A recent report by Insikt Group reveals an ongoing, sophisticated cyber-espionage operation by the RedDelta advanced persistent threat (APT) group, a Chinese state-sponsored entity. Since mid-2023, RedDelta has been targeting political, government, and diplomatic entities across Taiwan, Mongolia, Southeast Asia, and other regions, employing customized PlugX backdoor malware and evolving infection chains to enhance their capabilities.
RedDelta’s attack methodology has undergone significant changes since 2023. Initially, the group employed Windows shortcut (LNK) files to initiate infection. However, they later transitioned to Microsoft Management Console (MSC) files and HTML spear-phishing links hosted on platforms like Microsoft Azure.
The infection chain typically involves:
- A phishing email containing a lure document or link.
- Execution of the malicious file, which triggers DLL search order hijacking.
- Deployment of the PlugX backdoor, a hallmark of RedDelta operations.
One of RedDelta’s notable tactics is the use of Cloudflare’s content delivery network (CDN) to proxy their command-and-control (C2) traffic. This approach helps the group blend malicious traffic with legitimate internet activity, complicating detection efforts. Similar tactics have been observed in campaigns by other state-sponsored groups like Russia’s BlueAlpha.
RedDelta’s operations align closely with Chinese geopolitical interests. Their targeting includes:
- Taiwan: Phishing campaigns themed around the 2024 Taiwanese presidential election.
- Mongolia: Decoy documents on flood protection and Buddhist activism.
- Vietnam: Lures related to national holidays and political entities.
RedDelta also extended their activities to regions like Japan, the U.S., and Australia. In August 2024, the group compromised the Mongolian Ministry of Defense and targeted Vietnam’s Ministry of Public Security.
The customized PlugX backdoor used by RedDelta is loaded into memory through DLL search order hijacking, which keeps the payload off disk in its decoded form and helps it evade detection. Newer infection chains use loaders written in the Nim programming language, which further complicates detection.