Full Report
RedNovember, a likely Chinese state-sponsored cyber-espionage group, has targeted global government, defense, and tech sectors using advanced tools like Pantegana and Cobalt Strike. Discover the latest findings and victimology from Recorded Future’s in-depth analysis.
Analysis Summary
# Threat Actor: RedNovember (Formerly TAG-100, Overlaps with Storm-2077)
## Attribution & Identity
* **Attribution:** Highly likely a Chinese state-sponsored threat activity group conducting suspected cyber-espionage.
* **Aliases:** Previously tracked as TAG-100.
* **Associated Groups:** Overlaps with Storm-2077.
## Activity Summary
RedNovember has been active between June 2024 and July 2025, conducting cyber-espionage targeting high-profile government, intergovernmental, and private sector organizations globally. Activity observed in Taiwan and Panama occurred in close proximity to geopolitical and military events of strategic interest to China. The group has significantly broadened its targeting remit.
A specific campaign in April 2025 focused on the reconnaissance and targeting of Ivanti Connect Secure (ICS) VPN devices across multiple countries.
## Tactics, Techniques & Procedures
The group combines weaponized Proof-of-Concept (PoC) exploits with open-source post-exploitation frameworks to lower operational costs and potentially obfuscate attribution.
* **Initial Access:**
* Targeting and compromising edge devices for initial access, including SonicWall, Cisco ASA, F5 BIG-IP, Palo Alto Networks GlobalProtect, Sophos SSL VPN, Fortinet FortiGate instances, Outlook Web Access (OWA) instances, and Ivanti Connect Secure (ICS) VPN appliances.
* Exploiting Public-Facing Applications ([T1190]).
* Spearphishing Attachment ([T1566.001]).
* **Execution:**
* User Execution: Malicious Link ([T1204.001]).
* User Execution: Malicious File ([T1204.002]).
* **Command and Control (C2):**
* Reliance on Pantegana (Go-based backdoor) and Cobalt Strike.
* Use of open-source backdoor SparkRAT.
* Communication via Application Layer Protocol: Web Protocols ([T1071.001]).
* Use of Non-Standard Port ([T1571]).
* **Resource Development:**
* Acquire Infrastructure: Virtual Private Server ([T1583.003]).
* **Reconnaissance:**
* Gather Victim Network Information: Network Security Appliances ([T1590.006]).
## Targeting
* **Sectors:** Government, Defense, Technology, Aerospace organizations, Space organizations, Law firms, US Defense Industrial Base (DIB), and specialized engineering/military contractors.
* **Geography:** Global. Specific examples mentioned include Central Asia, Africa, Europe, Southeast Asia, Taiwan, and Panama.
* **Victims:** A ministry of foreign affairs (Central Asia), a state security organization (Africa), a European government directorate, a trade-focused intergovernmental cooperation body (Southeast Asia), at least two United States (US) defense contractors, a European engine manufacturer, a major US newspaper, and a specialized US engineering and military contractor.
## Tools & Infrastructure
* **Malware Families Used:**
* Pantegana (Open-source, multi-platform Go backdoor).
* Cobalt Strike (Used for post-exploitation).
* SparkRAT (Open-source backdoor).
* LESLIELOADER (Mentioned in an associated YARA rule).
* **Infrastructure (C2, domains, IPs):**
* No specific C2 domains or IPs are detailed in the available text; none are listed here.
## Implications
RedNovember exemplifies a trend among state-sponsored actors of leveraging open-source tools and weaponized PoC exploits to maintain operations at scale while potentially lowering detection risk or increasing attribution obfuscation. Their focus on widely deployed perimeter devices (VPNs, firewalls) indicates that internet-facing infrastructure remains a primary initial access vector for espionage operations, and that its exposure is a critical and persistent weakness.
## Mitigations
* Focus heightened security monitoring and patching efforts on perimeter devices such as VPNs, firewalls, load balancers, virtualization infrastructure, and email servers (including SonicWall, Cisco ASA, F5 BIG-IP, Palo Alto GlobalProtect, Sophos SSL VPN, Fortinet FortiGate, OWA, and Ivanti Connect Secure).
* Implement strict defenses against spearphishing and exploitation of public-facing applications.
* Monitor for the use of common open-source post-exploitation frameworks like Pantegana and Cobalt Strike.
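As an added illustration of the last mitigation (example code written for this summary, not tooling from Recorded Future or the report), the script below runs two checks over constructed flow records that a defender could apply to perimeter-device egress logs: web-protocol traffic leaving an edge appliance on a non-standard port (T1071.001 with T1571), and connection tuples whose intervals are near-constant, which is the beaconing pattern typical of frameworks such as Cobalt Strike and Pantegana. The log format, host names, IPs and the edge-device inventory are all assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample flow records (hypothetical, not from the report):
# "<ISO timestamp> <source host> <destination IP> <dest port> <detected app>"
SAMPLE_FLOWS = [
    "2025-04-02T10:00:00Z vpn-gw-01 203.0.113.10 8443 http",
    "2025-04-02T10:03:00Z vpn-gw-01 198.51.100.5 443 tls",
    "2025-04-02T10:05:00Z vpn-gw-01 203.0.113.10 8443 http",
    "2025-04-02T10:07:00Z workstation-7 203.0.113.20 8080 http",
    "2025-04-02T10:10:02Z vpn-gw-01 203.0.113.10 8443 http",
    "2025-04-02T10:14:59Z vpn-gw-01 203.0.113.10 8443 http",
    "2025-04-02T10:20:00Z fw-edge-02 198.51.100.7 80 http",
]
EDGE_HOSTS = {"vpn-gw-01", "fw-edge-02"}   # assumed inventory of perimeter appliances
STANDARD_WEB_PORTS = {80, 443}
WEB_APPS = {"http", "tls"}

def parse_flow(line):
    """Split one constructed log line into a dict with a timezone-aware timestamp."""
    ts, src, dst, dport, app = line.split()
    ts = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "app": app}

def nonstandard_web_from_edge(lines):
    """T1071.001 + T1571: web-protocol egress from an edge device on a non-standard port."""
    hits = set()
    for f in map(parse_flow, lines):
        if (f["src"] in EDGE_HOSTS and f["app"] in WEB_APPS
                and f["dport"] not in STANDARD_WEB_PORTS):
            hits.add((f["src"], f["dst"], f["dport"]))
    return sorted(hits)

def regular_beacons(lines, min_hits=3, jitter_s=10):
    """Flag (src, dst, port) tuples whose inter-connection gaps vary by at most jitter_s.
    Returns [((src, dst, port), mean_interval_seconds), ...]."""
    buckets = defaultdict(list)
    for f in map(parse_flow, lines):
        buckets[(f["src"], f["dst"], f["dport"])].append(f["ts"])
    flagged = []
    for key, stamps in buckets.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if len(stamps) >= min_hits and max(gaps) - min(gaps) <= jitter_s:
            flagged.append((key, round(sum(gaps) / len(gaps))))
    return flagged
```

Both checks are noisy on their own; the tuple that trips both (an edge appliance talking HTTP to one external host on 8443 every five minutes) is the one worth triaging first.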