China-linked RedNovember Targeted Unpatched Edge Devices


A long-running threat campaign linked to a Chinese state-sponsored cyber-espionage group highlights the importance of patching and protecting edge devices and internet-facing assets.

RedNovember – previously tracked as TAG-100 and also overlapping with Storm-2077 – targeted unpatched web-facing assets from at least a dozen well-known IT and security vendors in a campaign tracked between June 2024 and July 2025, according to a new report from Recorded Future’s Insikt threat research group.

“RedNovember is one of multiple other Chinese state-sponsored threat groups that are increasingly achieving initial access to targets by targeting vulnerabilities in internet-facing devices, including security products,” the report warns. “Targeting internet-facing devices has proven to be an effective way for Chinese state-sponsored threat groups to scale initial access and achieve initial footholds in large numbers of organizations ahead of more targeted follow-on activity.”

Devices and Vulnerabilities Targeted by RedNovember

RedNovember has targeted government, intergovernmental, and private sector organizations around the world, the researchers said, often using the Go-based backdoor Pantegana, open-source backdoors like SparkRAT, and Cobalt Strike among its tactics. Defense, aerospace and space organizations and law firms have been among the group’s targets.

Victim organizations have included a Central Asian ministry of foreign affairs, an African state security organization, a European government directorate, a Southeast Asian government, at least two U.S. defense contractors, a European engine manufacturer, and a trade-focused intergovernmental body in Southeast Asia.

The threat group has conducted spearphishing and vulnerability exploitation attempts against Defense Industrial Base (DIB) organizations in the U.S. and space organizations in Europe. Some of the activity, including in Taiwan and Panama, “took place in close proximity to geopolitical and military events of key strategic interest to China,” the researchers said.

“We observed RedNovember reconnoitering and likely compromising edge devices for initial access,” the researchers wrote.

“RedNovember has repeatedly conducted surge targeting of specific edge devices following the disclosure of vulnerabilities and the publication of PoC exploit code for those same devices,” they added.

Devices targeted have included SonicWall, Cisco Adaptive Security Appliances (ASA), F5 BIG-IP, Palo Alto Networks GlobalProtect, Sophos SSL VPN, and Fortinet FortiGate instances, in addition to Outlook Web Access (OWA) instances and Ivanti Connect Secure (ICS) VPN appliances.

Targeted vulnerabilities identified by the researchers have included:

  • CVE-2022-30190, a remote code execution vulnerability in the Microsoft Support Diagnostic Tool (MSDT); unlike the two below, this is a client-side bug typically delivered through malicious documents, which fits the group's spearphishing rather than its edge-device activity
  • CVE-2024-3400, a command injection vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions
  • CVE-2024-24919, a Check Point Quantum Security Gateways information disclosure vulnerability

The Check Point and Palo Alto exploits closely followed the release of public proof of concept (PoC) exploits, the researchers said.
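Because both of the edge-device CVEs above were exploited within days of public PoC code, a practitioner's first question is usually whether those request shapes already appear in their own traffic. The following detector is an added example, not code from the Recorded Future report or from this article. It assumes request records captured in front of the appliance (a reverse proxy, WAF or packet capture that retains request bodies, which appliance access logs often do not), and it encodes the publicly reported exploit shapes as an assumption: for CVE-2024-3400, a GlobalProtect request whose SESSID cookie is a filesystem path with `../` components; for CVE-2024-24919, a POST to `/clients/MyCRL` whose body carries a `../` sequence. The sample records are constructed, not real traffic. A generic rule also catches traversal in any URI, including percent-encoded and double-encoded forms, which is how PoC variants tend to evade naive string matching.

```python
import re
from urllib.parse import unquote

# A ".." path component bounded by slashes (or start/end of string).
TRAVERSAL_RE = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")


def normalize(value):
    """Percent-decode up to twice (catches %252e%252e%2f) and fold backslashes to '/'."""
    out = value
    for _ in range(2):
        decoded = unquote(out)
        if decoded == out:
            break
        out = decoded
    return out.replace("\\", "/")


def has_traversal(value):
    return bool(TRAVERSAL_RE.search(normalize(value)))


def parse_cookies(header):
    """Minimal Cookie header parser: 'a=1; b=2' -> {'a': '1', 'b': '2'}."""
    jar = {}
    for part in header.split(";"):
        if "=" in part:
            name, val = part.strip().split("=", 1)
            jar[name] = val
    return jar


def classify(req):
    """Return the names of the rules that fire for one request record."""
    hits = []
    path = normalize(req.get("path", ""))
    cookies = parse_cookies(req.get("headers", {}).get("Cookie", ""))
    body = req.get("body", "")

    # Rule 1 (assumed shape of CVE-2024-3400): SESSID is an opaque token on a
    # healthy GlobalProtect portal; a value that looks like a path is hostile.
    sessid = normalize(cookies.get("SESSID", ""))
    if sessid and (has_traversal(sessid) or sessid.startswith("/")):
        hits.append("panos-sessid-traversal")

    # Rule 2 (assumed shape of CVE-2024-24919): traversal in a body sent to MyCRL.
    if path.endswith("/clients/MyCRL") and has_traversal(body):
        hits.append("checkpoint-mycrl-traversal")

    # Rule 3: traversal anywhere in the URI, whatever the product.
    if has_traversal(path):
        hits.append("generic-path-traversal")
    return hits


# Constructed sample records (hypothetical, not captured traffic).
SAMPLE_REQUESTS = [
    {"id": "benign-login", "method": "GET", "path": "/global-protect/login.esp",
     "headers": {"Cookie": "SESSID=9f2c1a7e3b"}, "body": ""},
    {"id": "panos-probe", "method": "POST", "path": "/ssl-vpn/hipreport.esp",
     "headers": {"Cookie": "SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/x"},
     "body": ""},
    {"id": "checkpoint-probe", "method": "POST", "path": "/clients/MyCRL",
     "headers": {}, "body": "aCSHELL/../../../../../../../etc/passwd"},
    {"id": "checkpoint-encoded", "method": "POST", "path": "/clients/MyCRL",
     "headers": {}, "body": "aCSHELL%2F..%2F..%2F..%2Fetc%2Fpasswd"},
]


def scan(requests=SAMPLE_REQUESTS):
    """Map each record id to the rules it triggers; empty list means clean."""
    return {r["id"]: classify(r) for r in requests}


if __name__ == "__main__":
    for rid, rules in scan().items():
        print(f"{rid:20s} {rules or 'clean'}")
```

The rules deliberately key on the structural oddity (a cookie or body used as a filesystem path) rather than on a literal PoC string, so they survive the trivial mutations that follow a PoC release; the trade-off is that Rule 3 will also fire on scanners probing unrelated products, which is still a signal worth keeping on an edge device.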

Given the range of products and vendors the researchers list, the three CVEs above are unlikely to be the only vulnerabilities the group has exploited.

RedNovember has “increasingly focused its initial access efforts on targeting edge devices, including security solutions such as VPNs, firewalls, load balancers, virtualization infrastructure, and email servers,” they said.

Chinese Threat Group Targets U.S., Taiwan, South Korea

RedNovember’s biggest targets have been organizations in the U.S., Taiwan, and South Korea, although in April 2025 it heavily targeted Panamanian government organizations, and the group has conducted operations in other global regions too.

A list of assets and targets includes:

  • A 3CX web client instance connected to the ministry responsible for museums in a western European country
  • A Zimbra Collaboration Suite server linked to a Southeast Asian country
  • A Fortinet FortiGate appliance believed to be linked to the foreign affairs ministry of an East Asian country
  • A Huawei router likely associated with a Southeast Asian government
  • An African government’s Cisco ASA appliance

In April 2025, the threat group heavily targeted Ivanti Connect Secure (ICS) VPN devices in multiple countries. Targets included a major U.S. newspaper, a specialized U.S. engineering and military contractor, and a number of Korean organizations, the researchers said.

In March 2025, the threat group targeted a European engine manufacturer’s SonicWall VPN device and login pages for the company’s F5 BIG-IP devices and VDI environment.

About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.