Full Report
Mongolia, Taiwan, Myanmar, Vietnam, and Cambodia have been targeted by the China-nexus RedDelta threat actor to deliver a customized version of the PlugX backdoor between July 2023 and December 2024. "The group used lure documents themed around the 2024 Taiwanese presidential candidate Terry Gou, the Vietnamese National Holiday, flood protection in Mongolia, and meeting invitations, including an
Analysis Summary
# Threat Actor: RedDelta
## Attribution & Identity
China-nexus state-sponsored threat actor.
**Known Aliases and Associated Groups:** BASIN, Bronze President, Camaro Dragon, Earth Preta, HoneyMyte, Mustang Panda, Vertigo Panda (closely related), Red Lich, Stately Taurus, TA416, Twill Typhoon.
## Activity Summary
Targeting operations documented between July 2023 and December 2024, indicating a return to historical focus on Asia after 2022 activities targeting Europe. Campaigns involved spear-phishing with lure documents themed around regional political events (2024 Taiwanese presidential candidate Terry Gou, Vietnamese National Holiday), regional issues (Mongolian flood protection), and meeting invitations (ASEAN meeting). Believed to have compromised the Mongolian Ministry of Defense (August 2024) and the Communist Party of Vietnam (November 2024).
## Tactics, Techniques & Procedures
- Refined infection chains that use Windows Shortcut (.LNK), Windows Installer (.MSI), and Microsoft Management Console (.MSC) files, most likely delivered via spear-phishing.
- Deployment relies on DLL side-loading to execute the PlugX backdoor.
- Observed use of phishing emails linking to HTML files hosted on Microsoft Azure to initiate the download sequence, leading to an MSI payload that abuses a legitimate executable vulnerable to DLL search order hijacking.
- Cloudflare CDN is used to proxy command-and-control (C2) traffic so that it blends in with legitimate CDN traffic.
- Related recent attack trends referenced in the reporting include weaponizing Visual Studio Code tunnels for espionage operations.
## Targeting
- Sectors: Government and diplomatic organizations.
- Geography: Primary historical and recent focus on Mongolia, Taiwan, Myanmar, Vietnam, and Cambodia. Also targeted victims in Malaysia, Japan, the United States, Ethiopia, Brazil, Australia, and India (September to December 2024). Aligns with Chinese strategic priorities focusing on Southeast Asia and Europe.
- Victims: Mongolian Ministry of Defense, Communist Party of Vietnam.
## Tools & Infrastructure
- Malware families used: Customized version of **PlugX** backdoor.
- Infrastructure (C2, domains, IPs): C2 traffic proxied via **Cloudflare CDN**. Two known C2 servers identified, supported by 10 administrative server IP addresses. All 10 identified IP addresses are registered to **China Unicom Henan Province**.
## Implications
RedDelta activities are directly aligned with Chinese strategic priorities, particularly concerning entities perceived as threats to the Chinese Communist Party's power (e.g., targeting Taiwan and Mongolia). Their continued evolution in infection chains and use of sophisticated proxying for command and control indicates a persistent, well-resourced state-sponsored threat actor focused on cyber espionage against geopolitical targets in Asia.
## Mitigations
Focus on improving detection across LNK, MSI, and MSC file execution chains. Security teams should monitor for anomalous file execution paths indicative of DLL side-loading or DLL search order hijacking. Investigate network traffic for C2 communications funneled through known CDNs such as Cloudflare, specifically looking for unusual traffic patterns associated with RedDelta C2s or infrastructure historically linked to China Unicom.
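The two host-side checks recommended above (executables spawned by the MSI/MSC stages from user-writable paths, and a legitimate executable loading a look-alike system DLL from its own directory) as a minimal detector run over constructed Sysmon-style events. This is an added example, not code from the report; the DLL baseline, the user-writable path pattern and the sample paths are illustrative assumptions.

```python
import ntpath
import re
from typing import Dict, List

# Illustrative baseline of DLL names that normally live in System32; in production,
# build this from an inventory of a clean host rather than a hand-written set.
SYSTEM_DLL_BASELINE = {"version.dll", "cryptbase.dll", "userenv.dll"}

# User-writable roots (assumed pattern): a signed executable running here with a
# look-alike DLL beside it is the classic side-loading shape.
USER_WRITABLE = re.compile(r"^[a-z]:\\(users\\[^\\]+\\|programdata\\|windows\\temp\\)", re.I)

# Parent processes that correspond to the .MSI and .MSC stages of the chain.
STAGE_PARENTS = {"msiexec.exe", "mmc.exe"}


def _dir(path: str) -> str:
    return ntpath.dirname(path).lower()


def check_event(ev: Dict) -> List[str]:
    """Return findings for one telemetry event (Sysmon-like fields, constructed)."""
    findings = []
    if ev["type"] == "process_create":
        parent = ntpath.basename(ev["parent"]).lower()
        if parent in STAGE_PARENTS and USER_WRITABLE.match(ev["image"]):
            findings.append(f"{parent} spawned {ev['image']} from a user-writable path")
    elif ev["type"] == "image_load":
        dll = ntpath.basename(ev["image"]).lower()
        # Same directory as the loading process, user-writable, unsigned, and named
        # like a system DLL: the search order hijack pattern rather than a normal load.
        if (dll in SYSTEM_DLL_BASELINE
                and _dir(ev["image"]) == _dir(ev["process"])
                and USER_WRITABLE.match(ev["image"])
                and not ev["signed"]):
            findings.append(f"possible DLL side-load: {ev['process']} loaded unsigned {dll} from its own directory")
    return findings


def scan(events: List[Dict]) -> List[str]:
    return [f for ev in events for f in check_event(ev)]


# Constructed sample telemetry: an MSI-dropped executable loading a DLL from its own folder,
# followed by a benign System32 load and a benign launch from Program Files.
SAMPLE_EVENTS = [
    {"type": "process_create", "parent": r"C:\Windows\System32\msiexec.exe",
     "image": r"C:\Users\alice\AppData\Local\Temp\vendor_app.exe"},
    {"type": "image_load", "process": r"C:\Users\alice\AppData\Local\Temp\vendor_app.exe",
     "image": r"C:\Users\alice\AppData\Local\Temp\version.dll", "signed": False},
    {"type": "image_load", "process": r"C:\Users\alice\AppData\Local\Temp\vendor_app.exe",
     "image": r"C:\Windows\System32\userenv.dll", "signed": True},
    {"type": "process_create", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\VendorTool\vendor_app.exe"},
]
```

Running `scan(SAMPLE_EVENTS)` yields two findings, one per stage, while the two benign events produce none.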