Targeted Nations and Malicious Activities
Between July 2023 and December 2024, the China-linked RedDelta threat group targeted Mongolia, Taiwan, Myanmar, Vietnam, and Cambodia, delivering a customized variant of the PlugX backdoor.
Deceptive Tactics Utilized
The group used lure documents themed around current events and figures, including 2024 Taiwanese presidential candidate Terry Gou, Vietnam’s National Day, and Mongolia’s flood protection measures, as well as invitations to an ASEAN meeting, according to analysis from Recorded Future’s Insikt Group.
Notable Breaches
Recorded Future’s monitoring indicates that RedDelta breached the Mongolian Ministry of Defense in August 2024 and the Communist Party of Vietnam in November 2024. From September to December 2024 the group also targeted entities in Malaysia, Japan, the United States, Ethiopia, Brazil, Australia, and India.
Background on the Threat Actor
RedDelta, active since at least 2012, is a Chinese state-sponsored group tracked under several other names in the security community, including BASIN, Bronze President, and Mustang Panda. The group is known for continually refining its malware delivery methods.
Evolving Infection Strategies
Recent RedDelta campaigns have featured infection chains that use Visual Studio Code tunnels, a technique also adopted by other China-linked espionage operations. The initial stage of these attacks is typically spear-phishing that delivers Windows Shortcut (LNK), Windows Installer (MSI), or Microsoft Management Console (MSC) files, which start the infection chain and ultimately deploy PlugX.
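The first-stage file types named above are easy to triage at the mail gateway. The following script is an added example, not code from the Recorded Future report or from RedDelta's tooling: it flags LNK, MSI and MSC attachments in gateway log lines and also catches two common disguises, a double extension such as `.pdf.lnk` and a Unicode bidirectional override that makes the displayed extension differ from the real one. The log format, the sender and recipient addresses, and the sample lines are constructed for illustration.

```python
import re
from pathlib import PurePosixPath

# First-stage container types used in the spear-phishing described above:
# Windows Shortcut, Windows Installer and Management Console snap-in files.
LOADER_EXTENSIONS = {".lnk", ".msi", ".msc"}

# Document extensions commonly placed in front of the real one as a disguise.
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}

# Unicode bidi-override code points; an RLO (U+202E) in a file name makes the
# displayed extension differ from the one the OS actually uses.
BIDI_OVERRIDES = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                  "\u2066", "\u2067", "\u2068", "\u2069"}

# Hypothetical gateway log format (assumption): key=value pairs, quoted file name.
LOG_RE = re.compile(r'from=(?P<sender>\S+) .*?attachment="(?P<name>[^"]+)"')


def classify_attachment(name):
    """Return a list of reasons an attachment name deserves analyst attention.
    An empty list means nothing in the name itself is suspicious."""
    reasons = []
    if any(ch in BIDI_OVERRIDES for ch in name):
        reasons.append("bidi override in file name")
    # Judge the extension the OS will act on, not the one a user sees.
    cleaned = "".join(ch for ch in name if ch not in BIDI_OVERRIDES)
    suffixes = [s.lower() for s in PurePosixPath(cleaned).suffixes]
    if suffixes and suffixes[-1] in LOADER_EXTENSIONS:
        reasons.append(f"executable container {suffixes[-1]}")
        if len(suffixes) > 1 and suffixes[-2] in DOCUMENT_EXTENSIONS:
            reasons.append(f"double extension disguised as {suffixes[-2]}")
    return reasons


def scan_log(lines):
    """Parse gateway log lines and return the attachments worth a second look."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = LOG_RE.search(line)
        if not match:
            continue  # not an attachment record; ignore
        reasons = classify_attachment(match["name"])
        if reasons:
            hits.append({"line": number, "sender": match["sender"],
                         "attachment": match["name"], "reasons": reasons})
    return hits


# Constructed sample log; addresses and subjects are invented.
SAMPLE_LOG = [
    '2024-08-12T09:14:03Z from=relief@ngo.example to=officer@mod.example '
    'attachment="Mongolia flood protection measures.pdf.lnk"',
    '2024-09-02T07:30:11Z from=office@org.example to=staff@org.example '
    'attachment="National Day schedule.docx"',
    '2024-11-05T10:02:45Z from=secretariat@org.example to=delegate@org.example '
    'attachment="ASEAN meeting invitation.msc"',
    # Real extension is .msi; the RLO makes it display as "...ism.doc".
    '2024-11-06T12:00:00Z from=hr@org.example to=all@org.example '
    'attachment="Benefits overview\u202ecod.msi"',
    '2024-12-01T08:15:22Z from=vendor@corp.example to=it@corp.example '
    'attachment="printer-driver-setup.msi"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'line {hit["line"]}: {hit["sender"]} -> {hit["attachment"]!r}: '
              + "; ".join(hit["reasons"]))
```

The script is a triage signal, not a verdict: the vendor MSI on the last line is flagged too, and an analyst still has to open the file. The point is that the decision is made on the extension the operating system will honour, after stripping bidi overrides, rather than on what the recipient sees in the client.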
Proxying Techniques for Evasion
In a notable shift, RedDelta has been observed proxying its command-and-control (C2) traffic through Cloudflare’s content delivery network, so that it blends in with legitimate CDN traffic and is harder to single out. Recorded Future tracked 10 administrative servers that connected to known RedDelta C2 servers, all on IP space registered to China Unicom in Henan Province.
Focus on Strategic Priorities
RedDelta’s activity aligns closely with Chinese strategic objectives, concentrating on governments and diplomatic entities in Southeast Asia, Mongolia, and Europe. Its recent targeting of Mongolia and Taiwan mirrors earlier operations against perceived threats to the Chinese Communist Party’s authority, and marks a return to that original focus after a shift toward European targets in 2022.