In July 2024, Recorded Future’s Insikt Group publicly exposed TAG-100, a cyber-espionage campaign leveraging the Go-based backdoor Pantegana against high-profile government, intergovernmental and private organizations worldwide.
New evidence now attributes TAG-100 to a Chinese state-sponsored threat actor, designated RedNovember.
Between June 2024 and July 2025, RedNovember—overlapping with Storm-2077—has expanded its operations to target perimeter appliances and VPN solutions, deploying Pantegana and Cobalt Strike to establish persistence.
Recorded Future Network Intelligence identifies likely victims including ministries of foreign affairs in Central Asia and Southeast Asia, a state security organization in Africa, a European government directorate, two U.S. defense contractors, a European engine manufacturer and a trade-focused intergovernmental body in Southeast Asia.
RedNovember continues to rely on open-source and commodity C2 frameworks—Pantegana, Cobalt Strike and SparkRAT—to conduct reconnaissance, initial access and probable compromise.
The group has broadened its targeting to include the U.S. Defense Industrial Base and European space and aerospace organizations through spearphishing and exploitation campaigns.
Edge devices—firewalls, VPNs, load balancers and email servers—remain the primary initial access vector.
In April 2025, RedNovember mounted a focused campaign against Ivanti Connect Secure VPN appliances, scanning targets such as a major U.S. newspaper and a specialized engineering and military contractor.
Several intrusions coincided with geopolitical events of strategic interest to China, including military drills around Taiwan in December 2024 and U.S. diplomatic visits to Panama in April 2025.
Previously tracked as TAG-100, RedNovember exploits internet-facing devices to achieve large-scale initial footholds, then leverages Pantegana and Cobalt Strike for post-exploitation activity.
The group’s strategic use of publicly available PoC exploits and open-source backdoors lowers operational costs and obscures attribution.
RedNovember exemplifies a broader trend among Chinese state-sponsored actors targeting security appliances to scale access ahead of more selective, follow-on campaigns.
Insikt Group’s telemetry confirms continued use of Pantegana and Cobalt Strike, administered via ExpressVPN and potentially other commercial VPNs.
Two Go-based loaders (LESLIELOADER) were observed sideloading SparkRAT and Cobalt Strike Beacon in memory, with servers hosted on ALIBABA-CN-NET.
RedNovember also employed malicious Word and PDF lures exploiting the Follina flaw (CVE-2022-30190) to deliver LESLIELOADER, masquerading as VMware security patches.
Victimology and Targeting
RedNovember’s victims span government, defense, aerospace, legal and technology sectors. Notable incidents include:

- A Panamanian government-wide reconnaissance wave in April 2025, scanning over 30 ministries following U.S. diplomatic engagements.
- December 2024 activity targeting Taiwan Air Force-related infrastructure during China’s military exercises around the island.
- Multiple U.S. DIB and space research entities subjected to port scans and VPN exploit attempts.
- Compromise of a Taiwanese IT company and U.K.-based defense contractors via SonicWall SSL VPN and F5 BIG-IP appliances.
Mitigations
Organizations should integrate threat intelligence to detect Pantegana and SparkRAT C2 domains in real time, prioritize patching of high-risk RCE vulnerabilities in perimeter devices and enforce strict access controls on VPN and firewall management interfaces.
Network segmentation, multi-factor authentication and enhanced logging on edge devices are critical to detecting and responding to post-exploitation activities.
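The mitigation guidance above is easier to act on with concrete detection logic. The following is an added example, not code from the article or from Recorded Future: a small triage script that applies three of the recommended checks to edge-device logs, namely matching DNS queries against a threat-intelligence indicator feed, flagging logins to VPN/firewall management interfaces from outside an admin allowlist, and surfacing scan-like behaviour where one source touches many ports. The log format, the indicator domains, the admin subnet and every log line are constructed placeholders (documentation IP ranges and `.test` names), not indicators from the report.

```python
"""Added example (not from the article or Recorded Future): triage of
constructed edge-device log lines against the article's mitigation advice.
All indicators, subnets and log lines here are placeholders, not real IoCs."""
import ipaddress
import re
from collections import defaultdict

# Constructed placeholder indicator feed (hypothetical C2 domains).
C2_DOMAINS = {"c2.example-placeholder.test", "update.example-placeholder.test"}
# Constructed admin subnet allowed to reach management interfaces.
ADMIN_ALLOWLIST = [ipaddress.ip_network("10.10.0.0/24")]
# A single source touching this many distinct ports is treated as a scan.
SCAN_PORT_THRESHOLD = 10

# Hypothetical log shape: "<ts> <device> <DNS|MGMT_LOGIN|CONN> key=value ..."
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<dev>\S+) (?P<kind>DNS|MGMT_LOGIN|CONN) (?P<rest>.*)$")


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rest = rec.pop("rest")
    rec.update(kv.split("=", 1) for kv in rest.split() if "=" in kv)
    return rec


def domain_matches_feed(qname):
    """True if the queried name, or any parent domain of it, is on the feed."""
    labels = qname.rstrip(".").lower().split(".")
    candidates = {".".join(labels[i:]) for i in range(len(labels))}
    return bool(candidates & C2_DOMAINS)


def analyze(lines):
    """Return a list of (alert_type, source, detail) tuples for the given log lines."""
    alerts = []
    ports_by_src = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["kind"] == "DNS":
            qname = rec["qname"].rstrip(".").lower()
            if domain_matches_feed(qname):
                alerts.append(("c2_domain", rec["src"], qname))
        elif rec["kind"] == "MGMT_LOGIN":
            # Any management-interface login from outside the admin subnet is an alert,
            # whether or not the login succeeded.
            src = ipaddress.ip_address(rec["src"])
            if not any(src in net for net in ADMIN_ALLOWLIST):
                alerts.append(("mgmt_login_outside_allowlist", rec["src"], rec["user"]))
        elif rec["kind"] == "CONN":
            ports_by_src[rec["src"]].add(int(rec["dport"]))
    # Scan detection runs after the pass so the full port set per source is known.
    for src, ports in ports_by_src.items():
        if len(ports) >= SCAN_PORT_THRESHOLD:
            alerts.append(("port_scan", src, len(ports)))
    return alerts


# Constructed sample log lines (placeholder addresses from documentation ranges).
SAMPLE_LOGS = [
    "2025-04-02T10:00:01Z fw1 DNS src=10.0.5.7 qname=www.example.com.",
    "2025-04-02T10:00:02Z fw1 DNS src=10.0.5.9 qname=api.c2.example-placeholder.test.",
    "2025-04-02T10:01:00Z vpn1 MGMT_LOGIN src=10.10.0.15 user=admin result=success",
    "2025-04-02T10:01:30Z vpn1 MGMT_LOGIN src=198.51.100.23 user=admin result=success",
    "2025-04-02T10:01:45Z fw1 CONN src=10.0.5.7 dport=443 proto=tcp",
    "this line is not in the expected format",
]
SAMPLE_LOGS += [
    f"2025-04-02T10:02:{i:02d}Z fw1 CONN src=203.0.113.44 dport={p} proto=tcp"
    for i, p in enumerate([22, 443, 8443, 4433, 10443, 3389, 8080, 8000, 1194, 500, 4500])
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOGS):
        print(alert)
```

Running the block prints three alerts for the constructed input: the DNS query whose parent domain is on the feed, the management login from the placeholder external address, and the source that touched eleven distinct ports. In practice the indicator set would be refreshed from a threat-intelligence feed and the allowlist drawn from the organization's own management network; the parent-domain match is deliberate so that subdomains of a listed C2 domain are caught as well.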
RedNovember’s continued expansion across geographies and sectors underscores persistent vulnerabilities in internet-facing appliances.
Its reliance on open-source frameworks enables rapid scaling of campaigns, while intermittent shifts to commodity tools suggest a flexible operational posture.
With new exploits emerging and PoC code readily available, RedNovember—and similar state-sponsored actors—are poised to maintain aggressive targeting of edge devices. Vigilance and a defense-in-depth strategy will be essential to thwart future intrusions.