Chinese State-Sponsored RedDelta Targeted Taiwan, Mongolia, and Southeast Asia with Adapted PlugX Infection Chain

Summary:

Between July 2023 and December 2024, Insikt Group observed the Chinese state-sponsored group RedDelta targeting Mongolia, Taiwan, Myanmar, Vietnam, and Cambodia with an adapted infection chain to distribute its customized PlugX backdoor. The group used lure documents themed around the 2024 Taiwanese presidential candidate Terry Gou, the Vietnamese National Holiday, flood protection in Mongolia, and meeting invitations, including an Association of Southeast Asian Nations (ASEAN) meeting. RedDelta likely compromised the Mongolian Ministry of Defense in August 2024 and the Communist Party of Vietnam in November 2024. The group conducted spearphishing targeting the Vietnamese Ministry of Public Security, but Insikt Group observed no evidence of successful compromise. From September to December 2024, RedDelta likely targeted victims in Malaysia, Japan, the United States, Ethiopia, Brazil, Australia, and India.

In late 2023, RedDelta evolved the first stage of its infection chain to leverage a Windows Shortcut (LNK) file likely delivered via spearphishing. In 2024, the group transitioned to using Microsoft Management Console Snap-In Control (MSC) files. Most recently, RedDelta used spearphishing links to prompt a victim to load an HTML file remotely hosted on Microsoft Azure. Since July 2023, RedDelta has consistently used the Cloudflare content distribution network (CDN) to proxy command-and-control (C2) traffic, which enables the group to blend in with legitimate CDN traffic and complicates victim identification. Other state-sponsored groups, including Russia’s BlueAlpha, have similarly leveraged Cloudflare to evade detection.

RedDelta’s activities align with Chinese strategic priorities, focusing on governments and diplomatic organizations in Southeast Asia, Mongolia, and Europe. The group’s Asia-focused targeting in 2023 and 2024 represents a return to the group’s historical focus after targeting European organizations in 2022. RedDelta’s targeting of Mongolia and Taiwan is consistent with the group’s past targeting of groups seen as threats to the Chinese Communist Party’s power.

About RedDelta:

RedDelta has been active since at least 2012 and has focused on targeting Southeast Asia and Mongolia. The group has routinely adapted its targeting in response to global geopolitical events. RedDelta targeted the Vatican and other Catholic organizations with PlugX before 2021 talks between China and the Vatican. The has group compromised law enforcement and government entities in India, a government organization in Indonesia, and other targets across Myanmar, Hong Kong, and Australia.

In 2022, RedDelta shifted toward increased targeting of European government and diplomatic entities following Russia's invasion of Ukraine. This activity used an infection chain that began by delivering an archive file (ZIP, RAR, or ISO), which was likely delivered via spearphishing. The file contained a Windows Shortcut (LNK) file disguised with a double extension (such as .doc.lnk) and a Microsoft Word icon. Hidden folders within the archive contained three files used to complete dynamic-link library (DLL) search order hijacking: a legitimate binary, a malicious DLL loader, and an encrypted PlugX payload that was ultimately loaded into memory. User execution of the Shortcut file led to DLL search order hijacking. In November 2022, RedDelta evolved its tactics to stage the ISO file on a threat actor-controlled domain.

In March 2023, Insikt Group identified RedDelta targeting Mongolia using a similar infection chain that started with a container file (RAR, ZIP, ISO) consisting of an LNK file that triggered a DLL search order hijacking triad located within a hidden nested subdirectory. Decoy documents included an invitation from the World Association of Mongolia and a document claiming to be a BBC news interview about Tibetan Buddhism and Mongolia. RedDelta targeted:

Members of multiple Mongolian non-governmental organizations (NGOs), including a human rights and pro-democracy NGO focused on the Inner Mongolia Autonomous Region
Mongolian Buddhist activists in Mongolia and Japan
Academic professionals in Mongolia and Japan
Developers of two Mongolian mobile applications

Mitigations:

To detect and mitigate RedDelta activity, organizations should:

Use YARA and Sigma rules provided by Insikt Group to detect RedDelta Windows Installer (MSI), DLL, and LNK files (see below).
Configure intrusion detection systems (IDS), intrusion prevention systems (IPS), and other network defense mechanisms to alert on or block connection attempts from external IP addresses and domains associated with RedDelta (see below).
Keep software and applications — particularly operating systems, antivirus software, and core system utilities — up to date.
Filter email correspondence and scrutinize attachments for malware.
Conduct regular system backups and store them offline and offsite to ensure they are inaccessible via the network.
Adhere to strict compartmentalization of company-sensitive data, institute role-based access, and limit company-wide data access.
Deploy client-based host logging and intrusion detection capabilities to identify and thwart attacks early.
Prevent threat actors from bypassing security by disabling outdated authentication methods.
Implement tools like network IDS, NetFlow collection, host logging, and web proxy, alongside manual monitoring of detection sources.
Practice network segmentation and ensure special protections exist for sensitive information, such as multifactor authentication, and restricted accesss.

Leverage the Recorded Future® Third-Party Intelligence module and Threat Intelligence Browser Extension for real-time monitoring and prioritized vulnerability patching.

Review public guidance (1, 2, 3, 4) and Insikt Group’s “Charting China’s Climb as a Leading Global Cyber Power” report for comprehensive recommendations for mitigating Chinese advanced persistent threat activity more broadly.

Outlook:

Insikt Group anticipates that RedDelta will continue targeting organizations worldwide with its customized PlugX backdoor, focusing on Southeast Asia and China’s periphery, including Mongolia and Taiwan. Likely targets include governments, NGOs, activists, and religious organizations. RedDelta has continually evolved its infection chain and is anticipated to continue doing so in the future in response to major geopolitical developments.

To read the entire analysis, click here to download the report as a PDF.

Appendix A — Indicators of Compromise

Domains:
 abecopiers[.]com
 alicevivianny[.]com
 aljazddra[.]com
 alphadawgrecords[.]com
 alvinclayman[.]com
 antioxidantsnews[.]com
 armzrace[.]com
 artbykathrynmorin[.]com
 atasensors[.]com
 bkller[.]com
 bonuscuk[.]com
 bramjtop[.]com
 buyinginfo[.]org
 calgarycarfinancing[.]com
 comparetextbook[.]com
 conflictaslesson[.]com
 councilofwizards[.]com
 crappienews[.]com
 createcopilot[.]com
 cuanhuaanbinh[.]com
 dmfarmnews[.]com
 electrictulsa[.]com
 elevateecom[.]com
 epsross[.]com
 erpdown[.]com
 estmongolia[.]com
 financialextremed[.]com
 finasterideanswers[.]com
 flaworkcomp[.]com
 flfprlkgpppg[.]shop
 getfiledown[.]com
 getupdates[.]net
 glassdoog[.]org
 globaleyenews[.]com
 goclamdep[.]net
 goodrapp[.]com
 gulfesolutions[.]com
 hajjnewsbd[.]com
 hisnhershealthynhappy[.]com
 homeimageidea[.]com
 howtotopics[.]com
 importsmall[.]com
 indiinfo[.]com
 infotechtelecom[.]com
 inhller[.]com
 instalaymantiene[.]com
 iplanforamerica[.]com
 irprofiles[.]com
 itduniversity[.]com
 ivibers[.]com
 jorzineonline[.]com
 kelownahomerenovations[.]com
 kentscaffolders[.]com
 kerrvillehomeschoolers[.]com
 kxmmcdmnb[.]online
 lebohdc[.]com
 linkonmarketing[.]com
 loginge[.]com
 lokjopppkuimlpo[.]shop
 londonisthereason[.]com
 looksnews[.]com
 maineasce[.]com
 meetviberapi[.]com
 mexicoglobaluniversity[.]com
 mobilefiledownload[.]com
 mojhaloton[.]com
 mongolianshipregistrar[.]com
 mrytlebeachinfo[.]com
 myynzl[.]com
 newslandtoday[.]net
 normalverkehr[.]com
 nymsportsmen[.]com
 oncalltechnical[.]com
 onmnews[.]com
 pgfabrics[.]com
 pinaylizzie[.]com
 profilepimpz[.]com
 quickoffice360[.]com
 redactnews[.]com
 reformporta[.]com
 richwoodgrill[.]com
 riversidebreakingnews[.]com
 rpcgenetics[.]com
 sangkayrealnews[.]com
 shreyaninfotech[.]com
 smldatacenter[.]com
 spencerinfo[.]net
 starlightstar[.]com
 tasensors[.]com
 techoilproducts[.]com
 thelocaltribe[.]com
 tigermm[.]com
 tigernewsmedia[.]com
 tophooks[.]org
 truckingaccidentattorneyblog[.]com
 truff-evadee[.]com
 tychonews[.]com
 unixhonpo[.]com
 usedownload[.]com
 vanessalove[.]com
 versaillesinfo[.]com
 vopaklatinamerica[.]com
 windowsfiledownload[.]com
 xxmodkiufnsw[.]shop 
 365officemail[.]com
 7gzi[.]com
 
 
 Additional Staging Domains
 https[:]//getfiledown[.]com/utdkt
 https[:]//versaillesinfo[.]com/brjwcabz
 https[:]//lifeyomi[.]com/trkziu
 https[:]//lebohdc[.]com/uleuodmm
 https[:]//cdn7s65[.]z13[.]web[.]core[.]windows[.]net
 https[:]//edupro4[.]z13[.]web[.]core[.]windows[.]net
 https[:]//elevateecom[.]com/deqcehfg
 https[:]//vabercoach[.]com/uenic
 https[:]//artbykathrynmorin[.]com/lczjnmum
 
 
 RedDelta Administration Servers
 115.61.168[.]143
 115.61.168[.]170
 115.61.168[.]229
 115.61.169[.]139
 115.61.170[.]105
 115.61.170[.]70
 182.114.108[.]91
 182.114.108[.]93
 182.114.110[.]11
 182.114.110[.]170
 

 RedDelta C2 Servers (October–December 2024)
 103.79.120[.]92
 45.83.236[.]105
 116.206.178[.]67
 45.133.239[.]183
 116.206.178[.]68
 103.238.225[.]248
 45.133.239[.]21
 103.238.227[.]183
 103.107.104[.]37
 107.148.32[.]206
 167.179.100[.]144
 116.206.178[.]34
 149.104.2[.]160
 207.246.106[.]38
 45.76.132[.]25
 155.138.203[.]78
 144.76.60[.]136
 38.180.75[.]197
 107.155.56[.]15
 107.155.56[.]87
 202.91.36[.]213
 107.155.56[.]4
 149.104.12[.]64
 154.205.136[.]105
 223.26.52[.]208
 45.128.153[.]73
 96.43.101[.]245
 45.135.119[.]132
 161.97.107[.]93
 103.107.105[.]81
 103.107.104[.]4
 103.107.104[.]57
 154.90.47[.]123
 147.78.12[.]202
 

 Shortcut (LNK) Files (SHA256)
 a0a3eeb6973f12fe61e6e90fe5fe8e406a8e00b31b1511a0dfe9a88109d0d129
 2232cd249be265d092ea923452f82aae28f965b48897fe6f05a7cd4495fcd96e
 aaad74fbf1b3f499aa2be9f5a86f0d6427c2d807c27532090671295a2b5d67e0
 6e37ad572f1e7d228c8c0c7cb1ef2d966d16d681669587cfb80e063106d77a6e
 6ac4b0fd81e317615e0935e83874ef997b7bff3aff2f391405a2e22161f4fd45
 dd2d8fb565b18065bde545da16f67f31036b4d45dec5b82caa74e30a617e85e8
 945f7ca6ce890f6cd1813b0ed1912ef25ed4a5f11da0fe97c20fe443bd4489a1
 042045687882ec8dc2d61e26e86e56620c4a1e694b46f9ce814b060cb0cf4bb5
 5479927c78faed415853c3ba3798dfff93d4047a17c3c4d87f7dc1ce8289395c
 d8981d4cbca9b99828a9459e4abfbbe20a221bfc59fc0f2a6d6a751c363b26c4
 c6bd2c31ebaa8d51964c49a22bc796aa506e594d6f1b1043b01d0baf58836172
 df3e5c62fa7086eec23c04cb52a17d64aa0b4f252551c8a65c599291a7cee61f
 2c791775e66a77fe72aa826823f554bfe9a41525c6c1c14798cf56a42925db31
 74f3101e869cedb3fc6608baa21f91290bb3db41c4260efe86f9aeb7279f18a1
 

 MSC files (SHA256)
 1cbf860e99dcd2594a9de3c616ee86c894d85145bc42e55f4fed3a31ef7c2292 (Meeting_Invitation.msc)
 54549745868b27f5e533a99b3c10f29bc5504d01bd0792568f2ad1569625b1fd (240422 264-24 SOLO airfield surveys.msc)
 8c9e1f17e82369d857e5bf3c41f0609b1e75fd5a4080634bc8ae7291ebe2186c (Meeting Invitation.msc)
 d0c4eb52ea0041cab5d9e1aea17e0fe8a588879a03415f609b195cfbd69caafc (Meeting.msc) 
 ca0dfda9a329f5729b3ca07c6578b3b6560e7cfaeff8d988d1fe8c9ca6896da5 (Meeting invitation.msc)
 6784b646378c650a86ba4fdd4baaaf608e5ecdf171c71bb7720f83965cc8c96f (Meeting.msc)
 00619a5312d6957248bac777c44c0e9dd871950c6785830695c51184217a1437 (Pg 151 vv nghi le Quoc khanh 2.9.msc)
 eae187a91f97838dbb327b684d6a954beee49f522a829a1b51c1621218039040 (BCTT 02.9 AM Final.docx.msc)
 c1f27bed733c5bcf76d2e37e1f905d6c4e7abaeb0ea8975fca2d300c19c5e84f (ADSOM-Plus - Meeting Programme.msc)
 397afb74746b2fe01abc63789412b38f44ceb234a278a04b85b2bb5b4e64cc8c (Meeting Invitation.msc)
 49abaa2ba33af3ebde62af1979ed7a4429866f4f708e0d8e9cfffcfa7a279604 (Meeting Procedure.msc)
 3e6772aca8bb8e71956349f1ea9fecda5d9b9cfa00f8cdbf846c169ab468a370 (Meeting request.msc)
 f0aa5a27ea01362dce9ced3685961d599e1c9203eef171b76c855a3db41f1ec6 (Шуурхай мэдээ 2024-05-27 -.msc)
 e81982e40ee5aaed85817343464d621179a311855ca7bcc514d70f47ed5a2c67 (Meeting Invitation.msc)
 

 MSI files (SHA256)
 471e61015ff18349f4bf357447597a54579839336188d98d299b14cff458d132
 7c741c8bcd19990140f3fa4aa95bb195929c9429fc47f95cf4ab9fad03040f7b
 1efe366230043521c1f55cc049117a65acd1a29f4470446ad277f57c4f3a2feb
 7a2994a6b61ee8ac668e41e622edfa7ae7e06b66d80c2a535f5822bc98058c33
 364f38b48565814b576f482c1e0eb4c8d58effcd033fd45136ee00640a2b5321
 d4b9f7c167bc69471baf9e18afd924cf9583b12eee0f088c98abfc55efd77617
 dbe26b8c3a75f2a78e1a47e021e5ed0087dd8433a667ab8238385529239f108e
 71e462aaca0f2d8c8a685756b070d017c796de6ac22021a79d922f2f182d4fb0
 2d884fd8cfa585adec7407059064672d06a6f4bdc28cf4893c01262ef15ddb99
 30fbf917d0a510b8dac3bacb0f4948f9d55bbfb0fa960b07f0af20ba4f18fc19
 2cd4fb94268ba063b1a5eea7fe87e794fecf46c0f56c2aaa81e8c9052bb4f5f2 (Adobe-Setup.msi)
 38b2852a8dfadac620351c7bea674c29cc5aa89d051fb7acfb8d550df00d4403
 34e915d93b541471a9f7e747303f456732cd48c52e91ef268e32119ea8c433c0
 507aa944d77806b3f24a3337729b52168808e8d469e5253cbf889cdaabb5254e 
 976ffe00ca06a4e3d2482815c2770086e7283025eeecad0a750001dedaa2d16a 
 2cd4fb94268ba063b1a5eea7fe87e794fecf46c0f56c2aaa81e8c9052bb4f5f2
 c7ec098093eb08d2b36d1c37b928d716d8da021f93319a093808a7ceb3b35dc1
 c2d259056163788dce3a98562bb3bcba3a57a23854104e58a8d0fe18200d690b
 62adbe84f0f19e897df4e0573fc048272e0b537d5b34f811162b8526b9afaf32 (Adobe-Setup.msi)
 

 DLL files (SHA256)
 67c23db357588489031700ea8c7dc502a6081d7d1a620c03b82a8f281aa6bde6
 b6f375d8e75c438d63c8be429ab3b6608f1adcd233c0cc939082a6d7371c09bb
 a7735182b7f9f2c10af3f8d2d10634c344d984f6e53e7a3787e4d3d756a7a0a0
 53bafcf064d421341c582d93108e84df2f0e284c2b0a4dc2deb9099aa953bf5a
 7a16ba2f0d2c4f7779b67e41f8196ddc6652ca7b61607696ed154df83c8d7b9c
 749d8980d80966480c85c112a10e1be3d391c1f4673977e880fa461edc2cbf18
 2220a9297876d7ffb5ad8da4d35ed7b2c8746129f66056e81c4f74a6bb224fd7
 3ced0837225b635f2ed63e4f72f95933d804e089a21eb8022407a74d772bb94f
 f1f58fda25e2a6dde9cab4faf02f7246d2a8ab2c96b4b055deea4093eee9d0e6
 77f813a461b4f1f1c765d951f0bf04668d96efea72cb8ecfb594ea2e36153cf8
 dc155cb86f5240c2c39c851e006e39cb33ed9b52e0633cbcdcc2164a47a93e22
 5400fda058d7a13c27e9c95453634e4fee9a421023e0d4482f3eacc198caa928
 367a98647dea14345e258bc01dfb77b46d1a895e91b5d088cf949de34db13f59
 f1812ca5170af2401d501561d2a3036379752d22111b10f9ac570587364c82aa
 e1c85c49982339770189f7947b5bfeb926bc3e4e1d1c63655cb0f8cfdc82a647
 f2b04c3c764c85c0bedb434b55304d26d067662cd47e620e219657a0007c9fe0
 c25b3a3d7779cb89772454a756ce48ed3744cf233564d309b6f8d19bd8e26fa4 (hid.dll) 
 1bde2b050117d7f27e55a71b4795476decace1850587a17d6cf6fd3fc030ff1a (hid.dll) 
 73451742de056d3d06f7c42904651439198df449115f7adb08601b8104bec6fb (hid.dll)
 651c096cf7043a01d939dff9ba58e4d69f15b2244c71b43bedb4ada8c37e8859 (msi.dll) 
 f8c1a4c3060bc139d8ac9ad88d2632d40a96a87d58aba7862f35a396a18f42e5 (msi.dll)
 288e79407daae7ae9483ef789d035d464cf878a611db453675ba1a2f6beb1a03 (FormDll.dll)
 ee9c935adae0d830cdc0fccd12b19c32be4f15dffcf454a9d807016ce59ff9a9
 c5aa22163eb302ef72c553015ae78f1efe79e0167acad10047b0b25844087205 (hid.dll)
 1a37289c70c78697b85937ae4e1e8a4cebb7972c731aceaef2813e241217f009 (hid.dll)
 49c32f39d420b836a2850401c134fece4946f440c535d4813362948c2de3996f (hid.dll)
 83946986b28fd8d04d59bab994cd2dc48e83b9711a8f453d8364c2ad27ea0254 (hid.dll)
 ade0b5cfedfa73252ec72deee7eb79e26380e2e50b47efcfe12350c9a255bb66 (hid.dll) 
 b63f51537957572c43c26fc8e9088361978ee901df4b8e67d48843c4fb7c027b (hid.dll)
 557f04c6ab6f06e11032b25bd3989209de90de898d145b2d3a56e3c9f354d884
 

 Encrypted Payloads (DAT) (SHA256)
 095855cf6c82ae662cce34294f0969ca8c9df266736105c0297d2913a9237dd1
 abd5a09ec75ff36df87ece894cab441ef7f021f5bdd8ba55d00b8ed8aac03ab4
 7b8dbfe66d16ad627d3864bd5d396b98a86c75aa4a3d87067a03221d73a560c1
 52ba1bd4d40202c24cb896a355f094dbe0dc6e211f5ddd5b59f0c39b99203172
 b02b2c0a9209f20dab4efbc458160f5a9efdb81b6474ec10bb727295a86d825a
 7f382a8b19613d078e4b78b677cb7592cab7c17577638e7ecad0a4952c6f4055
 aafff72a8c4ad7be37b25e3686a28a11f1d29a0acc771cac1974e17c176c5ed1
 16dd782942b25aa2eb61bc7de36820444b9f55846c815e249a942b52c61be6b5
 d674025113d350438a11439d56db111881de887fea41b2d168c6c2b8d8c22014
 ca963057e69914d7e6c40aa7c43b393a1516f6dfdd2abfed12ddaa21fc2cfcce
 96085a217f0841bae3fe77ecf60785a5cf4051748e90c818cf6160f7fd00b12e
 bde73773529ec32161fb8a675b50678771bf317a83f3dd8d0c47f54bdc665722
 94ad60e87518ac2f655be1b0297e0109da3ef0ae733357206e3e87712c5dfba7
 908ff3a80ef065ab4be1942e0d41583903f6aac02d97df6b4a92a07a633397a8 (NoteLogger.dat)
 a5cd617434e8d0e8ae25b961830113cba7308c2f1ff274f09247de8ed74cac4f (NoteLogger.dat)
 4ac2a633904b0da3ac471776ecbaded91e1f3a5107630fafde76868cace46051 (inkformDB.dat)
 75e849cc96c573fdfe0233b4d9a79c17fb4c40f15c0b6c0d847c461a30f1cbe8
 d188e877066f0932440d4cd8e8e2e856d7b92d40b475b7c0f0c996b34a2847a4 (LDevice.dat)
 37c7bdac64e279dc421de8f8a364db1e9fd1dcca3a6c1d33df890c1da7573e9f (LDevice.dat)
 6e07e37618f57ac1930865e175d49ef1bf85aa882ffbd30538f55f64d024085b (LDevice.dat) 
 58a73d445f6122c921092001b132460bb6c1601dc93ecfaabe5df2bf0fef84de (LDevice.dat)
 9afddc7ff0a75975748e5dc7d81eee8cd32be79ca32edfebd151a376563e7d4b (LDevice.dat)
 9333cc552193cfe9122515e3d7b210de317c297f1c09da5180b3a7f006d94fe4 (LDevice.dat)
 3552708726f50ee949656e66a4a10da304bae088fa1b875bfab9e182b6ec97f7 (LDevice (3).dat)
 5dae5254493df246c15e52fd246855a5d0a248f36925cecee141348112776275 (officeime.dat)
 

 Legitimate Executables (SHA256)
 b9836265c6bfa17cd5e0265f32cedb1ced3b98e85990d000dc8e1298d5d25f93 (ONENOTEM.exe)
 87d0abc1c305f7ce8e98dc86712f841dd491dfda1c1fba42a70d97a84c5a9c70 (inkform.exe)
 d27c5d38c2f3e589105c797b6590116d3ec58ad0d2b998d2ea92af67b07c76b1 (ExcelRepairToolboxLauncher.exe)
 282fc12e4f36b6e2558f5dd33320385f41e72d3a90d0d3777a31ef1ba40722d6 (LDeviceDetectionHelper.exe)
 80a7ff01de553cb099452cb9fac5762caf96c0c3cd9c5ad229739da7f2a2ca72 (imecmnt.exe)
 

 HTML files (SHA256)
 0b152012c1deab39c6ed7fe75a27168eaaec43ae025ee74d35c2fee2651b8902
 0c7ee8667f48c50ea68c9ad02880f0ff141a3279bd000502038a3a187c7d1ede
 
 
 File Paths
 C:\Users\Admin\AppData\Local\GkyOpucv\
 C:\Users\Public\SecurityScan\
 C:\Users\Public\.vsCodes\
 C:\ProgramData\.vscodes\
 C:\Users\< USER >\AppData\Local\MUxPOTy\
 C:\ProgramData\SamsungDriver\
 C:\Users\Admin\AppData\Roaming\.inkform\inkformDB.dat
 C:\Users\Admin\AppData\Roaming\VirtualFile\inkform.exe
 C:\Users\Admin\AppData\Roaming\VirtualFile\FormDll.dll
 C:\Users\Public\.inkform\inkformDB.dat
 C:\Users\Public\Intelnet\FormDll.dll
 C:\Users\Public\Intelnet\inkform.exe
 C:\Users\Public\.inkform\inkformDB.dat
 C:\Users\Public\SecurityScan\FormDll.dll
 C:\Users\Public\SecurityScan\inkform.exe
 C:\ProgramData\.inkform\inkformDB.dat
 C:\ProgramData\Intelnet\FormDll.dll
 C:\ProgramData\Intelnet\inkform.exe
 C:\Users\Admin\.inkform\inkformDB.dat
 C:\Users\Admin\SamsungDriver\inkform.exe
 C:\Users\Admin\SamsungDriver\FormDll.dll
 

Appendix B — MITRE ATT&CK Techniques

Tactic: Technique	ATT&CK Code
Resource Development: Acquire Infrastructure — Virtual Private Server	T1583.003
Resource Development: Acquire Infrastructure — Domains	T1583.001
Initial Access: Phishing — Spearphishing Attachment	T1566.001
Initial Access: Phishing — Spearphishing Link	T1566.002
Execution: CUser Execution — Malicious File	T1204.002
Execution: Command and Scripting Interpreter — PowerShell	T1059.001
Persistence: Boot or Logon Autostart Execution — Registry Run Keys / Startup Folder	T1547.001
Defense Evasion: Hijack Execution Flow — DLL Search Order Hijacking	T1574.001
Defense Evasion: Execution Guardrails — Geofencing	T1627.001
Defense Evasion: Deobfuscate/Decode Files or Information	T1140
Defense Evasion: System Binary Proxy Execution — MMC	T1071.001
Defense Evasion: System Binary Proxy Execution — Msiexec	T1218.007
Defense Evasion: Masquerading — Match Legitimate Name or Location	T1036.005
Defense Evasion: Masquerading — Double File Extension	T1036.007
Découverte : Découverte des informations système	T1082
Command-and-Control: Encrypted Channel — Symmetric Cryptography	T1573.001
Command-and-Control: Data Encoding: Standard Encoding	T1132.001
Command-and-Control: Web Service	T1102

Appendix C — YARA and Sigma Rules

Sigma rule to detect RedDelta DLL hijacking attempts to load PlugX:

title: Potential RedDelta APT DLL Hijacking Attempt

id: a8535c40-4e04-4ff6-baea-479ea6b0adea

status: stable

description: Detects DLL potential hijacking of LDeviceDetectionHelper.exe in a subdirectory of AppData\Local. Used by RedDelta APT to load PlugX.

author: MGUT, Insikt Group, Recorded Future

date: 2024/09/06

references:

https://tria.ge/240803-bmgessseme/behavioral1/analog?q=lDevice&image=C%3A%5CUsers%5CAdmin%5CAppData%5CLocal%5CaPGfRwbjwQD%5CLDeviceDetectionHelper.exe

tags:

- attack.t1574.001 # Hijack Execution Flow: DLL Search Order Hijacking

logsource:

product: windows

category: process_creation

detection:

image_start:

Image|startswith:

- 'C:\Users\'

image_end:

Image|endswith:

- '\AppData\Local\*\LDeviceDetectionHelper.exe'

condition:

image_start and image_end

level: critical

falsepositives:

- Unlikely

YARA rule to detect RedDelta loaders written in NIM:

import "pe"

rule APT_CN_RedDelta_Nim_Loader_DEC23 {

meta:

author = "JGrosfelt, Insikt Group, Recorded Future"

date = "2023-12-21"

description = "Detects RedDelta RC4 Implementation in Nim Loaders"

version = "1.0"

RF_THREATACTOR = "RedDelta"

RF_THREATACTOR_ID = "en_T6N"

strings:

/*

RedDelta Custom RC4 Implementation (from RC4)

8B 8D E0 FB FF FF mov ecx, [ebp+var_420]

89 F2 mov edx, esi

32 54 3B 08 xor dl, [ebx+edi+8]

0F BE D2 movsx edx, dl

E8 E7 C5 FF FF call sub_6DB03E5C

89 85 E0 FB FF FF mov [ebp+var_420], eax

89 F8 mov eax, edi

83 C0 01 add eax, 1

89 C7 mov edi, eax

0F 81 8E FE FF FF jno loc_6DB07716

*/

$s1 = { 8B 8D E0 FB FF FF 89 F2 32 54 3B 08 0F BE D2 E8 ?? ?? ?? ?? 89 85 E0 FB FF FF 89 F8 83 C0 01 89 C7 0F }

condition:

(uint16 (0) == 0x5a4d)

and $s1

}

rule APT_CN_RedDelta_Nim_Loader_Aug24 {

meta:

author = "MGUT, Insikt Group, Recorded Future"

date = "2024-09-06"

description = "Detects RedDelta MSI files used to load PlugX via DLL hijacking"

version = "1.0"

hash = "49c32f39d420b836a2850401c134fece4946f440c535d4813362948c2de3996f"

hash = "c5aa22163eb302ef72c553015ae78f1efe79e0167acad10047b0b25844087205"

RF_THREATACTOR = "RedDelta"

RF_THREATACTOR_ID = "en_T6N"

strings:

$func = "winimConverterVarObjectToPtrObject"

condition:

uint16be(0) == 0x4d5a

and filesize < 500KB

and pe.number_of_exports == 2

and pe.exports("HidD_GetHidGuid")

and pe.exports("NimMain")

and $func

}

YARA rule to detect MSI executables used to load PlugX:

rule APT_CN_RedDelta_MSI_Aug24 {

meta:

author = "MGUT, Insikt Group, Recorded Future"

date = "2024-09-06"

description = "Detects RedDelta MSI files used to load PlugX via DLL hijacking"

version = "1.0"

hash = "30fbf917d0a510b8dac3bacb0f4948f9d55bbfb0fa960b07f0af20ba4f18fc19"

hash = "2d884fd8cfa585adec7407059064672d06a6f4bdc28cf4893c01262ef15ddb99"

RF_THREATACTOR = "RedDelta"

RF_THREATACTOR_ID = "en_T6N"

strings:

$s1 = "TARGETDIR[%LOCALAPPDATA]"

$s2 = "\\LDeviceDetectionHelper.exe"

$s3 = "hid.dll"

condition:

uint32be(0) == 0xd0cf11e0 and all of them

}

YARA rule to detect LNK files used to load PlugX (applies to infection chain from 2023):

rule APT_CN_RedDelta_LNK_Oct23 {

meta:

author = "Mkelly, Insikt Group, Recorded Future"

date = "2023-10-13"

description = "Detects RedDelta LNK files used to retrieve and install .msi files via Powershell"

version = "1.0"

hash = "a0a3eeb6973f12fe61e6e90fe5fe8e406a8e00b31b1511a0dfe9a88109d0d129"

hash = "74f3101e869cedb3fc6608baa21f91290bb3db41c4260efe86f9aeb7279f18a1"

RF_THREATACTOR = "RedDelta"

RF_THREATACTOR_ID = "en_T6N"

strings:

$s1 = "install.InstallProduct" wide

$s2 = "install=New-Object" wide

$s3 = "install.uilevel = 2" wide

$s4 = "REMOVE=ALL" wide

condition:

uint16(0) == 0x004c

and filesize < 5MB

and 3 of them

}