chinese state-sponsored threat activity groups, will almost certainly continue to target edge devices and exploit vulnerabilities quickly after their release.”

Related: Cisco Patches Zero-Day Flaw Affecting Routers and Switches

Related: FBI Warns of Spoofed IC3 Website

Related: Turla and Gamaredon Working Together in Recent Ukrainian Intrusions

Related: Threat Actor Infests Hotels With New RAT
