Full Report
2025-01-09 • Recorded Future • Insikt Group • win.plugx
Analysis Summary
This summary is based on the context provided, which heavily references a specific threat report concerning the actor **RedDelta**.
# Threat Actor: RedDelta
## Attribution & Identity
* **Attribution:** Chinese State-Sponsored actor.
* **Aliases and Associations:** Associated with the China-Nexus TAG-112 cluster, according to related reporting.
## Activity Summary
* RedDelta was observed targeting **Taiwan, Mongolia, and Southeast Asia**.
* The actor employed an **adapted PlugX infection chain** in recent campaigns.
* Related activity from the associated TAG-112 cluster involved compromising **Tibetan websites to distribute Cobalt Strike**.
## Tactics, Techniques & Procedures
* Use of the **PlugX** malware, specifically an adapted infection chain.
* Use of **Cobalt Strike** for post-exploitation (observed in associated TAG-112 activity).
* Website compromise as an initial access vector (observed on Tibetan websites).
## Targeting
* **Sectors:** Not explicitly detailed in the provided context snippets; state-sponsored actors of this kind traditionally target government, critical infrastructure, and political entities in the regions listed.
* **Geography:** Taiwan, Mongolia, and Southeast Asia.
* **Victims:** Tibetan websites (compromised by associated group).
## Tools & Infrastructure
* **Malware families used:** PlugX, Cobalt Strike.
* **Infrastructure:** Not specified in the provided context.
## Implications
RedDelta remains an active Chinese state-sponsored threat that uses known, sophisticated tooling (PlugX) while adapting its infection methods. Its focus on specific geopolitical regions suggests continued intelligence-gathering or disruptive objectives related to Taiwan, Mongolia, and broader Southeast Asian interests.
## Mitigations
* Monitor for indicators associated with PlugX deployment, including unexpected process execution or file writes associated with its infection chain.
* Strengthen defenses against web-based compromises, particularly for highly sensitive organizational websites (WAFs, Content Security Policy).
* Ensure robust network monitoring for the periodic C2 beaconing characteristic of Cobalt Strike usage.