RedDelta, a China-linked advanced persistent threat (APT) group, has been observed deploying a customized version of the PlugX backdoor to infiltrate targets in Mongolia, Taiwan, Myanmar, Vietnam, and Cambodia. The cyber espionage operations took place between July 2023 and December 2024.
Sophisticated Lure Documents and Regional Focus
According to a new analysis from Recorded Future's Insikt Group, RedDelta leveraged well-crafted phishing documents to lure victims. These documents were themed around:
The 2024 Taiwanese presidential candidate Terry Gou
The Vietnamese National Holiday
Flood protection measures in Mongolia
Invitations to ASEAN meetings and other diplomatic events
Compromised Entities and Global Reach
Investigations indicate that RedDelta successfully breached the Mongolian Ministry of Defense in August 2024 and the Communist Party of Vietnam in November 2024. The group has also expanded its reach, targeting government agencies, diplomatic organizations, and research institutions in Malaysia, Japan, the United States, Ethiopia, Brazil, Australia, and India between September and December 2024.
RedDelta's Evolution: Advanced Tactics and Expanding Targets
Operating since at least 2012, RedDelta is also tracked under aliases such as BASIN, Bronze President, Camaro Dragon, Earth Preta, HoneyMyte, Mustang Panda (Vertigo Panda), Red Lich, Stately Taurus, TA416, and Twill Typhoon.
Recent intelligence highlights the group's refinement of its infection techniques, including the use of Visual Studio Code tunnels in espionage operations against Southeast Asian governments. This mirrors tactics seen in other China-backed espionage activity, such as Operation Digital Eye and the MirrorFace group.
Exploiting LNK, MSI, and MSC Files for Initial Infection
RedDelta's attack chain begins with spear-phishing campaigns that distribute malicious Windows Shortcut (LNK), Windows Installer (MSI), and Microsoft Management Console (MSC) files. These serve as first-stage payloads that deploy PlugX through DLL side-loading.
Some campaigns observed in late 2024 instead used phishing emails linking to HTML files hosted on Microsoft Azure, which trigger the download of an MSC payload. The MSC file then deploys an MSI installer, which in turn executes PlugX via DLL search order hijacking, a widely used defense-evasion technique.
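As an added example (not code from the Insikt Group report), the following Python heuristic runs over constructed Sysmon-style records and flags the two stages described above: mmc.exe (the MSC stage) launching msiexec.exe (the MSI stage), and an executable in a user-writable directory loading an unsigned DLL from its own folder, the side-loading pattern PlugX depends on. The field names, directory list and sample records are assumptions for illustration.

```python
"""Heuristic detector for the MSC -> MSI -> DLL side-loading chain (constructed example)."""
import ntpath

# Directories a phished user can write to; tune for your environment (assumption).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\", "\\programdata\\")

# Constructed telemetry modelled on Sysmon EID 1 (process create) and EID 7 (image load).
# "signed" is the signature status of the loaded DLL, as Sysmon reports it for EID 7.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\mmc.exe", "parent": r"C:\Windows\explorer.exe",
     "cmd": r'mmc.exe "C:\Users\u\Downloads\invite.msc"'},
    {"id": 1, "image": r"C:\Windows\System32\msiexec.exe", "parent": r"C:\Windows\System32\mmc.exe",
     "cmd": r"msiexec /i C:\Users\u\AppData\Local\Temp\x.msi /qn"},
    {"id": 7, "image": r"C:\Users\u\AppData\Roaming\Vendor\legit.exe",
     "loaded": r"C:\Users\u\AppData\Roaming\Vendor\helper.dll", "signed": False},
    {"id": 7, "image": r"C:\Program Files\Vendor\app.exe",
     "loaded": r"C:\Windows\System32\kernel32.dll", "signed": True},
]


def in_user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE)


def is_msc_to_msi(ev: dict) -> bool:
    """MSC payload (running under mmc.exe) spawning the MSI installer stage."""
    return (ev.get("id") == 1
            and ntpath.basename(ev["image"]).lower() == "msiexec.exe"
            and ntpath.basename(ev["parent"]).lower() == "mmc.exe")


def is_sideload(ev: dict) -> bool:
    """Executable in a user-writable directory loading an unsigned DLL from that same directory."""
    if ev.get("id") != 7 or ev.get("signed"):
        return False
    exe_dir = ntpath.dirname(ev["image"]).lower()
    dll_dir = ntpath.dirname(ev["loaded"]).lower()
    return exe_dir == dll_dir and in_user_writable(exe_dir)


def find_alerts(events) -> list:
    """Return (alert_kind, detail) tuples for every record matching a stage of the chain."""
    alerts = []
    for ev in events:
        if is_msc_to_msi(ev):
            alerts.append(("msc_to_msi", ev["cmd"]))
        elif is_sideload(ev):
            alerts.append(("dll_sideload", ev["loaded"]))
    return alerts


if __name__ == "__main__":
    for kind, detail in find_alerts(SAMPLE_EVENTS):
        print(f"[{kind}] {detail}")
```

On the sample data this yields one msc_to_msi alert for the msiexec launch and one dll_sideload alert for helper.dll; the kernel32.dll load from System32 is not flagged.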
RedDelta Uses Cloudflare CDN to Obfuscate C2 Traffic
A major development in RedDelta's strategy is its use of Cloudflare's content delivery network (CDN) to mask command-and-control (C2) traffic. Routing malicious communications through a legitimate CDN lets the group's C2 traffic blend in with ordinary web traffic, which complicates detection, attribution, and blocking.
Recorded Future identified 10 administrative servers communicating with two known RedDelta C2 servers, all registered under China Unicom Henan Province.
Geopolitical Motivations: Aligning with China's Strategic Interests
RedDelta's activities align with China’s geopolitical objectives, primarily targeting governments, diplomatic missions, and research institutions across Southeast Asia, Mongolia, and Europe.
The group's intensified focus on Mongolia and Taiwan is consistent with previous cyber campaigns against entities viewed as potential threats to the Chinese Communist Party (CCP).
This resurgence in Asia-focused espionage marks a return to RedDelta’s traditional attack patterns following its focus on European organizations in 2022.
Wider Cyber Espionage Landscape: Silk Typhoon and U.S. Treasury Attack
The escalation of cyber threats is further underscored by a Bloomberg report linking a recent cyberattack on the U.S. Treasury Department to another China-backed threat group, Silk Typhoon (aka Hafnium). This same group was previously responsible for the Microsoft Exchange Server (ProxyLogon) zero-day exploits in early 2021.
Conclusion: Persistent Cyber Threat from China-Linked APTs
RedDelta’s latest campaigns reinforce the growing sophistication of China-nexus cyber espionage groups. With advanced techniques, stealthy infection chains, and the use of legitimate services to disguise operations, RedDelta remains a formidable actor in the global threat landscape.